external-dns/docs/tutorials/rfc2136.md

# Configuring RFC2136 provider

## Server credentials:
- RFC2136 was developed for and tested with [BIND](https://www.isc.org/downloads/bind/) DNS server. 
Next is assuming that you already have configured and working server, other way please check first BIND documents or tutorials.
- So you should obtain from your administrators TSIG key. It will look like:
```text
key "externaldns-key" {
	algorithm hmac-sha256;
	secret "XXXXXXXXXXXXXXXXXXXXXX==";
};
```
- `Warning!` Bind server configuration should enable for this key AFXR zone transfer protocol. It is used for listing DNS records.

```text
# cat /etc/named.conf
...
include "/etc/rndc.key";

controls {
	inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; };
};
options {
	include "/etc/named/options.conf";
};

include "/etc/named/zones.conf";
...

# cat /etc/named/options.conf
...
dnssec-enable yes;
dnssec-validation yes;
...

# cat /etc/named/zones.conf
...
zone "example.com" {
	type master;
	file "/var/named/dynamic/db.example.com";
	update-policy {
		grant externaldns-key zonesub ANY;
  	};
};
...
```

## RFC2136 provider configuration:
- Example fragment of real configuration of ExternalDNS service pod.

```text
...
        - --provider=rfc2136
        - --rfc2136-host=123.123.123.123
        - --rfc2136-port=53
        - --rfc2136-zone=your-domain.com
        - --rfc2136-tsig-secret=${rfc2136_tsig_secret}
        - --rfc2136-tsig-secret-alg=hmac-sha256
        - --rfc2136-tsig-keyname=externaldns-key
        - --rfc2136-tsig-axfr
...
```
- `rfc2136_tsig_secret` - environment variable containing actual secret value from TSIG key. Something like `XXXXXXXXXXXXXXXXXXXXXX==`.
- `rfc2136-tsig-keyname` - this is string parameter with secret key name it is should `MATCH!` with server key name. In example it is `externaldns-key`.