docs(Microsoft DNS): improve instructions #4893

55 changes: 28 additions & 27 deletions docs/tutorials/rfc2136.md
Expand Up @@ -299,41 +299,18 @@ spec:
- --domain-filter=k8s.example.org
```

## Microsoft DNS (Insecure Updates)
## Microsoft DNS

While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.

### Insecure Updates

#### DNS-side configuration

1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers

#### `external-dns` configuration

You'll want to configure `external-dns` similarly to the following:

```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```

### Secure Updates Using RFC3645 (GSS-TSIG)

#### DNS-side configuration

1. Create a DNS zone
2. Enable secure dynamic updates for the zone
3. Enable Zone Transfers to all servers
2. Enable **secure** dynamic updates for the zone
3. Enable Zone Transfers to all servers and/or other domains
4. Create a user with permissions to create/update/delete records in that zone
Contributor

Would you please detail when / how this user is used?


If you see any error messages which indicate that `external-dns` was somehow not able to fetch
existing DNS records from your DNS server, this could mean that you forgot about step 3.
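Review bot: step 4 ("Create a user with permissions to create/update/delete records in that zone") introduces an account without saying where its credentials go or how `external-dns` authenticates with it, which is the gap the inline comment above also raises; since this subsection is the RFC3645 (GSS-TSIG) path, the step should point at the flags the rest of the tutorial uses to pass the Kerberos credentials, and should say the account only needs rights on that zone rather than domain-wide rights. Step 3 now reads "Enable Zone Transfers to all servers and/or other domains"; allowing AXFR to any server discloses the entire zone, so the wording should recommend restricting transfers to the address(es) `external-dns` connects from, which still satisfies the new "forgot about step 3" troubleshooting sentence at the end of the hunk.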
Expand Down Expand Up @@ -423,6 +400,30 @@ This means that Active Directory might only work if this is set to a specific do
`KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.

### Insecure Updates

#### DNS-side configuration

1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers to all servers and/or other domains

#### `external-dns` configuration

You'll want to configure `external-dns` similarly to the following:

```text
...
- --provider=rfc2136
- --rfc2136-host=192.168.0.1
- --rfc2136-port=53
- --rfc2136-zone=k8s.example.org
- --rfc2136-zone=k8s.your-zone.org
- --rfc2136-insecure
- --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```

## DNS Over TLS (RFCs 7858 and 9103)

If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
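Review bot: the relocated "Insecure Updates" subsection still says nothing about what the mode it configures gives up: with insecure dynamic updates enabled, the zone accepts unauthenticated update messages from any client that can reach the server, so the subsection should open with a sentence limiting it to lab or test use and pointing back to the GSS-TSIG subsection for production. Minor: the example passes `--rfc2136-zone` twice with two different placeholder domains (`k8s.example.org` and `k8s.your-zone.org`); either use one placeholder convention consistently or state explicitly that the flag may be repeated to manage several zones.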