# Configuring RFC2136 provider

## Using with BIND

### Server credentials:

* RFC2136 was developed for and tested with the BIND DNS server. This documentation assumes that you already have a configured and working server. If you don't, please check the BIND documentation or tutorials.
* Obtain a TSIG key from your administrator. It will look like:

```
key "externaldns-key" {
	algorithm hmac-sha256;
	secret "XXXXXXXXXXXXXXXXXXXXXX==";
};
```

* Warning! The BIND server configuration should enable this key for AXFR zone transfer. external-dns uses it for listing DNS records.
```
# cat /etc/named.conf
...
include "/etc/rndc.key";

controls {
	inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; };
};
options {
	include "/etc/named/options.conf";
};

include "/etc/named/zones.conf";
...

# cat /etc/named/options.conf
...
dnssec-enable yes;
dnssec-validation yes;
...

# cat /etc/named/zones.conf
...
zone "example.com" {
	type master;
	file "/var/named/dynamic/db.example.com";
	update-policy {
		grant externaldns-key zonesub ANY;
	};
};
...
```

### RFC2136 provider configuration:

* Example fragment of a real configuration of the ExternalDNS service pod:

```yaml
...
        - --provider=rfc2136
        - --rfc2136-host=123.123.123.123
        - --rfc2136-port=53
        - --rfc2136-zone=your-domain.com
        - --rfc2136-tsig-secret=${rfc2136_tsig_secret}
        - --rfc2136-tsig-secret-alg=hmac-sha256
        - --rfc2136-tsig-keyname=externaldns-key
        - --rfc2136-tsig-axfr
...
```

* `--rfc2136-tsig-secret` - environment variable containing the actual secret value from the TSIG key, something like `XXXXXXXXXXXXXXXXXXXXXX==`.
* `--rfc2136-tsig-keyname` - a string parameter with the key name in the Kubernetes secret. It must match the key name on the DNS server. In this example it is `externaldns-key`.
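As an added example (not part of the external-dns project or of this document), the following Python script cross-checks a BIND configuration against the external-dns flags above before deployment: that the key name exists in a `key` stanza, that the algorithms agree, that the key is granted in the zone's `update-policy`, and that `--rfc2136-tsig-axfr` is set. The configuration snippets inside are constructed to mirror this document.

```python
import re

# Constructed sample inputs mirroring this document's fragments (not real deployment values).
NAMED_CONF = '''
key "externaldns-key" {
	algorithm hmac-sha256;
	secret "XXXXXXXXXXXXXXXXXXXXXX==";
};
zone "example.com" {
	type master;
	update-policy { grant externaldns-key zonesub ANY; };
};
'''
EXTERNAL_DNS_ARGS = [
    "--provider=rfc2136", "--rfc2136-zone=example.com",
    "--rfc2136-tsig-keyname=externaldns-key",
    "--rfc2136-tsig-secret-alg=hmac-sha256", "--rfc2136-tsig-axfr",
]

def parse_keys(conf):
    """Map TSIG key name -> algorithm from BIND 'key' stanzas."""
    pat = r'key\s+"([^"]+)"\s*\{[^}]*?algorithm\s+([\w-]+);'
    return {n: a.lower() for n, a in re.findall(pat, conf)}

def parse_grants(conf):
    """Map zone name -> set of key names granted in its update-policy."""
    grants = {}
    for zone, body in re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', conf, re.S):
        grants[zone] = set(re.findall(r'grant\s+([\w.-]+)\s', body))
    return grants

def parse_args(args):
    """Turn '--flag=value' / '--flag' into a dict (bare flags map to True)."""
    out = {}
    for arg in args:
        k, _, v = arg.lstrip("-").partition("=")
        out[k] = v or True
    return out

def check(conf, args):
    """Return a list of findings; an empty list means both sides agree."""
    keys, grants, a = parse_keys(conf), parse_grants(conf), parse_args(args)
    name, zone = a.get("rfc2136-tsig-keyname"), a.get("rfc2136-zone")
    alg = str(a.get("rfc2136-tsig-secret-alg", "")).lower()
    issues = []
    if name not in keys:
        issues.append(f"key {name!r} is not defined in named.conf")
    elif keys[name] != alg:
        issues.append(f"algorithm mismatch: BIND {keys[name]}, external-dns {alg}")
    if name not in grants.get(zone, set()):
        issues.append(f"key {name!r} is not granted in the update-policy of zone {zone!r}")
    if a.get("rfc2136-tsig-axfr") is not True:
        issues.append("--rfc2136-tsig-axfr is missing: the AXFR used for listing records is not TSIG-signed")
    return issues
```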

## Using with Microsoft DNS

While external-dns was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.

### DNS-side configuration

1. Create a DNS zone
2. Enable insecure dynamic updates for the zone
3. Enable Zone Transfers from all servers

### external-dns configuration

You'll want to configure external-dns similarly to the following:

```yaml
...
        - --provider=rfc2136
        - --rfc2136-host=123.123.123.123
        - --rfc2136-port=53
        - --rfc2136-zone=your-domain.com
        - --rfc2136-tsig-secret=not-needed
        - --rfc2136-tsig-secret-alg=hmac-sha256
        - --rfc2136-tsig-keyname=externaldns-key
        - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
...
```

Since Microsoft DNS does not support secure updates via TSIG, this will let external-dns make insecure updates. Do this at your own risk.