rfc2136.md

Configuring RFC2136 provider

Server credentials:

• RFC2136 was developed for and tested with BIND DNS server. Next is assuming that you already have configured and working server, other way please check first BIND documents or tutorials.
• So you should obtain from your administrators TSIG key. It will look like:

key "externaldns-key" {
	algorithm hmac-sha256;
	secret "XXXXXXXXXXXXXXXXXXXXXX==";
};

• Warning! Bind server configuration should enable for this key AFXR zone transfer protocol. It is used for listing DNS records.

# cat /etc/named.conf
...
include "/etc/rndc.key";

controls {
	inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; };
};
options {
	include "/etc/named/options.conf";
};

include "/etc/named/zones.conf";
...

# cat /etc/named/options.conf
...
dnssec-enable yes;
dnssec-validation yes;
...

# cat /etc/named/zones.conf
...
zone "example.com" {
	type master;
	file "/var/named/dynamic/db.example.com";
	update-policy {
		grant externaldns-key zonesub ANY;
  	};
};
...

RFC2136 provider configuration:

• Example fragment of real configuration of ExternalDNS service pod.

...
        - --provider=rfc2136
        - --rfc2136-host=123.123.123.123
        - --rfc2136-port=53
        - --rfc2136-zone=your-domain.com
        - --rfc2136-tsig-secret=${rfc2136_tsig_secret}
        - --rfc2136-tsig-secret-alg=hmac-sha256
        - --rfc2136-tsig-keyname=externaldns-key
        - --rfc2136-tsig-axfr
...

• rfc2136_tsig_secret - environment variable containing actual secret value from TSIG key. Something like XXXXXXXXXXXXXXXXXXXXXX==.
• rfc2136-tsig-keyname - this is string parameter with secret key name it is should MATCH! with server key name. In example it is externaldns-key.