diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md index fb676808e8..a936d8a707 100644 --- a/docs/tutorials/rfc2136.md +++ b/docs/tutorials/rfc2136.md @@ -6,9 +6,8 @@ To use external-dns with BIND: generate/procure a key, configure DNS and add a deployment of external-dns. ### Server credentials: -- RFC2136 was developed for and tested with -[BIND](https://www.isc.org/downloads/bind/) DNS server. This documentation -assumes that you already have a configured and working server. If you don't, +- RFC2136 was developed for and tested with [BIND](https://www.isc.org/downloads/bind/) DNS server. +This documentation assumes that you already have a configured and working server. If you don't, please check BIND documents or tutorials. - If your DNS is provided for you, ask for a TSIG key authorized to update and transfer the zone you wish to update. The key will look something like below. 
@@ -134,7 +133,11 @@ tutorial and are covered in the main documentation. ### Test with external-dns installed on local machine (optional) You may install external-dns and test on a local machine by running: -```external-dns --txt-owner-id k8s --provider rfc2136 --rfc2136-host=192.168.0.1 --rfc2136-port=53 --rfc2136-zone=k8s.example.org --rfc2136-tsig-secret=96Ah/a2g0/nLeFGK+d/0tzQcccf9hCEIy34PoXX2Qg8= --rfc2136-tsig-secret-alg=hmac-sha256 --rfc2136-tsig-keyname=externaldns-key --rfc2136-tsig-axfr --source ingress --once --domain-filter=k8s.example.org --dry-run``` + +``` +external-dns --txt-owner-id k8s --provider rfc2136 --rfc2136-host=192.168.0.1 --rfc2136-port=53 --rfc2136-zone=k8s.example.org --rfc2136-tsig-secret=96Ah/a2g0/nLeFGK+d/0tzQcccf9hCEIy34PoXX2Qg8= --rfc2136-tsig-secret-alg=hmac-sha256 --rfc2136-tsig-keyname=externaldns-key --rfc2136-tsig-axfr --source ingress --once --domain-filter=k8s.example.org --dry-run +``` + - host should be the IP of your master DNS server. - tsig-secret should be changed to match your secret. - tsig-keyname needs to match the keyname you used (if you changed it). @@ -309,7 +312,7 @@ You'll want to configure `external-dns` similarly to the following: ### Secure Updates Using RFC3645 (GSS-TSIG) -### DNS-side configuration +#### DNS-side configuration 1. Create a DNS zone 2. Enable secure dynamic updates for the zone 
@@ -318,7 +321,7 @@ You'll want to configure `external-dns` similarly to the following: If you see any error messages which indicate that `external-dns` was somehow not able to fetch existing DNS records from your DNS server, this could mean that you forgot about step 3. -#### Kerberos Configuration +##### Kerberos Configuration DNS with secure updates relies upon a valid Kerberos configuration running within the `external-dns` container. At this time, you will need to create a ConfigMap for the `external-dns` container to use and mount it in your deployment. Below is an example of a working Kerberos configuration inside a ConfigMap definition. This may be different depending on many factors in your environment: @@ -356,8 +359,7 @@ data: yourdomain.com = YOUR-REALM.COM .yourdomain.com = YOUR-REALM.COM ``` -In most cases, the realm name will probably be the same as the domain name, so you can simply replace -`YOUR-REALM.COM` with something like `YOURDOMAIN.COM`. +In most cases, the realm name will probably be the same as the domain name, so you can simply replace `YOUR-REALM.COM` with something like `YOURDOMAIN.COM`. Once the ConfigMap is created, the container `external-dns` container needs to be told to mount that ConfigMap as a volume at the default Kerberos configuration location. The pod spec should include a similar configuration to the following: @@ -376,7 +378,7 @@ Once the ConfigMap is created, the container `external-dns` container needs to b ... ``` -#### `external-dns` configuration +##### `external-dns` configuration You'll want to configure `external-dns` similarly to the following:
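Review bot: In the `@@ -6,9 +6,8 @@` hunk, the rewrapped bullet still continues on unindented lines ("This documentation assumes ..." and "please check BIND documents or tutorials."), so those lines stay inside the list item only through lazy continuation. Indent the continuation lines by two spaces, or put the whole bullet on a single line the way the realm-name paragraph is joined later in this patch, so the patch follows one wrapping convention.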
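Review bot: In the `@@ -134,7 +133,11 @@` hunk, the newly fenced command still carries a realistic-looking key in `--rfc2136-tsig-secret=96Ah/a2g0/...`, and turning it into a copy-pasteable block makes it more likely to be run unchanged. Replace the value with an obvious placeholder such as `<your-tsig-secret>`, and add a sentence noting that a secret passed as a command-line argument ends up in shell history and is visible in the process list. The fence also has no language tag and the command is one very long line; tag it (for example `sh`) and break it with trailing backslashes. The bullets that follow say `host`, `tsig-secret` and `tsig-keyname`, while the flags in the command are `--rfc2136-host`, `--rfc2136-tsig-secret` and `--rfc2136-tsig-keyname`; use the full flag names so they can be matched against the command.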
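Review bot: In the `@@ -318,7 +321,7 @@` and `@@ -376,7 +378,7 @@` hunks, demoting `Kerberos Configuration` and `external-dns configuration` to `#####` nests both under `#### DNS-side configuration`, but the text says the Kerberos configuration runs "within the `external-dns` container", so neither section is DNS-side. Make both `####` so that all three are siblings under `### Secure Updates Using RFC3645 (GSS-TSIG)`. That also avoids level-5 headings, which many renderers barely distinguish from body text.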
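Review bot: In the `@@ -356,8 +359,7 @@` hunk, the context line directly after the rejoined paragraph reads "the container `external-dns` container needs to be told"; drop the first "container" while this paragraph is being touched. The joined sentence also leaves no blank line between the closing fence and "In most cases, ..."; add one so the paragraph does not depend on the renderer to separate it from the code block.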