RFC2136: Document DNS-over-TLS

Add a note about the TLS flags to the RFC2136 Tutorial.
kubernetes-sigs · Oct 24, 2023 · 78effd8 · 78effd8
1 parent 696d499
commit 78effd8
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md
@@ -399,3 +399,15 @@ However, it also determines the name of the Kerberos principal which is used dur
 This means that Active Directory might only work if this is set to a specific domain name, possibly leading to errors like this:
 `KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
 To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.
+
+## DNS Over TLS (RFCs 7858 and 9103)
+
+If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
+
+ * `--rfc2136-use-tls` Will enable TLS for both zone transfers and for updates.
+ * `--tls-ca=<cert-file>` Is the path to a file containing certificate(s) that can be used to verify the DNS server
+ * `--tls-client-cert=<client-cert-file>` and
+ * `--tls-client-cert-key=<client-key-file>` Set the client certificate and key for mutual verification
+ * `--rfc2136-skip-tls-verify` Disables verification of the certificate supplied by the DNS server.
+
+It is currently not supported to do only zone transfers over TLS, but not the updates. They are enabled and disabled together.