# Configuring RFC2136 provider ## Server credentials: - RFC2136 was developed for and tested with [BIND](https://www.isc.org/downloads/bind/) DNS server. Next is assuming that you already have configured and working server, other way please check first BIND documents or tutorials. - So you should obtain from your administrators TSIG key. It will look like: ```text key "externaldns-key" { algorithm hmac-sha256; secret "XXXXXXXXXXXXXXXXXXXXXX=="; }; ``` - `Warning!` Bind server configuration should enable for this key AFXR zone transfer protocol. It is used for listing DNS records. ```text # cat /etc/named.conf ... include "/etc/rndc.key"; controls { inet 123.123.123.123 port 953 allow { 10.x.y.151; } keys { "externaldns-key"; }; }; options { include "/etc/named/options.conf"; }; include "/etc/named/zones.conf"; ... # cat /etc/named/options.conf ... dnssec-enable yes; dnssec-validation yes; ... # cat /etc/named/zones.conf ... zone "example.com" { type master; file "/var/named/dynamic/db.example.com"; update-policy { grant externaldns-key zonesub ANY; }; }; ... ``` ## RFC2136 provider configuration: - Example fragment of real configuration of ExternalDNS service pod. ```text ... - --provider=rfc2136 - --rfc2136-host=123.123.123.123 - --rfc2136-port=53 - --rfc2136-zone=your-domain.com - --rfc2136-tsig-secret=${rfc2136_tsig_secret} - --rfc2136-tsig-secret-alg=hmac-sha256 - --rfc2136-tsig-keyname=externaldns-key - --rfc2136-tsig-axfr ... ``` - `rfc2136_tsig_secret` - environment variable containing actual secret value from TSIG key. Something like `XXXXXXXXXXXXXXXXXXXXXX==`. - `rfc2136-tsig-keyname` - this is string parameter with secret key name it is should `MATCH!` with server key name. In example it is `externaldns-key`.