Merge pull request #4893 from TomyLobo/patch-1

k8s-ci-robot · web-flow · commit fc24607635c4 · 2025-01-23T00:38:57.000-08:00
docs(Microsoft DNS): improve instructions
diff --git a/docs/tutorials/rfc2136.md b/docs/tutorials/rfc2136.md
@@ -299,41 +299,18 @@ spec:
         - --domain-filter=k8s.example.org
 ```
 
-## Microsoft DNS (Insecure Updates)
+## Microsoft DNS
 
 While `external-dns` was not developed or tested against Microsoft DNS, it can be configured to work against it. YMMV.
 
-### Insecure Updates
-
-#### DNS-side configuration
-
-1. Create a DNS zone
-2. Enable insecure dynamic updates for the zone
-3. Enable Zone Transfers to all servers
-
-#### `external-dns` configuration
-
-You'll want to configure `external-dns` similarly to the following:
-
-```text
-...
-        - --provider=rfc2136
-        - --rfc2136-host=192.168.0.1
-        - --rfc2136-port=53
-        - --rfc2136-zone=k8s.example.org
-        - --rfc2136-zone=k8s.your-zone.org
-        - --rfc2136-insecure
-        - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
-...
-```
-
 ### Secure Updates Using RFC3645 (GSS-TSIG)
 
 #### DNS-side configuration
 
 1. Create a DNS zone
-2. Enable secure dynamic updates for the zone
-3. Enable Zone Transfers to all servers
+2. Enable **secure** dynamic updates for the zone
+3. Enable Zone Transfers to all servers and/or other domains
+4. Create a user with permissions to create/update/delete records in that zone
 
 If you see any error messages which indicate that `external-dns` was somehow not able to fetch
 existing DNS records from your DNS server, this could mean that you forgot about step 3.
@@ -402,7 +379,7 @@ You'll want to configure `external-dns` similarly to the following:
 ```text
 ...
         - --provider=rfc2136
-	 - --rfc2136-gss-tsig
+	- --rfc2136-gss-tsig
         - --rfc2136-host=dns-host.yourdomain.com
         - --rfc2136-port=53
         - --rfc2136-zone=your-zone.com
@@ -423,6 +400,30 @@ This means that Active Directory might only work if this is set to a specific do
 `KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database`.
 To fix this, try setting `--rfc2136-host` to the "actual" hostname of your DNS server.
 
+### Insecure Updates
+
+#### DNS-side configuration
+
+1. Create a DNS zone
+2. Enable insecure dynamic updates for the zone
+3. Enable Zone Transfers to all servers and/or other domains
+
+#### `external-dns` configuration
+
+You'll want to configure `external-dns` similarly to the following:
+
+```text
+...
+        - --provider=rfc2136
+        - --rfc2136-host=192.168.0.1
+        - --rfc2136-port=53
+        - --rfc2136-zone=k8s.example.org
+        - --rfc2136-zone=k8s.your-zone.org
+        - --rfc2136-insecure
+        - --rfc2136-tsig-axfr # needed to enable zone transfers, which is required for deletion of records.
+...
+```
+
 ## DNS Over TLS (RFCs 7858 and 9103)
 
 If your DNS server does zone transfers over TLS, you can instruct `external-dns` to connect over TLS with the following flags:
