This provider uses the native DNS protocols. It uses the AXFR (RFC5936, Zone Transfer Protocol) to retrieve the existing records and DDNS (RFC2136, Dynamic Update) to make corrections. It can use TSIG (RFC2845) or IP-based authentication (ACLs).
Authentication information is included in the
creds.json entry for
transfer-key: If this exists, the value is used to authenticate AXFR transfers.
update-key: If this exists, the value is used to authenticate DDNS updates.
For instance, your
creds.json might looks like:
If either key is missing, DNSControl defaults to IP-based ACL authentication for that function. Including both keys is the most secure option. Omitting both keys defaults to IP-based ACLs for all operations, which is the least secure option.
If distinct zones require distinct keys, you will need to instantiate the provider once for each key:
The AXFR+DDNS provider can be configured with a list of default nameservers. They will be added to all the zones handled by the provider.
This list can be provided either as metadata or in
the later allows
get-zones to work properly.
By default, the AXFR+DDNS provider will send the AXFR requests and the
DDNS updates to the first nameserver of the zone, usually known as the
“primary master”. Typically, this is the first of the default
nameservers. Though, on some networks, the primary master is a private
node, hidden behind slaves, and it does not appear in the
of the zone. In that case, the IP or the name of the primary server
must be provided in
creds.json. With this option, a non-standard
port might be used.
When no nameserver appears in the zone, and no default nameservers nor custom master are configured, the AXFR+DDNS provider will fail with the following error message:
Here is a sample
named.conf example for an authauritative server on
example.tld. It uses a simple IP-based ACL for the AXFR
transfer and a conjunction of TSIG and IP-based ACL for the updates.
get-zones, a custom master or a list of default
nameservers should be configured in
THe AXFR+DDNS provider does not display DNSSec records. But, if any DNSSec records is found in the zone, it will replace all of them with a single placeholder record:
The AXFR+DDNS provider is not able to create domain.
The AXFR+DDNS provider is not able to ask the DNS server to sign the zone. But, it is able to check whether the server seems to do so or not.
When AutoDNSSEC is enabled, the AXFR+DDNS provider will emit a warning when no RRSIG, DNSKEY or NSEC records are found in the zone.
When AutoDNSSEC is disabled, the AXFR+DDNS provider will emit a warning when RRSIG, DNSKEY or NSEC records are found in the zone.
When AutoDNSSEC is not enabled or disabled, no checking is done.