
dns-update (rfc2136) over TCP (rfc1035) #7849

@gberche-orange

Description


Is your feature request related to a problem? Please describe.

I need to contact a remote dns server to perform dns updates (rfc2136) over TCP (rfc1035) instead of UDP.

See https://datatracker.ietf.org/doc/html/rfc2136

2.1 - Transport Issues

> An update transaction may be carried in a UDP datagram, if the request fits, or in a TCP connection (at the discretion of the requestor). When TCP is used, the message is in the format described in [RFC1035 4.2.2].

This is supported by the nsupdate cli

https://linux.die.net/man/8/nsupdate

> By default nsupdate uses UDP to send update requests to the name server. The -v option makes nsupdate use a TCP connection. This may be preferable when a batch of update requests is made.

Describe the solution you'd like

A new `protocol` key in the `rfc2136` section of the Issuer CRD that triggers use of the dns client's support for TCP:

https://github.com/miekg/dns/blob/96a6b9c19dd7b14558793fa557a62cfd3da5282d/client.go#L49-L72

```go
// A Client defines parameters for a DNS client.
type Client struct {
	Net       string      // if "tcp" or "tcp-tls" (DNS over TLS) a TCP query will be initiated, otherwise an UDP one (default is "" for UDP)
	//...
	TsigSecret   map[string]string // secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
	TsigProvider TsigProvider      // An implementation of the TsigProvider interface. If defined it replaces TsigSecret and is used for all TSIG operations.
}
```

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    ...
    solvers:
    - dns01:
        rfc2136:
          nameserver: <address of authoritative nameserver configured above>
          protocol: tcp # one of "udp", "tcp". Defaults to udp when unset
          tsigKeyName: <key name used in `dnssec-keygen`, use something semantically meaningful in both environments>
          tsigAlgorithm: HMACSHA512 # should be matched to the algo you chose in `dnssec-keygen`
          tsigSecretSecretRef:
            name: <the name of the k8s secret holding the TSIG key.. not the key itself!>
            key: <name of the key *inside* the secret>
```

Describe alternatives you've considered

Additional context

Currently, I understand that cert-manager does not allow setting the dns `Client.Net = "tcp"` in

```go
// Setup client
c := new(dns.Client)
c.TsigProvider = tsigHMACProvider(r.tsigSecret)
// TSIG authentication / msg signing
if len(r.tsigKeyName) > 0 && len(r.tsigSecret) > 0 {
	m.SetTsig(dns.Fqdn(r.tsigKeyName), r.tsigAlgorithm, 300, time.Now().Unix())
	c.TsigSecret = map[string]string{dns.Fqdn(r.tsigKeyName): r.tsigSecret}
}
// Send the query
reply, _, err := c.Exchange(m, r.nameserver)
```

Environment details (remove if not applicable):

  • Kubernetes version: 1.30 (k3s)
  • Cloud-provider/provisioner: rfc2136
  • cert-manager version: 1.16.3
  • Install method: e.g., helm/static manifests

/kind feature
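As an added illustration (not cert-manager's or miekg/dns code), the two pieces the request above touches: mapping a hypothetical `protocol` field onto the `Client.Net` value miekg/dns expects, and the RFC 1035 section 4.2.2 two-byte length framing that distinguishes a TCP-carried DNS message from a UDP datagram. The 12-byte UPDATE header is constructed for the demonstration; helper names are assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

// netForProtocol maps the proposed Issuer `protocol` field to miekg/dns Client.Net ("" = UDP).
func netForProtocol(protocol string) (string, error) {
	switch protocol {
	case "", "udp":
		return "", nil
	case "tcp":
		return "tcp", nil
	}
	return "", fmt.Errorf("unsupported rfc2136 protocol %q (want udp or tcp)", protocol)
}

// frameTCP prepends the two-byte big-endian length field that RFC 1035
// section 4.2.2 requires when a DNS message is carried over TCP.
func frameTCP(msg []byte) ([]byte, error) {
	if len(msg) > 0xFFFF {
		return nil, fmt.Errorf("dns message of %d bytes exceeds 65535", len(msg))
	}
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	copy(out[2:], msg)
	return out, nil
}

// readTCP reads one length-prefixed message back from a TCP stream.
func readTCP(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(r, msg)
	return msg, err
}

// updateHeader builds a constructed 12-byte header with OPCODE=5 (UPDATE) and ZOCOUNT=1.
func updateHeader(id uint16) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint16(h[0:], id)
	h[2] = 5 << 3                        // QR=0, OPCODE=UPDATE
	binary.BigEndian.PutUint16(h[4:], 1) // ZOCOUNT
	return h
}
```

On a real connection, `readTCP` is applied to the `net.Conn` returned by dialing the nameserver with the `Net` value from `netForProtocol`.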


Labels

  • area/acme/dns01: Indicates a PR modifies ACME DNS01 provider code
  • good first issue: Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
  • kind/feature: Categorizes issue or PR as related to a new feature.
