external-dns

Support for TXT, NS, and wildcard Records

Open hh opened this issue 2 years ago • 16 comments

Once this works, a domain can be created, a TLS wildcard cert issued, and a wildcard IP can route everything for the domain to a single ingress controller from scratch.

The goal is to create cluster that hosts a dns-domain (via PowerDNS or similar) exposed to the public internet.

whois ii.nz | grep \Name\ Server
Name Server: ns1.103.233.62.77.nip.io
Name Server: ns2.103.233.62.77.nip.io

While by default it comes up with zero records, at a minimum NS records and A records are required:

dig @ns1.103.233.62.77.nip.io ii.nz NS | grep -A2 ANSWER\ SECTION
;; ANSWER SECTION:
ii.nz.			60	IN	NS	ns1.103.233.62.77.nip.io.
ii.nz.			60	IN	NS	ns2.103.233.62.77.nip.io.

dig @ns1.103.233.62.77.nip.io some-wildcard.ii.nz A | grep -A2 ANSWER\ SECTION 
;; ANSWER SECTION:
some-wildcard.ii.nz.	60	IN	A	103.233.62.77

dig @ns1.103.233.62.77.nip.io ii.nz A | grep -A2 ANSWER\ SECTION
;; ANSWER SECTION:
ii.nz.			60	IN	A	103.233.62.77

I'd like to populate all these records from external-dns CRDs, but NS and wildcard *.domain.tld are currently unsupported afaik.

There is a cert-manager + external-dns PoC that seems interesting.

It does so by adding support for TXT records (diff) to external-dns and a cert-manager-webhook.

This allows for TXT record updates so my previously empty zone can respond to DNS01 verification requests.

This issue created from a conversation in the #external-dns slack channel

hh, Feb 14 '23 00:02

In particular, TXT records seem to clash with the current method of tracking ownership, and creation of *.domain.tld A records fails due to an error about * being an invalid character.

hh, Feb 14 '23 00:02

@hh you can change the prefix to the ownership TXT records. So can't you use DNSEndpoint (external-dns CRD) to manage the TXT records?

I think NS records and wildcards should each be a separate issue, because we would need to discuss how this should work and if/how we want to support it.

szuecs, Feb 15 '23 20:02
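The ownership clash the two comments above are about, as an added illustration (example code written for this page, not external-dns's own registry or planner): the TXT registry marks each managed name with a TXT record whose name is the `--txt-prefix` value prepended to the managed name, so with an empty prefix the marker lands on the managed name itself and collides with any TXT record the user wants there, including the `_acme-challenge` TXT needed for DNS01. The `Endpoint` type, the prefix-prepending rule (a simplified model; real external-dns also writes a record-type-qualified variant) and the sample records are assumptions of this example.

```go
package main

import "fmt"

// Endpoint is a local stand-in for one entry of a DNSEndpoint spec
// (dnsName / recordType / targets); it is not external-dns's own type.
type Endpoint struct {
	DNSName    string
	RecordType string
	Targets    []string
}

// OwnershipName models where the TXT registry writes the marker that says
// "external-dns owns this name": the --txt-prefix value prepended to the
// managed name. With an empty prefix the marker sits on the managed name
// itself. Simplified assumption for this example; real external-dns also
// writes a record-type-qualified variant of the marker.
func OwnershipName(prefix, dnsName string) string {
	return prefix + dnsName
}

// OwnershipClashes lists the desired TXT endpoints whose name is also where
// a marker would be written for some desired endpoint (possibly itself).
// DNS keeps every TXT string at one name in a single RRset, so the user
// record and the marker would be merged and the registry could misread
// the user's record or rewrite it as its own.
func OwnershipClashes(prefix string, desired []Endpoint) []string {
	markers := make(map[string]bool, len(desired))
	for _, ep := range desired {
		markers[OwnershipName(prefix, ep.DNSName)] = true
	}
	var clashes []string
	for _, ep := range desired {
		if ep.RecordType == "TXT" && markers[ep.DNSName] {
			clashes = append(clashes, ep.DNSName)
		}
	}
	return clashes
}

// SampleDesired is a constructed record set for the zone in the issue: the
// apex A record, an SPF TXT at the apex, and the DNS01 challenge TXT that
// cert-manager would publish. Values are illustrative, not real zone data.
func SampleDesired() []Endpoint {
	return []Endpoint{
		{DNSName: "ii.nz", RecordType: "A", Targets: []string{"103.233.62.77"}},
		{DNSName: "ii.nz", RecordType: "TXT", Targets: []string{"v=spf1 -all"}},
		{DNSName: "_acme-challenge.ii.nz", RecordType: "TXT", Targets: []string{"challenge-token"}},
	}
}

func main() {
	// Empty prefix: both user TXT records collide with ownership markers.
	fmt.Println("no prefix:  ", OwnershipClashes("", SampleDesired()))
	// A prefix moves the markers to extdns-ii.nz etc.; nothing collides.
	fmt.Println("with prefix:", OwnershipClashes("extdns-", SampleDesired()))
}
```

Running it lists `ii.nz` and `_acme-challenge.ii.nz` as clashes without a prefix and none with `extdns-`, which is the practical reason to always set a prefix before handing TXT records to DNSEndpoint.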

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot, May 16 '23 21:05

/lifecycle stale

k8s-triage-robot, Jan 20 '24 17:01

/remove-lifecycle stale

DerEnderKeks, Feb 09 '24 15:02

/lifecycle stale

k8s-triage-robot, May 09 '24 16:05

/remove-lifecycle stale

DerEnderKeks, May 09 '24 16:05

Wildcards are working for me on Cloudflare, but External DNS doesn't know it's a wildcard per se, so when subdomains in the Istio virtual services are added, it creates them too.

Confirmed it worked by omitting the virtual services from the External DNS sources and just keeping the Istio gateways, but I need to monitor the virtual services too for non-standard hostnames.

I understand this is likely working by accident instead of by design; it'd be nice for External DNS to confirm if it has a wildcard on record for that parent and, if so, not create the subdomain if it matches the same record value.

danielloader, Jun 06 '24 13:06
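The check danielloader asks for, as an added example rather than external-dns's own planner: before creating a record, look for an existing `*.parent` record of the same type and value and skip the child if one covers it. It also rejects names where `*` is not the whole leftmost label, the shape the provider error in the issue body is complaining about. Two caveats from RFC 4592 are built in, since they are where a naive version would go wrong: a wildcard only answers for names that do not exist at all, so a child that already has a record of any other type (say a lone TXT) must still get its own A record, and a name two or more labels below the wildcard can be cut off from it by an intermediate name, so only direct children are skipped. The `Endpoint` type, `rec` helper, and the sample zone and hostnames are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Endpoint is a local stand-in for one DNSEndpoint spec entry; it is not
// external-dns's own type, and this whole file is an added illustration.
type Endpoint struct {
	DNSName    string
	RecordType string
	Targets    []string
}

func rec(name, rtype string, targets ...string) Endpoint {
	return Endpoint{DNSName: name, RecordType: rtype, Targets: targets}
}

// norm canonicalises a name for comparison: lower-case, no trailing dot.
func norm(name string) string { return strings.TrimSuffix(strings.ToLower(name), ".") }

// IsWildcard is true only for a syntactically valid wildcard: RFC 4592 gives
// "*" meaning solely as the entire leftmost label, so "*.ii.nz" qualifies
// while "a*.ii.nz" or "foo.*.ii.nz" are names a provider rightly rejects.
func IsWildcard(name string) bool {
	n := norm(name)
	return strings.HasPrefix(n, "*.") && !strings.Contains(n[2:], "*")
}

// sameTargets compares two target sets ignoring order.
func sameTargets(a, b []string) bool {
	x, y := append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	return strings.Join(x, "\x00") == strings.Join(y, "\x00")
}

// ShadowedByWildcard reports whether ep would already be answered with the
// same data by a wildcard in existing. All of these must hold:
//   - an existing "*.parent" record of the same type and the same targets;
//   - ep is exactly one label below parent (a deeper name can be cut off
//     from the wildcard by an intermediate name, so stay conservative);
//   - no record of ANY type exists at ep's exact name: a wildcard only
//     matches names that do not exist, so a lone TXT at foo.parent turns an
//     A query for foo.parent into NODATA rather than the wildcard answer.
func ShadowedByWildcard(ep Endpoint, existing []Endpoint) bool {
	name := norm(ep.DNSName)
	for _, ex := range existing {
		if norm(ex.DNSName) == name {
			return false
		}
	}
	for _, ex := range existing {
		if !IsWildcard(ex.DNSName) || ex.RecordType != ep.RecordType {
			continue
		}
		child := strings.TrimSuffix(name, norm(ex.DNSName)[1:]) // strip ".parent"
		if child == name || child == "" || strings.Contains(child, ".") {
			continue
		}
		if sameTargets(ex.Targets, ep.Targets) {
			return true
		}
	}
	return false
}

// PlanCreates sorts desired endpoints into create / skipped-by-wildcard /
// invalid-name buckets; the last bucket never reaches the provider.
func PlanCreates(desired, existing []Endpoint) (create, skipped, invalid []Endpoint) {
	for _, ep := range desired {
		switch {
		case strings.Contains(ep.DNSName, "*") && !IsWildcard(ep.DNSName):
			invalid = append(invalid, ep)
		case ShadowedByWildcard(ep, existing):
			skipped = append(skipped, ep)
		default:
			create = append(create, ep)
		}
	}
	return create, skipped, invalid
}

// SampleZone is a constructed zone state (not real ii.nz data): the wildcard
// A record from the issue plus a lone TXT record at mail.ii.nz.
func SampleZone() []Endpoint {
	return []Endpoint{rec("*.ii.nz", "A", "103.233.62.77"), rec("mail.ii.nz", "TXT", "v=spf1 -all")}
}

// SampleDesired is a constructed set of hostnames as a VirtualService source might yield them.
func SampleDesired() []Endpoint {
	return []Endpoint{
		rec("app.ii.nz", "A", "103.233.62.77"),   // same data as the wildcard: skip
		rec("api.ii.nz", "A", "203.0.113.10"),    // different target: create
		rec("mail.ii.nz", "A", "103.233.62.77"),  // exact name already has a TXT: create
		rec("a.b.ii.nz", "A", "103.233.62.77"),   // two labels below the wildcard: create
		rec("foo.*.ii.nz", "A", "103.233.62.77"), // asterisk not the leftmost label: invalid
	}
}

func main() {
	create, skipped, invalid := PlanCreates(SampleDesired(), SampleZone())
	fmt.Println("create: ", create, "\nskipped:", skipped, "\ninvalid:", invalid)
}
```

The "exact name exists" check is the one to keep even if everything else is simplified: dropping a child record because a wildcard looks equivalent is only safe when nothing else lives at that name, otherwise the host silently stops resolving.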

/lifecycle stale

k8s-triage-robot, Sep 04 '24 13:09

/remove-lifecycle stale

Mareo, Sep 04 '24 14:09