route53 - Support for FQDN Record Names (without appended hosted zone names) (ACM validation records)

Open bongardino opened this issue 1 year ago • 4 comments

Description

Creating a RecordSet resource with spec.name as a fully qualified domain name (FQDN) ending with a period (.) throws an error.
This happens because the domain name corresponding to hostedZoneID is coerced into the spec.name as a suffix.

Steps to Reproduce

  1. Create an ACM certificate that requires DNS validation.

  2. Attempt to create a RecordSet for the validation CNAME record using the following spec:

    apiVersion: route53.services.k8s.aws/v1alpha1
    kind: RecordSet
    metadata:
      name: hello-world-cert-validation
      namespace: default
    spec:
      hostedZoneID: Z18NDHFOAV4GGH
      name: _231eec6e74d88e02592b9a8216e6ac46.hello-world.example.com.
      recordType: CNAME
      resourceRecords:
      - value: _55e2e41666e15565c76009875960fa96.zfyfvmchrl.acm-validations.aws.
      ttl: 60
    
  3. Observe the error:

    InvalidInput: FATAL problem: DomainLabelEmpty (Domain label is empty)
    encountered with '_231eec6e74d88e02592b9a8216e6ac46.hello-world.example.com..example.com'
    status code: 400, request id: <request-id>
    

Expected Behavior

The RecordSet should treat spec.name as an absolute FQDN because it ends with a period (.), and no further appending of the hosted zone domain should occur. This behavior is critical for creating ACM validation records, which require FQDNs.

Actual Behavior

The hosted zone domain is appended to the record name, resulting in a misconfigured domain name with duplicate suffixes (example.com..example.com).

Impact

This issue prevents the creation of DNS validation records required for ACM certificate validation via ACK.

Workarounds

  • Remove the trailing period from spec.name and allow Route 53 to append the hosted zone domain, but this doesn't match the requirements for ACM DNS validation.
  • Manually create the validation records using the AWS CLI or SDK, bypassing ACK entirely, but this workflow pushes outside of ACK and makes resources more difficult to manage.

Proposed Solution

ACK should support FQDNs in spec.name for RecordSet resources. If record names end with a period, don't append the hosted zone.

Environment

  • K8s Rev: v1.31.3-eks-56e63d8
  • route53-controller release: v0.0.19

Relevant Issues

  • https://github.com/aws/aws-cdk/issues/29149
  • https://github.com/hashicorp/terraform-provider-aws/issues/5237

bongardino avatar Dec 18 '24 05:12 bongardino
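
The rule proposed in the issue above, sketched as an added Go example that is not the route53-controller's own code: `ResolveRecordName` and `ErrOutsideZone` are hypothetical names, and the zone's domain is assumed to have been looked up from hostedZoneID already. Beyond the trailing-period rule, it rejects empty labels before any API call and refuses absolute names that fall outside the hosted zone.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrOutsideZone is returned when an absolute name is not under the zone.
var ErrOutsideZone = errors.New("record name is outside the hosted zone")

// ResolveRecordName is a hypothetical helper, not the controller's code.
// name is spec.name; zone is the hosted zone's domain ("example.com" or
// "example.com."). A trailing period marks name as an absolute FQDN, so the
// zone is not appended; any other name is treated as relative to the zone.
func ResolveRecordName(name, zone string) (string, error) {
	zone = strings.ToLower(strings.TrimSuffix(zone, ".")) + "."
	fqdn := strings.ToLower(name)
	if !strings.HasSuffix(fqdn, ".") {
		fqdn = fqdn + "." + zone // relative name: append the zone once
	}
	// Catch empty labels such as "example.com..example.com" locally.
	for _, label := range strings.Split(strings.TrimSuffix(fqdn, "."), ".") {
		if label == "" {
			return "", fmt.Errorf("empty domain label in %q", fqdn)
		}
	}
	// Match on ".zone" so "notexample.com." does not pass for "example.com.".
	if fqdn != zone && !strings.HasSuffix(fqdn, "."+zone) {
		return "", ErrOutsideZone
	}
	return fqdn, nil
}

func main() {
	// Record name taken from the spec in the issue; the zone is assumed.
	for _, n := range []string{
		"_231eec6e74d88e02592b9a8216e6ac46.hello-world.example.com.",
		"_231eec6e74d88e02592b9a8216e6ac46.hello-world",
		"_231eec6e74d88e02592b9a8216e6ac46.hello-world.example.com..example.com",
	} {
		fqdn, err := ResolveRecordName(n, "example.com.")
		fmt.Printf("%q -> %q, err=%v\n", n, fqdn, err)
	}
}
```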

Issues go stale after 180d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 60d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle stale

ack-bot avatar Aug 11 '25 21:08 ack-bot

Stale issues rot after 60d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 60d of inactivity. If this issue is safe to close now please do so with /close. Provide feedback via https://github.com/aws-controllers-k8s/community. /lifecycle rotten

ack-bot avatar Oct 10 '25 22:10 ack-bot

Rotten issues close after 60d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

ack-bot avatar Dec 09 '25 23:12 ack-bot

@ack-bot: Closing this issue.

In response to this:

Rotten issues close after 60d of inactivity. Reopen the issue with /reopen. Provide feedback via https://github.com/aws-controllers-k8s/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

ack-prow[bot] avatar Dec 09 '25 23:12 ack-prow[bot]