Open hh opened 1 year ago
In particular, TXT records seem to clash with the current method of tracking ownership, and creation of *.domain.tld A records fails due to an error about * being an invalid character.
@hh you can change the prefix to the ownership TXT records. So can't you use DNSEndpoint (external-dns CRD) to manage the TXT records?
I think NS records and wildcards should each be another issue, because we would need to discuss how this should work and if/how we want to support it.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, lifecycle/rotten is applied
lifecycle/rotten was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
Wildcards are working for me on Cloudflare, but External DNS doesn't know it's a wildcard per se so when subdomains in the istio virtual services are added, it creates them too.
Confirmed it worked by omitting the virtual services from the External DNS sources, and just kept the istio gateways - but I need to monitor the virtual services too for non standard hostnames.
I understand this is likely working by accident instead of by design; it'd be nice for External DNS to confirm if it has a wildcard on record for that parent and if so, don't create the subdomain if it matches the same record value.
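The check proposed in the comment above, sketched in Go as an added example (not external-dns code; `Record`, `CoveredByWildcard` and `Filter` are hypothetical names and the zone data is constructed). It also handles a case the comment does not mention: a name that already holds any record, such as an ownership TXT record, gets no wildcard answers, so its A record still has to be created.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a simplified record for this example (hypothetical type, not external-dns's own).
type Record struct{ Name, Type, Target string }
func norm(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// CoveredByWildcard: true if a wildcard on cand's immediate parent already returns the same type and target.
func CoveredByWildcard(existing []Record, cand Record) bool {
	name := norm(cand.Name)
	i := strings.Index(name, ".")
	if i < 0 || strings.HasPrefix(name, "*.") {
		return false // single label, or the candidate is itself a wildcard
	}
	wildcard, covered := "*."+name[i+1:], false
	for _, r := range existing {
		switch norm(r.Name) {
		case name:
			// Name exists (e.g. an ownership TXT), so no wildcard synthesis for it (RFC 4592).
			return false
		case wildcard:
			if r.Type == cand.Type && norm(r.Target) == norm(cand.Target) {
				covered = true
			}
		}
	}
	return covered
}

// Filter returns the desired records that still need to be created.
func Filter(existing, desired []Record) []Record {
	var out []Record
	for _, d := range desired {
		if !CoveredByWildcard(existing, d) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample records (documentation addresses).
	zone := []Record{{"*.example.com", "A", "203.0.113.10"}, {"db.example.com", "TXT", "owner=demo"}}
	fmt.Println(Filter(zone, []Record{{"app.example.com", "A", "203.0.113.10"}, {"db.example.com", "A", "203.0.113.10"}}))
}
```

Only the immediate parent is checked, as the comment proposes, so deeper names such as a.b.example.com are always created.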
Once this works, a domain can be created, a TLS wildcard cert issued, and a wildcard IP can route everything for the domain to a single ingress controller from scratch.
The goal is to create a cluster that hosts a dns-domain (via PowerDNS or similar) exposed to the public internet.
While by default it comes up with zero records, at a minimum NS records and A records are required:
I'd like to populate all these records from external-dns CRDs, but NS and wildcard *.domain.tld are currently unsupported afaik.
There is a cert-manager + external-dns PoC that seems interesting.
It does so by adding support for TXT records (diff) to external-dns and a cert-manager-webhook.
This allows for TXT record updates so my previously empty zone can respond to DNS01 verification requests.
This issue was created from a conversation in the #external-dns Slack channel.