kubernetes-sigs / external-dns

Configure external DNS servers (AWS Route53, Google CloudDNS and others) for Kubernetes Ingresses and Services
Apache License 2.0
7.68k stars 2.56k forks

Getting error: The domain name belongs to other users with alibabacloud dns provider #3625

Closed allurisravanth closed 1 year ago

allurisravanth commented 1 year ago

What happened: We recently upgraded the external dns version from 0.12.2 to 0.13.4. After the upgrade we see the following error in the external-dns pods:

Alibaba Cloud DNS: SDK.ServerError\nErrorCode: IncorrectDomainUser\nRecommend: https://next.api.aliyun.com/troubleshoot?q=IncorrectDomainUser&product=Alidns\nRequestId: 6F0CD720-98F8-5368-9C0E-3D64DE169834\nMessage: The domain name belongs to other users. Transfer the domain name to the current user and then try the binding and setting actions.

The pods themselves are in RUNNING state.

Anything else we need to know?:

When we reverted back to 0.12.2, it works as expected.

Environment:

allurisravanth commented 1 year ago

@stan-chen your PR https://github.com/kubernetes-sigs/external-dns/pull/3073 has modified the splitDNSName method. That seems to be the reason for this issue. For example, if we have a domain like a.b.c.container-service.top, then splitDNSName spits out the domain as container-service.top.

In our organization, we don't manage the top-level domain. It is globally managed and our user just manages the subdomain.

At least for get records we have this option to not pass any domain filters and get the subdomain correctly: https://github.com/kubernetes-sigs/external-dns/blob/master/provider/alibabacloud/alibaba_cloud.go#L377-L389

Can you suggest how to proceed here?

FYI @szuecs

szuecs commented 1 year ago

Either revert the PR or create a fix. I would be in favor of a fix provided by someone who can test it in Alibaba Cloud.

stan-chen commented 1 year ago

@allurisravanth

You mean that with the DescribeDomainRecords API you only have permission for the subdomain, but not for the top-level domain name?

allurisravanth commented 1 year ago

@stan-chen yes exactly, I can describe the domain records for the subdomain, but when I try to do it for the top-level domain I get this error: Message: The domain name belongs to other users. Transfer the domain name to the current user and then try the binding and setting actions. It's because our user doesn't manage that domain.

In our case the subdomain looks like this: a.b.c.d.vlab-cloudplatformdev.cn and the top-level domain is like: vlab-cloudplatformdev.cn

stan-chen commented 1 year ago

I understand that endpoint.DomainFilter.Filters should be used as a suffix match, instead of using this filter to query the domain name.

DescribeDomainRecords should not be able to use the record value to query.

For example:

subdomain.example.com is a subdomain name; using this subdomain name as a DescribeDomainRecords param can query all the records of this subdomain name.

But using aaa.subdomain.example.com as a DescribeDomainRecords param cannot return a value, because aaa.subdomain.example.com is not a valid zone (it will throw a "The specified domain name does not exist." error).

Therefore, using aaa.subdomain.example.com as DomainFilter.Filters will fail to get a list of matching domain records.

The fix should be similar to aws.route53: first list all Hosted Zones, and then query and match in turn.
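The zone-matching approach suggested in the comment above, shown as an added example; it is not code from external-dns or from any participant in this thread. The function names `naiveSplit` and `matchZone` and the zone list are hypothetical, `naiveSplit` is a simplified stand-in for the last-two-labels behaviour reported for splitDNSName, and `"@"` is assumed as the apex host record.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveSplit (hypothetical stand-in) always treats the last two labels as the
// zone, whether or not the calling account actually manages that zone.
func naiveSplit(name string) (rr, zone string) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	if len(labels) <= 2 {
		return "@", strings.Join(labels, ".")
	}
	n := len(labels) - 2
	return strings.Join(labels[:n], "."), strings.Join(labels[n:], ".")
}

// matchZone (hypothetical) picks the longest zone from the account's own zone
// list that is a label-aligned suffix of name. ok is false when no managed
// zone matches, so the caller never queries a zone owned by someone else.
func matchZone(name string, zones []string) (rr, zone string, ok bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	for _, z := range zones {
		z = strings.ToLower(strings.TrimSuffix(z, "."))
		if name != z && !strings.HasSuffix(name, "."+z) {
			continue // not this zone, or only a partial-label match
		}
		if len(z) > len(zone) {
			zone, ok = z, true
		}
	}
	if !ok {
		return "", "", false
	}
	if name == zone {
		return "@", zone, true // assumption: "@" denotes the zone apex
	}
	return strings.TrimSuffix(name, "."+zone), zone, true
}

func main() {
	// Constructed sample: the account manages only the delegated subdomain.
	zones := []string{"subdomain.example.com"}
	name := "aaa.subdomain.example.com"
	fmt.Println(naiveSplit(name))       // zone the account cannot access
	fmt.Println(matchZone(name, zones)) // zone the account manages
}
```

With the zone list coming from the account's own zone listing, a subdomain-scoped credential never asks for records of the parent domain.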

allurisravanth commented 1 year ago

@stan-chen can you please check if this PR fixes the issue? I have tested with regex filter, domain filters (with top-level domain, subdomain) and without any domain filters as well.

Please also check with your alicloud setup if this works for you as well.