ori-edge / k8s_gateway

A CoreDNS plugin to resolve all types of external Kubernetes resources
Apache License 2.0

Authoritative flag in NS answers #186

Closed ArsenyBelorukov closed 1 year ago

ArsenyBelorukov commented 1 year ago

Hi, thanks for the plugin! I noticed that k8s_gateway doesn't set the Authoritative flag for all answers on authoritative zones. At least in the answer to an NS record request (this is the main issue; bind9 waits for this flag when I delegate a subzone to k8s_gateway):

# dig NS example.domain @127.0.0.1 -p 1053

; <<>> DiG 9.10.6 <<>> NS example.domain @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63945
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.domain.            IN  NS

;; ANSWER SECTION:
example.domain.     60  IN  NS  exdns-k8s-gateway.exdns.example.domain.

;; ADDITIONAL SECTION:
exdns-k8s-gateway.exdns.example.domain. 60 IN A 10.65.245.194

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Mon Jan 23 21:59:46 GMT 2023
;; MSG SIZE  rcvd: 163

in the answer to an A record request for the apex:

dig A exdns-k8s-gateway.exdns.example.domain.  @127.0.0.1 -p 1053

; <<>> DiG 9.10.6 <<>> A exdns-k8s-gateway.exdns.example.domain. @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 267
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exdns-k8s-gateway.exdns.example.domain.    IN A

;; ANSWER SECTION:
exdns-k8s-gateway.exdns.example.domain. 60 IN A 10.65.245.194

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Mon Jan 23 22:01:34 GMT 2023
;; MSG SIZE  rcvd: 121

in the answer to A requests for nonexistent services (I am not sure how this should work in the case of chaining plugins):

dig A not-existing.service.example.domain.  @127.0.0.1 -p 1053

; <<>> DiG 9.10.6 <<>> A not-existing.service.example.domain. @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21120
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;not-existing.service.example.domain. IN    A

;; AUTHORITY SECTION:
example.domain.     60  IN  SOA exdns-k8s-gateway.exdns.example.domain. hostmaster.exdns-k8s-gateway.exdns.example.domain. 12345 7200 1800 86400 60

;; Query time: 0 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Mon Jan 23 22:02:47 GMT 2023
;; MSG SIZE  rcvd: 201

k8s_gateway is the authoritative server for the full zone and should set the Authoritative flag. What do you think?

Config is

k8s_gateway example.domain {
    apex exdns-k8s-gateway.exdns
    ttl 300
}

networkop commented 1 year ago

yep, makes sense. Looks like a bug.

ArsenyBelorukov commented 1 year ago

Looks good, but for apex it is still not authoritative

 dig exdns-k8s-gateway.exdns.example.domain.  @127.0.0.1 -p 1053

; <<>> DiG 9.10.6 <<>> exdns-k8s-gateway.exdns.example.domain. @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35471
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exdns-k8s-gateway.exdns.example.domain.    IN A

;; ANSWER SECTION:
exdns-k8s-gateway.exdns.example.domain. 60 IN A 10.65.245.194

;; Query time: 3 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Wed Jan 25 13:25:16 GMT 2023
;; MSG SIZE  rcvd: 121

ArsenyBelorukov commented 1 year ago

@networkop ^

There is no setting of Authoritative in apex.go

networkop commented 1 year ago

@ArsenyBelorukov can you try the latest 731bfdc tag?

ArsenyBelorukov commented 1 year ago

@networkop 731bfdc works! Thanks!

➜  k8s_gateway git:(master) ✗ dig exdns-k8s-gateway.exdns.example.domain.  @127.0.0.1 -p 1053

; <<>> DiG 9.10.6 <<>> exdns-k8s-gateway.exdns.example.domain. @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48859
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exdns-k8s-gateway.exdns.example.domain.    IN A

;; ANSWER SECTION:
exdns-k8s-gateway.exdns.example.domain. 60 IN A 10.65.245.194

;; Query time: 1 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Thu Jan 26 16:56:09 GMT 2023
;; MSG SIZE  rcvd: 121

networkop commented 1 year ago

cool. I'll include this in the next release
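
The difference between the `flags: qr rd` and `flags: qr aa rd` lines in the dig outputs above is a single bit in the DNS header. As an added example (not part of the thread or of the k8s_gateway code), this Go program decodes that header from raw bytes so the AA bit can be checked in a test or a monitoring probe; `ParseHeader`, `Header` and the sample byte slices are names and data constructed for this illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Header holds the parts of the 12-byte DNS header (RFC 1035, section 4.1.1)
// that matter for the check discussed in the thread.
type Header struct {
	ID    uint16
	Flags string // dig-style flag names, e.g. "qr aa rd"
	AA    bool   // Authoritative Answer bit
	Rcode uint8  // 0 = NOERROR, 3 = NXDOMAIN
}

var flagBits = []struct {
	mask uint16
	name string
}{{0x8000, "qr"}, {0x0400, "aa"}, {0x0200, "tc"}, {0x0100, "rd"}, {0x0080, "ra"}}

// ParseHeader decodes the header of a raw DNS message.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("DNS message shorter than 12-byte header")
	}
	bits := binary.BigEndian.Uint16(msg[2:4])
	var names []string
	for _, f := range flagBits {
		if bits&f.mask != 0 {
			names = append(names, f.name)
		}
	}
	return Header{ID: binary.BigEndian.Uint16(msg[0:2]), Flags: strings.Join(names, " "),
		AA: bits&0x0400 != 0, Rcode: uint8(bits & 0x000F)}, nil
}

// Constructed samples: header bytes equivalent to the dig header lines for the
// apex A query before (id 35471) and after (id 48859) the fix; bodies omitted.
var beforeFix = []byte{0x8A, 0x8F, 0x81, 0x00, 0, 1, 0, 1, 0, 0, 0, 1}
var afterFix = []byte{0xBE, 0xDB, 0x85, 0x00, 0, 1, 0, 1, 0, 0, 0, 1}

func main() {
	for _, m := range [][]byte{beforeFix, afterFix} {
		h, _ := ParseHeader(m)
		fmt.Printf("id %d flags: %s; authoritative=%v\n", h.ID, h.Flags, h.AA)
	}
}
```

The same check applies to the NXDOMAIN case in the first comment: the response code sits in the low four bits of the same flags word, independent of AA.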