external-dns: TXT records created for aliases in AWS Route 53 have wrong record type prefix

What happened:

When the “aws” provider creates DNS records for hostnames that point at AWS ELBs (such as endpoints extracted from a Kubernetes Service or Ingress), the target hostnames don’t parse as IP addresses, so ExternalDNS decides the endpoints warrant a record of type CNAME. Because the target hostname discovered from the Ingress’s status sits within a canonical hosted zone, ExternalDNS further decides that the record should be an alias to the target ELB’s DNS record. Later, when composing the changes to send to the Route 53 service, ExternalDNS changes its mind and uses an A record instead. At that point, ExternalDNS leaves the endpoint.Endpoint’s “RecordType” field at its original value, endpoint.RecordTypeCNAME (“CNAME”).

That sets us up to create an A record for an endpoint.Endpoint that still represents a CNAME record. ExternalDNS then adds the TXT ownership records to the change batch, consulting the endpoint.Endpoint’s “RecordType” field and finding it to be “CNAME.” This yields a TXT record prefix of “cname-” even though it should probably be “a-”, if the goal is for the TXT records to indicate which of several primary records they describe.

What you expected to happen:

ExternalDNS will create a TXT record with a prefix indicating the same primary record type that the TXT record describes. In this case, since the primary record type created in Route 53 turns out to be A, I expect the TXT record’s prefix to be “a-” instead of “cname-.”

How to reproduce it (as minimally and precisely as possible):

In a Kubernetes cluster running within AWS EC2, create a Service of type “LoadBalancer,” and allow ExternalDNS to discover the endpoint and its target by using either the “service” or “ingress” source.

Inspect the Route 53 service to see that ExternalDNS creates a primary record of type A, as an alias to the target AWS-hosted load balancer. Note too that ExternalDNS creates a TXT record with a prefix of “cname-” instead of “a-.”

Anything else we need to know?:

In order to align the record type mentioned by these primary and TXT records, we need to make the TXT registry portion of ExternalDNS aware of the late decision that the AWS provider makes to use an A record instead. I am not sure whether other providers make similar overriding decisions when composing changes.
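A small check for the symptom described above, added here and not part of this report or of ExternalDNS: it scans a zone’s record names and types (the Record type and the list of registry prefixes are assumptions for the example) and reports ownership TXT records whose type prefix disagrees with the primary record that actually exists at the base name.

```go
package main

import "strings"

// Record is a minimal view of a Route 53 resource record set; this type is
// constructed for the example and is not the project's or the AWS SDK's.
type Record struct {
	Name string // fully qualified, no trailing dot
	Type string // "A", "CNAME", "TXT", ...
}

// Record-type prefixes the TXT registry puts in front of ownership record names.
var registryPrefixes = []string{"a", "aaaa", "cname", "ns", "srv", "mx", "txt"}

// splitPrefix returns the type named by a "<type>-" prefix, the base name, and ok.
func splitPrefix(name string) (string, string, bool) {
	for _, p := range registryPrefixes {
		if strings.HasPrefix(name, p+"-") {
			return strings.ToUpper(p), strings.TrimPrefix(name, p+"-"), true
		}
	}
	return "", "", false
}

// Mismatches reports ownership TXT records whose prefix disagrees with the primary record's type.
func Mismatches(records []Record) []string {
	hasType := map[string]bool{}   // "name|TYPE" seen in the zone
	primary := map[string]string{} // name -> last non-TXT type seen
	for _, r := range records {
		hasType[r.Name+"|"+r.Type] = true
		if r.Type != "TXT" {
			primary[r.Name] = r.Type
		}
	}
	var out []string
	for _, r := range records {
		want, base, ok := splitPrefix(r.Name)
		if r.Type != "TXT" || !ok || hasType[base+"|"+want] {
			continue // not an ownership record, no prefix, or prefix agrees
		}
		if got, exists := primary[base]; exists {
			out = append(out, r.Name+" claims "+want+" but "+base+" is "+got)
		}
	}
	return out
}

func main() { // constructed two-record zone reproducing the report
	println(Mismatches([]Record{{"cname-x.example.com", "TXT"}, {"x.example.com", "A"}})[0])
}
```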

Environment:

  • External-DNS version: 0.12.0
  • DNS provider: aws (AWS Route 53)
  • Others: Source is Kubernetes Ingress

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 41
  • Comments: 15 (2 by maintainers)

Most upvoted comments

What I see is two guard records being produced: one with the same name as the ‘A’ record and one with the ‘cname-’ prefix.

So, will there be any fix for that behaviour? I need to pin the tag version (0.11.1-debian-10-r27) due to this.

Version v0.12.2

Args

      containers:
      - args:
        - --log-level=info
        - --namespace=mis-feature
        - --publish-host-ip
        - --aws-batch-change-size=20
        - --domain-filter=mis.example.com
        - --interval=2m
        - --policy=upsert-only
        - --provider=aws
        - --source=ingress
        - --source=service
        - --registry=txt
        - --txt-owner-id=use-feature

Redacted Kubernetes Resources

---
apiVersion: v1
kind: Service
metadata:
  name: unified-theatre
  annotations:
    external-dns.alpha.kubernetes.io/alias: "true"
    external-dns.alpha.kubernetes.io/hostname: us.example.com
    external-dns.alpha.kubernetes.io/ingress-hostname-source: annotation-only
    external-dns.alpha.kubernetes.io/aws-weight: "255"
    external-dns.alpha.kubernetes.io/set-identifier: us-east-1
spec:
  type: ExternalName
  externalName: use.example.com
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: unified-region
  annotations:
    external-dns.alpha.kubernetes.io/alias: "true"
    external-dns.alpha.kubernetes.io/hostname: use.example.com
    external-dns.alpha.kubernetes.io/ingress-hostname-source: annotation-only

Redacted Route53 records

Record name Type Policy Weight Value/Route traffic to
cname-us-feature.mis.example.com TXT Weighted 255 “heritage=external-dns,external-dns/owner=use-feature,external-dns/resource=service/mis-feature/unified-theatre”
cname-use-feature.mis.example.com TXT Simple - “heritage=external-dns,external-dns/owner=use-feature,external-dns/resource=ingress/mis-feature/unified-region”
use.feature.mis.example.com A Simple - 10.93.177.118
us-feature.mis.example.com A Weighted 255 use-feature.mis.example.com.
us-feature.mis.example.com TXT Weighted 255 “heritage=external-dns,external-dns/owner=use-feature,external-dns/resource=service/mis-feature/unified-theatre”
use-feature.mis.example.com A Simple - internal-k8s-misfeatu-unifiedr-201835383a-1018808261.us-east-1.elb.amazonaws.com.
use-feature.mis.example.com TXT Simple - “heritage=external-dns,external-dns/owner=use-feature,external-dns/resource=ingress/mis-feature/unified-region”