k8gb-io / coredns-crd-plugin Goto Github PK

Although we have quite good coverage by unittests, cover Weight Round Robin by terratests .

https://github.com/k8gb-io/coredns-crd-plugin/security/dependabot currently reports the following vulnerabilities:

According to RFCs (https://tools.ietf.org/rfcmarkup?doc=2308#section-2.2, https://tools.ietf.org/html/rfc6147#section-5.1.2, https://tools.ietf.org/html/rfc4074#section-3),
coredns-crd-plugin should respond with NODATA (=RCODE 0 (NoError)+empty answer section), in case if AAAA requests are not supported, especially if there's A type of record available:

https://tools.ietf.org/html/rfc4074#section-3:

3.  Expected Behavior

    Suppose that an authoritative server has an A RR but has no AAAA RR
    for a host name.  Then, the server should return a response to a
    query for an AAAA RR of the name with the response code (RCODE) being
    0 (indicating no error) and with an empty answer section (see
    Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
    there is at least one RR of a different type than AAAA for the
    queried name, and the stub resolver can then look for A RRs.

    This way, the caching server can cache the fact that the queried name
    has no AAAA RR (but may have other types of RRs), and thus improve
    the response time to further queries for an AAAA RR of the name.

After recent change brought by #8, coredns-crd-plugin now returns RCODE 3 (NxDomain) for AAAA DNS queries.

This behavior is marked as problematic in RFCs:

https://tools.ietf.org/html/rfc4074#section-4.2:

4.2.  Return "Name Error"

    This type of server returns a response with RCODE 3 ("Name Error") to
    a query for an AAAA RR, indicating that it does not have any RRs of
    any type for the queried name.

    With this response, the stub resolver may immediately give up and
    never fall back.  Even if the resolver retries with a query for an A
    RR, the negative response for the name has been cached in the caching
    server, and the caching server will simply return the negative
    response.  As a result, the stub resolver considers this to be a
    fatal error in name resolution.

https://tools.ietf.org/html/rfc6147#section-5.1.2:

   It is important to note that, as of this writing, some servers
   respond with RCODE=3 to a AAAA query even if there is an A record
   available for that owner name.  Those servers are in clear violation
   of the meaning of RCODE 3, and it is expected that they will decline
   in use as IPv6 deployment increases.

If #8 addresses a corner case of particular DNS infra not behaving according to standards, then this behavior should be at least made optional, and disabled by default.

Consider to use stack structure for particular messages in container package. If all plugins pass, write message by message from the stack otherwise write only messages till failed plugin.

* currently we merge all changes into one message till broken plugin and write it down once, anyway, then we lose the possibility that if something goes wrong in the message writing, we lose all the changes at once.

k8s_crd plugin works well but will be extended which requires extra changes.

As plugin growths and more functionality is required, the k8s_crd plugin must execute multiple independent parts (another plugins / subplugins).

Currently the plugin has one larger function ServeDNS making core logic, but extending new - independent functionality leads to mixing with the old functionality.

Consider how to refactor k8s_crd to be able to run independent modules and keep them maintainable, testable. (e.g: by extending middleware (multiple ServeDNS funcs)? / run all in one ServeDNS but as submodules ? ….).

nit: look at configuration :

  {{ .Values.k8gb.dnsZone }}:5353 {
        errors
        health
        ready
        prometheus 0.0.0.0:9153
        forward . /etc/resolv.conf
        k8s_crd {
            loadbalance weight
            resources DNSEndpoint
            filter k8gb.absa.oss/dnstype=local
            negttl {{ .Values.k8gb.dnsZoneNegTTL }}
        }
    }

^^^ consider if changes are necessary as well.

basic_test terratest racing in Github workflow.

Investigate and fix the issue

Make it possible to explicitly activate debug mode, which would also display messages log.Debugf(...).

• See if it's already in CoreDNS somewhere
• k8s_crd plugin may be producing too many INFO messages, try overwriting them with DEBUG
• find places where it would be useful to add DEBUG and extend the plugin to include those places
• take inspiration from k8gb, e.g: see this

please see identical k8gb issue:

• k8gb-io/k8gb#965