[WIP] NE-2118: Enable AAAA filtering via CoreDNS template plugin

[grzpiotrowski]

Adds enhancements/dns/coredns-custom-ipv6-template-plugin.md for configuring CoreDNS template plugins through the DNS operator API.

This enhancement introduces a templates field in the DNS operator API to enable AAAA query filtering and custom IPv6 response generation. The primary use case is filtering AAAA queries in IPv4-only clusters where dual-stack applications query for both A and AAAA records, causing CoreDNS to forward unresolvable AAAA queries to upstream resolvers.

The proposal was initially drafted using the /add-enhancement ai-helper command and reviewed and edited by the author.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@grzpiotrowski: This pull request references NE-2118 which is a valid jira issue.

Details

In response to this:

Adds enhancements/dns/coredns-custom-ipv6-template-plugin.md for configuring CoreDNS template plugins through the DNS operator API.

This enhancement introduces a templates field in the DNS operator API to enable AAAA query filtering and custom IPv6 response generation. The primary use case is filtering AAAA queries in IPv4-only clusters where dual-stack applications query for both A and AAAA records, causing CoreDNS to forward unresolvable AAAA queries to upstream resolvers.

The proposal was initially drafted using the /add-enhancement ai-helper command and reviewed and edited by the author.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign knobunc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• enhancements/dns/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[alebedev87]

Initial review. I will need more time to think about the API and the place of template plugin in zone blocks.

[alebedev87]

Suggested change

	In IPv4-only clusters, dual-stack applications query for both A and AAAA
	records. CoreDNS forwards unresolvable AAAA queries to upstream resolvers,
	In IPv4-only clusters, applications may query for both A and AAAA
	records. CoreDNS forwards unresolvable AAAA queries to upstream resolvers,

Stub resolvers like the one from glibc will try to send both DNS queries even on a single stack IPv4 Kubernetes clusters. getaddrinfo() function from glibc does exactly this it tries to shield the user space application from details of different ip families and returns a list of addrinfo. From the man page:

The getaddrinfo() function combines the functionality provided by the gethostbyname(3) and getservbyname(3) functions into a single interface, but unlike the latter functions, getaddrinfo() is reentrant and allows programs to eliminate IPv4-versus-IPv6 dependencies.

Specifying hints as NULL is equivalent to setting ai_socktype and ai_protocol to 0; ai_family to AF_UNSPEC;

hints.ai_family = AF_UNSPEC; /* Allow IPv4 or IPv6 */

[grzpiotrowski]

Done.

[alebedev87]

Also we can mention the fact that this allows a central cluster wide configuration. As opposed to more tedious (from customers) configuration which needs to be done in every pod (dnsConfig can be used in the pod spec to set option no-aaaa).

[alebedev87]

Would be good if we can phrase it in a way to highlight the fact that the cluster admin wants to make it a central (single for the whole cluster) configuration.

[grzpiotrowski]

Rephrased now as suggested.

[alebedev87]

That's a good point. I didn't think of it, the template plugin provides some built in metrics.

[alebedev87]

I'm not quite sure about NXDOMAIN response code. This may be disruptive for dns clients, I can think of a dns client which may interpret AAAA's NXDOMAIN response as "don't try A query and go to the next search domain". To be double checked on a real cluster. Also, the initial request was for NOERROR code only, going beyond this is possible but we need to have a strong reason.

[grzpiotrowski]

Right, I was trying to take the extendability of the API into account but didn't think this one through and definitely not a place for the NXDOMAIN in the current goals. Removed that now.

[alebedev87]

I suppose that this is just an example of how we can extend the API to do answer stanza, right? We will have to remove it from the final version of the EP but for now we can keep it to help us design an extensible API.

[grzpiotrowski]

Yes this wouldn't be in the scope now. Though with the future extensibility in mind.

[alebedev87]

Interesting point. How do you think the DNS operator can detect a dual-stack setup? And how this will translate into Corefile instructions?

[grzpiotrowski]

The operator can get the Network config and check if the ClusterNetwork has a IPv6 CIDR.
If we detect one, then we would have a fallthrough inserted conditionally in the corefile kubernetes plugin.

      template IN AAAA . {
          match "^(.*\.)?cluster\.local\.$"
          fallthrough # This would skip to the next plugin (kubernetes)
      }

      template IN AAAA . {
          rcode NOERROR
      }

      kubernetes cluster.local in-addr.arpa ip6.arpa {
          pods insecure
          fallthrough in-addr.arpa ip6.arpa
      }

Actually more to consider here since the order of executing the plugins doesn't depend on the corefile order but rather on the coredns plugin.cfg.

[alebedev87]

Which template plugin's stanza rewrite or redirect map to? Or you meant to use template field as an umbrella for rewrite plugin too?

[grzpiotrowski]

This doesn't seem to make much sense looking at it again. Putting rewrite and redirect or any other plugins for that matter under the template field would be a confusing design.
If there are any other plugin implemented in the future I reckon they should be all kept separated.

[alebedev87]

If there are any other plugin implemented in the future I reckon they should be all kept separated.

Not necessary, we may try to combine similar plugins under the same DNS API. However as of now, it may complicate the design without an explicit requirement for it. The rewrite pluigin is something which we considered as an implementation for AAAA filtering however it appeared to be 1) trying to cover some legacy stack usecases (pre Happy eyeballs dns clients which send AAAA query first), 2) more "hacky" (may cause problems for some dns clients) while template plugin seems to give more standard (predictable for dns clients) api.

[alebedev87]

So dns.spec.templates will be applied only for the default block? I need to think about it more but just to understand - what was your reasoning?

[alebedev87]

After giving it another though. I think adding the template to all servers is what we makes most sense at least for the first iteration (simple, "in one place" filtering).

An alternative would be add another API field to DNS.spec.servers to explicitly configure each upstream server.

[alebedev87]

We should not forget origin tests needed for the featuregate promotion.

[grzpiotrowski]

Right, added mention of the origin tests.

[alebedev87]

One thing I missed in the first iteration. Since it's a slice, what the fallthrough behavior we are anticipating here?

Seems like without regex matching having multiple templates may be not useful:

fallthrough Continue with the next template instance if the template’s ZONE matches a query name but no regex match. If there is no next template, continue resolution with the next plugin.

Another phrase attracted my attention too:

Without fallthrough, when the template’s ZONE matches a query but no regex match then a SERVFAIL response is returned.

Does it mean that we should consider adding regex to the API to not get SERVFAIL? Something to be checked.

[grzpiotrowski]

I think without the match in the implementation we won't be affected by the SERVFAIL scenario as the template would execute when the zone matches and if it doesn't match, then it would skip over to the next template.
api spec:

spec:
  templates:
    - name: some-filter
      zones: ["some.example.com"]
      queryType: AAAA
      action:
        returnEmpty:
          rcode: NOERROR

    - name: global-filter
      zones: ["."]
      queryType: AAAA
      action:
        returnEmpty:
          rcode: NOERROR

corefile:

.:5353 {
    template IN AAAA some.example.com {
        rcode NOERROR
    }

    template IN AAAA . {
        rcode NOERROR
    }

    kubernetes cluster.local ...
}

[alebedev87]

the template would execute when the zone matches and if it doesn't match, then it would skip over to the next template.

Did you test this?

[Miciah]

/assign

[candita]

/cc
/assign @alebedev87 @bentito

[alebedev87]

Another look. Main things which may need another iteration:

• Special treatment of dual stack clusters, I would like to avoid it to simplify the implementation.
• Action API field and it's forward thinking design to support multiple actions.
• Template ordering by zone, I would prefer to avoid any complex interpretation of the API on the operator side.
• Template fallthrough, I'm still not quite convinced we need it to support multiple templates.

Apart from this, if other comments are addressed I think we are fine to convert from a draft to a real EP.

[alebedev87]

Suggested change

	without maintaining external DNS infrastructure. The CoreDNS template plugin
	supports both use cases but lacks operator API integration.
	without maintaining external DNS infrastructure. The CoreDNS [template plugin](https://coredns.io/plugins/template/) supports both use cases but lacks operator API integration.

[alebedev87]

Everything which follows "Protect dual-stack clusters with cluster.local exclusions"is providing too many details for Goals section. They would better belong in Proposal or Implementation Details section.

[alebedev87]

The word "unresolvable" caught my attention. I think I understand what you meant. A use case when AAAA query goes to upstream resolvers configured for the default zone, that is, which were not resolved by the kubernetes plugin. However 1) we may have additional servers whose blocks precede the default zone, 2) the interpretation of the word can catch attestation. I think saying simply this would avoid any misinterpretation:

Suggested change

	records. CoreDNS forwards unresolvable AAAA queries to upstream resolvers,
	records. CoreDNS forwards AAAA queries to upstream resolvers,

[alebedev87]

Not sure if necessary.

If we won't use it in the implementation (or API, as a discriminant for instance), it won't make sense to keep at it as this will be additional work for us and for users.

[alebedev87]

Thanks for clarifying. You are right that we should think about use cases in which users can harm themselves. However 1) the template API is optional; 2) this restriction can work against us in the future as it'll limit our freedom in where to put the template plugin (in Corefile) and how to extend the API with regexp matching and new actions. So, unless you have any strong reason I didn't find, I think that we can keep the API and implementation simplier and do something later of an explicit user requirement will come up.

[alebedev87]

As I mentioned in the comment for the action API, we need to design the API thinking about not blocking future use cases which may include multiple actions on a plugin (e.g. rcode + authority).

[alebedev87]

I thought template <zone(s)> {} stanza can accept multiple zones (all zones from Zones slice): template IN AAAA zone1.com zone2.com {}.

[alebedev87]

After giving it another though. I think adding the template to all servers is what we makes most sense at least for the first iteration (simple, "in one place" filtering).

An alternative would be add another API field to DNS.spec.servers to explicitly configure each upstream server.

[alebedev87]

the template would execute when the zone matches and if it doesn't match, then it would skip over to the next template.

Did you test this?

[alebedev87]

Do you mean options no-aaaa from /etc/resolv.conf which can be configured in the pod spec? If so, can you please detail this.