Bug 1943826 - CoreDNS caches NXDOMAIN responses for up to 900 seconds
Summary: CoreDNS caches NXDOMAIN responses for up to 900 seconds
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 4.7.z
Assignee: Stephen Greene
QA Contact: Arvind iyengar
URL:
Whiteboard:
Depends On: 1943578
Blocks: 1944245
TreeView+ depends on / blocked
 
Reported: 2021-03-27 18:23 UTC by OpenShift BugZilla Robot
Modified: 2022-08-04 22:39 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Bug 1936587 set the global CoreDNS cache max TTL to 900 seconds. Consequence: NXDOMAIN records received from upstream resolvers are cached for 900 seconds. Fix: Explicitly cache negative DNS response records for maximum 30 seconds. Result: Resolving domains that are in the process of being published does not take at minimum 15 minutes.
Clone Of:
Environment:
Last Closed: 2021-04-12 23:22:57 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift cluster-dns-operator pull 254 0 None open [release-4.7] Bug 1943826: Corefile: Use 30 second max TTL for caching of negative responses 2021-03-30 20:23:11 UTC
Red Hat Product Errata RHBA-2021:1075 0 None None None 2021-04-12 23:23:07 UTC

Comment 1 Arvind iyengar 2021-03-31 05:57:43 UTC
Verified in "4.7.0-0.ci.test-2021-03-31-042927-ci-ln-sv7y39b". With this payload it is observed that the additional configuration of 30 second TTL for negative records get set by default along with 900 seconds for positive record in cache plugin section:
-----
Defaulting container name to dns.
Use 'oc describe pod/dns-default-chmn9 -n openshift-dns' to see all of the containers in this pod.
.:5353 {
    errors
    health {
        lameduck 20s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        upstream
        fallthrough in-addr.arpa ip6.arpa
    }
    prometheus 127.0.0.1:9153
    forward . /etc/resolv.conf {
        policy sequential
    }
    cache 900 {
        denial 9984 30
    }
    reload
}
-----

Comment 3 Hongan Li 2021-04-02 00:45:52 UTC
merged in 4.7.0-0.nightly-2021-04-01-052823, moving to verified per #Comment 1

(should be verified by bot but seems it missed this one)

Comment 6 errata-xmlrpc 2021-04-12 23:22:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.6 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1075


Note You need to log in before you can comment on or make changes to this bug.