Bug 2006803 - Set CoreDNS cache entries for forwarded zones
Summary: Set CoreDNS cache entries for forwarded zones
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Shudi Li
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-22 13:03 UTC by arajapa
Modified: 2022-12-01 13:05 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The DNS operator did not enable the cache plugin for server blocks in the CoreDNS Corefile configmap corresponding to entries in the spec.servers field of the dnses.operator.openshift.io/default object.
Consequence: CoreDNS did not cache responses from upstream resolvers that were configured using spec.servers.
Fix: The DNS operator was changed to enable the cache plugin for all server blocks, using the same parameters that the operator already configured for the default server block.
Result: CoreDNS now caches responses from all upstream resolvers.
Clone Of:
Environment:
Last Closed: 2022-03-10 16:12:32 UTC
Target Upstream Version:
Embargoed:




Links
- GitHub: openshift/cluster-dns-operator pull 296, Merged: Bug 2006803: Set CoreDNS cache entries for forwarded zones (last updated 2022-01-11 16:10:02 UTC)
- Red Hat Product Errata: RHSA-2022:0056 (last updated 2022-03-10 16:13:04 UTC)

Comment 3 Shudi Li 2021-09-24 02:11:24 UTC
Verified it with 4.10.0-0.nightly-2021-09-23-031209

1.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-09-23-031209   True        False         14h     Cluster version is 4.10.0-0.nightly-2021-09-23-031209
%

2. Modify the default dns operator by adding 3 forwarding zones
% oc edit dns.operator/default

spec:
  nodePlacement: {}
  servers:
  - forwardPlugin:
      upstreams:
      - 1.1.1.1
      - 2.2.2.2:5353
    name: foo-server
    zones:
    - foo.com
  - forwardPlugin:
      upstreams:
      - 3.3.3.3
      - 4.4.4.4:5454
    name: bar-server
    zones:
    - bar.com
    - example.com
  - forwardPlugin:
      upstreams:
      - 5.5.5.5
      - 6.6.6.6
      - 7.7.7.7
    name: customer-3-server
    zones:
    - www.google.12345678901234567890123456789012345678901234567890.com
    - sina.test.com
    - test12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde.gov


3. check the ConfigMap of dns-default

% oc -n openshift-dns get cm dns-default -oyaml
apiVersion: v1
data:
  Corefile: |
    # foo-server
    foo.com:5353 {
        forward . 1.1.1.1 2.2.2.2:5353
        errors
        bufsize 512
        cache 900 {
            denial 9984 30
        }
    }
    # bar-server
    bar.com:5353 example.com:5353 {
        forward . 3.3.3.3 4.4.4.4:5454
        errors
        bufsize 512
        cache 900 {
            denial 9984 30
        }
    }
    # customer-3-server
    www.google.12345678901234567890123456789012345678901234567890.com:5353 sina.test.com:5353 test12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde.gov:5353 {
        forward . 5.5.5.5 6.6.6.6 7.7.7.7
        errors
        bufsize 512
        cache 900 {
            denial 9984 30
        }
    }
    .:5353 {
        bufsize 512
        errors
        health {
            lameduck 20s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
        }
        prometheus 127.0.0.1:9153
        forward . /etc/resolv.conf {
            policy sequential
        }
        cache 900 {
            denial 9984 30
        }
        reload
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2021-09-23T10:21:09Z"
  labels:
    dns.operator.openshift.io/owning-dns: default
  name: dns-default
  namespace: openshift-dns
  ownerReferences:
  - apiVersion: operator.openshift.io/v1
    controller: true
    kind: DNS
    name: default
    uid: 2bfacddb-9ac1-4560-8616-3d40124e9abe
  resourceVersion: "283359"
  uid: 02529d78-9e23-4041-9738-6af88f6dc6c1
%

4. get the dns pods
% oc get pods -n openshift-dns
NAME                  READY   STATUS    RESTARTS   AGE
dns-default-bprz2     2/2     Running   0          15h
dns-default-fhl6g     2/2     Running   0          15h
dns-default-gcbvv     2/2     Running   0          15h
dns-default-k6ttw     2/2     Running   0          15h
dns-default-qdgn7     2/2     Running   0          15h
dns-default-zxszb     2/2     Running   0          15h
node-resolver-5l2xz   1/1     Running   0          15h
node-resolver-9lfbn   1/1     Running   0          15h
node-resolver-c5tf8   1/1     Running   0          15h
node-resolver-hmbvf   1/1     Running   0          15h
node-resolver-k7tv2   1/1     Running   0          15h
node-resolver-ndczg   1/1     Running   0          15h
%

5. Check the Corefile in all the dns-default pods
% oc -n openshift-dns rsh dns-default-bprz2
Defaulted container "dns" out of: dns, kube-rbac-proxy
sh-4.4# 
sh-4.4# cat /etc/coredns/Corefile
# foo-server
foo.com:5353 {
    forward . 1.1.1.1 2.2.2.2:5353
    errors
    bufsize 512
    cache 900 {
        denial 9984 30
    }
}
# bar-server
bar.com:5353 example.com:5353 {
    forward . 3.3.3.3 4.4.4.4:5454
    errors
    bufsize 512
    cache 900 {
        denial 9984 30
    }
}
# customer-3-server
www.google.12345678901234567890123456789012345678901234567890.com:5353 sina.test.com:5353 test12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde12345abcde.gov:5353 {
    forward . 5.5.5.5 6.6.6.6 7.7.7.7
    errors
    bufsize 512
    cache 900 {
        denial 9984 30
    }
}
.:5353 {
    bufsize 512
    errors
    health {
        lameduck 20s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    prometheus 127.0.0.1:9153
    forward . /etc/resolv.conf {
        policy sequential
    }
    cache 900 {
        denial 9984 30
    }
    reload
}
sh-4.4#
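As an added check (example code, not part of this bug report and not code from cluster-dns-operator), the script below automates what the Doc Text and the verification steps above establish by eye: it splits a Corefile into its server blocks and reports every block whose cache plugin is missing or configured differently from the default `.:5353` block. The post-fix sample is abridged from the Corefile shown in Comment 3; the pre-fix sample is constructed to match the shape the Doc Text describes. The parser only understands the brace-delimited subset of Corefile syntax that appears on this page.

```python
"""Audit a CoreDNS Corefile: every server block must enable the cache plugin
with the same parameters as the default (".:5353") server block.
Added example; not code from cluster-dns-operator."""
import re

# Abridged from the post-fix Corefile shown in the verification comment.
FIXED_COREFILE = """\
# foo-server
foo.com:5353 {
    forward . 1.1.1.1 2.2.2.2:5353
    errors
    cache 900 {
        denial 9984 30
    }
}
bar.com:5353 example.com:5353 {
    forward . 3.3.3.3 4.4.4.4:5454
    cache 900 {
        denial 9984 30
    }
}
.:5353 {
    forward . /etc/resolv.conf {
        policy sequential
    }
    cache 900 {
        denial 9984 30
    }
}
"""

# Constructed sample of the pre-fix shape the Doc Text describes: a forwarded
# block without the cache plugin, plus one with different cache parameters.
PRE_FIX_COREFILE = """\
foo.com:5353 {
    forward . 1.1.1.1 2.2.2.2:5353
}
bar.com:5353 example.com:5353 {
    forward . 3.3.3.3 4.4.4.4:5454
    cache 300
}
.:5353 {
    forward . /etc/resolv.conf
    cache 900 {
        denial 9984 30
    }
}
"""


def parse_corefile(text):
    """Parse server blocks into (zone_keys, plugins) pairs. plugins maps a
    plugin name to its directive line plus the lines of its nested block."""
    blocks, zones, plugins, current, depth = [], [], {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0:                      # "zone[:port] ... {" opens a server block
            zones, plugins, depth = line.rstrip("{").split(), {}, 1
        elif line == "}":                   # closes a nested plugin block or the server block
            depth -= 1
            if depth == 0:
                blocks.append((zones, plugins))
        elif depth == 1:                    # plugin directive directly inside the server block
            current = line.split()[0]
            plugins[current] = [line]
            if line.endswith("{"):
                depth += 1
        else:                               # line inside a plugin's nested block
            plugins[current].append(line)
            if line.endswith("{"):
                depth += 1
    return blocks


def cache_settings(plugins):
    """Normalise the cache plugin's lines so two blocks can be compared."""
    if "cache" not in plugins:
        return None
    return tuple(re.sub(r"\s+", " ", l.rstrip("{ ")) for l in plugins["cache"])


def audit_cache(text):
    """Return {zone keys: problem} for every server block whose cache
    configuration is missing or differs from the default block's."""
    blocks = parse_corefile(text)
    defaults = [p for z, p in blocks if z[0].split(":")[0] == "."]
    if not defaults or cache_settings(defaults[0]) is None:
        raise ValueError("default server block with cache plugin not found")
    expected = cache_settings(defaults[0])
    findings = {}
    for zones, plugins in blocks:
        got = cache_settings(plugins)
        if got is None:
            findings[" ".join(zones)] = "cache plugin missing"
        elif got != expected:
            findings[" ".join(zones)] = "cache parameters differ: %s != %s" % (got, expected)
    return findings


if __name__ == "__main__":
    print("post-fix findings:", audit_cache(FIXED_COREFILE))   # {}
    print("pre-fix findings:", audit_cache(PRE_FIX_COREFILE))  # two blocks flagged
```

To run it against a live cluster, feed `audit_cache` the `Corefile` key of the `dns-default` ConfigMap (`oc -n openshift-dns get cm dns-default -o jsonpath='{.data.Corefile}'`); an empty result means every forwarded zone caches with the same TTL and negative-cache settings as the default block.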

Comment 6 errata-xmlrpc 2022-03-10 16:12:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
