rfc2136: External-DNS continuously sends updates to AD DNS despite no changes (GSS-TSIG) #6450

@pksiazekic

Description

What happened:
I’m running external-dns v0.21.0 with the rfc2136 provider against Microsoft Active Directory DNS. Authentication with GSS-TSIG (Kerberos) works and external-dns successfully creates/updates records.
However, on every interval run (e.g. --interval=1m) it keeps sending DNS update messages to the nameserver even when there are no changes in Kubernetes resources.
Debug logs repeatedly show messages like:

time="2026-05-20T15:03:18Z" level=debug msg="ApplyChanges (Create: 6, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:03:18Z" level=debug msg="Sending message to nameserver : <name_server_fqdn>"
... <redacted>
time="2026-05-20T15:04:18Z" level=debug msg="ApplyChanges (Create: 6, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:04:18Z" level=debug msg="Sending message to nameserver : <name_server_fqdn>"

From the logs it looks like it keeps attempting to “apply” records repeatedly instead of detecting that the desired and current DNS states match. This results in constant DNS traffic and repeated “adding/upserting” behavior at the configured interval, despite stable inputs.

What you expected to happen:
After the initial create/upsert of A + TXT registry records, external-dns should detect that no changes are required and not send DNS update messages every interval.
In other words: idempotent behavior where periodic sync does not produce updates when there are no differences.

How to reproduce it (as minimally and precisely as possible):

Deploy external-dns v0.21.0 in a Kubernetes cluster with the following flags (actual process flags):

--interval=1m
--log-level=debug
--log-format=text
--source=service
--policy=upsert-only
--registry=txt
--txt-owner-id=test-owner
--txt-prefix=extdns-%{record_type}-
--provider=rfc2136
--rfc2136-host=<server_fqdn>
--rfc2136-port=53
--rfc2136-zone=test-domain.com
--rfc2136-gss-tsig
--rfc2136-kerberos-realm=$(AD_DNS_REALM)
--rfc2136-kerberos-username=$(AD_DNS_USER)
--rfc2136-kerberos-password=$(AD_DNS_PASSWORD)

Example service:

apiVersion: v1
kind: Service
metadata:
  name: demo-svc
  namespace: default
  annotations:
    external-dns.alpha.kubernetes.io/hostname: demo.test-domain.com
spec:
  type: ClusterIP
  selector:
    app: demo
  ports:
  - port: 80
    targetPort: 8080

Confirm external-dns creates records in AD DNS:

demo.test-domain.com record (A/CNAME depending on setup)
TXT registry record with prefix extdns-%{record_type}-... and owner test-owner

Wait for the next interval. Observe that every minute it logs “Sending message to nameserver …” and appears to attempt updates even though nothing has changed.

Anything else we need to know?:
I've tried to enable zone transfers using --rfc2136-tsig-axfr, but as I checked later in Microsoft documentation, AD DNS supports only GSS-TSIG.

Environment:
external-dns version: v0.21.0
DNS provider: rfc2136 against Microsoft Active Directory DNS using GSS-TSIG
Others:
Kubernetes version: 1.33
AD DNS version: Windows Server 2019
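An added triage check, not part of this report and not code from the external-dns project: a small Python script that parses debug lines of the shape shown above and flags sync runs where the same non-zero change set is pushed again on consecutive intervals, which is exactly the non-idempotent pattern described. Both log samples are constructed for this example; the nameserver hostname dns.test-domain.com is a placeholder, and the "All records are already up to date" line in the healthy sample is an assumption about what an interval with nothing to push logs.

```python
"""Flag non-idempotent external-dns sync runs from debug log output.

Constructed example: the log text below is modelled on the lines quoted in the
report, not captured from a real cluster.
"""
import re

# One "ApplyChanges (Create: N, UpdateOld: N, UpdateNew: N, Delete: N)" line per run.
APPLY_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=\w+ msg="ApplyChanges \(Create: (?P<create>\d+), '
    r'UpdateOld: (?P<update_old>\d+), UpdateNew: (?P<update_new>\d+), Delete: (?P<delete>\d+)\)"'
)
# Each DNS UPDATE actually sent by the rfc2136 provider.
SEND_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=\w+ msg="Sending message to nameserver : (?P<ns>[^"]+)"'
)

# Constructed: the pattern from the report, repeated across three 1m intervals.
REPEATING_LOG = """\
time="2026-05-20T15:02:18Z" level=debug msg="ApplyChanges (Create: 6, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:02:18Z" level=debug msg="Sending message to nameserver : dns.test-domain.com"
time="2026-05-20T15:03:18Z" level=debug msg="ApplyChanges (Create: 6, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:03:18Z" level=debug msg="Sending message to nameserver : dns.test-domain.com"
time="2026-05-20T15:04:18Z" level=debug msg="ApplyChanges (Create: 6, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:04:18Z" level=debug msg="Sending message to nameserver : dns.test-domain.com"
"""

# Constructed: what a healthy loop is assumed to look like (one create, then quiet).
HEALTHY_LOG = """\
time="2026-05-20T15:02:18Z" level=debug msg="ApplyChanges (Create: 2, UpdateOld: 0, UpdateNew: 0, Delete: 0)"
time="2026-05-20T15:02:18Z" level=debug msg="Sending message to nameserver : dns.test-domain.com"
time="2026-05-20T15:03:18Z" level=info msg="All records are already up to date"
"""


def parse_runs(log_text):
    """Group each ApplyChanges line with the 'Sending message' lines that follow it."""
    runs = []
    for line in log_text.splitlines():
        m = APPLY_RE.search(line)
        if m:
            changes = tuple(int(m[k]) for k in ("create", "update_old", "update_new", "delete"))
            runs.append({"ts": m["ts"], "changes": changes, "messages": 0})
            continue
        m = SEND_RE.search(line)
        if m and runs:
            runs[-1]["messages"] += 1
    return runs


def repeated_runs(runs):
    """Runs whose change set is non-zero and identical to the previous run's.

    With stable inputs a correct reconciliation loop pushes changes once; any
    later run that repeats the same non-zero counts is re-applying state the
    server should already hold.
    """
    return [cur for prev, cur in zip(runs, runs[1:])
            if any(cur["changes"]) and cur["changes"] == prev["changes"]]


def summarize(log_text):
    """Return counts a reporter can paste into an issue: runs, repeats, messages."""
    runs = parse_runs(log_text)
    flagged = repeated_runs(runs)
    return {
        "runs": len(runs),
        "repeated_runs": len(flagged),
        "messages_sent": sum(r["messages"] for r in runs),
        "idempotent": not flagged,
        "repeated_at": [r["ts"] for r in flagged],
    }


if __name__ == "__main__":
    for name, text in (("repeating", REPEATING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, summarize(text))
```

Feed it the real debug log (for example `kubectl logs deploy/external-dns | python3 check_sync.py` after swapping the constructed samples for `sys.stdin.read()`); `repeated_at` gives the timestamps of every interval that re-pushed an unchanged create set.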

Labels

kind/bug