What would you like to be added
In many Kubernetes clusters (especially IPv4-only ones), containers and OS base images (like Alpine/Ubuntu) still aggressively query for AAAA (IPv6) records. When nodelocaldns forwards these to upstream DNS servers that don't handle them well, it results in dropped packets, timeouts, and severe log spam (FORMERR).
The standard fix is to use the CoreDNS template plugin to instantly return a NOERROR for AAAA queries.
While Kubespray provides the nodelocaldns_additional_configs variable to inject custom configuration into the external zone (.:53), there is no equivalent variable hook for the internal cluster zone ({{ ([dns_domain] + old_dns_domains) | join(' ') }}:53). To fix the AAAA spam for internal lookups, users are currently forced to manually modify roles/kubernetes-apps/ansible/templates/nodelocaldns-configmap.yml.j2, which gets overwritten during Kubespray upgrades.
I propose adding a new variable, such as nodelocaldns_cluster_zone_additional_configs, that behaves exactly like nodelocaldns_additional_configs but applies to the internal cluster zone block(s) in the nodelocaldns ConfigMap template.
Proposed change in nodelocaldns-configmap.yml.j2:
```jinja
    {{ ([dns_domain] + old_dns_domains) | join(' ') }}:53 {
{% if nodelocaldns_cluster_zone_additional_configs is defined %}
        {{ nodelocaldns_cluster_zone_additional_configs | indent(width=8, first=False) }}
{% endif %}
        errors
        cache {
            success 9984 30
            denial 9984 5
        }
        # ... rest of the block ...
```
(This would also need to be applied to the Corefile-second block if enable_nodelocaldns_secondary is true).
Why is this needed
With this feature, users could cleanly resolve the AAAA timeout issue purely via their k8s-cluster.yml inventory variables:
```yaml
# Fix external zone AAAA lookups
nodelocaldns_additional_configs: |
  template IN AAAA {
    rcode NOERROR
  }
# Fix internal zone AAAA lookups (Proposed)
nodelocaldns_cluster_zone_additional_configs: |
  template IN AAAA {
    rcode NOERROR
  }
```
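Added example, not part of this issue or of Kubespray: a small Python check that a rendered nodelocaldns Corefile carries the AAAA template in every server block, so the cluster-zone gap described above can be caught before the ConfigMap is applied. The sample Corefile, zone name and forwarder address are constructed values.

```python
import re

# Constructed sample of a rendered nodelocaldns Corefile in which only the
# external zone got the AAAA template (the gap this issue describes).
SAMPLE_COREFILE = """\
cluster.local:53 {
    errors
    cache {
        success 9984 30
        denial 9984 5
    }
}
.:53 {
    errors
    forward . /etc/resolv.conf
    template IN AAAA {
        rcode NOERROR
    }
}
"""

def parse_server_blocks(corefile):
    """Map each top-level server block (e.g. 'cluster.local:53') to its
    plugin lines, tracking brace depth so nested blocks stay inside."""
    blocks, current, depth = {}, None, 0
    for raw in corefile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0:
            if line.endswith("{"):          # 'zone:53 {' opens a server block
                current = line[:-1].strip()
                blocks[current] = []
                depth = 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                       # closing brace of the server block
            current = None
        else:
            blocks[current].append(line)
    return blocks

def zones_missing_aaaa_template(corefile):
    """Return zones whose block has no 'template IN AAAA' with rcode NOERROR,
    i.e. zones where AAAA queries would still be forwarded upstream."""
    pattern = re.compile(r"template\s+IN\s+AAAA\b[^}]*\brcode\s+NOERROR\b")
    return [zone for zone, lines in parse_server_blocks(corefile).items()
            if not pattern.search("\n".join(lines))]
```

Run it against the `Corefile` key of the nodelocaldns ConfigMap after `kubespray` renders it; any zone it lists will still forward AAAA queries upstream.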