external-dns not ignoring pre-existing DNS records it does not have ownership of

[Max-Chandler]

Since upgrading to 0.13.5 from 0.13.4, external-dns will try and create A an record when a CNAME already exists in the zone that it does not control, where previously it would skip trying to create/manage this record. This causes external-dns to crashloop with the following error:

{"level":"fatal","msg":"googleapi: Error 400: The resource record set 'entity.change.additions[[some-record.example.com](http://some-record.example.com/).][A]’ is invalid because the DNS name '[some-record.example.com](http://some-record.example.com/).' has a resource record set of the type 'CNAME'. A DNS name may have either one CNAME resource record set or resource record sets of other types, but not both., cnameResourceRecordSetConflict","time":"2023-06-15T16:45:39Z"}

Here’s our relevant helm chart configuration for our deployment:

policy: sync
provider: google
registry: txt
txtOwnerId: "{{ .Values.cluster_name }}-some-domain“
txtPrefix: "{{ .Values.cluster_name }}-some-domain."

I’ve seen other issues where TXT and A records collide when the registry hasn’t been configured, but this looks to be a different issue:
#262
#740
#318

These bugs look to be similar:
#3714
#3706

Not a contribution.

[szuecs]

Please show the bogus resources that lead to this and which source you use including all flags.
We try to not hide errors that can impact your infrastructure, so fail fast is the right decision in our belief.
I don't see this as bug.

[Max-Chandler]

Sure, the dns zone has this relevant record that isn't managed by external-dns:

some-record.example.com. CNAME 30 some-other-record.example.com.

Here are some debug logs comparing the behaviour between the two versions.
v0.13.4

{"level":"debug","msg":"Endpoints generated from ingress: some-namespace/some-ingress: [some-record.example.com 0 IN A  127.0.01 [] some-record.example.com 0 IN A  127.0.01 []]","time":"2023-06-21T08:47:05Z"}
{"level":"debug","msg":"Removing duplicate endpoint some-record.example.com 0 IN A  127.0.0.1 []","time":"2023-06-21T08:47:35Z"}
{"level":"debug","msg":"Skipping endpoint some-record.example.com 0 IN A  127.0.0.1 [] because owner id does not match, found: \"\", required: \"cluster-name-some-domain\"","time":"2023-06-21T08:47:35Z"}
{"level":"debug","msg":"Skipping endpoint some-record.example.com 30 IN CNAME  some-other-record.example.com [] because owner id does not match, found: \"\", required: \"cluster-name-some-domain\"","time":"2023-06-21T08:47:35Z"}

v0.13.5

{"level":"debug","msg":"Endpoints generated from ingress: some-namespace/some-ingress: [some-record.example.com 0 IN A  127.0.01 [] some-record.example.com 0 IN A  127.0.01 []]","time":"2023-06-21T08:48:14Z"}
{"level":"debug","msg":"Removing duplicate endpoint some-record.example.com 0 IN A  127.0.01 []","time":"2023-06-21T08:48:14Z"}
{"level":"debug","msg":"Skipping endpoint some-record.example.com 30 IN CNAME  some-other-record.example.com [] because owner id does not match, found: \"\", required: \"cluster-name-some-domain\"","time":"2023-06-21T08:48:14Z"}
{"level":"info","msg":"Add records: some-record.example.com. A [127.0.0.1] 300","time":"2023-06-21T08:48:14Z"}
{"level":"info","msg":"Add records: cluster-name-some-domain.a-some-record.example.com. TXT [\"heritage=external-dns,external-dns/owner=cluster-name-some-domain,external-dns/resource=ingress/some-namespace/some-ingress\"] 300","time":"2023-06-21T08:48:14Z"}
{"level":"info","msg":"Add records: cluster-name-some-domain.some-record.example.com. TXT [\"heritage=external-dns,external-dns/owner=cluster-name-some-domain,external-dns/resource=ingress/some-namespace/some-ingress\"] 300","time":"2023-06-21T08:48:14Z"}
{"level":"fatal","msg":"googleapi: Error 400: The resource record set 'entity.change.additions[some-record.example.com.][A]' is invalid because the DNS name 'some-record.example.com.' has a resource record set of the type 'CNAME'. A DNS name may have either one CNAME resource record set or resource record sets of other types, but not both., cnameResourceRecordSetConflict","time":"2023-06-21T08:48:14Z"}

It seems 0.13.5 now tries to create the A record, where previously it would skip trying to create this.

[johngmyers]

It's not surprising, external-dns now treats different record types on the same domain as being independent.

[Max-Chandler]

Was this change documented anywhere? Maybe I've missed it, but I don't see it in the changelog for v0.13.5.

What would be your recommended action for this? Remove the CNAMEs and have external-dns manage them? Or is there a way that we can have external-dns check for existing CNAME records, and skip record creation as afaik they cannot coexist with other record types: rfc1912, rfc1034?

[johngmyers]

The change came in as part of #2461. My recommended actions are in review comments for #3747.

[slyshovsv]

@johngmyers sorry to disturb you, but I don't quite get the idea in #3747 , is it to focus on filtering by owner ID on the domain level and prefer A over CNAME?

That's because I'm having a similar issue on 0.13.6, it goes through most of the hostnames fine, but a few subdomains in the same zone already have CNAMEs in place and it crashes with the same fatal error as OP.

Does this mean that there is no way to skip/ignore hosts with existing CNAMEs in general and the only way is to either filter out the whole domain our skip those subdomains with a mix of annotations directly on resources?

Thanks.

[max-blue]

still seeing an error with chart version 6.28.0 and app version 0.13.6. Getting the error below:

time="2023-11-01T13:29:42Z" level=fatal msg="googleapi: Error 400: The resource record set 'entity.change.additions[www.beta.domain.com.][A]' is invalid because the DNS name 'www.beta.domain.com.' has a resource record set of the type 'CNAME'. A DNS name may have either one CNAME resource record set or resource record sets of other types, but not both., cnameResourceRecordSetConflict"

www. is CNAMED to a cloudfront distro outside of external-dns

[nishasati6oct]

I am getting this conflict error in pod logs
"Conflict",\n "message": "The record could not be created because a CNAME record with the same name already exists in this zone."\n}\n--------------------------------------------------------------------------------\n"
time="2024-01-10T09:35:42Z" level=info msg="Updating TXT record named 'cname-dev-service' to '"heritage=external-dns,external-dns/owner=default,external-dns/resource=ingressroute/traefik/service"' for Azure DNS zone.

TXT record already created along with CNAME, but seeing this message for all the CNAME and TXT records created by External-DNS. Is there any way to suppress the checking for TXT record again and again by External-DNS?

[Max-Chandler]

Testing this on the latest release (0.14.0), it looks like the issue has been resolved. I'm now seeing external-dns checking for ownership of the records, and ignoring the conflict:

{"level":"debug","msg":"Skipping endpoint some-record.example.com 3600 IN CNAME some-other-record.example.com [] because owner id does not match, found: \"\", required: \"some-owner-ref\"","time":"2024-01-11T10:27:59Z"}