- Bug
- Resolution: Unresolved
- Minor
- None
- 4.17, 4.16.z, 4.18
- None
- Rejected
- False
Description of problem:
Based on customer feedback, it does not appear that IPs added to an OVN address_set from DNS lookups (at least for wildcard entries) are ever removed after some time. This means the set can grow unbounded if the IP addresses behind the name change over time.
Version-Release number of selected component (if applicable):
4.16.8
How reproducible:
100%
Steps to Reproduce:
1. Create an EgressFirewall DNS entry for *.webhook.office.com
2. Repeatedly connect to that host to populate entries
3. Stop accessing that host
Actual results:
address_set items never expire
Expected results:
address_set items should expire after some reasonable timeframe or possibly at the TTL received when looking up the hostname?
Additional info:
Should there be an option to set a maximum number of entries, so that an errant DNS entry does not allow someone to create a DoS scenario by yielding billions of address_set entries?

We also need to ensure that when/if we remove entries due to expiry there are no active connections to those IP addresses, considering that some connections may be long lived.

TTL may not be the best value to expire on, because it may be too short. Also, some DNS servers do not provide all answers on each query. Maybe this needs to be configured per hostname or per cluster, i.e. a 1 hour timeout if the entry has not been refreshed, based on the maximum duration of long-lived connections for a given use case.
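The cap and refresh-based expiry sketched above, as an added example; this is not ovn-kubernetes code and the `AddressSet` type, its `Observe`/`Expire`/`ConnOpened`/`ConnClosed` methods and the 10.0.x.x sample addresses are assumptions constructed for illustration. The `main` function contrasts the unbounded behaviour from the report with a set that is bounded by a maximum entry count, expires entries not refreshed within an idle timeout, and keeps any entry that still has open connections.

```go
package main

import (
	"fmt"
	"time"
)

// addrEntry is one resolved IP kept for an EgressFirewall DNS name.
type addrEntry struct {
	lastSeen    time.Time // last time a lookup for the name returned this IP
	activeConns int       // open connections to the IP (assumed to be reported by the caller)
}

// AddressSet is a hypothetical bounded, expiring stand-in for the per-name
// address_set that the report says grows without limit.
type AddressSet struct {
	Name        string
	MaxEntries  int           // hard cap; 0 means unlimited, i.e. the behaviour in the report
	IdleTimeout time.Duration // drop an IP not refreshed within this window (e.g. 1 hour)
	Dropped     int           // lookups rejected because the cap was reached
	entries     map[string]*addrEntry
}

func NewAddressSet(name string, maxEntries int, idle time.Duration) *AddressSet {
	return &AddressSet{Name: name, MaxEntries: maxEntries, IdleTimeout: idle, entries: map[string]*addrEntry{}}
}

// Observe records an IP returned by a DNS lookup at time now.
// A known IP is refreshed; a new IP is added only while the cap has room.
func (s *AddressSet) Observe(ip string, now time.Time) bool {
	if e, ok := s.entries[ip]; ok {
		e.lastSeen = now
		return true
	}
	if s.MaxEntries > 0 && len(s.entries) >= s.MaxEntries {
		s.Dropped++ // the cap, not the size of the DNS zone, bounds the set
		return false
	}
	s.entries[ip] = &addrEntry{lastSeen: now}
	return true
}

// ConnOpened and ConnClosed let the caller mark IPs with live flows so that
// expiry never pulls an address out from under a long-lived connection.
func (s *AddressSet) ConnOpened(ip string) {
	if e, ok := s.entries[ip]; ok {
		e.activeConns++
	}
}

func (s *AddressSet) ConnClosed(ip string) {
	if e, ok := s.entries[ip]; ok && e.activeConns > 0 {
		e.activeConns--
	}
}

// Expire removes every IP that has not been refreshed within IdleTimeout and
// has no active connections. It returns the number of entries removed.
func (s *AddressSet) Expire(now time.Time) int {
	removed := 0
	for ip, e := range s.entries { // deleting during range is safe in Go
		if now.Sub(e.lastSeen) > s.IdleTimeout && e.activeConns == 0 {
			delete(s.entries, ip)
			removed++
		}
	}
	return removed
}

// Len reports how many IPs the set currently holds.
func (s *AddressSet) Len() int { return len(s.entries) }

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	unbounded := NewAddressSet("*.webhook.office.com", 0, time.Hour)
	bounded := NewAddressSet("*.webhook.office.com", 256, time.Hour)
	// Constructed input: a wildcard name whose answers rotate through 10,000 IPs.
	for i := 0; i < 10000; i++ {
		ip := fmt.Sprintf("10.0.%d.%d", i/256, i%256) // constructed sample address
		unbounded.Observe(ip, start)
		bounded.Observe(ip, start)
	}
	fmt.Printf("unbounded: %d entries; bounded: %d entries (%d lookups dropped)\n",
		unbounded.Len(), bounded.Len(), bounded.Dropped)
	bounded.ConnOpened("10.0.0.0")
	fmt.Printf("expired after 2h idle: %d (one kept for its live connection)\n",
		bounded.Expire(start.Add(2*time.Hour)))
}
```

The idle timeout is measured from the last lookup that returned the IP rather than from the record's TTL, matching the report's concern that TTLs can be too short and that some resolvers rotate answers between queries; `Expire` is meant to run periodically and only drops entries that are both stale and free of open connections.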