Feature Overview (aka. Goal Summary)  

Support the RFC2136 provider (DNS Dynamic Updates) in the OpenShift implementation of ExternalDNS.

Goals (aka. expected user outcomes)

• Enhance our current ExternalDNS support with the RFC2136 provider for additional customer-requested features.  RFC2136 enables support for dynamic updates to an external DNS provider supported by ExternalDNS, including the processing of prerequisites and dependecies with the addition or deletion of RRs or RRsets from a specified zone.  

Requirements (aka. Acceptance Criteria):

• RFC2136 enhancements:
  • dynamic updates
  • DNSSEC support with integration tests

Use Cases (Optional):

• FedRamp has a requirement for DNSSEC capability in CY2025. Note: OpenShift has the ability to do DNS-over-TLS.
• The originating customer can't use the proposed BlueCat plugin due to not having BlueCat Gateway. RFC2136 dynamic updates are available in upstream external-dns and are supported by many DNS providers including BlueCat Address Manager (when deploying to a Linux-based DNS server) and Red Hat IdM
• Customer has a requirement not to use wildcard DNS so automating the creation of dns entries is important to avoid a lot of manual effort.

Questions to Answer (Optional):

Out of Scope

• DNSSEC will not be "forced" for all DNS queries. Applications should be able to send a DNS query with the DO (DNSSEC OK) bit set, and CoreDNS should pass that along to the upstream DNS resolver, and then verify that the response has a valid signature.

Background

• ExternalDNS makes Kubernetes resources (services, ingresses, etc.) discoverable via public DNS servers. It is not a DNS server itself, it configures other DNS providers such as AWS' Route 53 or Google Cloud DNS.

Customer Considerations

Documentation Considerations

• We should note any differences between the upstream version of external-dns and our implementation, for support clarity.

Interoperability Considerations

• The external-dns operator in combination with CoreDNS.