Skip to content

external-dns loops while failing to create redundant CNAME towards the apex of its managed zone #5882

New issue
New issue
Open
Open
external-dns loops while failing to create redundant CNAME towards the apex of its managed zone#5882
Labels
kind/bugCategorizes issue or PR as related to a bug.
@juliohm1978

Description

@juliohm1978
juliohm1978
opened on Oct 1, 2025

Context:
We use external-dns to manage DNS records for a subzone that represents the entire cluster. As an example, we have several k8s clusters:

  • staging.company.com
  • training.company.com
  • production.company.com

Each cluster has its external-dns configured to manage the DNS subzone related that cluster.

What happened:
Several applications hosted in the cluster, will be served as a context inside the apex domain, ie:

Those applications are deployed with an Ingress that defines host: staging.company.com.
As a result, the cluster accumulates dozens of Ingresses with the same host.

The cluster also has ingress-nginx-controller as a reverse proxy to balance the applications in the same domain. So, the only Service of type LoadBalancer is the one exposed by the ingress-nginx-controller.

In this case, external-dns will create the A record for the Ingress Nginx Controller.

staging.company.com A 123.123.123.123

That is expected.

Meanwhile, external-dns will also handle each Ingress and attempt to create a CNAME that points to that A record. This is what we see in the logs:

ing-int-external-dns-699d996bdb-wm6fc external-dns time="2025-10-01T12:38:28Z" level=info msg="Adding RR: staging.company.com 3600 CNAME staging.company.com"

That log message will loop forever, since the CNAME update fails for a number of reasons:

  1. It is not possible to create a CNAME to itself.
  2. CNAME records must exist on their own. In this case, there is already an A record with the same name.
  3. It is not possible to create a CNAME inside the apex of the zone as well (reference docs).

What you expected to happen:
In this particular case, it would be wise for external-dns to recognize that it's trying to do something redundant, either comparing the source and destination of the CNAME, or recognizing that the CNAME alias is the apex of the zone it's managing.

How to reproduce it (as minimally and precisely as possible):
Install ingress-nginx-controller and expose it with a Service LoadBalancer annotated with

external-dns.alpha.kubernetes.io/target: staging.company.com

external-dns will create the A record for the Service.

Configure an Ingress with host=staging.company.com and annotate with

external-dns.alpha.kubernetes.io/target: staging.company.com

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions