- On-the-fly DNSSEC signing of served data in CoreDNS.
- `kube-dns` supports only `etcd` as the backend; CoreDNS, on the other hand, has several supported backends.
- `kube-dns` records do not reflect the state of the cluster. Any query to `w-x-y-z.namespace.pod.cluster.local` will return an A record with `w.x.y.z`, even if that IP does not belong to the specified namespace or even to the cluster address space. The CoreDNS integration offers the `pods verified` option, which verifies that the IP address `w.x.y.z` returned is in fact the IP of a pod in the specified namespace.
- Plugin chaining and a pluggable architecture make CoreDNS better suited to adapt to various backends, as compared to `kubedns`.
- Set up `etcd` as the backend for CoreDNS: https://coredns.io/plugins/etcd/
- Enable `DNSSEC` for signing served data: https://coredns.io/plugins/dnssec/
- Check out this library for DNSSEC verification: https://github.com/miekg/dns
- TLS & client certificates supported for two-way authentication. Ref: https://coreos.com/etcd/docs/latest/op-guide/security.html
- Official `etcd` Go client library: https://github.com/coreos/etcd/tree/master/clientv3
- Nice description of how `kubedns` + `etcd` work: https://rsmitty.github.io/Manually-Checking-Out-KubeDNS/
The data in etcd has to be encoded as a struct like this for the CoreDNS etcd plugin to pick it up:

```go
// This *is* the rdata from a SRV record, but with a twist.
// Host (Target in SRV) must be a domain name, but if it looks like an IP
// address (4/6), we will treat it like an IP address.
type Service struct {
	Host     string `json:"host,omitempty"`
	Port     int    `json:"port,omitempty"`
	Priority int    `json:"priority,omitempty"`
	Weight   int    `json:"weight,omitempty"`
	Text     string `json:"text,omitempty"`
	Mail     bool   `json:"mail,omitempty"` // Be an MX record. Priority becomes Preference.
	Ttl      uint32 `json:"ttl,omitempty"`

	// When a SRV record with a "Host: IP-address" is added, we synthesize
	// a srv.Target domain name. Normally we convert the full Key where
	// the record lives to a DNS name and use this as the srv.Target. When
	// TargetStrip > 0 we strip the left most TargetStrip labels from the
	// DNS name.
	TargetStrip int `json:"targetstrip,omitempty"`

	// Group is used to group (or *not* to group) different services
	// together. Services with an identical Group are returned in the same
	// answer.
	Group string `json:"group,omitempty"`

	// Etcd key where we found this service and ignored from json un-/marshalling
	Key string `json:"-"`
}
```
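As an added example (not CoreDNS's own code), this small Go program shows how a record for the etcd plugin is laid out: the DNS name is reversed into a path under the plugin's `/skydns` prefix, the `Service` value is stored there as JSON, and, following the struct comment above, an IP `Host` with `TargetStrip` gets an SRV target synthesized from that key. `KeyForName`, `SRVTarget` and `EncodeService` are names chosen here, and the record values are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Service mirrors the CoreDNS etcd plugin record (only the fields used here).
type Service struct {
	Host        string `json:"host,omitempty"`
	Port        int    `json:"port,omitempty"`
	TargetStrip int    `json:"targetstrip,omitempty"`
}
func reverse(s []string) {
	for i, j := 0, len(s)-1; i < j; i, j = i+1, j-1 {
		s[i], s[j] = s[j], s[i]
	}
}
// KeyForName: DNS labels reversed below the path prefix (plugin default "/skydns").
func KeyForName(prefix, name string) string {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	reverse(labels)
	return prefix + "/" + strings.Join(labels, "/")
}
// SRVTarget follows the struct comment: an IP Host gets a target synthesized from
// the key's DNS name minus its leftmost TargetStrip labels; a domain Host is kept.
func SRVTarget(prefix, key string, s Service) string {
	if net.ParseIP(s.Host) == nil {
		return s.Host
	}
	labels := strings.Split(strings.Trim(strings.TrimPrefix(key, prefix), "/"), "/")
	reverse(labels) // the key read back as DNS labels
	if s.TargetStrip > 0 && s.TargetStrip < len(labels) {
		labels = labels[s.TargetStrip:]
	}
	return strings.Join(labels, ".") + "."
}
// EncodeService is the JSON value stored under the key (e.g. via etcdctl put).
func EncodeService(s Service) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

func main() {
	svc := Service{Host: "10.0.0.7", Port: 8080, TargetStrip: 1} // constructed sample
	key := KeyForName("/skydns", "x1.api.example.local")
	v, _ := EncodeService(svc)
	fmt.Printf("%s -> %s (SRV target %s)\n", key, v, SRVTarget("/skydns", key, svc))
}
```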