New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNS validation fails but it's wrong #4477
Comments
…sses This commit improves the bad DNS wildcard validation message to include a list of IP addresses that the bad wildcard domain resolves to so they can be included in the message. This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior)
…sses This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to so they This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior)
…sses This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to. This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior)
/close User figured out it's some weird router behavior. Created #4482 to give users more information in this situation |
…sses This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to. This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior) Also fixed a (theoretical) bug where when the agent omitted the wildcard entry from its DNS resolution response, the validation would fail (instead of error) and would tell the user that the domain is resolving while in reality we don't really know whether it's resolving or not.
…sses This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to. This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior) Also fixed a (theoretical) bug where when the agent omitted the wildcard entry from its DNS resolution response, the validation would fail (instead of error) and would tell the user that the domain is resolving while in reality we don't really know whether it's resolving or not.
Thank you so much @omertuc for the support! |
…sses (#4482) This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to. This might help users understand where the bad wildcard record is coming from. See #4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior) Also fixed a (theoretical) bug where when the agent omitted the wildcard entry from its DNS resolution response, the validation would fail (instead of error) and would tell the user that the domain is resolving while in reality we don't really know whether it's resolving or not.
Just in case anybody else stumbles across this thread:
|
Seems like an issue in how our validation works. Thanks for the explanation / looking into it. I will open an internal ticket to see how we can address it |
The strange thing for me here is, that although i agree and the validator should probably output a different error message, it is still somehow correct when saying "the cluster will not work with the current DNS/DHCP configuration". I initially ran into this issue since i saw the core DNS on my running cluster resolving service names (e.g. myservice.mynamespace.svc.cluster.local) to the address of my wildcard record (for |
Good to know that because our proposed solution on internal Slack was to append But if the presence of your DHCP config breaks OCP itself... maybe we shouldn't do that. Perhaps we should first wait for OCP to be tolerant of such DHCP config and just improve the error message until then |
Yeah, i think improving the error message would be a good first step. I will keep you posted once i figure out how to configure oc for this scenario :). |
…sses (openshift#4482) This commit improves the bad DNS wildcard validation message to include the list of IP addresses that the bad wildcard domain resolves to. This might help users understand where the bad wildcard record is coming from. See openshift#4477 - user was stuck on this validation for a while but was able to figure out the issue almost immediately when I told them the IP address that gets resolved is 127.0.0.1 (turns out it's some weird known router issue/behavior) Also fixed a (theoretical) bug where when the agent omitted the wildcard entry from its DNS resolution response, the validation would fail (instead of error) and would tell the user that the domain is resolving while in reality we don't really know whether it's resolving or not.
I've tried to install a cluster with
with the following dns settings
but the validations fails due to the dns wildcard certificate (that does not exists at all!)
Is that a known issue?
The text was updated successfully, but these errors were encountered: