Description
What happened:
After upgrading the Bitnami Helm chart from 8.8.6 to 8.9.1, we started seeing the following warning in the logs:
{"level":"warning","msg":"Got error while parsing domain _acme-challenge.<some_xyz_domain>: idna: disallowed rune U+005F","time":"2025-07-14T08:25:49Z"}
External-dns then skips that record set. As a result, the companion A record is never deleted, so stale DNS entries remain.
This behavior did not occur in earlier versions.
What you expected to happen:
ExternalDNS continues to manage _acme-challenge TXT records created by cert-manager.
How to reproduce it (as minimally and precisely as possible):
- ExternalDNS is configured to sync with Azure DNS. An example of flags:
  --registry=txt
  --txt-owner-id=default
  --provider=azure
  --azure-resource-group=<resource-group-name>
  --domain-filter=<some_xyz_domain>
- Deploy cert-manager configured to issue certificates using the ACME DNS-01 challenge (e.g., Let’s Encrypt).
- Deploy an Ingress resource with the following annotation:
cert-manager.io/cluster-issuer: <your_cluster-issuer>
- Wait until an IP is assigned and cert-manager creates the DNS-01 challenge record (_acme-challenge.<some_xyz_domain>).
- Delete the Ingress resource to trigger cleanup.
- Observe the external-dns logs; the warning mentioned above should appear. The record is not cleaned up.
Anything else we need to know?:
We're using Azure DNS, cert-manager, and Let's Encrypt. Maybe it's caused by stricter domain validation introduced in a newer version of Go or the ExternalDNS codebase.
Environment:
- External-DNS version (use external-dns --version): v0.18.0
- DNS provider: azure
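The warning text is the shape a strict hostname validator produces when it meets the underscore (U+005F) that begins _acme-challenge, which is why the record set is then skipped. As an added illustration (not external-dns code), this Go snippet contrasts a strict letters-digits-hyphen check with one that also admits the underscore-prefixed labels RFC 8552 defines for TXT/SRV-style owner names; the Mode type, ValidateName, and the sample domain are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Mode selects which names the validator accepts.
type Mode int

const (
	// StrictHostname applies the RFC 1123 letters-digits-hyphen rule to every label.
	StrictHostname Mode = iota
	// OwnerName also accepts a leading underscore, as in _acme-challenge or _dmarc (RFC 8552).
	OwnerName
)

// ValidateName checks every label of a DNS name (trailing dot optional).
func ValidateName(name string, mode Mode) error {
	name = strings.TrimSuffix(name, ".")
	for _, label := range strings.Split(name, ".") {
		if err := validateLabel(label, mode); err != nil {
			return fmt.Errorf("label %q: %w", label, err)
		}
	}
	return nil
}

func validateLabel(label string, mode Mode) error {
	if len(label) == 0 || len(label) > 63 {
		return errors.New("label length must be 1..63")
	}
	for i, r := range label {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-':
		case r == '_' && mode == OwnerName && i == 0: // underscore-prefixed service label
		default:
			return fmt.Errorf("disallowed rune %U", r) // same shape as the issue's warning
		}
	}
	return nil
}

func main() {
	name := "_acme-challenge.example.com" // constructed sample, not the reporter's zone
	fmt.Println(ValidateName(name, StrictHostname)) // label "_acme-challenge": disallowed rune U+005F
	fmt.Println(ValidateName(name, OwnerName))      // <nil>
}
```

A record-management path that applies the strict mode to owner names will drop every underscore-prefixed TXT record, and with it the cleanup of its companion records.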