- On-the-fly DNSSEC signing of served data in CoreDNS.
- kube-dns supports only etcd as the backend; CoreDNS, on the other hand, has several supported backends.
- kube-dns records do not reflect the state of the cluster. Any query to w-x-y-z.namespace.pod.cluster.local will return an A record with w.x.y.z, even if that IP does not belong to the specified namespace or even to the cluster address space. The CoreDNS integration offers the option "pods verified", which checks that the IP address w.x.y.z returned is in fact the IP of a pod in the specified namespace.
- Plugin chaining and a pluggable architecture make CoreDNS better suited to adapt to various backends, compared to kube-dns.
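The difference between echoing the dashed IP back and verifying it is easy to see in code. The following is an added illustration, not code from CoreDNS or kube-dns: it parses a w-x-y-z.namespace.pod.<zone> name and, in verified mode, only answers when the IP is a known pod in that namespace. The namespace-to-pod-IP table is constructed sample data standing in for what would come from the Kubernetes API.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample of pod IPs per namespace (hypothetical data; a real
// implementation would populate this from the Kubernetes API watch).
var podIPsByNamespace = map[string]map[string]bool{
	"default":     {"10.244.1.7": true, "10.244.2.3": true},
	"kube-system": {"10.244.0.5": true},
}

// podIPFromQName parses "w-x-y-z.<namespace>.pod.<zone>" and returns the
// dashed label converted back to an IPv4 address plus the namespace.
// Names that do not follow the pod record shape are rejected.
func podIPFromQName(qname, zone string) (net.IP, string, error) {
	name := strings.TrimSuffix(strings.ToLower(qname), ".")
	suffix := ".pod." + strings.TrimSuffix(strings.ToLower(zone), ".")
	if !strings.HasSuffix(name, suffix) {
		return nil, "", fmt.Errorf("%q is not under pod.%s", qname, zone)
	}
	labels := strings.Split(strings.TrimSuffix(name, suffix), ".")
	if len(labels) != 2 {
		return nil, "", fmt.Errorf("%q: expected <dashed-ip>.<namespace>", qname)
	}
	ip := net.ParseIP(strings.ReplaceAll(labels[0], "-", "."))
	if ip == nil || ip.To4() == nil {
		return nil, "", fmt.Errorf("%q: first label is not a dashed IPv4 address", qname)
	}
	return ip, labels[1], nil
}

// resolvePod models the two behaviours compared above. With verify=false the
// dashed IP is returned regardless of whether such a pod exists (the kube-dns
// behaviour described). With verify=true an answer is produced only when the
// IP belongs to a pod in that namespace; otherwise nil means "no A record".
func resolvePod(qname, zone string, verify bool) (net.IP, error) {
	ip, ns, err := podIPFromQName(qname, zone)
	if err != nil {
		return nil, err
	}
	if !verify {
		return ip, nil
	}
	if podIPsByNamespace[ns][ip.String()] {
		return ip, nil
	}
	return nil, nil
}

func main() {
	for _, verify := range []bool{false, true} {
		// An IP outside the cluster range, dressed up as a pod name.
		ip, err := resolvePod("192-168-99-1.default.pod.cluster.local", "cluster.local", verify)
		fmt.Printf("verify=%v -> answer=%v err=%v\n", verify, ip, err)
	}
}
```

With verification off, the fabricated name 192-168-99-1.default.pod.cluster.local resolves to 192.168.99.1 even though no such pod exists; with verification on, the same query gets no answer, and a real pod IP queried under the wrong namespace is refused as well.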
- Set up etcd as the backend for CoreDNS: https://coredns.io/plugins/etcd/
- Enable DNSSEC for signing served data: https://coredns.io/plugins/dnssec/
- Check out this library for DNSSEC verification: https://github.com/miekg/dns
- TLS & client certificates are supported for two-way authentication. Ref: https://coreos.com/etcd/docs/latest/op-guide/security.html
- Official etcd Go client library: https://github.com/coreos/etcd/tree/master/clientv3
- Nice description of how kube-dns + etcd work: https://rsmitty.github.io/Manually-Checking-Out-KubeDNS/
The data in etcd has to be JSON encoding this struct for the CoreDNS etcd plugin to pick it up:
// This *is* the rdata from a SRV record, but with a twist.
// Host (Target in SRV) must be a domain name, but if it looks like an IP
// address (4/6), we will treat it like an IP address.
type Service struct {
	Host     string `json:"host,omitempty"`
	Port     int    `json:"port,omitempty"`
	Priority int    `json:"priority,omitempty"`
	Weight   int    `json:"weight,omitempty"`
	Text     string `json:"text,omitempty"`
	Mail     bool   `json:"mail,omitempty"` // Be an MX record. Priority becomes Preference.
	Ttl      uint32 `json:"ttl,omitempty"`
	// When a SRV record with a "Host: IP-address" is added, we synthesize
	// a srv.Target domain name. Normally we convert the full Key where
	// the record lives to a DNS name and use this as the srv.Target. When
	// TargetStrip > 0 we strip the left most TargetStrip labels from the
	// DNS name.
	TargetStrip int `json:"targetstrip,omitempty"`
	// Group is used to group (or *not* to group) different services
	// together. Services with an identical Group are returned in the same
	// answer.
	Group string `json:"group,omitempty"`
	// Etcd key where we found this service and ignored from json un-/marshalling
	Key string `json:"-"`
}
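To see how a record ends up in etcd in this shape, here is an added example (written for this page, not code from the CoreDNS etcd plugin). It reproduces the JSON-visible fields of the struct above, converts a DNS name to the etcd key the plugin reads (labels reversed under the path prefix, so x1.skydns.local under /skydns is stored at /skydns/local/skydns/x1), marshals the value that would be put there, and shows the IP-versus-name treatment the struct comment describes. The names, addresses and prefix are constructed sample values; hostKind is a helper of this example and not a plugin function.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Service mirrors the plugin's struct: same field names and JSON tags, so the
// encoded value is what the plugin will unmarshal. Key is excluded from JSON.
type Service struct {
	Host        string `json:"host,omitempty"`
	Port        int    `json:"port,omitempty"`
	Priority    int    `json:"priority,omitempty"`
	Weight      int    `json:"weight,omitempty"`
	Text        string `json:"text,omitempty"`
	Mail        bool   `json:"mail,omitempty"`
	Ttl         uint32 `json:"ttl,omitempty"`
	TargetStrip int    `json:"targetstrip,omitempty"`
	Group       string `json:"group,omitempty"`
	Key         string `json:"-"`
}

// keyForName builds the etcd key for a DNS name: the path prefix followed by
// the name's labels in reverse order, one path element per label.
func keyForName(prefix, name string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i, j := 0, len(labels)-1; i < j; i, j = i+1, j-1 {
		labels[i], labels[j] = labels[j], labels[i]
	}
	return strings.TrimSuffix(prefix, "/") + "/" + strings.Join(labels, "/")
}

// encode produces the JSON value to store under the key. Because every field
// carries omitempty, only the fields actually set appear in the stored value.
func encode(s Service) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// decode is the reader's side: parse the stored JSON and remember the key it
// came from, which the plugin uses to synthesize SRV targets.
func decode(key, value string) (Service, error) {
	var s Service
	err := json.Unmarshal([]byte(value), &s)
	s.Key = key
	return s, err
}

// hostKind (example helper, not part of the plugin) applies the rule in the
// struct comment: a Host that parses as an IP is served as an address record
// (A or AAAA); otherwise it is a domain-name target (MX when Mail is set).
func hostKind(s Service) string {
	if ip := net.ParseIP(s.Host); ip != nil {
		if ip.To4() != nil {
			return "A"
		}
		return "AAAA"
	}
	if s.Mail {
		return "MX"
	}
	return "target"
}

func main() {
	key := keyForName("/skydns", "x1.skydns.local.")
	value, err := encode(Service{Host: "1.1.1.1", Ttl: 60})
	if err != nil {
		panic(err)
	}
	// Equivalent to: etcdctl put <key> '<value>'
	fmt.Printf("key=%s value=%s\n", key, value)
	s, _ := decode(key, value)
	fmt.Printf("served as %s record from %s\n", hostKind(s), s.Key)
}
```

Because the plugin treats anything that parses as an IP literal as an address record, a value with host "1.1.1.1" is answered as an A record while a value with host "www.example.org" is a name target; the key, not the JSON, carries the owner name.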