Deleting an ignored DNSEntry unexpectedly deletes the corresponding DNS records

[F7502]

What happened:

I modified an existing DNSEntry resource on my cluster and added the dns.gardener.cloud/ignore: "true" annotation. The resource changed the status to Ignored. When I modified the DNSEntry resource, the corresponding DNS records in my AWS account were not updated. When I deleted the DNSEntry resource (still in status Ignored) the corresponding DNS records in my AWS account got deleted.

What you expected to happen:

The DNS records in the AWS account are not deleted.

How to reproduce it (as minimally and precisely as possible):

As described above, create minimal DNSEntry, wait for reconciliation, add annotation, then delete.

Anything else we need to know:

I need to migrate DNSEntry from one cluster to another. The plan is:

• in source cluster, add ignore annotation to existing DNSEntry
• create copy of DNSEntry in target cluster (without ignore annotation)
• remove still ignored DNSEntry from source cluster

The last step currently breaks the migration as the DNS records will be deleted. Eventually they will be recreated from the target cluster but I want to avoid any downtime during the migration. The DNS records shall never be deleted during the migration.

Environment:

Gardener cluster on Azure with v0.22.2 of external-dns-management. DNS records managed in AWS Route53.

[MartinWeindel]

This behaviour is by design to avoid leaking DNS records, e.g. during shoot deletion. The dns.gardener.cloud/ignore: "true" is only thought for temporarily skipping reconciliation of entries.

You may use weighted routing policy instead.
Change the existing DNSEntry to be a weighted entry, e.g. weight=1. Create the new DNSEntry on the other cluster also to be a weighted entry. Now you delete the old DNSEntry and remove the routing policy from the new one.

[F7502]

Thanks for the fast response. I tested what you proposed and it worked well. What confused me was this part here in the documentation which made me think that the ignore annotation is the way to realize the migration:

Please note that these edge cases are not supported anymore. For handing over responsibility of DNS record, please use the dns.gardener.cloud/ignore=true annotation on DNSEntries or the annotated source objects (like Ingress, Service, etc.)

https://github.com/gardener/external-dns-management/tree/master?tab=readme-ov-file#important-note-support-for-owner-identifiers-is-discontinued

[MartinWeindel]

@F7502
Great to hear that the routing policy proposal is working for you!
I'm sorry for causing confusion by proposing dns.gardener.cloud/ignore=true for handing over without seeing the problem that it is not respected on deleting DNSEntries.
We are planning to improve it by allowing additional values for the dns.gardener.cloud/ignore annotation to cover this case too. Therefore please keep this issue open. We will post an update as soon as we have implemented it. As there is the alternative using the routing policy, it will take some weeks until a fix will be included in a regular release.