From c3228615e071de61b0c6f60d9a231c494726dda0 Mon Sep 17 00:00:00 2001
From: LAMRobinson <116984079+LAMRobinson@users.noreply.github.com>
Date: Tue, 13 Dec 2022 20:36:46 +0000
Subject: [PATCH] plugin/kubernetes: error NXDOMAIN for TXT lookups (#5737)
plugin/kubernetes: fix NXDOMAIN/NOERROR responses for TXT queries
Signed-off-by: Laurence Robinson
Co-authored-by: Laurence Robinson
---
 plugin/kubernetes/handler_test.go | 16 ++++++++++++++++
 plugin/kubernetes/kubernetes.go | 20 ++++++++++++++------
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/plugin/kubernetes/handler_test.go b/plugin/kubernetes/handler_test.go
index 203c9d943..55a8b8c32 100644
--- a/plugin/kubernetes/handler_test.go
+++ b/plugin/kubernetes/handler_test.go
@@ -247,6 +247,22 @@ var dnsTestCases = []kubeTestCase{
 test.TXT("dns-version.cluster.local 28800 IN TXT 1.1.0"),
 },
 }},
+ // A TXT record does not exist but another record for the same FQDN does
+ {Case: test.Case{
+ Qname: "svc1.testns.svc.cluster.local.", Qtype: dns.TypeTXT,
+ Rcode: dns.RcodeSuccess,
+ Ns: []dns.RR{
+ test.SOA("cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1499347823 7200 1800 86400 5"),
+ },
+ }},
+ // A TXT record does not exist and neither does another record for the same FQDN
+ {Case: test.Case{
+ Qname: "svc0.svc-nons.svc.cluster.local.", Qtype: dns.TypeTXT,
+ Rcode: dns.RcodeNameError,
+ Ns: []dns.RR{
+ test.SOA("cluster.local. 5 IN SOA ns.dns.cluster.local. hostmaster.cluster.local. 1499347823 7200 1800 86400 5"),
+ },
+ }},
 // A Service (Headless) does not exist
 {Case: test.Case{
 Qname: "bogusendpoint.hdls1.testns.svc.cluster.local.", Qtype: dns.TypeA,
diff --git a/plugin/kubernetes/kubernetes.go b/plugin/kubernetes/kubernetes.go
index ec0d5a4b1..9e4633ca8 100644
--- a/plugin/kubernetes/kubernetes.go
+++ b/plugin/kubernetes/kubernetes.go
@@ -100,15 +100,23 @@ func (k *Kubernetes) Services(ctx context.Context, state request.Request, exact
 // 1 label + zone, label must be "dns-version".
 t, _ := dnsutil.TrimZone(state.Name(), state.Zone)
+ // Hard code the only valid TXT - "dns-version."
 segs := dns.SplitDomainName(t)
- if len(segs) != 1 {
+ if len(segs) == 1 && segs[0] == "dns-version" {
+ svc := msg.Service{Text: DNSSchemaVersion, TTL: 28800, Key: msg.Path(state.QName(), coredns)}
+ return []msg.Service{svc}, nil
+ }
+
+ // Check if we have an existing record for this query of another type
+ services, _ := k.Records(ctx, state, false)
+
+ if len(services) > 0 {
+ // If so we return an empty NOERROR
 return nil, nil
 }
- if segs[0] != "dns-version" {
- return nil, nil
- }
- svc := msg.Service{Text: DNSSchemaVersion, TTL: 28800, Key: msg.Path(state.QName(), coredns)}
- return []msg.Service{svc}, nil
+
+ // Return NXDOMAIN for no match
+ return nil, errNoItems
 case dns.TypeNS:
 // We can only get here if the qname equals the zone, see ServeDNS in handler.go.
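Review bot: The error from `k.Records(ctx, state, false)` is discarded in the new TXT branch, so a lookup that fails for any reason other than a plain miss still falls through to `return nil, errNoItems` and is answered as NXDOMAIN. Resolvers cache a name error negatively and apply it to every record type for that name, so a transient backend failure could presumably hide an existing service until the negative TTL expires. Keep the error and pass it on unless it is the no-match case: `services, err := k.Records(ctx, state, false)` followed by `if err != nil && err != errNoItems { return nil, err }`. What Records can return and how the caller turns a returned error into an rcode are outside this hunk (Services starts and ends outside it), so confirm that path ends in SERVFAIL rather than NXDOMAIN; the leading comment `// 1 label + zone, label must be "dns-version".` also no longer describes the whole branch and could say that other names now get NOERROR or NXDOMAIN.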