feat: add alias sshfp naptr and ptr records

api/v1alpha1/dnsrecordset_types.go

@@ -7,7 +7,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-// +kubebuilder:validation:Enum=A;AAAA;CNAME;TXT;MX;SRV;CAA;NS;SOA;PTR;TLSA;HTTPS;SVCB
+// +kubebuilder:validation:Enum=A;AAAA;CNAME;TXT;MX;SRV;CAA;NS;SOA;PTR;TLSA;HTTPS;SVCB;ALIAS;SSHFP;NAPTR
 type RRType string
 
 const (
@@ -24,6 +24,9 @@ const (
 	RRTypeTLSA  RRType = "TLSA"
 	RRTypeHTTPS RRType = "HTTPS"
 	RRTypeSVCB  RRType = "SVCB"
+	RRTypeALIAS RRType = "ALIAS"
+	RRTypeSSHFP RRType = "SSHFP"
+	RRTypeNAPTR RRType = "NAPTR"
 )
 
 // DNSRecordSetSpec defines the desired state of DNSRecordSet
@@ -81,12 +84,60 @@ type RecordEntry struct {
 
 	// +optional
 	PTR *PTRRecordSpec `json:"ptr,omitempty"`
+
+	// +optional
+	ALIAS *ALIASRecordSpec `json:"alias,omitempty"`
+
+	// +optional
+	SSHFP *SSHFPRecordSpec `json:"sshfp,omitempty"`
+
+	// +optional
+	NAPTR *NAPTRRecordSpec `json:"naptr,omitempty"`
+}
+
+// ALIASRecordSpec is a PowerDNS-specific RR type that behaves like a CNAME at apex.
+// Content is a hostname (FQDN or relative) and will be normalized to an absolute name in providers.
+type ALIASRecordSpec struct {
+	Content string `json:"content"`
 }
 
 type PTRRecordSpec struct {
 	Content string `json:"content"`
 }
 
+type SSHFPRecordSpec struct {
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=255
+	Algorithm uint8 `json:"algorithm"`
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=255
+	Type uint8 `json:"type"`
+	// Fingerprint is the hex fingerprint data.
+	// +kubebuilder:validation:MinLength=1
+	Fingerprint string `json:"fingerprint"`
+}
+
+type NAPTRRecordSpec struct {
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=65535
+	Order uint16 `json:"order"`
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=65535
+	Preference uint16 `json:"preference"`
+	// Flags is typically "S", "A", "U", or "".
+	// +optional
+	Flags string `json:"flags,omitempty"`
+	// Services is the service field (often something like "E2U+sip").
+	// +optional
+	Services string `json:"services,omitempty"`
+	// Regexp is the substitution expression (often empty).
+	// +optional
+	Regexp string `json:"regexp,omitempty"`
+	// Replacement is the next domain name (FQDN/relative) or ".".
+	// +kubebuilder:validation:MinLength=1
+	Replacement string `json:"replacement"`
+}
+
 type TXTRecordSpec struct {
 	Content string `json:"content"`
 }

config/agent/manager.yaml

@@ -163,6 +163,30 @@ spec:
             drop:
             - "ALL"
             add: ["NET_BIND_SERVICE"]
+      - name: pdns-recursor
+        image: powerdns/pdns-recursor-51:latest
+        imagePullPolicy: IfNotPresent
+        command: ["/bin/sh","-c"]
+        args:
+          - |
+            set -eu;
+            exec pdns_recursor \
+              --daemon=no \
+              --disable-syslog=yes \
+              --local-address=127.0.0.1,::1 \
+              --local-port=5300 \
+              --allow-from=127.0.0.1/32,::1/128
+        volumeMounts:
+          - name: pdns-recursor-run
+            mountPath: /var/run/pdns-recursor
+        securityContext:
+          runAsUser: 953
+          runAsGroup: 953
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - "ALL"
       - name: lightningstream
         image: powerdns/lightningstream:main
         imagePullPolicy: IfNotPresent
@@ -227,6 +251,8 @@ spec:
           name: agent-server-config
       - name: pdns-shared
         emptyDir: {}
+      - name: pdns-recursor-run
+        emptyDir: {}
       - name: lightningstream-config
         configMap:
           name: lightningstream-config

config/agent/pdns.conf

@@ -22,6 +22,11 @@ webserver-port=8082
 api=yes
 # api-key will be passed via CLI using /run/pdns/api-key
 
+# ALIAS support: authoritative expansion requires a recursive resolver.
+# We run a local recursor sidecar on 127.0.0.1:5300.
+resolver=127.0.0.1:5300
+expand-alias=yes
+
 zone-cache-refresh-interval=0
 zone-metadata-cache-ttl=0
 

config/crd/bases/dns.networking.miloapis.com_dnsrecordsets.yaml

@@ -80,6 +80,9 @@ spec:
                 - TLSA
                 - HTTPS
                 - SVCB
+                - ALIAS
+                - SSHFP
+                - NAPTR
                 type: string
               records:
                 description: Records contains one or more owner names with values
@@ -105,6 +108,16 @@ spec:
                       required:
                       - content
                       type: object
+                    alias:
+                      description: |-
+                        ALIASRecordSpec is a PowerDNS-specific RR type that behaves like a CNAME at apex.
+                        Content is a hostname (FQDN or relative) and will be normalized to an absolute name in providers.
+                      properties:
+                        content:
+                          type: string
+                      required:
+                      - content
+                      type: object
                     caa:
                       properties:
                         flag:
@@ -170,6 +183,37 @@ spec:
                       minLength: 1
                       pattern: ^(@|[A-Za-z0-9*._-]+)$
                       type: string
+                    naptr:
+                      properties:
+                        flags:
+                          description: Flags is typically "S", "A", "U", or "".
+                          type: string
+                        order:
+                          maximum: 65535
+                          minimum: 0
+                          type: integer
+                        preference:
+                          maximum: 65535
+                          minimum: 0
+                          type: integer
+                        regexp:
+                          description: Regexp is the substitution expression (often
+                            empty).
+                          type: string
+                        replacement:
+                          description: Replacement is the next domain name (FQDN/relative)
+                            or ".".
+                          minLength: 1
+                          type: string
+                        services:
+                          description: Services is the service field (often something
+                            like "E2U+sip").
+                          type: string
+                      required:
+                      - order
+                      - preference
+                      - replacement
+                      type: object
                     ns:
                       properties:
                         content:
@@ -240,6 +284,25 @@ spec:
                       - target
                       - weight
                       type: object
+                    sshfp:
+                      properties:
+                        algorithm:
+                          maximum: 255
+                          minimum: 0
+                          type: integer
+                        fingerprint:
+                          description: Fingerprint is the hex fingerprint data.
+                          minLength: 1
+                          type: string
+                        type:
+                          maximum: 255
+                          minimum: 0
+                          type: integer
+                      required:
+                      - algorithm
+                      - fingerprint
+                      - type
+                      type: object
                     svcb:
                       properties:
                         params: