kubernetes-sigs · farodin91 · Oct 24, 2025 · Oct 28, 2025 · Oct 29, 2025 · Oct 31, 2025
diff --git a/controller/execute.go b/controller/execute.go
@@ -241,7 +241,7 @@ func buildProvider(
 	case "dnsimple":
 		p, err = dnsimple.NewDnsimpleProvider(domainFilter, zoneIDFilter, cfg.DryRun)
 	case "coredns", "skydns":
-		p, err = coredns.NewCoreDNSProvider(domainFilter, cfg.CoreDNSPrefix, cfg.DryRun)
+		p, err = coredns.NewCoreDNSProvider(domainFilter, cfg.CoreDNSPrefix, cfg.TXTOwnerID, cfg.CoreDNSStrictlyOwned, cfg.DryRun)
 	case "exoscale":
 		p, err = exoscale.NewExoscaleProvider(
 			cfg.ExoscaleAPIEnvironment,

diff --git a/docs/flags.md b/docs/flags.md
@@ -96,6 +96,7 @@
 | `--cloudflare-region-key=""` | When using the Cloudflare provider, specify the default region for Regional Services. Any value other than an empty string will enable the Regional Services feature (optional) |
 | `--cloudflare-record-comment=""` | When using the Cloudflare provider, specify the comment for the DNS records (default: '') |
 | `--coredns-prefix="/skydns/"` | When using the CoreDNS provider, specify the prefix name |
+| `--[no-]coredns-strictly-owned` | When using the CoreDNS provider, store and filter strictly by txt-owner-id using an extra field inside of the etcd service (default: false) |
 | `--akamai-serviceconsumerdomain=""` | When using the Akamai provider, specify the base URL (required when --provider=akamai and edgerc-path not specified) |
 | `--akamai-client-token=""` | When using the Akamai provider, specify the client token (required when --provider=akamai and edgerc-path not specified) |
 | `--akamai-client-secret=""` | When using the Akamai provider, specify the client secret (required when --provider=akamai and edgerc-path not specified) |

diff --git a/docs/tutorials/coredns.md b/docs/tutorials/coredns.md
@@ -261,6 +261,15 @@ dnstools# dig @10.100.4.143 nginx.example.org +short
 dnstools#
 ```
 
+## Multi cluster support options
+
+The CoreDNS provider allows records from different CoreDNS providers to be separated in a single etcd
+by activating the setting `--coredns-strictly-onwed` flag and set `txt-owner-id`.
+
+It will prevent any override (update/create/delete) of records by a different owner and prevent loading of records by a different owner.
+
+This features works directly without any change to CoreDNS. CoreDNS will ignore this field inside the etcd record.
+
 ## Specific service annotation options
 
 ### Groups

diff --git a/endpoint/endpoint_test.go b/endpoint/endpoint_test.go
@@ -583,7 +583,7 @@ func TestIsOwnedBy(t *testing.T) {
 				Labels: tt.fields.Labels,
 			}
 			if got := e.IsOwnedBy(tt.args.ownerID); got != tt.want {
-				t.Errorf("Endpoint.IsOwnedBy() = %v, want %v", got, tt.want)
+				t.Errorf("Endpoint.isOwnedBy() = %v, want %v", got, tt.want)
 			}
 		})
 	}

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
@@ -117,6 +117,7 @@ type Config struct {
 	CloudflareRegionalServices                    bool
 	CloudflareRegionKey                           string
 	CoreDNSPrefix                                 string
+	CoreDNSStrictlyOwned                          bool
 	AkamaiServiceConsumerDomain                   string
 	AkamaiClientToken                             string
 	AkamaiClientSecret                            string
@@ -266,6 +267,7 @@ var defaultConfig = &Config{
 	Compatibility:                "",
 	ConnectorSourceServer:        "localhost:8080",
 	CoreDNSPrefix:                "/skydns/",
+	CoreDNSStrictlyOwned:         false,
 	CRDSourceAPIVersion:          "externaldns.k8s.io/v1alpha1",
 	CRDSourceKind:                "DNSEndpoint",
 	DefaultTargets:               []string{},
@@ -697,6 +699,7 @@ func bindFlags(b FlagBinder, cfg *Config) {
 	b.StringVar("cloudflare-record-comment", "When using the Cloudflare provider, specify the comment for the DNS records (default: '')", "", &cfg.CloudflareDNSRecordsComment)
 
 	b.StringVar("coredns-prefix", "When using the CoreDNS provider, specify the prefix name", defaultConfig.CoreDNSPrefix, &cfg.CoreDNSPrefix)
+	b.BoolVar("coredns-strictly-owned", "When using the CoreDNS provider, store and filter strictly by txt-owner-id using an extra field inside of the etcd service (default: false)", defaultConfig.CoreDNSStrictlyOwned, &cfg.CoreDNSStrictlyOwned)
 	b.StringVar("akamai-serviceconsumerdomain", "When using the Akamai provider, specify the base URL (required when --provider=akamai and edgerc-path not specified)", defaultConfig.AkamaiServiceConsumerDomain, &cfg.AkamaiServiceConsumerDomain)
 	b.StringVar("akamai-client-token", "When using the Akamai provider, specify the client token (required when --provider=akamai and edgerc-path not specified)", defaultConfig.AkamaiClientToken, &cfg.AkamaiClientToken)
 	b.StringVar("akamai-client-secret", "When using the Akamai provider, specify the client secret (required when --provider=akamai and edgerc-path not specified)", defaultConfig.AkamaiClientSecret, &cfg.AkamaiClientSecret)

diff --git a/provider/coredns/coredns.go b/provider/coredns/coredns.go
@@ -84,10 +84,15 @@ type Service struct {
 
 	// Etcd key where we found this service and ignored from json un-/marshaling
 	Key string `json:"-"`
+
+	// OwnedBy is used to prevent service to be added by different external-dns (only used by external-dns)
+	OwnedBy string `json:"ownedby,omitempty"`
 }
 
 type etcdClient struct {
-	client *etcdcv3.Client
+	client        *etcdcv3.Client
+	ownerID       string
+	strictlyOwned bool
 }
 
 var _ coreDNSClient = etcdClient{}
@@ -110,12 +115,25 @@ func (c etcdClient) GetServices(ctx context.Context, prefix string) ([]*Service,
 		if err := json.Unmarshal(n.Value, svc); err != nil {
 			return nil, fmt.Errorf("%s: %w", n.Key, err)
 		}
-		}
+		}
+		if c.strictlyOwned && svc.OwnedBy != c.ownerID {
+			continue
+		}
-		}
+		}
+		if c.strictlyOwned && svc.OwnedBy != c.ownerID {
+			continue
+		}
-		b := Service{Host: svc.Host, Port: svc.Port, Priority: svc.Priority, Weight: svc.Weight, Text: svc.Text, Key: string(n.Key)}
+		b := Service{
+			Host:     svc.Host,
+			Port:     svc.Port,
+			Priority: svc.Priority,
+			Weight:   svc.Weight,
+			Text:     svc.Text,
+			Key:      string(n.Key),
+		}
+		if c.strictlyOwned {
+			b.OwnedBy = svc.OwnedBy
+		}
 		if _, ok := bx[b]; ok {
 			// skip the service if already added to service list.
 			// the same service might be found in multiple etcd nodes.
 			continue
 		}
+		if c.strictlyOwned && b.OwnedBy != c.ownerID {
+			continue
+		}
 		bx[b] = true
 
 		svc.Key = string(n.Key)
@@ -132,6 +150,16 @@ func (c etcdClient) SaveService(ctx context.Context, service *Service) error {
 	ctx, cancel := context.WithTimeout(ctx, etcdTimeout)
 	defer cancel()
 
+	if ownedBy, err := c.isOwnedBy(ctx, service.Key); err != nil {
+		return err
+	} else if !ownedBy {
+		return fmt.Errorf("key %q is not owned by this service", service.Key)
+	}
+
+	if c.strictlyOwned {
+		service.OwnedBy = c.ownerID
+	}
+
 	value, err := json.Marshal(&service)
 	if err != nil {
 		return err
@@ -148,10 +176,45 @@ func (c etcdClient) DeleteService(ctx context.Context, key string) error {
 	ctx, cancel := context.WithTimeout(ctx, etcdTimeout)
 	defer cancel()
 
+	if owned, err := c.isOwnedBy(ctx, key); err != nil {
+		return err
+	} else if !owned {
+		return fmt.Errorf("key %q is not owned by this service", key)
+	}
+
 	_, err := c.client.Delete(ctx, key, etcdcv3.WithPrefix())
 	return err
 }
 
+func (c etcdClient) isOwnedBy(ctx context.Context, key string) (bool, error) {
+	if !c.strictlyOwned {
+		return true, nil
+	}
+
+	r, err := c.client.Get(ctx, key)
-	r, err := c.client.Get(ctx, key)
+	r, err := c.client.Get(ctx, key, etcdcv3.WithLimit(1))
-	r, err := c.client.Get(ctx, key)
+	r, err := c.client.Get(ctx, key, etcdcv3.WithLimit(1))
+	switch {
+	case err != nil:
+		return false, err
+	case r == nil:
+		return true, nil
+	case len(r.Kvs) > 1:
+		return false, fmt.Errorf("found multiple keys with the same key this service")
+	case len(r.Kvs) == 0:
+		return true, nil
+	}
+	for _, n := range r.Kvs {
+		svc := new(Service)
+		if err := json.Unmarshal(n.Value, svc); err != nil {
+			return false, fmt.Errorf("%s: %w", n.Key, err)
+		}
+
+		if svc.OwnedBy == c.ownerID {
+			return true, nil
+		}
+	}
+	return false, nil
-	return false, nil
+	 svc, err := c.unmarshalService(r.Kvs[0])
+ if err != nil {
+  return false, fmt.Errorf("failed to unmarshal value for key %q: %w", key, err)
+ }
+
+ return svc.OwnedBy == c.ownerID, nil
-	return false, nil
+	 svc, err := c.unmarshalService(r.Kvs[0])
+ if err != nil {
+  return false, fmt.Errorf("failed to unmarshal value for key %q: %w", key, err)
+ }
+
+ return svc.OwnedBy == c.ownerID, nil
+}
+
 // builds etcd client config depending on connection scheme and TLS parameters
 func getETCDConfig() (*etcdcv3.Config, error) {
 	etcdURLsStr := os.Getenv("ETCD_URLS")
@@ -183,7 +246,7 @@ func getETCDConfig() (*etcdcv3.Config, error) {
 }
 
 // the newETCDClient is an etcd client constructor
-func newETCDClient() (coreDNSClient, error) {
+func newETCDClient(ownerID string, strictlyOwned bool) (coreDNSClient, error) {
 	cfg, err := getETCDConfig()
 	if err != nil {
 		return nil, err
@@ -192,12 +255,12 @@ func newETCDClient() (coreDNSClient, error) {
 	if err != nil {
 		return nil, err
 	}
-	return etcdClient{c}, nil
+	return etcdClient{c, ownerID, strictlyOwned}, nil
 }
 
 // NewCoreDNSProvider is a CoreDNS provider constructor
-func NewCoreDNSProvider(domainFilter *endpoint.DomainFilter, prefix string, dryRun bool) (provider.Provider, error) {
-	client, err := newETCDClient()
+func NewCoreDNSProvider(domainFilter *endpoint.DomainFilter, prefix, ownerID string, strictlyOwned, dryRun bool) (provider.Provider, error) {
+	client, err := newETCDClient(ownerID, strictlyOwned)
 	if err != nil {
 		return nil, err
 	}