From e51c9025acdc6948d08797b28948e5014b6f1162 Mon Sep 17 00:00:00 2001 From: Blake Date: Wed, 13 Feb 2019 13:23:53 -0800 Subject: [PATCH 1/2] Lowers the default nodelocaldns denial cache TTL Similar to `--no-negcache` on dnsmasq, this prevents issues which poll DNS for orchestration such as operators with StatefulSets. It can also be very confusing for users when negative caching results in a change they just made seeming to be broken until the cache expires. This assumes that 5 seconds is reasonable and will still catch repeated AAAA negative responses. We could also set the denial cache size to zero which should effectively fully disable it like dnsmasq in kube-dns but testing shows this approach seems to work well in our (albeit small) test clusters. --- cluster/addons/dns/nodelocaldns/README.md | 4 ++++ cluster/addons/dns/nodelocaldns/nodelocaldns.yaml | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/cluster/addons/dns/nodelocaldns/README.md b/cluster/addons/dns/nodelocaldns/README.md index fc84f78378..ff847b4ff9 100644 --- a/cluster/addons/dns/nodelocaldns/README.md +++ b/cluster/addons/dns/nodelocaldns/README.md @@ -35,3 +35,7 @@ spec: - Ingress - Egress ``` + +### Negative caching + +The `denial` cache TTL has been reduced to the minimum of 5 seconds [here](https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml#L37). In the unlikely event that this impacts performance, setting this TTL to a higher value make help alleviate issues, but be aware that operations that rely on DNS polling for orchestration may fail (for example operators with StatefulSets). diff --git a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml index 4b9bebeaac..d532443b62 100644 --- a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml +++ b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml 
@@ -34,7 +34,10 @@ data: Corefile: | __PILLAR__DNS__DOMAIN__:53 { errors - cache 30 + cache { + success 10000 30 + denial 10000 5 + } reload loop bind __PILLAR__LOCAL__DNS__ From 46c299c1b107a0cb307003d0b3de2aecf196917c Mon Sep 17 00:00:00 2001 From: Blake Date: Thu, 21 Feb 2019 15:03:30 -0800 Subject: [PATCH 2/2] Match default cache size of 10000 https://github.com/coredns/coredns/blob/master/plugin/cache/cache.go#L236 This gets rounded down to the nearest multiple of 256: 9984 --- cluster/addons/dns/nodelocaldns/nodelocaldns.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml index d532443b62..1ddd9b4e03 100644 --- a/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml +++ b/cluster/addons/dns/nodelocaldns/nodelocaldns.yaml @@ -35,8 +35,8 @@ data: __PILLAR__DNS__DOMAIN__:53 { errors cache { - success 10000 30 - denial 10000 5 + success 9984 30 + denial 9984 5 } reload loop
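Review bot: in the README hunk of patch 1/2, the `#L37` anchor points at the `cache {` line of the new Corefile, not at the `denial` entry (per the yaml hunk header `@@ -34,7 +34,10 @@`, `denial 10000 5` lands on line 39), and because the URL targets `master` the line number will drift with any later edit of the file. Either pin the link to a commit SHA or drop the line anchor and name the `denial` directive in the text instead. Two wording points in the same added paragraph: "setting this TTL to a higher value make help alleviate issues" should read "may help", and the README calls 5 seconds "the minimum" while the commit message only says 5 seconds is "assumed reasonable"; either cite where CoreDNS enforces that lower bound or drop "minimum".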
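Review bot: in the nodelocaldns.yaml hunk of patch 1/2, the rationale for `denial 10000 5` (avoiding negative-cache stalls for orchestration that polls DNS, such as operators with StatefulSets) exists only in the commit message and the README, so an operator editing the addon manifest sees an unexplained 5 next to the 30 that was previously the single `cache 30` TTL. A `#` comment inside the Corefile block scalar keeps the reason next to the value, e.g. `# short negative TTL: DNS-polling orchestration (StatefulSet operators) must not wait on stale NXDOMAIN` above the `denial` line. It would also help to record in the PR what "testing shows this approach seems to work well" measured, since the change trades a lower negative-cache hit rate for freshness on every node.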
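Review bot: in the patch 2/2 hunk, `success 9984 30` and `denial 9984 5` hardcode the output of CoreDNS's round-down-to-a-multiple-of-256 step that the commit message describes, which reads as a magic number in the manifest and silently diverges if that rounding or the 10000 default ever changes upstream. Add a Corefile comment such as `# 9984 = CoreDNS default cache capacity 10000 rounded down to a multiple of 256` so the value is self-explanatory, and consider whether leaving `10000` in place (letting CoreDNS do the rounding) plus that comment is clearer than pre-rounding by hand.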