Description
What happened:
I deployed an application and exposed it using Gateway + HTTPRoute resources.
I added the external-dns.alpha.kubernetes.io/cloudflare-proxied annotation to the HTTP route as I need the DNS record to be proxied by Cloudflare.
Unfortunately, the Gateway status reports the private IP address instead of the public one, so External DNS attempts to create the DNS record with the incorrect IP address, and this is rejected by Cloudflare, as expected. However, this is seen as a fatal error by External DNS and makes it crash in a loop.
What you expected to happen:
I would expect External DNS to report the error and ignore the resource until the next reconciliation loop. I think this could be considered a soft error, as this shouldn't prevent External DNS from processing other cluster resources.
How to reproduce it (as minimally and precisely as possible):
Here are the manifests I'm using.
Gateway:
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    cert-manager.io/cluster-issuer: google-trust-services
  name: some-gateway
  namespace: some-namespace
spec:
  gatewayClassName: public
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    hostname: application-a.example.com
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: application-a-example-com-tls
      mode: Terminate

HTTPRoute:
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: application-a
  namespace: some-namespace
  annotations:
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
spec:
  hostnames:
  - application-a.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: some-gateway
    namespace: some-namespace
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: application-a-server-a
      weight: 100

The IP address reported in the Gateway status:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: some-gateway
  namespace: some-namespace
<..snip..>
status:
  addresses:
  - type: IPAddress
    value: 192.168.1.128

Environment:
- External-DNS version (use external-dns --version): v0.19.0
- DNS provider: Cloudflare

Logs:
{
"action": "CREATE",
"level": "info",
"msg": "Changing record.",
"record": "application-a.example.com",
"time": "2025-11-13T14:36:55Z",
"ttl": 1,
"type": "A",
"zone": "abcdefghijklmnopqrstuvwxyz"
}
{
"action": "CREATE",
"level": "error",
"msg": "failed to create record: POST \"https://api.cloudflare.com/client/v4/zones/abcdefghijklmnopqrstuvwxyz/dns_records\": 400 Bad Request {\"result\":null,\"success\":false,\"errors\":[{\"code\":9003,\"message\":\"Target 192.168.1.128 is not allowed for a proxied record.\"}],\"messages\":[]}",
"record": "application-a.example.com",
"time": "2025-11-13T14:36:57Z",
"ttl": 1,
"type": "A",
"zone": "abcdefghijklmnopqrstuvwxyz"
}
{
"level": "fatal",
"msg": "Failed to do run once: failed to submit all changes for the following zones: [\"abcdefghijklmnopqrstuvwxyz\"]",
"time": "2025-11-13T14:37:00Z"
}
Happy to provide some more information as needed.
Thanks!
Frederic
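The failure mode above (a proxied Cloudflare record pointing at a non-public address, rejected by the API and then escalated to a fatal error) can be turned into a soft error by validating targets before they are submitted. The following is an added illustration in Go and is not external-dns code; the `Endpoint` type, `isPubliclyRoutable` and `PreflightProxied` are hypothetical names for this example, and the sample endpoints are constructed to mirror the issue. The check goes a little beyond the reported case: it also treats loopback, link-local, multicast and unspecified addresses as unsubmittable for a proxied record, since Cloudflare's edge cannot reach those either.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Endpoint is a minimal stand-in for the record a controller would submit
// to the DNS provider. It is an illustrative type for this example, not
// external-dns's own endpoint type.
type Endpoint struct {
	DNSName string
	Type    string   // "A" or "AAAA"
	Targets []string // IP addresses taken from the Gateway status
	Proxied bool     // value of the cloudflare-proxied annotation
}

// isPubliclyRoutable reports whether addr is something a CDN edge could
// plausibly connect to. The log above shows Cloudflare rejecting the
// private 192.168.1.128 (error 9003); loopback, link-local, multicast and
// unspecified addresses are excluded here for the same reason.
func isPubliclyRoutable(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d like its IPv4 form
	switch {
	case addr.IsPrivate(), addr.IsLoopback(), addr.IsLinkLocalUnicast(),
		addr.IsLinkLocalMulticast(), addr.IsMulticast(), addr.IsUnspecified():
		return false
	}
	return true
}

// PreflightProxied splits endpoints into those safe to submit and a list of
// human-readable reasons for targets that were dropped. Unparseable or
// non-public targets on a proxied record are a soft error: they are reported
// and skipped so the remaining records are still reconciled instead of the
// whole run being aborted.
func PreflightProxied(eps []Endpoint) (ok []Endpoint, skipped []string) {
	for _, ep := range eps {
		if !ep.Proxied {
			ok = append(ok, ep) // unproxied records may point anywhere
			continue
		}
		var good []string
		for _, t := range ep.Targets {
			addr, err := netip.ParseAddr(t)
			if err != nil || !isPubliclyRoutable(addr) {
				skipped = append(skipped,
					fmt.Sprintf("%s -> %s: not allowed for a proxied record", ep.DNSName, t))
				continue
			}
			good = append(good, t)
		}
		if len(good) == 0 {
			continue // nothing left for this record; leave it for the next loop
		}
		ep.Targets = good
		ok = append(ok, ep)
	}
	return ok, skipped
}

func main() {
	// Constructed sample input mirroring the issue: a proxied route whose
	// Gateway status carries a private address, plus two unrelated records.
	eps := []Endpoint{
		{DNSName: "application-a.example.com", Type: "A", Targets: []string{"192.168.1.128"}, Proxied: true},
		{DNSName: "application-b.example.com", Type: "A", Targets: []string{"203.0.113.10"}, Proxied: true},
		{DNSName: "internal.example.com", Type: "A", Targets: []string{"10.0.0.5"}, Proxied: false},
	}
	ok, skipped := PreflightProxied(eps)
	for _, s := range skipped {
		fmt.Println("warning: skipping", s)
	}
	for _, ep := range ok {
		fmt.Printf("submit %s %s -> %v (proxied=%v)\n", ep.Type, ep.DNSName, ep.Targets, ep.Proxied)
	}
}
```

Run with `go run main.go`: the application-a record is reported and dropped, while application-b and the unproxied internal record still go through, which is the behaviour the issue asks for.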