Traefik v3 IngressRoute not working in AWS R53

[stefan-korchahin]

Hi, I'm getting all the time such error when creating IngressRoute:

time="2025-12-11T14:50:06Z" level=info msg="Applying provider record filter for domains: [loc. .loc. svc.loc. .svc.loc.]"
time="2025-12-11T14:50:07Z" level=info msg="Desired change: CREATE cname-whoami.loc TXT [Id: /hostedzone/112223334444]"
time="2025-12-11T14:50:07Z" level=info msg="Desired change: CREATE whoami.loc CNAME [Id: /hostedzone/112223334444]"
time="2025-12-11T14:50:07Z" level=info msg="Desired change: CREATE whoami.loc TXT [Id: /hostedzone/112223334444]"
time="2025-12-11T14:50:07Z" level=error msg="Failure in zone loc. [Id: /hostedzone/112223334444] when submitting change batch: InvalidChangeBatch: [RRSet of type CNAME with DNS name whoami.loc. is not permitted as it creates a CNAME loop in the zone.]\n\tstatus code: 400, request id: e15606e2-be3b-4feb-b931-c6a01e404fd6"
time="2025-12-11T14:50:08Z" level=error msg="Failed to do run once: soft error\nfailed to submit all changes for the following zones

Advises which I found in issues not helped, especially to set txt prefix, futhermore traefik for Ingress source working normally it is something exactly with IngressRoute

Records for such domain are absent!

I'm using external-dns version: v0.14.2

My IngressRoute:

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  annotations:
    kubernetes.io/ingress.class: traefik-internal
    external-dns.alpha.kubernetes.io/target: whoami.loc
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.loc`)
      kind: Rule
      services:
        - name: whoami
          port: 80
      middlewares:
        - name: custom-headers
          namespace: default

My helm values:

          values: |
            domainFilters: ["loc"]
            env:
            - name: AWS_SHARED_CREDENTIALS_FILE
              value: /.aws/credentials
            extraVolumeMounts:
            - name: aws-credentials
              mountPath: /.aws
            extraVolumes:
            - name: aws-credentials
              secret:
                secretName: external-dns
            provider: aws
            interval: "10s"
            txtOwnerId: "devops"
            extraArgs:
              - "--traefik-disable-legacy"
            sources:
              - service
              - ingress
              - traefik-proxy

[ivankatliarchuk]

I'm using external-dns version: v0.14.2

Current version is 0.20. Make sure to test using latest version first.

Does not looks like a bug to me. The error message is clear.

RRSet of type CNAME with DNS name whoami.loc. is not permitted as it creates a CNAME loop in the zone.

Unless missing something here, this looks like contstraints on the infrastructure layer

[stefan-korchahin]

I'm using external-dns version: v0.14.2

Current version is 0.20. Make sure to test using latest version first.

Does not looks like a bug to me. The error message is clear.

RRSet of type CNAME with DNS name whoami.loc. is not permitted as it creates a CNAME loop in the zone.

Unless missing something here, this looks like contstraints on the infrastructure layer

Okay, I updated now till 1.19.0
Can't understand what exactly is missconfiguring.

    spec:
      project: default
      source:
        chart: external-dns
        repoURL: https://kubernetes-sigs.github.io/external-dns/
        targetRevision: 1.19.0
        helm:
          values: |
            domainFilters: ["loc"]
            env:
            - name: AWS_SHARED_CREDENTIALS_FILE
              value: /.aws/credentials
            - name: AWS_DEFAULT_REGION
              value: "eu-west-3"
            extraVolumeMounts:
            - name: aws-credentials
              mountPath: /.aws
            extraVolumes:
            - name: aws-credentials
              secret:
                secretName: external-dns
            provider: aws
            interval: "10s"
            txtOwnerId: "devops"
            extraArgs:
              - "--exclude-record-types=AAAA"
            sources:
              - service
              - ingress
              - traefik-proxy

time="2025-12-12T13:15:56Z" level=info msg="Domain whoami.loc. contains conflicting record type candidates; discarding CNAME record"

[stefan-korchahin]

When trying with Ingress it's simply creates A alias record at all and it's working, by the way, why without TXT records?

time="2025-12-12T13:19:51Z" level=info msg="Desired change: CREATE whoami.loc A" profile=default zoneID=/hostedzone/Z101849311FUIK2Q5S5EG zoneName=loc.
time="2025-12-12T13:19:51Z" level=info msg="1 record(s) were successfully updated" profile=default zoneID=/hostedzone/Z101849311FUIK2Q5S5EG zoneName=loc.

when after that creating IngressRoute, then deleting previous record, getting this:

time="2025-12-12T13:22:11Z" level=info msg="Applying provider record filter for domains: [loc. .loc. svc.loc. .svc.loc.]"
time="2025-12-12T13:22:11Z" level=info msg="Desired change: CREATE cname-whoami.loc TXT" profile=default zoneID=/hostedzone/Z101849311FUIK2Q5S5EG zoneName=loc.
time="2025-12-12T13:22:11Z" level=info msg="Desired change: CREATE whoami.loc CNAME" profile=default zoneID=/hostedzone/Z101849311FUIK2Q5S5EG zoneName=loc.
time="2025-12-12T13:22:11Z" level=error msg="Failure in zone loc. when submitting change batch: operation error Route 53: ChangeResourceRecordSets, https response error StatusCode: 400, RequestID: 9bf8f691-4004-4e26-baa8-4444687bb153, InvalidChangeBatch: [RRSet of type CNAME with DNS name whoami.loc. is not permitted as it creates a CNAME loop in the zone.]" profile=default zoneID=/hostedzone/Z101849311FUIK2Q5S5EG zoneName=loc.
time="2025-12-12T13:22:12Z" level=error msg="Failed to do run once: soft error\nfailed to submit all changes for the following zones: [/hostedzone/Z101849311FUIK2Q5S5EG] (consecutive soft errors: 4)"

[ivankatliarchuk]

In regards an error for CNAME, it's clear. What yout trying to achieve is not possible technically.

In error message there is an explanation

Failure in zone loc. when submitting change batch.....

There is a problem...
The target of the CNAME equals the record’s own FQDN. Which is not suppose to work

Example bad config:

whoami.loc. 300 IN CNAME whoami.loc.

This is the simplest loop — and DNS providers reject it immediately.

Or it could be a hidden chain loop.
Example

whoami.loc.        CNAME A.loc.
A.loc.             CNAME B.loc.
B.loc.             CNAME whoami.loc.

Even though whoami.loc. does not directly reference itself, during validation the provider detects a circular reference → loop → record rejected.

External-DNS usually shows this error because the provider API rejects the update.

It could be as well an A/AAAA record for the same name. And a CNAME cannot coexist with any other record at that same name.

whoami.loc. 300 IN A 1.2.3.4

I'm not sure which one of the hypotesis is not correct, but the issue is in your infrastructure setup.

[ivankatliarchuk]

The issue with TXT record not created for apex record, is described here #5924.

Historically, external-dns is not able to reliably manage apex domains with certain providers/registries.

[ivankatliarchuk]

The issue with TXT record not created for apex record, is described here #5924.

Historically, external-dns is not able to reliably manage apex domains/records with certain providers/registries.

[stefan-korchahin]

In regards an error for CNAME, it's clear. What yout trying to achieve is not possible technically.

In error message there is an explanation

Failure in zone loc. when submitting change batch.....

There is a problem... The target of the CNAME equals the record’s own FQDN. Which is not suppose to work

Example bad config:

whoami.loc. 300 IN CNAME whoami.loc.

This is the simplest loop — and DNS providers reject it immediately.

Or it could be a hidden chain loop. Example

whoami.loc.        CNAME A.loc.
A.loc.             CNAME B.loc.
B.loc.             CNAME whoami.loc.

Even though whoami.loc. does not directly reference itself, during validation the provider detects a circular reference → loop → record rejected.

External-DNS usually shows this error because the provider API rejects the update.

It could be as well an A/AAAA record for the same name. And a CNAME cannot coexist with any other record at that same name.

whoami.loc. 300 IN A 1.2.3.4

I'm not sure which one of the hypotesis is not correct, but the issue is in your infrastructure setup.

one more time, for Ingress resource for .loc domain works auto creation of record, why it totally not working for IngressRoute of Traefik?

[u-kai]

Hi @stefan-korchahin

If you use AWS Load Balancer Controller, an ALB or NLB is provisioned for Ingress.

Because of that, External-DNS can detect the AWS Load Balancer DNS name and treat it as an Alias target, resulting in an A (ALIAS) record instead of a CNAME.

In this setup:

• A CNAME is not involved, so CNAME-related DNS restrictions do not apply
• If the record is an apex record, TXT records may not be created due to External-DNS limitations unless txt-prefix is configured (for example, %{record_type}.)

In this working Ingress case, is external-dns.alpha.kubernetes.io/target explicitly set, or is the ALB/NLB DNS name used automatically by External-DNS?

Your IngressRoute set external-dns.alpha.kubernetes.io/target: whoami.loc annotation.

As a result, External-DNS attempts to create a CNAME record pointing to whoami.loc.

This leads to an invalid DNS configuration:

• A CNAME cannot point to the same FQDN
• A CNAME cannot coexist with other record types at the same name
• Apex records cannot be CNAMEs in Route53