Pods in this cluster inherit ndots=5. External FQDNs with <5 dots (like api.anthropic.com) are expanded through the search path first, and the 4th suffix `api.anthropic.com.iamworkin.lan` matches CoreDNS' `template IN A iamworkin.lan` wildcard — resolves to Traefik VIP 10.0.56.200. TLS connect lands on Traefik's default cert and the AnthropicClient rejects with RemoteCertificateNameMismatch/RemoteCertificateChainErrors.

Setting ndots=2 makes the resolver try the bare FQDN first (3 dots in api.anthropic.com), so the search path never fires.

Reference: memory feedback_coredns_ndots_template_collision.

Wider follow-up: the CoreDNS template plugin should add fallthrough for external public suffixes, so every FC service calling external HTTPS APIs stops hitting this trap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
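The lookup order described in the commit message, as an added example that is not part of the commit or the project's code: it models glibc-style search-list expansion and a wildcard zone to show which query name gets answered under each ndots value. The namespace `myns`, the first three search suffixes, and the `"upstream"` placeholder answer are assumptions; only `iamworkin.lan` as the 4th suffix and the VIP come from the message.

```python
# Constructed model of a pod's resolv.conf search list. The first three
# suffixes and the namespace name are assumed; the 4th is from the commit.
SEARCH = [
    "myns.svc.cluster.local",
    "svc.cluster.local",
    "cluster.local",
    "iamworkin.lan",
]
WILDCARD_ZONE = "iamworkin.lan"  # zone answered by the CoreDNS template wildcard
TRAEFIK_VIP = "10.0.56.200"


def candidates(name, ndots, search=SEARCH):
    """Query names in the order a glibc-style stub resolver tries them."""
    if name.endswith("."):
        return [name]  # trailing dot marks the name absolute: no search list
    as_is = name + "."
    expanded = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded  # enough dots: try the name itself first
    return expanded + [as_is]      # too few dots: search list goes first


def answer(qname):
    """Constructed stand-in for the cluster DNS; None means NXDOMAIN."""
    bare = qname.rstrip(".")
    if bare == WILDCARD_ZONE or bare.endswith("." + WILDCARD_ZONE):
        return TRAEFIK_VIP  # the wildcard answers any name under the zone
    if bare.endswith("cluster.local"):
        return None         # no such service in the cluster zones
    return "upstream"       # placeholder for the real public answer


def resolve(name, ndots):
    """Return (winning query name, answer) for the first name that resolves."""
    for qname in candidates(name, ndots):
        result = answer(qname)
        if result is not None:
            return qname, result
    return None, None


if __name__ == "__main__":
    for ndots in (5, 2):
        print(ndots, resolve("api.anthropic.com", ndots))
```

Running `candidates()` against a pod's real search list (from its `/etc/resolv.conf`) shows whether any expansion falls under a wildcard zone before the bare name is tried.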