feat(dns): serve forward A/AAAA for overlay instance addresses

[chet]

Overlay (DPU-managed) instances allocate their addresses from a segment's pool into instance_addresses -- addresses that never reach machine_interface_addresses, so the forward DNS views never published them and a tenant could not resolve an overlay instance by name. This serves them: each overlay instance address now answers a forward A/AAAA record, named by its address under the segment's forward zone -- the same IP-derived form the host-naming strategy uses elsewhere.

The name is derived once in Rust by the same address_to_hostname helper machine interfaces use, and stored on instance_addresses; the dns_records view just reads the column, exactly as the shortname view reads machine_interfaces.hostname. One source of truth for the IP-to-name rule, and no hostname logic in SQL.

• Store a Rust-derived hostname on instance_addresses (populated at allocation) and add a dns_records_instance arm to the served view that reads it, joined to the segment's forward zone (network_segments.subdomain_id).
• Skip host_inband segments: those addresses are the host's own and are already published by the shortname view.

New addresses pick up DNS as they are allocated; instance forward DNS had been unserved for over a year, so there is no existing state to retrofit.

Tests added!

This supports #2408

[chet]

@coderabbitai PTAL, thanks!

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 53eddb03-4741-4372-b404-f550f9be407a

📥 Commits

Reviewing files that changed from the base of the PR and between 47b693a and c95a802.

📒 Files selected for processing (4)

• crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql
• crates/api-db/src/dns/resource_record.rs
• crates/api-db/src/host_naming/mod.rs
• crates/api-db/src/instance_address.rs

🚧 Files skipped from review as they are similar to previous changes (4)

• crates/api-db/src/instance_address.rs
• crates/api-db/src/host_naming/mod.rs
• crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql
• crates/api-db/src/dns/resource_record.rs

---

Summary by CodeRabbit

• New Features

  • Overlay-managed instances can now resolve forward DNS records (A/AAAA) using their instance hostnames.
  • Instance addresses now carry DNS-friendly hostnames, enabling direct name lookups from forward zones.

• Bug Fixes

  • Excludes host-in-band addresses from this DNS path to avoid duplicate DNS responses.
  • Improved IPv6 handling so mapped IPv4 addresses resolve consistently.

Walkthrough

Adds a persisted hostname for instance addresses, serves forward DNS records from a new dns_records_instance view, includes that view in dns_records, and updates allocation plus tests to store and verify the new behavior.

Changes

Overlay Instance Forward DNS

Layer / File(s)	Summary
Database schema extension and DNS record views crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql	Adds hostname varchar(63) to instance_addresses, creates dns_records_instance to emit forward records from stored hostnames and zone names while filtering NULL hostnames and host_inband segments, and recreates dns_records with a FULL JOIN that includes instance records.
Hostname derivation and allocation-time persistence crates/api-db/src/host_naming/mod.rs, crates/api-db/src/instance_address.rs	Makes address_to_hostname crate-visible, adds a unit test for IPv4-mapped IPv6 hostname rendering, and updates allocation to compute and bind the derived hostname into instance_addresses.
Integration tests for overlay DNS record serving and exclusion crates/api-db/src/dns/resource_record.rs	Adds SQLx helpers for seeding domains, instances, and addresses, then verifies forward A/AAAA records are served for overlay instance addresses and omitted for host_inband segments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• DNS: reverse (PTR) for overlay instance IPs — extend find_ptr_record to instance_addresses #2776: The change touches the same instance DNS path and adds forward serving for overlay instance addresses, while the related issue concerns the complementary reverse PTR lookup for those addresses.

Possibly related PRs

• NVIDIA/infra-controller#2749: Strong code-level overlap on dns_records_instance and hostname handling; that PR removed the instance forward-DNS path and associated hostname function/tests, while this PR restores and persists the hostname at allocation time.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the DNS change for overlay instance addresses and the new forward A/AAAA serving behavior.
Description check	✅ Passed	The description directly matches the implemented migration, hostname persistence, DNS view changes, and tests.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Get PR details
gh pr view 2786 --repo NVIDIA/infra-controller --json title,body,files,additions,deletions

# Get the diff
gh pr diff 2786 --repo NVIDIA/infra-controller

Length of output: 13488

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Look for existing dns_records view migrations to check resource_record types
fd '\.sql$' crates/api-db/migrations --exec grep -l 'dns_records' {} \; | sort

# Check dns_records_shortname and related view definitions
rg -n 'resource_record' crates/api-db/migrations/ -A2 -B2 | head -120

Length of output: 1325

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read the most recent dns_records view migrations before this PR
cat -n crates/api-db/migrations/20260622072105_remove_unused_instance_dns_view.sql
echo "---"
cat -n crates/api-db/migrations/20260607120000_ipv6_dns_hostname_normalization.sql
echo "---"
cat -n crates/api-db/migrations/20260218000000_ipv6_dns_aaaa_support.sql | head -120
echo "---"
# Check the dns_records view definition for resource_record types in the combined views
grep -n 'resource_record' crates/api-db/migrations/20260607120000_ipv6_dns_hostname_normalization.sql
grep -n 'resource_record' crates/api-db/migrations/20260512120000_link_bmc_machine_interfaces.sql
grep -n 'resource_record' crates/api-db/migrations/20250113220120_dns_record_views_update.sql
grep -n 'resource_record' crates/api-db/migrations/20260218000000_ipv6_dns_aaaa_support.sql

Length of output: 12926

---

---

@chet: This is a clean, well-motivated change. The implementation is consistent with the established migration patterns, the resource_record column type is inet across all arms (confirmed from prior migrations), and the DROP VIEW IF EXISTS pattern is pre-existing. Two items worth addressing:

---

1. Untested embedded-IPv4 branch in nico_inet_to_dns_hostname (migration Line 40–51)

The IPv4-mapped IPv6 path (e.g., ::ffff:192.168.1.1) contains the most complex logic in the function — a multi-step hex conversion with to_hex(octet_pair_1) || ':' || to_hex(octet_pair_2) — but the contract test nico_inet_to_dns_hostname_matches_host_naming_contract covers only three vectors (192.168.1.0, 2001:db8:abcd::2, ::1). None exercise this branch. Given that the function's stated purpose is to match the Rust address_to_hostname contract, this is the most important gap to close before the function encounters production traffic.

Suggested addition to the test vectors in resource_record.rs:

(
    "::ffff:192.168.1.1",
    "0000-0000-0000-0000-0000-ffff-c0a8-0101",
),

Verify against the Rust address_to_hostname helper's own output for ::ffff:192.168.1.1 to confirm the SQL and Rust sides agree.

---

2. NULL::integer AS ttl is undocumented (migration Line 97)

All other arms derive TTL via LEFT JOIN dns_record_metadata meta ON meta.id = mi.id. The new arm hard-codes NULL::integer AS ttl. This is correct — instance_addresses rows have no corresponding dns_record_metadata entry — but a brief inline comment would clarify the intent and prevent a future author from "fixing" it by adding an unnecessary metadata join:

NULL::integer AS ttl,  -- instance_addresses have no dns_record_metadata rows

---

Everything else looks well-constructed: the FULL JOIN type compatibility is confirmed (resource_record is consistently inet across all arms), the function body is identical to its prior incarnation in 20260607120000_ipv6_dns_hostname_normalization.sql, the host_inband guard is correct, and the test structure is solid.

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	264	6	24	98	6	130
machine-validation-runner	712	32	184	267	35	194
machine_validation	712	32	184	267	35	194
nvmetal-carbide	712	32	184	267	35	194
TOTAL	2406	102	576	905	111	712

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

[ianderson-nvidia]

Overlay (DPU-managed) instances allocate their addresses from a segment's pool into instance_addresses -- addresses that never reach machine_interface_addresses, so the forward DNS views never published them and a tenant could not resolve an overlay instance by name. This serves them: each overlay instance address now answers a forward A/AAAA record, named by its address under the segment's forward zone -- the same IP-derived form the host-naming strategy uses elsewhere.

When you say "Overlay (DPU-managed)," are you referring to instances that are allocated on a machine with a DPU?

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql (1)

27-27: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Document the intentional NULL TTL in the instance DNS arm.

Line 27 sets ttl to NULL intentionally; add a short inline comment so future edits do not add an unnecessary metadata join.

Suggested patch

-    NULL::integer AS ttl,
+    NULL::integer AS ttl, -- falls back to default TTL via find_record COALESCE(ttl, 300)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql`
at line 27, The NULL::integer AS ttl assignment on line 27 of the
serve_overlay_instance_forward_dns migration is intentionally set to NULL but
lacks documentation. Add an inline SQL comment (using -- syntax) immediately
before or after the NULL::integer AS ttl expression to explain that the NULL
value is intentional and document why metadata joins should not be added for
this field in future edits. This prevents future developers from misinterpreting
the NULL as an oversight that needs correction.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/api-db/src/dns/resource_record.rs`:
- Around line 268-325: The test overlay_instance_addresses_are_served_forward
currently validates native IPv4 and IPv6 addresses but omits IPv4-mapped IPv6
addresses. Add a third call to add_address with an IPv4-mapped IPv6 address
(such as ::ffff:192.168.1.1) paired with an appropriate subnet before the
backfill_missing_hostnames calls, update the assertion expecting 2 filled
addresses to expect 3 instead, and then add corresponding validation logic after
the IPv6 check that calls find_record with the appropriate hostname for the
mapped address and verifies it returns one AAAA record with the correct q_type
and parsed address matching the IPv4-mapped IPv6 address.

---

Nitpick comments:
In
`@crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql`:
- Line 27: The NULL::integer AS ttl assignment on line 27 of the
serve_overlay_instance_forward_dns migration is intentionally set to NULL but
lacks documentation. Add an inline SQL comment (using -- syntax) immediately
before or after the NULL::integer AS ttl expression to explain that the NULL
value is intentional and document why metadata joins should not be added for
this field in future edits. This prevents future developers from misinterpreting
the NULL as an oversight that needs correction.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c7a156e-150b-4dfe-bf96-53a7b6d0ba77

📥 Commits

Reviewing files that changed from the base of the PR and between dfbad97 and 3cac0aa.

📒 Files selected for processing (6)

• crates/api-core/src/db_init.rs
• crates/api-core/src/setup.rs
• crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql
• crates/api-db/src/dns/resource_record.rs
• crates/api-db/src/host_naming/mod.rs
• crates/api-db/src/instance_address.rs

✅ Files skipped from review due to trivial changes (1)

• crates/api-db/src/host_naming/mod.rs

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chet]

@coderabbitai Not sure why you didn't re-review? I did push up changes?

[coderabbitai]

@chet: My apologies for the confusion. I operate as an incremental system — @coderabbitai review only processes commits that have not yet been reviewed in a given session. If the system has already marked those commits as seen (or automatic reviews are paused), subsequent invocations become a no-op.

I will trigger a full re-review of the PR now to ensure all newly pushed changes are captured.

(ᵔ◡ᵔ)🐇

✅ Action performed

Full review finished.

[chet]

@coderabbitai Got it, thank you! So if I squash + force-push, it won't trigger you to re-run, and I'd need to be more obvious thank "PTAL" or "review"? Like I should say something like "@coderabbitai Addressed/made some changes and pushed them back up. Can you PTAL again? Thank you!" -- would that work?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@chet: Good question — here is the precise behavior:

Squash + force-push and automatic reviews: A force-push replaces the branch's commit SHAs. If automatic reviews are enabled for the repo, CodeRabbit should fire automatically on the new push event (since the SHAs are new). If automatic reviews are paused, the push is silently ignored.

@coderabbitai review vs. @coderabbitai full_review: After a squash + force-push, @coderabbitai review processes commits that have not been reviewed yet — the rewritten SHAs should qualify. However, the safest and most unambiguous command after a squash is:

`@coderabbitai` full_review

This forces a complete re-review of all current changes regardless of the internal tracking state, which is the correct hammer for rewritten history.

Natural language like "PTAL" or your proposed phrasing: That will not reliably trigger a review. CodeRabbit parses explicit @coderabbitai <command> invocations, not free-form prose. Your proposed message would work only if you append the explicit command, e.g.:

"Addressed the feedback and squash-pushed. @coderabbitai full_review please."

That combination — explicit command + natural language context — is the most reliable pattern after history rewrites.

(ᵔ◡ᵔ)🐇

[coderabbitai]

🧹 Nitpick comments (2)

crates/api-db/src/host_naming/mod.rs (1)

413-424: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add a mapped-IPv6 hostname test to lock the contract.

address_to_hostname now feeds persisted DNS labels across modules; please add a case for ::ffff:192.168.1.1 to prevent drift in this edge-path format.

Suggested test addition

@@
     fn address_to_hostname_v6_is_fully_expanded() {
         let address: IpAddr = "2001:db8:abcd::2".parse().unwrap();
         assert_eq!(
             "2001-0db8-abcd-0000-0000-0000-0000-0002",
             address_to_hostname(&address).unwrap()
         );
     }
+
+    #[test]
+    fn address_to_hostname_v4_mapped_ipv6_is_stable() {
+        let address: IpAddr = "::ffff:192.168.1.1".parse().unwrap();
+        assert_eq!(
+            "0000-0000-0000-0000-0000-ffff-c0a8-0101",
+            address_to_hostname(&address).unwrap()
+        );
+    }

As per coding guidelines, “Prefer table-driven tests … for test coverage in Rust,” and as per path instructions, “Prefer findings about behavior … and missing tests over style-only comments.”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/api-db/src/host_naming/mod.rs` around lines 413 - 424, Add a
table-driven test for the address_to_hostname function to lock down the contract
for the IPv6-mapped IPv4 address edge case. Create test cases that verify the
behavior for both standard IPv4 and IPv6 addresses, and specifically include a
test case for the mapped-IPv6 format (::ffff:192.168.1.1) to prevent behavioral
drift. Since address_to_hostname now feeds persisted DNS labels across modules,
this test will ensure the hostname transformation remains consistent as the code
evolves.

Sources: Coding guidelines, Path instructions

crates/api-db/src/dns/resource_record.rs (1)

274-320: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Prefer table-driven assertions for the address-family matrix.

This block repeats the same operation/assertion pattern for multiple address inputs. Refactoring to value_scenarios! (or check_values) will make future coverage expansion cheaper and less error-prone.

As per coding guidelines, "Prefer table-driven tests using the carbide-test-support crate with scenarios!/value_scenarios! and check_cases/check_values."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/api-db/src/dns/resource_record.rs` around lines 274 - 320, The test
function overlay_instance_addresses_are_served_forward repeats the same
assertion pattern twice for IPv4 and IPv6 addresses. Refactor this test to use
table-driven assertions with value_scenarios! or check_values from the
carbide-test-support crate. Define a test case table that includes the address,
expected DNS name, expected record type (A or AAAA), and the parsed address
value, then iterate through these scenarios using the appropriate macro instead
of duplicating the add_address and find_record/assertion blocks for each address
family. This will make the test more maintainable and easier to extend with
additional address test cases.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@crates/api-db/src/dns/resource_record.rs`:
- Around line 274-320: The test function
overlay_instance_addresses_are_served_forward repeats the same assertion pattern
twice for IPv4 and IPv6 addresses. Refactor this test to use table-driven
assertions with value_scenarios! or check_values from the carbide-test-support
crate. Define a test case table that includes the address, expected DNS name,
expected record type (A or AAAA), and the parsed address value, then iterate
through these scenarios using the appropriate macro instead of duplicating the
add_address and find_record/assertion blocks for each address family. This will
make the test more maintainable and easier to extend with additional address
test cases.

In `@crates/api-db/src/host_naming/mod.rs`:
- Around line 413-424: Add a table-driven test for the address_to_hostname
function to lock down the contract for the IPv6-mapped IPv4 address edge case.
Create test cases that verify the behavior for both standard IPv4 and IPv6
addresses, and specifically include a test case for the mapped-IPv6 format
(::ffff:192.168.1.1) to prevent behavioral drift. Since address_to_hostname now
feeds persisted DNS labels across modules, this test will ensure the hostname
transformation remains consistent as the code evolves.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 90542313-7d21-4d40-bcd8-50b9b305f207

📥 Commits

Reviewing files that changed from the base of the PR and between 89c0b75 and cc822c3.

📒 Files selected for processing (4)

• crates/api-db/migrations/20260623054901_serve_overlay_instance_forward_dns.sql
• crates/api-db/src/dns/resource_record.rs
• crates/api-db/src/host_naming/mod.rs
• crates/api-db/src/instance_address.rs

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pull-request-2786.docs.buildwithfern.com/infra-controller

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chet]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.