Last Modified: Apr 17, 2024
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
13.1.4.1, 13.1.5, 13.1.5.1, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4
Opened: Jul 15, 2021 Severity: 3-Major
If GTM sync is broken around DNSSEC key rollover time and two devices generate a DNSSEC key independently, the key is still used for generating a DNSSEC signature after DNS config sync resumes.
-- TMM continues using the old key for DNSSEC signatures -- Different key in the running config than what is used for generating DNSSEC signatures. -- Possibly invalid DNSSEC data in DNS caching resolvers.
-- iQuery connection broken between BIG-IP DNS devices during DNSSEC key rollover -- A DNSSEC key is generated independently on the two affected devices -- iQuery connection re-established, config sync resumes, and the DNSSEC key is overwritten on one device
Restart tmm on the affected device: tmsh restart sys service tmm
None