Last Modified: Sep 23, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6
Fixed In:
17.5.0, 17.1.1, 16.1.5
Opened: Jun 21, 2023
Severity: 4-Minor
DNS response is not signed for DNSSEC zone for DNSSEC request.
DNS response is not signed.
1. A DNSSEC zone exists.
2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0.
3. A query hits that wideIP and does not get a pool member selected.
SOA Negative Caching TTL set to a number larger than 0.
DNSSEC response is signed when failure-rcode-response is enabled, and relevant records are returned.
SOA records are included in the DNS response even for queries with a negative TTL (failure-rcode-response) from a WideIP that has no pools attached. Additionally:
1. NSEC3 and RRSIG records are correctly generated and signed for DNSSEC validation.
2. DNS validating clients no longer reject the response; the query completes successfully with DNSSEC validation.
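One way to confirm the fixed behavior on a captured response is to check that the authority section carries SOA and NSEC3 records, each covered by an RRSIG. This is an added example, not F5 code; the function names are hypothetical, the sample messages are constructed with placeholder signature and hash bytes, and it assumes the response was captured for a query sent with the DNSSEC OK bit set.

```python
import struct

SOA, RRSIG, NSEC3 = 6, 46, 50  # DNS RR type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)  # pointer is 2 bytes, root label is 1

def authority_rrs(msg):
    """Return [(type, rdata)] for the authority section of a DNS message."""
    _id, _flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    rrs = []
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if i >= an:  # records after the answer section belong to authority
            rrs.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrs

def negative_answer_is_signed(msg):
    """True if authority has SOA and NSEC3, each covered by an RRSIG."""
    rrs = authority_rrs(msg)
    present = {t for t, _ in rrs}
    # RRSIG RDATA starts with the 16-bit "type covered" field
    covered = {struct.unpack_from("!H", rd)[0] for t, rd in rrs if t == RRSIG}
    return {SOA, NSEC3} <= present and {SOA, NSEC3} <= covered

# --- constructed sample messages (placeholder names, signatures, hashes) ---
def name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0"
def rr(owner, rtype, rdata):
    return name(owner) + struct.pack("!HHIH", rtype, 1, 0, len(rdata)) + rdata
def sig(covered):  # fixed RRSIG header, signer name, zeroed signature
    return struct.pack("!HBBIIIH", covered, 13, 2, 0, 0, 0, 0) + name("example.com") + bytes(64)
def response(auth):
    q = name("www.example.com") + struct.pack("!HH", 1, 1)
    return struct.pack("!6H", 0x1234, 0x8400, 1, 0, len(auth), 0) + q + b"".join(auth)

soa = rr("example.com", SOA, name("ns.example.com") + name("admin.example.com")
         + struct.pack("!5I", 1, 3600, 600, 86400, 0))
nsec3 = rr("hash.example.com", NSEC3, bytes([1, 0, 0, 0, 0, 20]) + bytes(20))
UNSIGNED = response([])  # no authority records at all
SIGNED = response([soa, rr("example.com", RRSIG, sig(SOA)),
                   nsec3, rr("hash.example.com", RRSIG, sig(NSEC3))])
```

The check only confirms that the records are present; it does not verify the signatures cryptographically.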