Bug ID 1671545: BIND no longer follows CNAME to populate A records in the reply

Last Modified: Dec 18, 2024

Affected Product(s):
BIG-IP DNS, GTM (all modules)

Known Affected Versions:
15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2

Opened: Sep 17, 2024

Severity: 3-Major

Symptoms

When answering authoritative queries, the named process (also known as 'bind') does not return the target records (for example, 'A' records) of a cross-zone CNAME between two locally served zones. For example, suppose BIG-IP is configured with a wideip such as www.gslb.example.org, and a DNS query for 'A' records for www.example.org is sent to it. That query falls through to, and is handled by, bind, which responds with a CNAME to www.gslb.example.org. Previously, bind would also include the related A records that the CNAME pointed to. When those 'A' records pass back through BIG-IP DNS, they are rewritten to match the wideip's pool state, so the result passed to the client is the same as if the wideip itself had been queried. A code fix for security improvements in bind version 9.12 and later alters this behaviour so that the 'A' records are no longer populated into the reply, which means the rewrite logic in BIG-IP does not take place and the CNAME alone is passed back to the DNS client.

Impact

Incomplete DNS resolution.

Conditions

DNS query resolution of CNAME records via BIND.

Workaround

Instead of using bind to resolve the CNAME, configure BIG-IP to do it.

Option 1: Configure the wideip with an alias that it will also respond to. This returns a response (for example, an A record) to the client as if the client had queried the gslb record.

    tmsh modify gtm wideip a www.gslb.example.org aliases add { www.example.org }

Option 2: Create a wideip for the 'www.example.org' record that points to a CNAME pool containing the www.gslb.example.org record, and disable minimal-responses. This method is more complicated but also more flexible; for example, it can be used as a fallback if other 'A' record pools associated with the wideip are unavailable. This method causes BIG-IP to return both the CNAME and the A record in the DNS reply.

    tmsh create gtm wideip a www.gslb.example.org pools add { gtmpool }
    tmsh create gtm pool cname CNAME_www.example.org members add { www.gslb.example.org }
    tmsh create gtm wideip a www.example.org pools-cname add { CNAME_www.example.org } minimal-response disabled
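To confirm which behaviour a resolver path shows before and after applying one of these workarounds, the following added example (not F5's code and not part of this bug record) follows the CNAME chain inside the ANSWER section of a dig reply and reports whether the terminal A records are present or whether the reply carries the CNAME alone. The reply text and addresses are constructed samples; the record-line format is assumed to be dig's presentation format, and the names match the scenario above.

```python
"""Follow a CNAME chain inside a DNS reply (added example, not F5 code).

Input: ANSWER section of a dig reply, "owner ttl IN type rdata" per line."""
import re

_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")  # owner ttl class type rdata

def _fqdn(name):
    """Normalise a name to lower-case with one trailing dot."""
    return name.lower().rstrip(".") + "."

def parse_answer(text):
    """Return (owner, type, rdata) tuples for each record line in text."""
    records = []
    for line in text.strip().splitlines():
        m = _RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records.append((_fqdn(owner), rtype.upper(), rdata.strip()))
    return records

def resolve_chain(records, qname, qtype="A"):
    """Walk CNAMEs from qname using only the records in the reply.

    Returns (status, chain, rdatas). status: "complete" (qtype records for the
    final name are present), "cname-only" (chain ends in a CNAME whose target
    is absent, the symptom described above), "loop", or "empty"."""
    name = _fqdn(qname)
    chain, seen = [name], {name}
    while True:
        here = [(t, r) for o, t, r in records if o == name]
        data = [r for t, r in here if t == qtype.upper()]
        if data:
            return "complete", chain, data
        cnames = [r for t, r in here if t == "CNAME"]
        if not cnames:
            return ("empty" if len(chain) == 1 else "cname-only"), chain, []
        name = _fqdn(cnames[0])
        if name in seen:  # CNAME cycle inside the reply
            return "loop", chain + [name], []
        seen.add(name)
        chain.append(name)

# Constructed sample replies (not captured) for the names used in this record.
REPLY_CNAME_ONLY = "www.example.org. 30 IN CNAME www.gslb.example.org."
REPLY_COMPLETE = REPLY_CNAME_ONLY + "\nwww.gslb.example.org. 30 IN A 192.0.2.10"
```

Paste the ANSWER section of `dig www.example.org A` into parse_answer; a "cname-only" result for the queried name reproduces the symptom, and "complete" shows the workaround is in effect.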

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips