Last Modified: Nov 05, 2025
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 16.1.6.1, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3
Fixed In:
21.0.0
Opened: Feb 22, 2025 Severity: 3-Major
Symptoms:
When a DNS profile is configured with both Secondary DNS64 (with a prefix) and a resolver cache, any error response from an authoritative server to a AAAA query is cached as SERVFAIL and sent directly to the client, so later AAAA queries for the same name are answered SERVFAIL from the cache. This applies to RCODEs such as SERVFAIL (including the SERVFAIL produced by a timeout when the external resolver does not respond), FORMERR, NOTIMP, REFUSED, YXRRSET, NXRRSET, YXDOMAIN, NOTAUTH, and NOTZONE.
Impact:
The SERVFAIL response is sent directly back to the client instead of the AAAA record that Secondary DNS64 would otherwise synthesize from the name's A record, and the cached SERVFAIL is served to subsequent AAAA queries for that name.
Conditions:
- DNS64 enabled in the DNS profile (Secondary mode with a DNS64 prefix)
- DNS resolver cache configured
Workaround:
None
Fix Information:
When a DNS profile is configured with both Secondary DNS64 (with a prefix) and a resolver cache, a SERVFAIL response from an authoritative server to a AAAA query now triggers an A query to the authoritative server. The A response is then synthesized into a AAAA record using the DNS64 prefix and cached before the AAAA response is sent back to the client.

Two counters have been added to the dns_cache_resolver_stat table, available through tmctl:
- mesh.dns64error counts the non-zero RCODE responses from the authoritative server for both the AAAA and A queries.
- mesh.dns64timeout counts the timeouts from the authoritative server for both the AAAA and A queries.
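The following is an added Python model of the behaviour described in the Symptoms and Fix Information sections; it is example code written for this page, not F5's implementation. It assumes the well-known DNS64 prefix 64:ff9b::/96 (RFC 6052), represents an upstream timeout as an rcode of None, and keeps an in-process dict as a stand-in for the resolver cache and for the two new counters (mesh.dns64error, mesh.dns64timeout). With fallback_on_error=False it reproduces the bug (an error or timeout on the AAAA query is cached as SERVFAIL and returned without ever asking for the A record); with fallback_on_error=True it applies the fix (fall back to an A query, synthesize, cache). Two details are assumptions of the model and not stated by the bug: NXDOMAIN is passed through unchanged, and if the fallback A query also fails, that failure (SERVFAIL for a timeout) is returned to the client.

```python
"""Constructed model of Secondary DNS64 plus a resolver cache (example, not F5 code).

Assumptions: DNS64 prefix 64:ff9b::/96 (RFC 6052 well-known prefix); an upstream
timeout is modelled as rcode None; `stats` mirrors the semantics of the
mesh.dns64error / mesh.dns64timeout counters but is not the tmctl table itself.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional

NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5
TIMEOUT = None  # no response from the external resolver (constructed marker)


@dataclass
class Response:
    rcode: Optional[int]
    answers: list = field(default_factory=list)


def dns64_synthesize(prefix: str, ipv4: str) -> str:
    """RFC 6052 /96 embedding: prefix in the high 96 bits, IPv4 in the low 32."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 DNS64 prefixes are handled here")
    packed = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(packed))


def table_upstream(table: dict, log: list) -> Callable[[str, str], Response]:
    """Constructed authoritative server: answers from `table`, records each query in `log`."""
    def ask(name: str, qtype: str) -> Response:
        log.append((name, qtype))
        return table.get((name, qtype), Response(NXDOMAIN))
    return ask


class Dns64Resolver:
    """Resolver cache with Secondary DNS64. fallback_on_error=False reproduces the bug."""

    def __init__(self, upstream: Callable[[str, str], Response],
                 prefix: str = "64:ff9b::/96", fallback_on_error: bool = False):
        self.upstream = upstream
        self.prefix = prefix
        self.fallback_on_error = fallback_on_error
        self.cache: dict = {}
        # Stand-ins for mesh.dns64error and mesh.dns64timeout
        self.stats = {"dns64error": 0, "dns64timeout": 0}

    def _ask(self, name: str, qtype: str) -> Response:
        """Query upstream and count non-zero rcodes and timeouts for AAAA and A alike."""
        r = self.upstream(name, qtype)
        if r.rcode is TIMEOUT:
            self.stats["dns64timeout"] += 1
        elif r.rcode != NOERROR:
            self.stats["dns64error"] += 1
        return r

    def _synthesize_from_a(self, name: str) -> Response:
        a = self._ask(name, "A")
        if a.rcode == NOERROR and a.answers:
            return Response(NOERROR, [dns64_synthesize(self.prefix, ip) for ip in a.answers])
        # Assumption: if the A lookup also fails, the client gets that failure
        return Response(SERVFAIL if a.rcode is TIMEOUT else a.rcode)

    def resolve_aaaa(self, name: str) -> Response:
        key = (name, "AAAA")
        if key in self.cache:
            return self.cache[key]          # served from the resolver cache
        aaaa = self._ask(name, "AAAA")
        if aaaa.rcode == NOERROR and aaaa.answers:
            result = aaaa                   # native IPv6 answer, no synthesis
        elif aaaa.rcode == NXDOMAIN:
            result = aaaa                   # assumption: name does not exist for any type
        elif aaaa.rcode == NOERROR or self.fallback_on_error:
            result = self._synthesize_from_a(name)   # no AAAA data, or error with the fix
        else:
            # Bug behaviour: any other rcode, or a timeout, is cached as SERVFAIL
            result = Response(SERVFAIL)
        self.cache[key] = result
        return result


if __name__ == "__main__":
    table = {("v4only.example", "AAAA"): Response(SERVFAIL),
             ("v4only.example", "A"): Response(NOERROR, ["192.0.2.1"])}
    for fixed in (False, True):
        log: list = []
        r = Dns64Resolver(table_upstream(table, log), fallback_on_error=fixed)
        res = r.resolve_aaaa("v4only.example")
        print("fixed" if fixed else "buggy", res, log, r.stats)
```

Running the stand-alone demo shows the two paths side by side: the buggy resolver returns SERVFAIL after a single AAAA query and keeps serving it from the cache, while the fixed resolver issues the follow-up A query and returns the synthesized AAAA (64:ff9b::c000:201 for 192.0.2.1), with dns64error incremented once in both cases.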