Behavior Change

Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables: -- dnssec.nsec3apextypesbitmap -- dnssec.nsec3underapextypesbitmap. These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively. When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type. When using these variables: -- Configure type values as all lowercase. -- Enclose multiple types in quotation marks (e.g., "txt rrsig"). -- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.