Last Modified: Mar 26, 2023
Opened: Jul 12, 2022 Severity: 3-Major
- A DNS Validating resolver returns SERVFAIL responses to clients, despite the BIG-IP system receiving a valid (albeit delayed) response from the upstream servers.
- When this happens, the BIG-IP system rejects the responses from the upstream servers with the following ICMP error: Destination unreachable - Port unreachable.
- If the db key dnscacheresolver.loglevel is set to debug5, the following error message is visible in the /var/log/ltm file when this issue occurs:
  debug tmm: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
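The debug5 message above is the one reliable marker that this issue, rather than a genuinely unreachable upstream, is behind the SERVFAILs. The following is an added example, not code from the bug report or from F5, that scans /var/log/ltm text for that message and counts how often each zone hits the glue-fetch limit. The sample log content is constructed for the example; the timestamp and hostname prefix is an assumed syslog layout, while the "debug tmm: DNScache: ..." text is the message quoted in the description.

```python
import re
from collections import Counter

# Constructed sample of /var/log/ltm content for this example (not captured from
# a real system). The "debug tmm: DNScache: ..." text is the message quoted in the
# bug description; the timestamp/hostname prefix is an assumed syslog layout.
SAMPLE_LTM_LOG = """\
Jul 12 10:01:02 bigip1 debug tmm: DNScache: request example.com. has exceeded the maximum number of glue fetches 17 to a single delegation point
Jul 12 10:01:03 bigip1 info tmm: unrelated message that must be ignored
Jul 12 10:01:09 bigip1 debug tmm: DNScache: request slow.example.net. has exceeded the maximum number of glue fetches 17 to a single delegation point
Jul 12 10:02:15 bigip1 debug tmm: DNScache: request EXAMPLE.COM. has exceeded the maximum number of glue fetches 17 to a single delegation point
"""

# Matches the message text from the bug description; the zone name and the
# glue-fetch limit are captured so both can be reported.
GLUE_FETCH_RE = re.compile(
    r"DNScache: request (?P<name>\S+) has exceeded the maximum number of "
    r"glue fetches (?P<count>\d+) to a single delegation point"
)


def find_glue_fetch_failures(log_text):
    """Return [(zone, limit), ...] for every matching line, in log order.

    Zone names are normalised (trailing dot removed, lower-cased) so that the
    same zone logged with differing case is counted as one zone.
    """
    hits = []
    for line in log_text.splitlines():
        m = GLUE_FETCH_RE.search(line)
        if m:
            hits.append((m.group("name").rstrip(".").lower(), int(m.group("count"))))
    return hits


def summarize(log_text):
    """Count matches per zone so the domains most affected stand out."""
    return Counter(name for name, _ in find_glue_fetch_failures(log_text))


def read_ltm_log(path="/var/log/ltm"):
    """Helper for use on a BIG-IP: return the log file content as text."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_ltm_log() on a BIG-IP.
    for zone, n in summarize(SAMPLE_LTM_LOG).most_common():
        print(f"{zone}: {n} glue-fetch limit hit(s)")
```

Zones that appear repeatedly in the summary are the ones whose upstream RTT is fluctuating enough to trigger the issue; compare them against the forward-zone configuration before applying the workaround.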
Clients of the BIG-IP DNS Validating Resolver do not receive an answer for the affected names. As a result, application failures may occur.
This issue occurs when the following conditions are met:
- A DNS Validating resolver is in use on the BIG-IP system.
- The validating resolver is configured with a forward-zone that uses multiple servers to perform resolutions.
- The RTT of the servers fluctuates. For example, the servers are generally fast to reply for most domains, but take extra time to reply for a given domain.
- 'Randomize Query Character Case' is enabled in the DNS Validating resolver.
- The requests for the slow domain take a long time to resolve; in that case the BIG-IP system may reply with SERVFAIL.
You can work around this issue by setting 'Randomize Query Character Case' to 'No' in the DNS Validating resolver settings. Note that query-name case randomization (0x20 encoding) adds entropy that a forged reply must also match, so disabling it leaves transaction-ID and source-port randomization as the resolver's remaining defenses against spoofed responses; treat the workaround as temporary and re-enable the setting once a fixed version is installed.
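To make the trade-off of the workaround concrete, the following added example (not code from the bug report or from F5, and not a description of how BIG-IP implements the setting internally) shows what query-name case randomization does: the resolver sends the question with a random per-query case pattern and accepts only replies that echo it exactly. With the setting turned off, any case is accepted and a spoofed reply no longer needs to guess the pattern. The function and variable names are this example's own.

```python
import random


def apply_case_pattern(qname, mask):
    """Apply a bit mask to qname: if bit i is set, character i is upper-cased,
    otherwise lower-cased. Non-letters are unaffected. This is the 0x20
    transform a resolver applies before sending a query."""
    out = []
    for i, c in enumerate(qname):
        if c.isalpha() and (mask >> i) & 1:
            out.append(c.upper())
        else:
            out.append(c.lower())
    return "".join(out)


def randomize_case(qname, rng):
    """Pick a fresh random case pattern for one outgoing query."""
    return apply_case_pattern(qname, rng.getrandbits(max(1, len(qname))))


def answer_matches_query(sent_qname, answer_qname, case_randomized):
    """Decide whether a reply's question name is acceptable for the query sent.

    With case randomization on, the reply must echo the exact case pattern;
    with it off, only a case-insensitive comparison is possible.
    """
    if case_randomized:
        return sent_qname == answer_qname
    return sent_qname.lower() == answer_qname.lower()


def spoof_success_probability(qname, case_randomized):
    """Probability that a forged reply which already guessed the transaction ID
    and source port also passes the name check. Only letters add entropy."""
    letters = sum(1 for c in qname if c.isalpha())
    return 2.0 ** -letters if case_randomized else 1.0


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    sent = randomize_case("www.example.com.", rng)
    print("sent   :", sent)
    print("echoed :", answer_matches_query(sent, sent, True))
    print("forged :", answer_matches_query(sent, "www.example.com.", True))
    for flag in (True, False):
        print(f"randomized={flag}: spoof passes name check with p="
              f"{spoof_success_probability('www.example.com.', flag):.2e}")
```

The probability function is an upper bound on the benefit: an attacker who can observe the outgoing query sees the pattern, so 0x20 only helps against blind spoofing, which is exactly the case the other two randomizations also address.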
The nameserver-min-rtt setting is now available for DNS Validating resolver objects. It sets the minimum RTT assumed for upstream servers used by the validating resolver cache; increase the value if the configured forwarders need more time to perform recursive name resolution. The default value is 50 ms.