Bug ID 1186789: DNSSEC keys stored on an internal FIPS card do not work after upgrading to versions >= 16.x

Last Modified: Jul 24, 2024

Affected Product(s):
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:
16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 17.0.0, 17.0.0.1, 17.0.0.2, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3

Fixed In:
17.1.1, 16.1.5

Opened: Nov 07, 2022

Severity: 4-Minor

Symptoms

DNSSEC signatures are not generated after the upgrade.

Impact

DNSSEC signing will not work.

Conditions

DNSSEC key stored on FIPS card; and Upgrade to versions >= 16.x.

Workaround

Edit bigip_gtm.conf and update the key generation handles to match the first 32-hex characters of the key modulus and then run these commands: # tmsh load sys config gtm-only # bigstart restart gtmd (OR) Before the upgrade, modify the key handle as mentioned above and then reload the config with 'tmsh load sys config gtm-only'

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips