Bug ID 1311169: DNSSEC response is not signed when failure-rcode-response is enabled and no record is returned

Last Modified: Jun 12, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Fixed In:
17.1.1

Opened: Jun 21, 2023

Severity: 4-Minor

Symptoms

DNS response is not signed for DNSSEC zone for DNSSEC request.

Impact

DNS response is not signed.

Conditions

1. A DNSSEC zone exists. 2. Return Code on Failure is enabled and SOA Negative Caching TTL is set to 0. 3. A query hits that wideIP and does not get a pool member selected.

Workaround

SOA Negative Caching TTL set to a number larger than 0.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips