Bug ID 1849829: Deprecation of dnssec-lookaside and dnssec-enable Directives in latest BIND release

Last Modified: Jun 28, 2025

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2

Fixed In:
16.1.6

Opened: Mar 11, 2025

Severity: 3-Major

Symptoms

The directives dnssec-lookaside and dnssec-enable, previously used in the named.conf configuration file, are deprecated and no longer supported by the latest BIND versions. If these directives are present in the named.conf file:
- Error messages appear in the DNS server logs when the named service starts.
- The DNS server fails to start or exhibits unexpected behaviour because of the unsupported directives.

Impact

DNS queries will fail if the BIND configuration (named.conf) contains unsupported directives (e.g., dnssec-lookaside, dnssec-enable). As a result:
- The DNS resolver will fail to process queries.
- Traffic that relies on name resolution will fail, potentially disrupting any service that depends on DNS.

Conditions

1. SSL Orchestrator L3 explicit topology.
2. The installed BIND version does not support the directives mentioned above. Check the BIND version with the following command:
   # named -v
   BIND 9.18.28 (Extended Support Version) <id:f77fadb>

Workaround

1. Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at:
   /var/named/config/named.conf
2. After making the changes, restart the named service to apply the updated configuration:
   bigstart restart named
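The workaround above can be scripted so that the deprecated directives are found, backed up and removed consistently, and the result is syntax-checked before named is restarted. The script below is an added example, not F5 tooling; it runs against a constructed sample named.conf, and the real file path and restart command are the ones given in the workaround.

```shell
#!/bin/sh
# Added example (not F5's own tooling): find and strip the deprecated
# dnssec-lookaside / dnssec-enable directives from a named.conf-style file,
# keeping a backup and validating the result when named-checkconf exists.
# On BIG-IP the real file is /var/named/config/named.conf and the service
# is restarted afterwards with "bigstart restart named".

# Constructed sample named.conf containing both deprecated directives.
SAMPLE_CONF="$(mktemp -d)/named.conf"
cat > "$SAMPLE_CONF" <<'EOF'
options {
    recursion no;
    dnssec-enable yes;
    dnssec-lookaside auto;
    allow-query { localhost; };
};
EOF

# Matches a line whose first token is one of the deprecated directives.
DEPRECATED_RE='^[[:space:]]*dnssec-(lookaside|enable)([[:space:]]|;)'

# Print how many deprecated directive lines a file contains (0 if none).
count_deprecated() {
    grep -cE "$DEPRECATED_RE" "$1" || true
}

# Remove the deprecated lines after writing a timestamped backup. A temp
# file is used instead of sed -i so the same command works on GNU and BSD sed.
strip_deprecated() {
    conf="$1"
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    sed -E "/$DEPRECATED_RE/d" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Validate the syntax with BIND's own checker when it is installed.
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not found; skipping syntax check" >&2
    fi
}

echo "deprecated lines before: $(count_deprecated "$SAMPLE_CONF")"
strip_deprecated "$SAMPLE_CONF"
echo "deprecated lines after:  $(count_deprecated "$SAMPLE_CONF")"
check_conf "$SAMPLE_CONF"
```

Only restart named once the check passes; the backup lets you restore the original file if the service still fails to start.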

Fix Information

The fix ensures that deprecated DNS directives (dnssec-lookaside and dnssec-enable) are no longer added to the named.conf file when using the SSL Orchestrator guided configuration. This prevents configuration issues caused by unsupported tokens in the BIND DNS server.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips