Last Modified: Nov 27, 2025
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3
Fixed In:
21.0.0
Opened: Mar 13, 2025 Severity: 3-Major
According to DNS64 RFC6147, AAAA NXDomain responses should be passed directly to the client without generating an A query. Authoritative name servers should not return NXDomain for the AAAA query when an A resource record exists for the same domain name. When misconfigured authoritative name server return NXDomain for the AAAA query when an A resource record exists, proper DNS64 operation is prevented.
DNS64 does not work properly due to a misconfigured authoritative name server.
- DNS64 is configured. - The authoritative server is misconfigured to return NXDomain to the AAAA query even though an A resource record exists.
None
New DB variable, DNS.DNS64NXDomainAsNoError, controls DNS64 handling of AAAA NXDomain errors. When enabled, NXDomain errors, like other errors, are treated like NoError and an A query is issued. The default, disabled, follows RFC6147 and returns the NXDomain error immediately to the client.