Bug ID 2138273: Named service fails to start after an upgrade due to unsupported attributes in the named.conf file

Last Modified: Nov 25, 2025

Affected Product(s):
BIG-IP Install/Upgrade, SSLO, TMOS(all modules)

Known Affected Versions:
17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3

Opened: Oct 22, 2025

Severity: 3-Major

Symptoms

After upgrading from an older version to 17.0 or a newer release, named fails to start with the following error. The cause is the dnssec-lookaside and dnssec-enable options in the named.conf configuration file, which have been deprecated and are no longer supported in the latest BIND versions.

Logs in /var/log/daemon.log:

    Oct 22 14:08:00 localhost.localdomain err named[16313]: /config/named.conf:35: option 'dnssec-lookaside' no longer exists
    Oct 22 14:08:00 localhost.localdomain crit named[16313]: loading configuration: failure
    Oct 22 14:08:00 localhost.localdomain crit named[16313]: exiting (due to fatal error)
    Oct 22 14:08:00 localhost.localdomain notice systemd[1]: named.service: main process exited, code=exited, status=1/FAILURE
    Oct 22 14:08:00 localhost.localdomain notice systemd[1]: Unit named.service entered failed state.
    Oct 22 14:08:00 localhost.localdomain warning systemd[1]: named.service failed.

Impact

SSL Orchestrator will fail to resolve hostnames for the L3 Explicit topology, causing end-to-end traffic to fail.

Conditions

-- SSL Orchestrator System Settings >> DNS settings have been specified.
-- SSL Orchestrator L3 Explicit topology is configured using the default SSL Orchestrator DNS resolver.
-- Check the BIND version with the following command. For example:

    # named -v
    BIND 9.11.36 (Extended Support Version) <id:68dbd5b>

Notes:
-- Starting with BIND 9.9, the dnssec-lookaside validation (DLV) feature was deprecated. By BIND 9.11, this feature was removed entirely.
-- Beginning with BIND 9.16, the dnssec-enable option was deprecated and subsequently removed.

Workaround

-- Redeploy the affected L3 Explicit topology. This will use the native DNS resolver implementation and will no longer rely on BIND or the named service, ensuring that end-to-end SSL Orchestrator traffic functions properly.

To fix the named service:
-- Remove the deprecated directives dnssec-lookaside and dnssec-enable from the BIND configuration file located at: /var/named/config/named.conf.
-- After making these changes, restart the named service to apply the updated configuration by running the following command:

    bigstart restart named
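
The directive removal described above, as an added example that is not F5 tooling: it lists the active dnssec-lookaside and dnssec-enable statements in a named.conf and writes a cleaned copy for review. The function names and the sample configuration are constructed for illustration, and it assumes each directive is a single-line statement that starts its line and ends in ';'.

```shell
#!/bin/bash
# Added example, not F5 tooling. Assumes each deprecated option is a
# single-line statement that starts its line and ends in ';'.

# The two options this bug report names, as an extended regex.
# Group 1 captures the indentation so it can be kept.
STMT_RE='^([[:space:]]*)(dnssec-lookaside|dnssec-enable)([[:space:]][^;]*)?;'

# list_deprecated FILE: print "lineno:text" for each active statement.
# Lines commented out with // or # do not match the anchored regex.
list_deprecated() {
    grep -nE "$STMT_RE" "$1"
}

# strip_deprecated IN OUT: copy IN to OUT without those statements. Another
# statement sharing the line is kept; a line left empty is dropped.
strip_deprecated() {
    sed -E "/${STMT_RE}/{
        s/${STMT_RE}[[:space:]]*/\\1/
        /^[[:space:]]*\$/d
    }" "$1" > "$2"
}

# write_sample FILE: constructed named.conf fragment for the demo below.
write_sample() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-lookaside auto; recursion no;
    // dnssec-enable yes;
    dnssec-validation yes;
};
EOF
}

# Demo on temporary files only; the live named.conf is never touched.
work=$(mktemp -d)
write_sample "$work/named.conf"
echo "Deprecated statements found:"
list_deprecated "$work/named.conf"
strip_deprecated "$work/named.conf" "$work/named.conf.clean"
echo "Cleaned copy:"
cat "$work/named.conf.clean"
rm -rf "$work"
```

Compare the cleaned copy against the original before replacing /var/named/config/named.conf and running bigstart restart named.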

Fix Information

None

Behavior Change
