Last Modified: Jan 13, 2026
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
16.1.6, 16.1.6.1, 17.5.1.3, 21.0.0
Opened: Jan 09, 2026 Severity: 3-Major
DNSSEC validation failures occur when querying child zones despite proper DNSSEC configuration, caused by missing DS records in parent zone transfers. The issue affects child zone delegations that use nameservers located outside the child zone itself, such as external nameservers or nameservers under the parent zone. Only delegations where nameservers are within the child zone's own domain hierarchy work correctly. This breaks the DNSSEC chain of trust between parent and child zones, preventing secure DNS resolution for affected delegations.
DNSSEC chain of trust broken.
- DNSSEC is enabled on both parent and child zones.
- Child zones have DS records configured in the system.
- Child zone delegations use nameservers that are either external or located under the parent zone.
- Zone transfers are being performed for the parent zone.
None
None
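As an added example (not F5 code), the following Python check parses the text of a parent-zone transfer, such as saved `dig AXFR` output, and reports which delegations lack a DS record, grouped by where their nameservers sit relative to the child zone. The sample zone, all names in it, and the `expect_ds` set (the child zones you have DS records configured for) are constructed assumptions.

```python
# Constructed sample in `dig AXFR` presentation format (not real output).
SAMPLE_AXFR = """\
example.com.          3600 IN SOA ns1.example.com. admin.example.com. 1 3600 600 86400 300
example.com.          3600 IN NS  ns1.example.com.
in.example.com.       3600 IN NS  ns1.in.example.com.
in.example.com.       3600 IN DS  12345 13 2 AABBCCDD
sib.example.com.      3600 IN NS  ns2.example.com.
ext.example.com.      3600 IN NS  ns1.provider.test.
unsigned.example.com. 3600 IN NS  ns1.provider.test.
"""

def _norm(name):
    return name.lower().rstrip(".")

def _under(name, zone):
    return name == zone or name.endswith("." + zone)

def audit_delegations(axfr_text, parent, expect_ds):
    """Return {child: (ns_location, status)} for each delegation in the transfer."""
    parent = _norm(parent)
    expect_ds = {_norm(c) for c in expect_ds}
    ns, ds = {}, set()
    for line in axfr_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue  # skip blanks, comments and malformed lines
        owner, rtype = _norm(f[0]), f[3].upper()
        if owner == parent or not _under(owner, parent):
            continue  # apex records are not delegations
        if rtype == "NS":
            ns.setdefault(owner, set()).add(_norm(f[4]))
        elif rtype == "DS":
            ds.add(owner)
    report = {}
    for child, targets in sorted(ns.items()):
        if all(_under(t, child) for t in targets):
            where = "in-child"      # nameservers inside the child zone
        elif all(_under(t, parent) for t in targets):
            where = "under-parent"  # nameservers elsewhere under the parent
        else:
            where = "external"      # at least one nameserver outside the parent
        status = "DS present" if child in ds else ("DS MISSING" if child in expect_ds else "unsigned")
        report[child] = (where, status)
    return report

if __name__ == "__main__":
    expected = {"in.example.com", "sib.example.com", "ext.example.com"}
    for child, (where, status) in audit_delegations(SAMPLE_AXFR, "example.com.", expected).items():
        print(f"{child:24} {where:13} {status}")
```

Any delegation reported as `DS MISSING` with an `under-parent` or `external` location matches the conditions described in this record.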