Bug ID 2228789: IPS ID10008 triggered by large ADDITIONAL SECTION in DNS response

Last Modified: Mar 03, 2026

Affected Product(s):
BIG-IP AFM (all modules)

Known Affected Versions:
17.1.3, 17.1.3.1

Opened: Feb 24, 2026

Severity: 3-Major

Symptoms

IPS violation ID10008 drops DNS-over-TCP responses larger than 6948 bytes.

Impact

DNS traffic is blocked.

Conditions

DNS responses with large ADDITIONAL sections (multiple NS records + DNSSEC keys) that exceed the MAX_DNSSEC_SIZE byte IPS parsing limit.
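
To confirm that a captured response matches these conditions, the added example below (not F5 code) walks one DNS-over-TCP message and reports the record count and byte size of each section, so an oversized ADDITIONAL section is visible at a glance. The names `OBSERVED_DROP_SIZE`, `section_sizes` and `build_sample` are hypothetical, the sample message is constructed, and comparing against the DNS message length without the TCP length prefix is an assumption.

```python
import struct

# 6948 is the size from the Symptoms line. Assumption: it is compared with the
# DNS message length, not counting the 2-byte TCP length prefix.
OBSERVED_DROP_SIZE = 6948

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return off + 1            # root label ends the name
        if n & 0xC0 == 0xC0:
            return off + 2            # compression pointer ends the name
        if n & 0xC0:
            raise ValueError("unsupported label type")
        off += 1 + n

def section_sizes(tcp_payload):
    """Per-section (record count, bytes) for one DNS-over-TCP message."""
    (length,) = struct.unpack_from("!H", tcp_payload, 0)
    msg = tcp_payload[2:2 + length]
    if length < 12 or len(msg) < length:
        raise ValueError("truncated message")
    counts = struct.unpack_from("!6H", msg, 0)[2:]
    report, off = {"total": length}, 12
    for section, count in zip(("question", "answer", "authority", "additional"), counts):
        start = off
        for _ in range(count):
            off = skip_name(msg, off)
            if section == "question":
                off += 4              # QTYPE + QCLASS
            else:                     # TYPE, CLASS, TTL, RDLENGTH, then RDATA
                off += 10 + struct.unpack_from("!H", msg, off + 8)[0]
            if off > len(msg):
                raise ValueError("truncated record")
        report[section] = (count, off - start)
    report["over_size"] = length > OBSERVED_DROP_SIZE
    return report

def build_sample(n_keys, key_len=260):
    """Constructed input: n_keys type-48 (DNSKEY) records with zeroed RDATA in ADDITIONAL."""
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 2, 1)   # NS, IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 48, 1, 300, key_len) + bytes(key_len)
    msg = struct.pack("!6H", 0x1234, 0x8400, 1, 0, 0, n_keys) + question + rr * n_keys
    return struct.pack("!H", len(msg)) + msg
```

Feed `section_sizes` the reassembled TCP payload of a single response (length prefix included) taken from a packet capture on the affected virtual server.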

Workaround

In the IPS profile, change the ID10008 action from "drop" to the required action.

Fix Information

None

Behavior Change
