Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5
Fixed In:
12.0.0, 12.0.0, 12.0.0, 11.6.0 HF6, 11.5.3 HF2
Opened: May 29, 2013 Severity: 3-Major Related Article:
K17415
DNS transparent cache may have RRSIG in the responses for queries without DO bit set.
Responses contain unnecessary RR sets. Not RFC compliant.
DNS transparent cache receives a DNS query without DO bit set. If the query is answered by a DNSSEC zone of a pool member. The response returned to the client will contain RRSIG.
None.
Queries answered by DNS transparent cache will no longer add RRSIG to the response if DO bit is not set in the query.