Bug ID 422107: Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2

Opened: May 29, 2013

Severity: 3-Major

Related Article: K17415

Symptoms

The DNS transparent cache may include RRSIG records in responses to queries that do not have the DO bit set.

Impact

Responses contain unnecessary RR sets, which is not RFC compliant.

Conditions

The DNS transparent cache receives a DNS query without the DO bit set. If the query is answered by a DNSSEC zone of a pool member, the response returned to the client will contain RRSIG.

Workaround

None.

Fix Information

Responses to queries answered by the DNS transparent cache no longer include RRSIG if the DO bit is not set in the query.
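One way to check a query/response pair for this symptom, as an added example that is not F5 code: it parses DNS wire format, reads the DO bit from the query's EDNS0 OPT record, and flags a response that carries RRSIG when DO was not set. The function names, the name `example.test` and the sample messages are constructed for illustration.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes (RFC 4034, RFC 6891)

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def records(msg):
    """Yield (rtype, ttl) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        yield rtype, ttl

def do_bit_set(query):
    """True if the query has an EDNS0 OPT record with DO=1 (bit 15 of the TTL field)."""
    return any(t == OPT and ttl & 0x8000 for t, ttl in records(query))

def unexpected_rrsig(query, response):
    """True when the response carries RRSIG although the query had no DO bit."""
    has_rrsig = any(t == RRSIG for t, _ in records(response))
    return has_rrsig and not do_bit_set(query)

# --- constructed sample messages (not captured traffic) ---
def name(s):
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"
def rr(owner, rtype, ttl, rdata, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
Q = name("example.test") + struct.pack("!HH", 1, 1)
PTR = b"\xc0\x0c"  # compression pointer to the question name
query_plain = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + Q
query_do = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 1) + Q + rr(b"\0", OPT, 0x8000, b"", 4096)
A = rr(PTR, 1, 300, bytes([192, 0, 2, 1]))
SIG = rr(PTR, RRSIG, 300, b"\0" * 20)  # placeholder RDATA, not a real signature
resp_clean = struct.pack("!6H", 1, 0x8180, 1, 1, 0, 0) + Q + A
resp_signed = struct.pack("!6H", 1, 0x8180, 1, 2, 0, 0) + Q + A + SIG
```

On an affected version, `unexpected_rrsig` would return `True` for a plain query answered from a DNSSEC zone; after the fix it should return `False`.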

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips