Bug ID 422107: Responses from DNS transparent cache will no longer contain RRSIG for queries without DO bit set

Last Modified: Apr 10, 2019


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2

Opened: May 29, 2013
Severity: 3-Major
Related AskF5 Article:


DNS transparent cache may include RRSIG records in responses to queries without the DO bit set.


Responses contain unnecessary RR sets. Not RFC compliant.


DNS transparent cache receives a DNS query without the DO bit set. If the query is answered by a DNSSEC zone of a pool member, the response returned to the client will contain RRSIG.



Fix Information

Responses to queries answered by DNS transparent cache will no longer include RRSIG if the DO bit is not set in the query.
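One way to check a query/response pair for this condition, as an added example that is not F5 code: it reads the DO bit from the query's EDNS0 OPT record and looks for RRSIG (type 46) records in the response. The function names and the sample messages are constructed for illustration, and the parser assumes well-formed wire-format input.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes (RFC 4034, RFC 6891)

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def parse(msg):
    """Return (do_bit, rr_types) for a DNS message in wire format."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, do_bit, types = 12, False, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if rtype == OPT:                         # EDNS0: DO is bit 15 of the flags
            do_bit = bool(ttl & 0x8000)          # carried in the OPT TTL field
        types.append(rtype)
    return do_bit, types

def unsolicited_rrsig(query, response):
    """True when the response carries RRSIG although the query did not set DO."""
    return not parse(query)[0] and RRSIG in parse(response)[1]

# --- constructed sample messages (not captured traffic) ---
def _rr(name, rtype, rclass, ttl, rdata=b""):
    return name + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
def _msg(flags, answers=(), additional=()):
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)  # A, IN
    hdr = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, len(additional))
    return hdr + question + b"".join(answers) + b"".join(additional)

PTR = b"\xc0\x0c"                                  # pointer to the question name
A_RR = _rr(PTR, 1, 1, 300, bytes([192, 0, 2, 1]))
SIG_RR = _rr(PTR, RRSIG, 1, 300, b"\x00" * 24)     # placeholder RDATA, not a real signature
OPT_DO = _rr(b"\x00", OPT, 4096, 0x8000)           # EDNS0 OPT with DO set
QUERY_PLAIN = _msg(0x0100)
QUERY_DO = _msg(0x0100, additional=[OPT_DO])
RESP_BUGGY = _msg(0x8180, answers=[A_RR, SIG_RR])  # behaviour this bug describes
RESP_FIXED = _msg(0x8180, answers=[A_RR])          # behaviour after the fix
```

`unsolicited_rrsig(QUERY_PLAIN, RESP_BUGGY)` is the only combination that is flagged; a query with DO set may legitimately receive RRSIG records.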

Behavior Change