Bug ID 437398: edns0 max udp payload size not honored when DNS msg is signed from pool member

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP GTM, LTM (all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.4.1

Fixed In:
11.6.0, 11.4.1 HF4, 11.2.1 HF11

Opened: Nov 11, 2013
Severity: 3-Major
Related AskF5 Article:
K15393

Symptoms

DNSSEC signing adds bytes to a response (the RRSIG records that cover each signed RRset). If the response from the pool member is not truncated but needs to be signed, and its size is just under the EDNS0 max UDP payload size the client advertised in its query, adding the DNSSEC records can push the signed response past the size the client asked for.

Impact

The client may receive a UDP response larger than it said it could handle, or the oversize response may be dropped by a device between the BIG-IP system and the client (for example, a firewall that enforces the advertised size), leaving the client with no answer.

Conditions

The client must advertise a non-default EDNS0 max UDP payload size (the usual default is 4096), and the unsigned response from the pool member must be close to that advertised size, so that the bytes added by signing push it over.

Workaround

None

Fix Information

When datagram-load-balance mode is enabled on the UDP profile, the max UDP payload size advertised in the client's query is remembered for the response. If the BIG-IP system alters the response (for example, by DNSSEC signing) and thereby increases its size beyond that maximum, the response is truncated before it is sent to the client, as the EDNS0 RFC requires: the TC bit is set and the answer data is dropped, so the client can retry the query over TCP.
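The check the fix describes, as an added worked example rather than F5 code: a small pure-Python DNS wire-format walker that reads the client's advertised EDNS0 payload size from the query (the CLASS field of the OPT RR, clamped to the RFC 6891 minimum of 512), builds a constructed unsigned pool-member response that fits under that size, appends an RRSIG-shaped record as a stand-in for signing (no real signature is computed; only the size effect matters here), and then truncates the now-oversize message the way RFC 6891 section 7 requires (TC bit set; only header, question and OPT are kept). The query name, TXT strings and signer name are made up for the example.

```python
import struct

TYPE_TXT, TYPE_OPT, TYPE_RRSIG = 16, 41, 46
CLASS_IN = 1
MIN_UDP_SIZE = 512     # RFC 6891 s6.2.5: advertised values below 512 are treated as 512
TC_BIT = 0x0200        # TC flag in the header flags word


def encode_name(name):
    """Wire-format a dotted name without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n


def question_end(msg):
    qd = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4     # QTYPE + QCLASS
    return off


def iter_rrs(msg):
    """Yield (section, start, end, rtype, rclass) for every RR after the question."""
    an, ns, ar = struct.unpack("!HHH", msg[6:12])
    off = question_end(msg)
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            start = off
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            yield section, start, off, rtype, rclass


def edns_udp_size(query):
    """The size the client says it can take: CLASS of the OPT RR, or 512 without EDNS0."""
    for section, _s, _e, rtype, rclass in iter_rrs(query):
        if section == "ar" and rtype == TYPE_OPT:
            return max(rclass, MIN_UDP_SIZE)
    return MIN_UDP_SIZE


def truncate_if_needed(resp, max_size):
    """RFC 6891 s7 minimal truncated response: header with TC=1, question, OPT only."""
    if len(resp) <= max_size:
        return resp
    qend = question_end(resp)
    opt = b"".join(resp[s:e] for _sec, s, e, t, _c in iter_rrs(resp) if t == TYPE_OPT)
    flags = struct.unpack("!H", resp[2:4])[0] | TC_BIT
    qd = struct.unpack("!H", resp[4:6])[0]
    header = resp[:2] + struct.pack("!HHHHH", flags, qd, 0, 0, 1 if opt else 0)
    return header + resp[12:qend] + opt


def build_query(qname, udp_size, qtype=TYPE_TXT, txid=0x1234):
    """Constructed client query: RD=1, one question, one OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)   # root name, CLASS = size
    return header + question + opt


def build_pool_response(query, txt_strings):
    """Constructed unsigned answer as the pool member would return it (echoes the OPT)."""
    qend = question_end(query)
    rdata = b"".join(bytes([len(s)]) + s for s in txt_strings)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    opt = b"".join(query[s:e] for _sec, s, e, t, _c in iter_rrs(query) if t == TYPE_OPT)
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)   # QR=1 RD=1 RA=1
    return header + query[12:qend] + answer + opt


def add_rrsig(resp, signer="example.com", sig_len=256):
    """Stand-in for DNSSEC signing: insert an RRSIG-shaped RR with constructed bytes."""
    qend = question_end(resp)
    parts = {"an": b"", "ns": b"", "ar": b""}
    for sec, s, e, _t, _c in iter_rrs(resp):
        parts[sec] += resp[s:e]
    rdata = (struct.pack("!HBBIIIH", TYPE_TXT, 8, 2, 300, 0x60000000, 0x5FF00000, 12345)
             + encode_name(signer) + bytes(range(256))[:sig_len])    # fake 2048-bit RSA sig
    rrsig = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, len(rdata)) + rdata
    an, ns, ar = struct.unpack("!HHH", resp[6:12])
    return (resp[:6] + struct.pack("!HHH", an + 1, ns, ar) + resp[12:qend]
            + parts["an"] + rrsig + parts["ns"] + parts["ar"])


def demo():
    """The bug scenario: unsigned answer fits under the client's limit, signed one does not."""
    query = build_query("www.example.com", udp_size=512)
    limit = edns_udp_size(query)
    unsigned = build_pool_response(query, [b"v=spf1 " + b"a" * 193, b"b" * 200])
    signed = add_rrsig(unsigned)
    out = truncate_if_needed(signed, limit)
    tc_set = bool(struct.unpack("!H", out[2:4])[0] & TC_BIT)
    return limit, len(unsigned), len(signed), len(out), tc_set


if __name__ == "__main__":
    print(demo())   # (512, 458, 757, 44, True)
```

With the client advertising 512, the 458-byte unsigned answer is fine, but the signed one is 757 bytes; the fixed behaviour sends a 44-byte TC=1 reply instead of the oversize datagram. Raising the advertised size (for example to 4096) makes `truncate_if_needed` return the signed message unchanged, which is the case the bug did not affect.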

Behavior Change

Before the fix, a response that the BIG-IP system enlarged past the client's advertised EDNS0 max UDP payload size was sent to the client as-is. With datagram-load-balance mode enabled on the UDP profile, the size advertised in the client's query is now remembered for the response, and if an alteration such as DNSSEC signing pushes the response over that size, the BIG-IP system truncates it (TC bit set) before sending it, as the RFC requires, instead of sending the oversize datagram.