Bug ID 437398: edns0 max udp payload size not honored when DNS msg is signed from pool member

Last Modified: Nov 22, 2021

Affected Product(s):
BIG-IP GTM, LTM(all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.4.1

Fixed In:
11.6.0, 11.4.1 HF4, 11.2.1 HF11

Opened: Nov 11, 2013

Severity: 3-Major

Related Article: K15393

Symptoms

DNSSEC signing adds records (RRSIGs) to a response, which increases its size. If the response from the pool member is not truncated, needs to be signed, and is only just under the EDNS0 maximum UDP payload size requested by the client, adding the DNSSEC records can push the packet beyond the size the client requested.

Impact

The client may receive a response larger than the size it said it can handle, or the response may be dropped between the BIG-IP system and the client (for example, by a firewall).

Conditions

The client must advertise a non-standard EDNS0 maximum UDP payload size (the standard size is 4096 bytes), and the unsigned response from the pool member must be close to the size the client advertised.

Workaround

None

Fix Information

When datagram-load-balance mode is enabled on the UDP profile, the client's maximum UDP payload size is "remembered" for the responses. If the BIG-IP system alters the response (e.g., DNSSEC signing) and increases its size beyond that maximum, the response is properly truncated (per the RFC, with the TC bit set) before it is sent to the client.
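The scenario and the fixed behaviour described above, worked through as an added example. This is not F5 code: the wire-format helpers, the constructed query and response, the placeholder RRSIG contents and the names (www.example.com., 192.0.2.x) are assumptions made for the example. The client advertises 512 bytes, the pool member's unsigned answer is 509 bytes, signing pushes it to 631 bytes, and the enforcement step truncates it to a 44-byte TC response that keeps the question and the OPT record as RFC 6891 section 7 requires.

```python
# Added example for bug 437398 (not F5 code): a pool-member response that fits
# the client's EDNS0 UDP payload size is pushed over it by on-the-fly DNSSEC
# signing; the fix truncates per RFC 6891 s7 (TC set, question + OPT kept).
# Wire helpers, constructed messages and the fake RRSIG are assumptions made
# for the example; the constructed messages use no name compression.
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG, TC_BIT = 1, 41, 46, 0x0200

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(msg, off):
    """Offset just past a wire-format name (a compression pointer ends a name)."""
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def opt_rr(udp_payload):
    # OPT pseudo-RR: root name, CLASS = UDP payload size, TTL = ext RCODE/version/DO
    return rr("", TYPE_OPT, udp_payload, 0x8000, b"")

def parse_sections(msg):
    """Return (list of raw questions, [answer, authority, additional]) with each
    section a list of (type, raw RR bytes)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, questions, sections = 12, [], []
    for _ in range(qd):
        start, off = off, skip_name(msg, off) + 4
        questions.append(msg[start:off])
    for count in (an, ns, ar):
        recs = []
        for _ in range(count):
            start, off = off, skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            recs.append((rtype, msg[start:off]))
        sections.append(recs)
    return questions, sections

def build_query(qid, qname, bufsize):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1) + opt_rr(bufsize)

def client_max_payload(query):
    """Advertised EDNS0 payload size; 512 when there is no OPT RR (RFC 6891 s6.2.3)."""
    for rtype, raw in parse_sections(query)[1][2]:
        if rtype == TYPE_OPT:
            return struct.unpack("!H", raw[3:5])[0]  # root name (1), type (2), class (2)
    return 512

def build_response(qid, qname, addresses, udp_payload):
    """Unsigned A response as a pool member returns it; its OPT RR carries the
    pool member's own payload size, which is not the client's limit."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addresses), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b"".join(rr(qname, TYPE_A, 1, 300, bytes(int(o) for o in a.split(".")))
                       for a in addresses)
    return header + question + answers + opt_rr(udp_payload)

def dnssec_sign(response, qname, zone, signature):
    """Simulate on-the-fly signing: append one RRSIG over the A RRset to the
    answer section.  RDATA fields are placeholders, not a real signature."""
    qd, an, ns, ar = struct.unpack("!HHHH", response[4:12])
    questions, (answers, authority, additional) = parse_sections(response)
    labels = len(qname.strip(".").split("."))
    rdata = struct.pack("!HBBIIIH", TYPE_A, 13, labels, 300, 0x60000000, 0x5FF00000, 12345)
    rrsig = rr(qname, TYPE_RRSIG, 1, 300, rdata + encode_name(zone) + signature)
    header = response[:4] + struct.pack("!HHHH", qd, an + 1, ns, ar)
    return (header + b"".join(questions) + b"".join(raw for _, raw in answers) + rrsig
            + b"".join(raw for _, raw in authority) + b"".join(raw for _, raw in additional))

def enforce_payload_limit(response, client_max):
    """The fixed behaviour: a response that no longer fits the size the client
    advertised goes out with TC set, all RR data dropped, question and OPT kept."""
    if len(response) <= client_max:
        return response
    flags, qd = struct.unpack("!HH", response[2:6])
    opt = [raw for rtype, raw in parse_sections(response)[1][2] if rtype == TYPE_OPT]
    header = response[:2] + struct.pack("!HHHHH", flags | TC_BIT, qd, 0, 0, len(opt))
    return header + b"".join(parse_sections(response)[0]) + b"".join(opt)

def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_BIT)

def demo():
    """Sizes of the unsigned, signed and delivered messages, and whether TC is set."""
    qname, client_max = "www.example.com.", 512          # non-default size: the trigger
    remembered = client_max_payload(build_query(0x1234, qname, client_max))
    addrs = ["192.0.2.%d" % i for i in range(1, 16)]      # 15 A records -> 509 bytes
    unsigned = build_response(0x1234, qname, addrs, 4096)
    signed = dnssec_sign(unsigned, qname, "example.com.", bytes(64))
    # Before the fix the signed message went out as-is; checking it against the
    # pool member's OPT (4096) instead of the client's would also let it through.
    delivered = enforce_payload_limit(signed, remembered)
    return len(unsigned), len(signed), len(delivered), is_truncated(delivered)
```

Calling demo() returns (509, 631, 44, True). The point to take away is in client_max_payload and enforce_payload_limit: the size limit has to come from the client's own OPT record in the query (which is what "remembered" means in the fix), not from the pool member's response, whose OPT advertises the pool member's capacity and not the client's. On a live system the same check can be made with a resolver that lets you set the EDNS buffer size (for example dig +dnssec +bufsize=512) against a signed name behind the BIG-IP virtual server: the reply must either fit in 512 bytes or carry the TC flag.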

Behavior Change

When datagram-load-balance mode is enabled on the UDP profile, the client's maximum UDP payload size is "remembered" for the responses. If the BIG-IP system alters the response (e.g., DNSSEC signing) and increases its size beyond that maximum, the response is properly truncated (per the RFC, with the TC bit set) before it is sent to the client.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips