Last Modified: Oct 17, 2023
BIG-IP GTM, LTM
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 11.6.4, 11.6.5, 126.96.36.199, 188.8.131.52, 184.108.40.206, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.4.1 HF9
Opened: Dec 18, 2014 Severity: 3-Major Related Article:
Related Article: K17308
Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.
The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.
If the system caches a message from the authoritative server without the rd bit, and subsequent queries with rd set find that message, the first message will not be used because the rd bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not the non-transparent cache.
To work around this issue, write an iRule to set the RA bit when the cache is a resolver. Must also check origin for CACHE.
The RA bit is set for the response when the cache resolver answers the query from the fast path.