Bug ID 497584: The RA bit on DNS response may not be set

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP GTM, LTM(all modules)

Known Affected Versions:
11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4

Fixed In:
12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.4.1 HF9

Opened: Dec 18, 2014
Severity: 3-Major
Related Article:
K17308

Symptoms

Under some circumstances, the recursion available (RA) bit may be unset in responses from DNS cache.

Impact

The impact of this issue is that recursion available is not signaled to clients so they may not treat the DNS cache as an available resolver.

Conditions

If the system caches a message from the authoritative server without the rd bit, and subsequent queries with rd set find that message, the first message will not be used because the rd bit is not set. In this case, the operation falls back to the rrset cache and composes a message, but leaves the RA bit unset. This is appropriate for the transparent cache, but not the non-transparent cache.

Workaround

To work around this issue, write an iRule to set the RA bit when the cache is a resolver. Must also check origin for CACHE.

Fix Information

The RA bit is set for the response when the cache resolver answers the query from the fast path.

Behavior Change