Bug ID 517556: DNSSEC unsigned referral response is improperly formatted

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP GTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5

Fixed In:
12.0.0, 11.6.0 HF6, 11.5.3 HF2, 11.4.1 HF9

Opened: Apr 10, 2015

Severity: 3-Major

Related Article: K17486

Symptoms

When DNSSEC signs an unsigned referral response, the contained NSEC3 resource record has an empty type bitmap. Type bitmap should contain an NS type.

Impact

DNSSEC referral response is not RFC compliant.

Conditions

DNSSEC processing an unsigned referral response from DNS server.

Workaround

None.

Fix Information

NS type added to NSEC3 type bitmap, so that DNSSEC unsigned referral response is properly formatted.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips