Bug ID 527024: DNSSEC Unsigned Delegations Respond with Parent Zone Information

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP GTM(all modules)

Known Affected Versions:
11.4.1, 11.6.0, 12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0 HF1, 11.6.1, 11.5.4, 11.4.1 HF10

Opened: Jun 08, 2015

Severity: 3-Major

Symptoms

When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.

Impact

DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.

Conditions

A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.

Workaround

None

Fix Information

Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips