Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP GTM
Known Affected Versions:
11.4.1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0
Fixed In:
12.1.0, 12.0.0 HF1, 11.6.1, 11.5.4, 11.4.1 HF10
Opened: Jun 09, 2015 Severity: 3-Major
When a DNSSEC zone has an unsigned delegation to a child zone, responses to the queries on the unsigned child zone do not include proper delegation records.
DNSSEC tools are unable to verify that the child subdomain is properly delegated to an insecure authoritative name server.
A DNSSEC zone configured on BIG-IP for a zone that delegates to an unsigned child zone.
None
Queries for an unsigned child zone of a DNSSEC zone on a BIG-IP are now sent to the backend nameserver. DNSSEC-OK flag is observed when processing the response and attaching and/or responding to DNSSEC resource records.