Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP GTM
Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF1, 11.5.4
Opened: Sep 23, 2015
Severity: 3-Major
Related Article:
K57983796
When a transparent cache is populated with messages where the DNSSEC OK bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks memory on all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.
A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.
This occurs when running a DNS transparent cache with clients requesting DNSSEC messages.
As a workaround, disable DNSSEC on all cached messages by disabling DNSSEC on pool members.
This release fixes a potential DNS transparent cache memory leak.
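The leak condition above depends on clients sending queries with the DNSSEC OK (DO) bit set. The following Python code is an added example, not F5 code and not part of the original article: it reads the DO bit from a raw DNS message, where it is carried in the TTL field of the EDNS0 OPT record (RFC 3225). The function names and the sample queries are constructed for illustration.

```python
import struct

def build_query(name, do_bit, with_edns=True):
    """Build a sample DNS A query (constructed input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if with_edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if with_edns:
        ttl = 0x8000 if do_bit else 0                    # ext-rcode=0, version=0, DO, Z=0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, ttl, 0)  # root name + OPT RR
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                        # compression pointer ends the name
            return off + 2
        off += 1 + length

def dnssec_ok(msg):
    """True if the message has an OPT record with DO set; False if absent or malformed."""
    try:
        _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4                # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if rtype == 41:                              # OPT pseudo-RR
                return bool(ttl & 0x8000)                # DO is the top bit of the flags
    except (struct.error, IndexError):
        pass                                             # truncated or malformed message
    return False

def do_share(messages):
    """Fraction of the given queries that request DNSSEC records."""
    return sum(dnssec_ok(m) for m in messages) / len(messages) if messages else 0.0

if __name__ == "__main__":
    sample = [build_query("example.com", True), build_query("example.com", False),
              build_query("example.com", False, with_edns=False), b"\x00\x01"]
    print(f"share of queries with DO set: {do_share(sample):.2f}")
```

A non-zero share on a system running a DNS transparent cache means the condition described in this bug applies.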