Bug ID 547815: Potential DNS Transparent Cache Memory Leak

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP GTM (all modules)

Known Affected Versions:
11.5.1, 11.5.2, 11.5.3, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0 HF1, 11.5.4

Opened: Sep 23, 2015

Severity: 3-Major

Related Article: K57983796

Symptoms

When a transparent cache is populated with messages in which the DNSSEC OK (DO) bit is true, and a query with that bit true arrives at or after the expiration of the message TTL, the system leaks memory on all subsequent queries with DNSSEC OK set to false, up through the TTL of that message.

Impact

A few hundred bytes can leak on each clientside query, leading to a massive leak over a short period of time.

Conditions

Running a DNS transparent cache with clients requesting DNSSEC messages.
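
To judge whether this condition applies to your traffic, the following added example (not F5 code and not part of the original article) reads the DO bit from the EDNS0 OPT record of raw DNS messages and tallies a batch of queries. The function names and the sample queries are constructed for illustration.

```python
import struct

OPT_TYPE = 41  # EDNS0 OPT pseudo-RR (RFC 6891)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # stop at root label or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def do_bit(msg):
    """DO bit of a DNS message as True/False, or None if there is no OPT RR."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & 0x8000)            # OPT TTL: ext-rcode, version, DO, Z
        off += 10 + rdlen
    return None

def tally(messages):
    """Count messages by DO state; no OPT RR means the client did not set DO."""
    counts = {"do_set": 0, "do_clear": 0, "no_edns": 0, "malformed": 0}
    for m in messages:
        try:
            bit = do_bit(m)
        except (IndexError, struct.error):       # truncated or garbage payload
            counts["malformed"] += 1
            continue
        counts["no_edns" if bit is None else "do_set" if bit else "do_clear"] += 1
    return counts

def build_query(name, do, edns=True):
    """Constructed sample input: an A query, optionally carrying an OPT RR."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, int(edns)) + qname + struct.pack("!HH", 1, 1)
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x8000 if do else 0, 0)
    return msg

# Constructed sample batch: DO set, DO clear, no EDNS at all, truncated payload.
SAMPLE = [build_query("example.com", True), build_query("example.com", False),
          build_query("example.com", False, edns=False), b"\x00\x01"]
print(tally(SAMPLE))
```

A non-zero `do_set` count alongside `do_clear` or `no_edns` queries means both kinds of query named in the Symptoms section are present.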

Workaround

Disable DNSSEC on all cached messages by disabling DNSSEC on pool members.

Fix Information

This release fixes a potential DNS transparent cache memory leak.

Behavior Change
