Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP GTM, LTM
Known Affected Versions:
11.6.0, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2
Opened: Sep 25, 2015 Severity: 3-Major Related Article:
K21579003
When a transparent cache stores a message with DNSSEC OK (DO) bit TRUE and its TTL expires, the message is only updated when a new message arrives with DO-bit TRUE.
When the DO-bit TRUE's cached message TTL expires, the general impact is DO-bit FALSE queries will be proxied until the message cache is updated with DO-bit TRUE.
Running a DNS transparent cache with clients requesting DNSSEC messages.
None.
The message cache is updated regardless of DO-bit state after TTL expiration. However, the cache prefers DO-bit TRUE messages, and will update the cached message if a newer one arrives with DNSSEC OK.