Bug ID 550782: Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Last Modified: Dec 10, 2018


Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2

Opened: Oct 06, 2015
Severity: 3-Major

Symptoms

RRSIG records are present in responses when the client did not ask for them, and both the RRSIG records and the AD flag drop from the response once the entry expires from the cache.

Impact

RRSIG records are present in responses when the client did not ask for them, and both the RRSIG records and the AD flag drop from the response once the entry expires from the cache.

Conditions

Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP system, which in turn contains a wide IP in a signed zone.

Workaround

N/A

Fix Information

Message encoding was updated to depend on the client's DO bit.
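
A check for the first symptom, as an added example that is not F5's code: it parses a query and its response in DNS wire format and flags RRSIG records returned to a client that did not set DO. The `build` helper and its www.example.com messages are constructed samples.

```python
import struct

RRSIG, OPT = 46, 41                  # RR type codes (RFC 4034, RFC 6891)
AD_FLAG, DO_FLAG = 0x0020, 0x8000    # header AD bit; DO bit in the OPT TTL field

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length
        if length == 0:              # root label terminates the name
            return off

def parse(msg):
    """Return (ad_bit, do_bit, answer-section RR types) for a DNS wire message."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    do_bit, answer_types = False, set()
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i < an:
            answer_types.add(rtype)
        if rtype == OPT:
            do_bit = bool(ttl & DO_FLAG)
    return bool(flags & AD_FLAG), do_bit, answer_types

def check(query, response):
    """Return findings where the response's DNSSEC data ignores the query's DO bit."""
    _, do_bit, _ = parse(query)
    _, _, types = parse(response)
    if not do_bit and RRSIG in types:
        return ["RRSIG in answer although the query did not set DO"]
    return []

def build(do=False, answers=(), ad=False):
    """Constructed sample: A question for www.example.com, dummy answers, one OPT."""
    flags = (0x8180 if answers else 0x0100) | (AD_FLAG if ad else 0)
    msg = struct.pack("!6H", 0x1234, flags, 1, len(answers), 0, 1)
    msg += b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    for rtype in answers:            # owner name is a pointer to offset 12; RDATA is filler
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, 4) + b"\x00" * 4
    return msg + b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if do else 0, 0)
```

To use it on real traffic, pass the UDP payloads of a captured query and response pair to `check`; a query with no OPT record at all is treated as DO not set.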

Behavior Change