Bug ID 550782: Cache Lookups for Validating Resolvers ignore the query's DNSSEC OK (DO) bit

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM (all modules)

Known Affected Versions:
11.4.1, 11.6.0, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4 HF2

Opened: Oct 06, 2015

Severity: 3-Major

Symptoms

RRSIG records are present in responses when the client did not ask for them, and the RRSIG records and the AD flag drop from responses once the entry expires from the cache.

Impact

RRSIG records are present in responses when the client did not ask for them, and the RRSIG records and the AD flag drop from responses once the entry expires from the cache.

Conditions

Standard DNS requests are made against a Validating Resolver DNS cache that points to a second BIG-IP, which in turn contains a wideip in a signed zone.

Workaround

N/A

Fix Information

Update message encoding to depend on client DO bit.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips