Bug ID 589256: DNSSEC NSEC3 records with different type bitmap for same name.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP GTM (all modules)

Known Affected Versions:
11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.4.1, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.4, 11.6.5, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1

Fixed In:
13.0.0, 12.1.2, 11.6.1 HF2, 11.5.4 HF3

Opened: Apr 22, 2016

Severity: 3-Major

Related Article: K71283501


For a delegation from a secure zone to an insecure zone, the BIG-IP system returns different type bitmaps in the NSEC3 record depending on the query type. This causes BIND9's validator to reject the secure delegation to the insecure zone.


DNS lookups may fail if BIND9's validator rejects the delegation.


For insecure delegations, the DNSSEC implementation does not support the DS record. Those queries are forwarded to the backend, BIND, if selected as fallback. Without a ZSK/KSK for an insecure child zone, BIND responds with an SOA, which the system dynamically signs.
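
One way to check captured responses for the symptom described above, as an added example that is not F5's code: it decodes the NSEC3 Type Bit Maps field (RFC 4034 wire format) and reports owner names whose bitmap differs between query types. The owner names and bitmap bytes are constructed sample data, not output from a BIG-IP system.

```python
from collections import defaultdict

def decode_type_bitmap(data: bytes) -> frozenset:
    """Decode an NSEC/NSEC3 Type Bit Maps field (RFC 4034 section 4.1.2)."""
    types, pos, last_window = set(), 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[pos], data[pos + 1]
        # Windows must be in increasing order; bitmap length is 1..32 octets.
        if not 1 <= length <= 32 or window <= last_window:
            raise ValueError("malformed window block")
        block = data[pos + 2 : pos + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for i, octet in enumerate(block):
            for bit in range(8):  # bit 0 is the most significant bit
                if octet & (0x80 >> bit):
                    types.add(window * 256 + i * 8 + bit)
        last_window, pos = window, pos + 2 + length
    return frozenset(types)

def inconsistent_owners(observations):
    """Return {owner: {qtype: types}} for NSEC3 owners whose bitmap varies by qtype."""
    seen = defaultdict(dict)
    for qtype, owner, bitmap in observations:
        seen[owner.lower()][qtype] = decode_type_bitmap(bitmap)
    return {o: q for o, q in seen.items() if len(set(q.values())) > 1}

# Constructed observations: (query type, NSEC3 owner name, Type Bit Maps bytes).
SAMPLE = [
    ("DS", "HASH1.example.", bytes.fromhex("000120")),            # NS (2)
    ("A",  "hash1.example.", bytes.fromhex("0006200000000002")),  # NS (2), RRSIG (46)
    ("DS", "hash2.example.", bytes.fromhex("000120")),            # NS (2)
    ("A",  "hash2.example.", bytes.fromhex("000120")),            # NS (2)
]

if __name__ == "__main__":
    for owner, per_qtype in inconsistent_owners(SAMPLE).items():
        for qtype, types in sorted(per_qtype.items()):
            print(owner, qtype, sorted(types))
```

An owner name that appears in the result is one a validator would see with conflicting bitmaps; after the fix, the same check on DS and non-DS queries for the delegation should return an empty result.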



Fix Information

If the response is a NODATA from either the proxy or a transparent cache, and the query is for a DS record, set the types bitmap to NS.

Behavior Change

