Bug ID 639606: If MCPD fails to load DNSSEC keys, then signing does not happen and no error is logged.

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:
12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.0.0, 15.0.1,,,,, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,

Fixed In:

Opened: Jan 16, 2017

Severity: 3-Major


MCPD successfully loads the configuration when it is not able to decrypt DNSSEC key generation.


The configuration successfully loads but BIG-IP is not able to sign Resource Records.


MCPD loads the configuration with DNSSEC key generation encrypted by master-key, after the master-key has been changed.


Whenever possible, you should try to avoid a master-key change when you may be affected by this issue. A common trigger for this issue is a BIG-IP Administrator running the "tmsh modify sys crypto master-key prompt-for-password" command prior to taking a UCS archive (see K9420/K82540512). Rather than doing this, simply read the current master-key on the source system, and apply the same key on the receiving system prior to restoring the UCS archive on said system. This can be achieved by running the following commands: # obtain the current master-key f5mku -K # install a new master-key f5mku -r <key_value> Important: If you have not performed this procedure before and require assistance, please contact F5 Support.

Fix Information

MCPD now throws an error if it is not able to decrypt the private text of DNSSEC key generation with the current master-key.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips