Last Modified: Apr 17, 2024
Affected Product(s):
BIG-IP DNS, GTM, LTM
Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4
Fixed In:
16.0.0
Opened: Jan 16, 2017 Severity: 3-Major
MCPD successfully loads the configuration when it is not able to decrypt DNSSEC key generation.
The configuration successfully loads but BIG-IP is not able to sign Resource Records.
MCPD loads the configuration with DNSSEC key generation encrypted by master-key, after the master-key has been changed.
Whenever possible, you should try to avoid a master-key change when you may be affected by this issue. A common trigger for this issue is a BIG-IP Administrator running the "tmsh modify sys crypto master-key prompt-for-password" command prior to taking a UCS archive (see K9420/K82540512). Rather than doing this, simply read the current master-key on the source system, and apply the same key on the receiving system prior to restoring the UCS archive on said system. This can be achieved by running the following commands: # obtain the current master-key f5mku -K # install a new master-key f5mku -r <key_value> Important: If you have not performed this procedure before and require assistance, please contact F5 Support.
MCPD now throws an error if it is not able to decrypt the private text of DNSSEC key generation with the current master-key.