Bug ID 639606: If MCPD fails to load DNSSEC keys, then signing does not happen and no error is logged.

Last Modified: Jun 08, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6

Fixed In:
16.0.0

Opened: Jan 16, 2017
Severity: 3-Major

Symptoms

MCPD successfully loads the configuration when it is not able to decrypt DNSSEC key generation.

Impact

The configuration successfully loads but BIG-IP is not able to sign Resource Records.

Conditions

MCPD loads the configuration with DNSSEC key generation encrypted by master-key, after the master-key has been changed.

Workaround

Whenever possible, you should try to avoid a master-key change when you may be affected by this issue. A common trigger for this issue is a BIG-IP Administrator running the "tmsh modify sys crypto master-key prompt-for-password" command prior to taking a UCS archive (see K9420/K82540512). Rather than doing this, simply read the current master-key on the source system, and apply the same key on the receiving system prior to restoring the UCS archive on said system. This can be achieved by running the following commands: # obtain the current master-key f5mku -K # install a new master-key f5mku -r <key_value> Important: If you have not performed this procedure before and require assistance, please contact F5 Support.

Fix Information

MCPD now throws an error if it is not able to decrypt the private text of DNSSEC key generation with the current master-key.

Behavior Change