Bug ID 644192: Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP DNS, GTM, LTM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1

Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1, 13.1.5, 11.6.5.3

Opened: Feb 09, 2017

Severity: 3-Major

Related Article: K23022557

Symptoms

Query of "MX" "any" RR of CNAME wide IP results in NXDOMAIN.

Impact

Caching resolvers will remember the NXDOMAIN for the entire name, so clients that ask those caches for A/AAAA records may get NXDOMAIN responses until the negative cache entry expires.

Conditions

A CNAME wide IP is configured together with a DNS Express zone for its parent zone. For example, a CNAME wide IP for "www.siterequest.com" and a DNS Express zone for "siterequest.com".

Workaround

Option 1: Create a dummy "www.siterequest.com" TXT record in ZoneRunner with the same name.

Option 2: Create an LTM virtual server iRule, similar to this:

    when DNS_RESPONSE {
        # Only rewrite responses for the CNAME wide IP name
        if { [DNS::question name] eq "www.siterequest.com" } {
            if { [DNS::header rcode] eq "NXDOMAIN" } {
                # Turn the NXDOMAIN into an empty NOERROR response
                DNS::header rcode NOERROR
                DNS::authority clear
                return
            }
        }
    }

Fix Information

In 16.1.0 and later, a 'gtm global-settings general allow-nxdomain-override' configuration setting has been added to allow configuring the BIG-IP DNS system to respond with a NOERROR response. In versions below 16.1.0 where this issue is fixed, there is a new DB key, 'gtm.allownxdomainoverride', which enables this configuration. Note that this feature is not available for wildcard wideips.
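The following check is an added example, not F5 code. It flags the symptom described above, where one name is answered NXDOMAIN for some query types while another type returns NOERROR, and can be used to confirm that a workaround or fix is in effect. The function names and the query-type set are assumptions chosen for illustration, and the sample responses are constructed.

```python
import socket
import struct

QTYPES = {"A": 1, "MX": 15, "AAAA": 28, "ANY": 255}
NOERROR, NXDOMAIN = 0, 3

def build_query(name, qtype, txid=0x1234):
    """Encode a one-question DNS query (RD set) for name/qtype."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def parse_rcode(response, txid=0x1234):
    """Return the RCODE of a DNS response after checking ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F

def find_inconsistency(rcodes):
    """Given {qtype: rcode} for ONE name, list the types answered NXDOMAIN
    although another type proved the name exists (NOERROR)."""
    if NOERROR not in rcodes.values():
        return []  # name is consistently absent or failing: not this symptom
    return sorted(t for t, rc in rcodes.items() if rc == NXDOMAIN)

def probe(server, name, timeout=3.0):
    """Query each type in QTYPES over UDP; return the mismatching types."""
    rcodes = {}
    for i, qtype in enumerate(QTYPES):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, txid=0x1234 + i), (server, 53))
            rcodes[qtype] = parse_rcode(s.recv(4096), txid=0x1234 + i)
    return find_inconsistency(rcodes)

if __name__ == "__main__":
    # Constructed sample headers (offline): A -> NOERROR, MX -> NXDOMAIN.
    a_resp = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    mx_resp = struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 1, 0)
    sample = {"A": parse_rcode(a_resp), "MX": parse_rcode(mx_resp)}
    print("types wrongly NXDOMAIN:", find_inconsistency(sample))
```

Run `probe()` against the BIG-IP DNS listener itself rather than through a caching resolver, so that a cached negative answer does not mask the result.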
