Last Modified: Nov 22, 2021
BIG-IP DNS, GTM
Known Affected Versions:
Opened: Jun 01, 2017
Severity: 2-Critical
Symptoms: If DNS Express sends an IXFR query to a DNS server, and that server answers with an IXFR response that spans more than one DNS message, DNS Express processes only the first message. It then updates the zone's SOA serial number to the new serial carried in the IXFR, marks the transfer as successful and marks the zone as 'Green'. Nothing indicates that the IXFR was only partially applied, so the zone's serial looks current while its records may be incomplete or wrong, and DNS Express serves that data.
Impact: DNS Express holds, and answers queries from, incomplete or otherwise inaccurate data for the affected zone.
Conditions: The IXFR response from the DNS server spans multiple DNS messages. Note: This is not a common condition, but it can occur.
Workaround: Note: Although there is a workaround, there is no way to determine whether the zone on DNS Express is complete other than to transfer the entire zone from both DNS Express and the master DNS server and compare them. To work around this issue:
1. Stop zxfrd.
2. Remove the database /var/db/zxfrd.bin.
3. Restart zxfrd.
This triggers a full transfer (AXFR) of the affected zone, and also of every other zone that DNS Express serves.
Fix Information: DNS Express now continues processing the DNS messages of an IXFR response until the closing SOA RR is encountered.
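The following is an added example, not F5's code, that models how a multi-message IXFR response (RFC 1995 layout) is consumed. It contrasts the pre-fix behaviour described above (apply only the first DNS message, then record the new serial and mark the zone Green) with processing until the closing SOA RR, and it includes the whole-zone comparison that the workaround note identifies as the only way to detect the truncated result. The zone name, records and serials are constructed for the example; how the fixed code reacts to a response that is truncated before the closing SOA is an assumption, since the page only states that processing continues to that SOA.

```python
"""Model of IXFR consumption for the DNS Express multi-message bug (added example)."""
from dataclasses import dataclass, field

# A resource record is (owner, type, rdata); for SOA the rdata is the serial.
SOA = "SOA"


@dataclass
class Zone:
    name: str
    serial: int
    rrs: frozenset = field(default_factory=frozenset)


def apply_ixfr(zone, messages):
    """Apply IXFR response messages to a copy of `zone`.

    The complete response is laid out as
        SOA(new) [ SOA(old_i) deletions... SOA(new_i) additions... ]* SOA(new)
    and the server may split it across DNS messages at any RR boundary.
    Returns (updated_zone, complete); complete is True only when the closing
    SOA was seen, so a caller that stops reading early gets False.
    """
    rrs = set(zone.rrs)
    state, target = "start", None
    for msg in messages:
        for owner, rtype, rdata in msg:
            if state == "start":
                if rtype != SOA:
                    raise ValueError("IXFR response must begin with SOA")
                target, state = rdata, "delta_or_end"
            elif rtype == SOA and state in ("delta_or_end", "add") and rdata == target:
                # Closing SOA: the whole response has been consumed.
                return Zone(zone.name, target, frozenset(rrs)), True
            elif rtype == SOA and state in ("delta_or_end", "add"):
                state = "del"  # SOA(old_i): deletions follow
            elif rtype == SOA and state == "del":
                state = "add"  # SOA(new_i): additions follow
            elif state == "del":
                rrs.discard((owner, rtype, rdata))
            elif state == "add":
                rrs.add((owner, rtype, rdata))
            else:
                raise ValueError("non-SOA record where a delta boundary is expected")
    # Messages ran out before the closing SOA: the transfer is incomplete.
    return Zone(zone.name, target, frozenset(rrs)), False


def dns_express_update(zone, messages, fixed):
    """Emulate the zone-update decision.

    fixed=False: only the first message is applied and the zone is marked
    Green with the new serial regardless (the behaviour this bug reports).
    fixed=True: messages are consumed until the closing SOA; if the response
    is truncated, the old zone is kept and 'incomplete' is reported (assumed
    handling, not stated on the bug page).
    Returns (zone, status).
    """
    if not fixed:
        updated, _complete = apply_ixfr(zone, messages[:1])
        return updated, "Green"
    updated, complete = apply_ixfr(zone, messages)
    return (updated, "Green") if complete else (zone, "incomplete")


def zones_match(a, b):
    """The check the workaround note calls for: compare the whole zone
    (serial and record set) against the master, as you would two AXFR dumps."""
    return a.serial == b.serial and a.rrs == b.rrs


# Constructed sample: the master moves example.com from serial 100 to 102 in
# two deltas, and the server splits the IXFR response across two DNS messages.
MASTER_100 = Zone("example.com.", 100, frozenset({
    ("www", "A", "192.0.2.1"), ("mail", "A", "192.0.2.2")}))
MASTER_102 = Zone("example.com.", 102, frozenset({
    ("www", "A", "192.0.2.10"), ("mail", "A", "192.0.2.20"), ("ftp", "A", "192.0.2.3")}))

IXFR_MESSAGES = [
    [("example.com.", SOA, 102),
     ("example.com.", SOA, 100), ("www", "A", "192.0.2.1"),
     ("example.com.", SOA, 101), ("www", "A", "192.0.2.10")],
    [("example.com.", SOA, 101), ("mail", "A", "192.0.2.2"),
     ("example.com.", SOA, 102), ("mail", "A", "192.0.2.20"), ("ftp", "A", "192.0.2.3"),
     ("example.com.", SOA, 102)],
]

if __name__ == "__main__":
    for fixed in (False, True):
        zone, status = dns_express_update(MASTER_100, IXFR_MESSAGES, fixed)
        print(f"fixed={fixed}: serial={zone.serial} status={status} "
              f"matches_master={zones_match(zone, MASTER_102)}")
```

Run as written, the pre-fix path reports serial 102 and Green while the zone still carries the old mail record and lacks ftp, which is exactly why the serial and zone status cannot be used to detect the problem; only the record-set comparison in zones_match reveals it.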