Last Modified: Apr 11, 2024
Affected Product(s):
BIG-IP DNS, GTM
Known Affected Versions:
11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Jul 13, 2017 Severity: 3-Major
A DNSSEC key generation event is scheduled to occur (for example an expiration or rollover) while the Master Key is not yet initialized and mcpd is not in a full running state. The DNSSEC key generation fails because of the unavailability of the Master Key, but uninitialized mcpd may be unable to roll-back the transaction, resulting in syncing an empty DNSSEC key to the GTM sync group.
It is possible that empty DNSSEC keys could be synced to the GTM sync group, over-writing previously valid key generations.
A DNSSEC key generation event is scheduled to occur (for example an expiration or rollover) during the time in which he Master Key is not yet initialized and mcpd is not in a full running state. This could be when a BIG-IP is being rebooted, performing a bigstart restart, or has been powered-off for some time and is being powered back up.
When powering off a GTM for an extended period of time, it is advisable to first remove the GTM from the sync group, so that whenever it is powered on again, it does not attempt sync before it is in a healthy state. You can also avoid this issue by performing reboot or bigstart restart during a window of time in which DNSSEC keys are not scheduled to expire or rollover.
Now if a DNSSEC key generation event occurs (for example an expiration or rollover) while the Master Key is not yet initialized, BIG-IP will delay all DNSSEC key generation events until the Master Key becomes available. A message will be logged in /var/log/ltm to inform the user that BIG-IP is delaying DNSSEC key generations for this reason.