Bug ID 674074: Failure to regenerate DNSSEC key during BIG-IP initialization can result in syncing empty DNSSEC keys to GTM sync group

Last Modified: Jan 06, 2020

Bug Tracker

Affected Product:
BIG-IP DNS, GTM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2

Fixed In:
14.0.0

Opened: Jul 13, 2017
Severity: 3-Major

Symptoms

A DNSSEC key generation event (for example an expiration or rollover) is scheduled to occur while the Master Key is not yet initialized and mcpd is not in a fully running state. The DNSSEC key generation fails because the Master Key is unavailable, but the uninitialized mcpd may be unable to roll back the transaction, so an empty DNSSEC key is synced to the GTM sync group.

Impact

Empty DNSSEC keys can be synced to the GTM sync group, overwriting previously valid key generations on every member of the group.

Conditions

A DNSSEC key generation event (for example an expiration or rollover) is scheduled to occur during the time in which the Master Key is not yet initialized and mcpd is not in a fully running state. This can happen while a BIG-IP is being rebooted, is performing a bigstart restart, or has been powered off for some time and is being powered back up.

Workaround

When powering off a GTM for an extended period of time, first remove the GTM from the sync group, so that when it is powered on again it does not attempt to sync before it is in a healthy state. You can also avoid this issue by performing the reboot or bigstart restart during a window in which no DNSSEC key is scheduled to expire or roll over.
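The second workaround needs a check before the maintenance window is chosen: does any DNSSEC key roll over or expire while the box is down or still coming up? The script below is an added example, not F5 code or tmsh output. It assumes the operator has already collected, per key, the creation time of the active generation and the key's rollover and expiration periods in seconds; the field names, the 30-minute start-up margin and the sample key inventory are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class DnssecKey:
    """One BIG-IP DNSSEC key as the operator sees it. Field names are assumptions
    chosen for this example, not tmsh property names."""
    name: str
    generation_created: datetime  # creation time (UTC) of the currently active generation
    rollover_period: int          # seconds after creation at which the next generation is created (0 = never)
    expiration_period: int        # seconds after creation at which a generation expires (0 = never)


def scheduled_events(key, horizon):
    """Every rollover or expiration event for `key`, from the active generation up to
    `horizon`, as sorted (time, kind) tuples. Assumed model: rollovers repeat every
    rollover_period seconds, and each generation (including those that future
    rollovers create) expires expiration_period seconds after its own creation."""
    events = []
    created = key.generation_created
    while created <= horizon:
        if key.expiration_period > 0:
            expires = created + timedelta(seconds=key.expiration_period)
            if expires <= horizon:
                events.append((expires, "expiration"))
        if key.rollover_period <= 0:
            break
        created += timedelta(seconds=key.rollover_period)
        if created <= horizon:
            events.append((created, "rollover"))
    return sorted(events)


def window_collisions(keys, window_start, window_end, margin=timedelta(minutes=30)):
    """Key-generation events that fall inside the planned outage window. The window is
    padded by `margin` on both sides because the Master Key and mcpd are not usable
    the instant the box is back up. An empty result means the window is safe."""
    lo, hi = window_start - margin, window_end + margin
    hits = [(key.name, kind, when)
            for key in keys
            for when, kind in scheduled_events(key, hi)
            if lo <= when <= hi]
    return sorted(hits, key=lambda hit: hit[2])


# Constructed sample inventory; not taken from a real device.
SAMPLE_KEYS = [
    DnssecKey("example.com_ksk", datetime(2020, 1, 1, tzinfo=UTC), 30 * 86400, 60 * 86400),
    DnssecKey("example.com_zsk", datetime(2020, 1, 1, tzinfo=UTC), 7 * 86400, 14 * 86400),
]


def check_window(keys, window_start, window_end):
    """Human-readable verdict for a proposed reboot / bigstart restart window."""
    hits = window_collisions(keys, window_start, window_end)
    if not hits:
        return "SAFE: no DNSSEC rollover or expiration near the window"
    lines = [f"UNSAFE: {len(hits)} DNSSEC key-generation event(s) near the window"]
    lines += [f"  {when:%Y-%m-%d %H:%M}Z {kind:<10} {name}" for name, kind, when in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    start = datetime(2020, 1, 30, 23, 0, tzinfo=UTC)
    print(check_window(SAMPLE_KEYS, start, start + timedelta(hours=2)))
    start = datetime(2020, 1, 16, 10, 0, tzinfo=UTC)
    print(check_window(SAMPLE_KEYS, start, start + timedelta(hours=2)))
```

With the sample inventory, a two-hour window starting 2020-01-30 23:00 UTC is flagged because the KSK rolls over at midnight, while the same window on 2020-01-16 is clear. The margin matters: the page's failure mode is an event that fires while mcpd is still initializing after the restart, not only while the box is off, so the check should be run against the whole outage plus start-up time.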

Fix Information

Now if a DNSSEC key generation event occurs (for example an expiration or rollover) while the Master Key is not yet initialized, BIG-IP will delay all DNSSEC key generation events until the Master Key becomes available. A message will be logged in /var/log/ltm to inform the user that BIG-IP is delaying DNSSEC key generations for this reason.
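The contrast between the affected and fixed behaviour is a precondition-ordering problem: the affected code opened the key-generation transaction first and could not unwind it when the Master Key turned out to be unavailable, so the half-done state (an empty generation) was committed and synced; the fix checks the precondition before touching any state and re-queues the event. The model below is an added illustration of that difference, not F5's mcpd code. `Gtm`, `SyncGroup`, the queue of deferred events and the wording of the log line are all assumptions made for the example; only the behaviour they reproduce comes from this page.

```python
import secrets


class MasterKeyUnavailable(Exception):
    """Raised when key material cannot be generated because the Master Key
    that protects it has not been initialized yet."""


class SyncGroup:
    """Stand-in for the GTM sync group: whatever a member pushes for a key name
    replaces what the group holds for that name."""
    def __init__(self):
        self.keys = {}

    def push(self, name, generations):
        self.keys[name] = list(generations)

    def empty_keys(self):
        """Key names whose newest synced generation is empty material."""
        return sorted(n for n, gens in self.keys.items() if gens and gens[-1] == b"")


class Gtm:
    def __init__(self, group, master_key_ready=False):
        self.group = group
        self.master_key_ready = master_key_ready
        self.generations = {}    # key name -> [generation material, ...]
        self.deferred = []       # key-generation events waiting for the Master Key
        self.ltm_log = []        # stand-in for /var/log/ltm

    def _new_material(self):
        if not self.master_key_ready:
            raise MasterKeyUnavailable()
        return secrets.token_bytes(32)   # placeholder for real DNSSEC key material

    def key_event_unfixed(self, name):
        """Behaviour this page describes for affected versions: the transaction has
        already added the new generation slot when generation fails, nothing rolls it
        back on an uninitialized mcpd, and the empty generation is synced."""
        gens = self.generations.setdefault(name, [])
        gens.append(b"")
        try:
            gens[-1] = self._new_material()
        except MasterKeyUnavailable:
            pass                         # no rollback: the empty slot stays
        self.group.push(name, gens)
        return gens[-1]

    def key_event_fixed(self, name):
        """Behaviour from 14.0.0 as described: check the precondition first, defer the
        event and log it when the Master Key is unavailable, and only mutate state
        once generation has actually succeeded. (Log wording is invented here.)"""
        if not self.master_key_ready:
            self.deferred.append(name)
            self.ltm_log.append(f"Delaying DNSSEC key generation for {name}: Master Key not yet available")
            return None
        material = self._new_material()
        gens = self.generations.setdefault(name, [])
        gens.append(material)
        self.group.push(name, gens)
        return material

    def master_key_initialized(self):
        """Called once the Master Key is usable; replays deferred events in order."""
        self.master_key_ready = True
        pending, self.deferred = self.deferred, []
        return [self.key_event_fixed(name) for name in pending]


def demo():
    """Run both paths from the same starting state (one valid generation already
    synced) and return what each left in the sync group."""
    group = SyncGroup()
    broken = Gtm(group)
    broken.generations["example.com_zsk"] = [b"previous-valid-generation"]
    group.push("example.com_zsk", broken.generations["example.com_zsk"])
    broken.key_event_unfixed("example.com_zsk")
    overwritten = group.empty_keys()                   # ["example.com_zsk"]

    group = SyncGroup()
    fixed = Gtm(group)
    fixed.generations["example.com_zsk"] = [b"previous-valid-generation"]
    group.push("example.com_zsk", fixed.generations["example.com_zsk"])
    deferred_result = fixed.key_event_fixed("example.com_zsk")   # None, event queued
    replayed = fixed.master_key_initialized()
    return overwritten, group.empty_keys(), deferred_result, replayed, fixed.ltm_log


if __name__ == "__main__":
    print(demo())
```

In the unfixed path the group ends up holding an empty newest generation for the zone, which is exactly the "empty key overwriting a valid generation" this bug describes; in the fixed path the group still holds the previous valid generation until the replayed event produces real material, and the only trace of the early event is the deferral log line.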

Behavior Change