Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP DNS
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7
Fixed In:
14.1.0, 14.0.0, 13.1.0.8, 12.1.3.6
Opened: Feb 20, 2018 Severity: 2-Critical
It is possible that when performing a sufficiently large DNSSEC signed zone transfer (e.g., ~1 KB records) that the final packet (or several packets) of NSEC3s and RRSIGs could be missing from the zone. This issue can be detected using a free third-party tool such as ldns-verify-zone or some other DNSSEC validating tool.
The DNSSEC signed zone transfer could be incomplete, that is missing some NSEC3s and RRSIGs. An incomplete DNSSEC zone is considered an invalid zone.
-- Dynamic DNSSEC signing of zone transfers is configured for a given zone from an authoritative DNS Server (this could be on-box BIND, off-box BIND, etc.), or from DNS Express.
There is no workaround at this time.
DNSSEC signed zone transfers from general authoritative DNS Servers as well as from DNS Express are now complete regardless of the number of records in the zone.