Bug ID 724292: RRSIG might expire without incrementing external-facing zone SOA serial

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP DNS(all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Fixed In:

Opened: Jun 15, 2018

Severity: 3-Major


When a DNSSEC-signed zone is copied to a slave via AXFR, each RRset carries an RRSIG with a fixed expiration time. If the zone is otherwise static and the default expiration and publication times are configured, the RRSIGs held on the slave expire before xfr-soa-serial is next incremented by a key rollover event, so the slave is never prompted to transfer freshly signed records.


DNSSEC validation of the static zone fails for any client that resolves it through the slave DNS server, because the slave keeps serving the expired RRSIGs.


xfr-soa-serial is updated when RRSIGs expire, so that slave servers get a new copy of the zone when the RRSIG expires.


Set RRSIG validity time equal to or greater than the ZSK rollover time.
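A check for the timing condition described above and for the workaround, written here as an added example (not F5 code): it parses the RRSIGs a slave holds after an AXFR and reports how many days it would serve at least one expired signature before the next ZSK rollover increments xfr-soa-serial. The zone name, timestamps and rollover interval are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RRSIG_TS = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format (RFC 4034)

# Constructed sample: RRSIGs as a slave would hold them after an AXFR on 2018-06-15.
SAMPLE_RRSIGS = """
example.test. 3600 IN RRSIG A 8 2 3600 20180622000000 20180615000000 12345 example.test. c2lnMQ==
example.test. 3600 IN RRSIG NS 8 2 3600 20180622000000 20180615000000 12345 example.test. c2lnMg==
example.test. 3600 IN RRSIG SOA 8 2 3600 20180623000000 20180615000000 12345 example.test. c2lnMw==
""".strip().splitlines()


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    inception: datetime
    expiration: datetime


def _ts(s: str) -> datetime:
    return datetime.strptime(s, RRSIG_TS).replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG record in presentation format (expiration precedes inception)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return Rrsig(owner=f[0], type_covered=f[4], expiration=_ts(f[8]), inception=_ts(f[9]))


def exposure_days(lines, last_rollover: str, rollover_days: int) -> float:
    """Days the slave serves at least one expired RRSIG before the next ZSK rollover
    bumps xfr-soa-serial and triggers a new transfer. <= 0 means the serial
    increments before any signature expires, i.e. no exposure."""
    rrsigs = [parse_rrsig(l) for l in lines]
    first_expiry = min(r.expiration for r in rrsigs)
    next_bump = _ts(last_rollover) + timedelta(days=rollover_days)
    return (next_bump - first_expiry).total_seconds() / 86400


def workaround_ok(rrsig_validity_days: int, rollover_days: int) -> bool:
    """The workaround above: RRSIG validity must be >= the ZSK rollover time."""
    return rrsig_validity_days >= rollover_days


if __name__ == "__main__":
    print(f"exposure: {exposure_days(SAMPLE_RRSIGS, '20180615000000', 30):.1f} days")
    print(f"7-day validity vs 30-day rollover ok: {workaround_ok(7, 30)}")
```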

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips