Bug ID 724292: RRSIG might expire without incrementing external-facing zone SOA serial

Last Modified: Aug 04, 2022

Bug Tracker

Affected Product:
BIG-IP DNS (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Fixed In:

Opened: Jun 15, 2018
Severity: 3-Major


When a DNSSEC-signed zone is copied to a slave (secondary) server via AXFR, each RRset carries an RRSIG that has an expiration time. If the zone is otherwise static and the default expiration and publication times are configured, the RRSIGs on the slave expire before the xfr-soa-serial is updated by a key rollover event; until that serial changes, the slave is not prompted to transfer a fresh copy of the zone.


DNSSEC validation of the signed zone fails for any client that resolves the static zone through a slave DNS server.


xfr-soa-serial is updated when RRSIGs expire, so that slave servers get a new copy of the zone when the RRSIG expires.


Set the RRSIG validity time equal to or greater than the ZSK rollover time.
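To make the window concrete, here is an added check (example code written for this page, not F5's) that reads RRSIG records captured from a slave and reports both signatures that have already expired and signatures whose validity period is shorter than the ZSK rollover interval; the zone data, names, key tag and dates are constructed.

```python
from datetime import datetime, timezone

TIMEFMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format

# Constructed sample: RRSIG records as a slave holds them after an AXFR of a
# static zone. Names, dates and key tag are made up for this example.
SLAVE_RRSIGS = """\
example.test.     3600 IN RRSIG SOA 8 2 3600 20220801000000 20220702000000 4242 example.test. c2ln
example.test.     3600 IN RRSIG NS  8 2 3600 20220801000000 20220702000000 4242 example.test. c2ln
www.example.test. 3600 IN RRSIG A   8 3 3600 20220815000000 20220716000000 4242 example.test. c2ln
"""

def parse_rrsig(line):
    """Return (owner, type_covered, inception, expiration) from one RRSIG line.
    Field order: owner TTL class RRSIG type alg labels orig-TTL expiration
    inception keytag signer signature."""
    f = line.split()
    exp = datetime.strptime(f[8], TIMEFMT).replace(tzinfo=timezone.utc)
    inc = datetime.strptime(f[9], TIMEFMT).replace(tzinfo=timezone.utc)
    return f[0], f[4], inc, exp

def _records(zone_text):
    return [parse_rrsig(l) for l in zone_text.splitlines() if l.strip()]

def expired_rrsigs(zone_text, now_str):
    """(owner, type) of RRSIGs the slave still serves at now_str (YYYYMMDDHHMMSS,
    UTC) although they have expired; validating resolvers reject these."""
    now = datetime.strptime(now_str, TIMEFMT).replace(tzinfo=timezone.utc)
    return [(o, t) for o, t, _, exp in _records(zone_text) if exp <= now]

def rollover_gap_days(validity_days, zsk_rollover_days):
    """Days per rollover cycle during which a static zone's slaves serve expired
    RRSIGs when the SOA serial only changes at ZSK rollover. Zero means the
    workaround holds: RRSIG validity >= ZSK rollover interval."""
    return max(0, zsk_rollover_days - validity_days)

def check_policy(zone_text, zsk_rollover_days):
    """RRSIGs whose validity period is shorter than the rollover interval, i.e.
    signatures that lapse before the next rollover-driven serial bump."""
    bad = []
    for owner, rtype, inc, exp in _records(zone_text):
        validity = (exp - inc).days
        if rollover_gap_days(validity, zsk_rollover_days) > 0:
            bad.append((owner, rtype, validity))
    return bad

if __name__ == "__main__":
    print("expired on slave:", expired_rrsigs(SLAVE_RRSIGS, "20220804000000"))
    print("shorter than 90-day rollover:", check_policy(SLAVE_RRSIGS, 90))
```

On a real slave, feed the script the RRSIG lines from a zone dump or from `dig +dnssec` answers, which use the same presentation format.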

Fix Information


Behavior Change