Bug ID 724292: RRSIG might expire without incrementing external-facing zone SOA serial

Last Modified: May 23, 2019

Bug Tracker

Affected Product: BIG-IP DNS (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 15.0.0

Opened: Jun 15, 2018
Severity: 3-Major

Symptoms

When a DNSSEC-signed zone is copied to a slave via AXFR, each RRset carries an RRSIG with an expiration time. If the zone is otherwise static and the default signature expiration and publication times are in use, the RRSIGs held by the slave expire before the xfr-soa-serial is next incremented, which for a static zone only happens at a key rollover. Because the slave sees no serial change, it never re-transfers the zone and keeps serving signatures that have already expired.

Impact

Validating resolvers that query a slave DNS server for such a static zone fail DNSSEC validation, because the expired RRSIGs are treated as bogus even though the master's copy of the zone is current.

Conditions

The zone is DNSSEC signed and transferred to slaves via AXFR, its records do not otherwise change, and the default RRSIG expiration and publication times are in use, so the only event that increments xfr-soa-serial is a key rollover. Expected behavior: xfr-soa-serial should be updated whenever RRSIGs are regenerated, so that slave servers fetch a new copy of the zone before the old RRSIGs expire.

Workaround

Set the RRSIG validity time equal to or greater than the ZSK rollover time, so that the key rollover (which increments xfr-soa-serial and causes slaves to re-transfer the zone) happens before the existing signatures expire.
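The following is an added check, not part of this bug page or of F5's software, that shows the failure mode above on a constructed AXFR dump and tests the workaround arithmetic. It parses RRSIG and SOA records in zone presentation format from a slave's copy of a static zone and flags every signature that is already expired or that will expire before the next scheduled serial bump (plus the SOA refresh interval, the latest point at which a slave without NOTIFY would poll the master). The zone name, serial, timestamps and signature data are constructed for the example; in practice the input would be the output of an AXFR against the slave.

```python
"""Added example: find RRSIGs on a slave's copy of a static signed zone that
will expire before the next xfr-soa-serial increment gives the slave a reason
to re-AXFR. Not F5 code; the sample zone below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed AXFR output as seen on the slave. Signature data is a placeholder.
SAMPLE_AXFR = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2018061501 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20190615000000 20190516000000 12345 example.test. AAAA
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20190615000000 20190516000000 12345 example.test. BBBB
example.test. 3600 IN TXT "static zone"
example.test. 3600 IN RRSIG TXT 8 2 3600 20190520000000 20190420000000 12345 example.test. CCCC
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 8 3 300 20190701000000 20190601000000 12345 example.test. DDDD
"""


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int


def _ts(s: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> list:
    """Extract RRSIG records from a zone dump in presentation format."""
    sigs = []
    for line in zone_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append(Rrsig(f[0], f[4], _ts(f[8]), _ts(f[9]), int(f[10])))
    return sigs


def soa_serial_and_refresh(zone_text: str):
    """Return (serial, refresh_seconds) from the zone's SOA record."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "SOA":
            return int(f[6]), int(f[7])
    raise ValueError("no SOA record in zone dump")


def stale_rrsigs(zone_text: str, now: datetime, next_serial_bump: datetime) -> list:
    """RRSIGs that are expired, or that expire before the slave can learn of the
    next serial increment (next bump + SOA refresh, the no-NOTIFY worst case).
    Each entry is (owner, type_covered, reason)."""
    _, refresh = soa_serial_and_refresh(zone_text)
    latest_retransfer = next_serial_bump.timestamp() + refresh
    out = []
    for s in parse_rrsigs(zone_text):
        if s.expiration <= now:
            out.append((s.owner, s.type_covered, "expired"))
        elif s.expiration.timestamp() < latest_retransfer:
            out.append((s.owner, s.type_covered, "expires-before-retransfer"))
    return out


def workaround_holds(rrsig_validity_days: int, zsk_rollover_days: int) -> bool:
    """The workaround from this bug: signature validity must cover the interval
    until the next ZSK rollover, which is the event that increments the serial."""
    return rrsig_validity_days >= zsk_rollover_days


if __name__ == "__main__":
    now = _ts("20190601000000")
    rollover = _ts("20190620000000")  # assumed next scheduled ZSK rollover
    for owner, rtype, reason in stale_rrsigs(SAMPLE_AXFR, now, rollover):
        print(f"{owner} {rtype}: {reason}")
    print("workaround ok (30d validity, 30d rollover):", workaround_holds(30, 30))
```

Run against a real slave, replace SAMPLE_AXFR with the text of a `dig @slave zone AXFR`, set `now` to the current time and `next_serial_bump` to the next scheduled ZSK rollover; anything reported is an RRset that validating resolvers will reject before the slave ever re-transfers.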

Fix Information

None

Behavior Change