Bug ID 744937: BIG-IP DNS and GTM DNSSEC security exposure

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP DNS(all modules)

Known Affected Versions:
15.0.0

Fixed In:
15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5

Opened: Sep 24, 2018

Severity: 3-Major

Related Article: K00724442

Symptoms

For more information please see: https://support.f5.com/csp/article/K00724442

Impact

For more information please see: https://support.f5.com/csp/article/K00724442

Conditions

For more information please see: https://support.f5.com/csp/article/K00724442

Workaround

None.

Fix Information

For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change

Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables:

-- dnssec.nsec3apextypesbitmap
-- dnssec.nsec3underapextypesbitmap

These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively. When the BIG-IP system is queried for a DNS name that exists but does not own the RR type requested, the NSEC3 types bitmap in the response reflects what you configure in the db variable, minus the queried-for type.

When using these variables:

-- Configure type values as all lowercase.
-- Enclose multiple types in quotation marks (e.g., "txt rrsig").
-- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex setting is what you will find helpful in addressing the negative caching issue.
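As an added illustration (not F5's code), the following Python models the NODATA behaviour the note describes: it parses a db value in the stated format, drops the queried-for type, and additionally encodes the result in the RFC 4034 type-bitmap wire format used in NSEC3 records. TYPE_CODES is a constructed subset of IANA RR type codes.

```python
from typing import Dict, List

# Constructed subset of IANA RR type codes, enough for the page's example values.
TYPE_CODES: Dict[str, int] = {"a": 1, "ns": 2, "soa": 6, "mx": 15, "txt": 16,
                              "aaaa": 28, "rrsig": 46, "dnskey": 48, "nsec3": 50}


def parse_db_value(value: str) -> List[str]:
    """Parse a dnssec.nsec3*typesbitmap db value: lowercase names, space
    separated, optionally enclosed in quotation marks (e.g. "txt rrsig")."""
    names = value.strip().strip('"').split()
    for n in names:
        if n != n.lower():
            raise ValueError(f"type values must be all lowercase: {n}")
        if n not in TYPE_CODES:
            raise ValueError(f"unknown RR type: {n}")
    return names


def nodata_bitmap(configured: str, qtype: str) -> List[str]:
    """Types listed in the NSEC3 of a NODATA answer: the configured set
    minus the queried-for type, as the behaviour change describes."""
    q = qtype.lower()
    return [t for t in parse_db_value(configured) if t != q]


def encode_type_bitmap(names: List[str]) -> bytes:
    """RFC 4034 section 4.1.2 wire encoding (also used by NSEC3): a sequence of
    (window, length, bitmap) blocks, one bit per type code, MSB first."""
    windows: Dict[int, bytearray] = {}
    for n in names:
        code = TYPE_CODES[n]
        win, low = code >> 8, code & 0xFF
        bm = windows.setdefault(win, bytearray(32))
        bm[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        length = max(i + 1 for i, b in enumerate(bm) if b)  # trim trailing zero octets
        out += bytes([win, length]) + bm[:length]
    return bytes(out)
```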
