Bug ID 744937: BIG-IP DNS and GTM DNSSEC security exposure

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP DNS(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 15.0.0

Fixed In:
15.1.0, 15.0.1, 14.1.2, 14.0.1, 13.1.3, 12.1.5, 11.6.5

Opened: Sep 24, 2018
Severity: 3-Major
Related AskF5 Article:
K00724442

Symptoms

For more information please see: https://support.f5.com/csp/article/K00724442

Impact

For more information please see: https://support.f5.com/csp/article/K00724442

Conditions

For more information please see: https://support.f5.com/csp/article/K00724442

Workaround

None.

Fix Information

For more information please see: https://support.f5.com/csp/article/K00724442

Behavior Change

Note: After installing a version of the software that includes the fix for this issue, you must set the following db variables: -- dnssec.nsec3apextypesbitmap -- dnssec.nsec3underapextypesbitmap. These two db variables are used globally (i.e., not per-DNSSEC zone) to configure the NSEC3 types bitmap returned in one-off NODATA responses for apex and under-apex responses, respectively. When the BIG-IP system is queried for a DNS name in which the DNS name exists and is not of the RR type requested, the NSEC3 types bitmap on the response reflects what you configure for the db variable, minus the queried-for type. When using these variables: -- Configure type values as all lowercase. -- Enclose multiple types in quotation marks (e.g., "txt rrsig"). -- Understand that there is likely no need to change the apex type setting; do so with extreme care. The under-apex settings are what you will find helpful in addressing the negative caching issue.