Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP DNS, GTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7
Fixed In:
12.1.4, 11.6.3.4, 11.5.8
Opened: Nov 20, 2018 Severity: 3-Major
DNS Cache drops a DNS query that contains an EDNS OPT Record that it does not understand.
DNS Cache drops the request. Clients (such as a DNS Flag Day compliance tool) or upstream DNS server will experience a timeout for that query. This is occurring now because of the changes coming that remove certain workarounds on February 1st, 2019. This is known as DNS Flag Day. All network configurations on the internet will be affected by this change, but only some DNS servers will be negatively impacted. Fixes for this issue handle the conditions that were once handled by those workarounds.
If a client (such as a DNS Flag Day compliance tool) or upstream DNS Server sends an invalid ENDS OPT record.
None.
When a query with an invalid EDNS OPT version is received by DNS Cache, the system now sends a response with the BADVERS error code, as stipulated by the RFC. Note: Any NOSOA and NOAA results from the EDNS Compliance Tester used for DNS Flag Day are false positives and are expected when testing against DNS Cache. The EDNS Compliance Tester assumes an authoritative server, and makes non-recursive queries. For example, you might see a Resolver response similar to the following: example1.com. @10.10.10.126 (ns.example1.com.): dns=nosoa,noaa edns=nosoa,noaa edns1=ok edns@512=noaa ednsopt=nosoa,noaa edns1opt=ok do=nosoa,noaa ednsflags=nosoa,noaa optlist=nosoa,noaa,subnet signed=nosoa,noaa,yes ednstcp=noaa These types of responses are expected when running the validation tool against DNS Cache.