Bug ID 767989: DNSSEC RRSIG Inception Offset

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP DNS (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Fixed In:

Opened: Apr 03, 2019
Severity: 4-Minor


When a DNSSEC key is used to generate an RRSIG record for the first time, the inception time of the record is set to the current BIG-IP system time. If the clock of the system that validates the signed DNS response is running behind the clock of the BIG-IP system, that system sees the RRSIG as having an inception time in the future and treats it as not yet valid.


This may cause validation of a DNSSEC response to fail if the validator finds that there are no valid RRSIG records signing the response.


-- DNSSEC is used to sign responses for a particular DNS zone.
-- The clock of the validating resolver is running behind the clock of the BIG-IP system.



Fix Information

This fix causes all generated RRSIG records to have their inception time backdated by exactly 1 hour.

Behavior Change

The inception time of all RRSIG records is backdated by exactly 1 hour. The time that the RRSIG record is generated and the time it expires are unchanged. The RRSIG inception time will appear as 1 hour before the RRSIG was generated.
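
The validator-side time check that produces the symptom, and the effect of the 1-hour backdating, as an added example (not F5 code). It follows the inception/expiration rule of RFC 4035 section 5.3.1 with the RFC 1982 serial comparison required by RFC 4034 section 3.1.5; the function names, the sample timestamp and the 7-day signature lifetime are constructed for illustration.

```python
# Added example: how a validating resolver judges the RRSIG validity window.
# RRSIG inception/expiration are 32-bit seconds since the epoch and are
# compared with RFC 1982 serial-number arithmetic, so they may wrap.

BACKDATE_SECONDS = 3600          # the 1-hour inception offset from the fix
SIGNER_NOW = 1554249600          # constructed BIG-IP clock value at signing time
LIFETIME = 7 * 24 * 3600         # constructed signature lifetime (assumption)
MASK = 0xFFFFFFFF


def serial_lt(a: int, b: int) -> bool:
    """True if 32-bit serial value a precedes b (RFC 1982)."""
    a &= MASK
    b &= MASK
    return a != b and ((b - a) & MASK) < 0x80000000


def sign_window(signer_now: int, lifetime: int, backdate: int = 0):
    """Return (inception, expiration) for an RRSIG generated at signer_now.

    Backdating moves only the inception; the expiration is unchanged.
    """
    return (signer_now - backdate) & MASK, (signer_now + lifetime) & MASK


def rrsig_time_status(inception: int, expiration: int, validator_now: int) -> str:
    """Classify an RRSIG as seen by a validator whose clock reads validator_now."""
    if serial_lt(validator_now, inception):
        return "not-yet-valid"   # validator clock is behind the inception time
    if serial_lt(expiration, validator_now):
        return "expired"
    return "valid"


def status_for_lag(lag_seconds: int, backdate: int) -> str:
    """Status of a freshly generated RRSIG for a validator lagging by lag_seconds."""
    inception, expiration = sign_window(SIGNER_NOW, LIFETIME, backdate)
    return rrsig_time_status(inception, expiration, SIGNER_NOW - lag_seconds)


if __name__ == "__main__":
    for lag in (0, 300, 3600, 3601):
        print(f"validator lag {lag:>4}s  "
              f"no offset: {status_for_lag(lag, 0):<14} "
              f"1h offset: {status_for_lag(lag, BACKDATE_SECONDS)}")
```

A validator lagging by more than the offset still rejects a freshly generated signature, so the backdating tolerates skew of up to 1 hour and no more.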