Last Modified: Apr 17, 2024
Affected Product(s):
BIG-IP GTM
Known Affected Versions:
12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4
Fixed In:
16.0.0
Opened: Jul 18, 2019 Severity: 3-Major
DNSSEC Key generation expires when a new generation fails to be created.
The last DNSSEC Key generation expires, leaving the Key without any generation. As a result, BIG-IP fails to sign resource records (RRs) with the DNSSEC Key.
BIG-IP is configured with a rolling DNSSEC Key and the following conditions are met:
1. A new DNSSEC Key generation was not created due to a failure, so only one generation remains for the DNSSEC Key.
2. The old DNSSEC Key generation is nearly expired.
A new DNSSEC Key can be created to trigger creation of a new generation.
A DNSSEC Key generation never expires if it is the last generation for the DNSSEC Key.