Bug ID 821589: DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Last Modified: Oct 13, 2023

Affected Product(s):
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,, 15.1.0,,,,,, 15.1.1, 15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,

Opened: Sep 05, 2019

Severity: 3-Major


DNSSEC does not insert NSEC3 records for NXDOMAIN responses.


DNSSEC does not respond NSEC3 for non-existent domain.


-- "process-xfr yes" is set for the dns profile associated with the listener; And -- There is no "Zone Transfer Clients" nameserver configured for that zone. And -- There is no wideip configured.


1. Change this setting for dns profile from "process-xfr yes" to "process-xfr no"; Or 2. Add a nameserver for "Zone Transfer Clients" of that zone. Or 3. Add a wideip.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips