Bug ID 821589: DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Last Modified: Sep 29, 2022


Affected Product:
BIG-IP DNS, GTM, LTM (all modules)

Known Affected Versions:
14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 15.1.7

Opened: Sep 05, 2019
Severity: 3-Major


DNSSEC does not insert NSEC3 records for NXDOMAIN responses.


DNSSEC does not respond with NSEC3 records for a non-existent domain.


-- "process-xfr yes" is set for the DNS profile associated with the listener; and
-- There is no "Zone Transfer Clients" nameserver configured for that zone; and
-- There is no wideip configured.


1. Change this setting for the DNS profile from "process-xfr yes" to "process-xfr no"; or
2. Add a nameserver for "Zone Transfer Clients" of that zone; or
3. Add a wideip.
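
To confirm whether a listener shows this symptom, or that a workaround took effect, the authority section of an NXDOMAIN response can be checked for NSEC3 records and their RRSIG. The following is an added example, not F5 code; the function names, the zone example.com, the address 192.0.2.53 and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec` output for a name that should not exist.
# Live use (listener address is a placeholder):
#   dig +dnssec nosuch.example.com @192.0.2.53 | classify_nxdomain
classify_nxdomain() {
    awk '
        index($0, "->>HEADER<<-") && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; [A-Z]+ SECTION:/ { section = $2; next }
        # Resource record layout: name TTL class type rdata...
        section == "AUTHORITY" && $0 !~ /^;/ && NF >= 5 {
            if ($4 == "NSEC3") nsec3++
            if ($4 == "RRSIG" && $5 == "NSEC3") sig++
        }
        END {
            if (status != "NXDOMAIN") print "not-nxdomain"
            else if (nsec3 == 0)      print "missing-nsec3"
            else if (sig == 0)        print "unsigned-nsec3"
            else                      print "ok"
        }'
}

# Constructed sample: NXDOMAIN with only a signed SOA (the symptom in this bug).
sample_affected() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;nosuch.example.com.	IN	A

;; AUTHORITY SECTION:
example.com.	3600	IN	SOA	ns1.example.com. hostmaster.example.com. 1 3600 600 86400 3600
example.com.	3600	IN	RRSIG	SOA 8 2 3600 20300101000000 20200101000000 1 example.com. c2lnCg==
EOF
}

# Constructed sample: the same response with a signed NSEC3 denial added.
sample_fixed() {
    sample_affected
    cat <<'EOF'
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com.	3600	IN	NSEC3	1 0 1 ABCD 2T7B4G4VSA5SMI47K61MV5BV1A22BOJR A RRSIG
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com.	3600	IN	RRSIG	NSEC3 8 3 3600 20300101000000 20200101000000 1 example.com. c2lnCg==
EOF
}
```

A result of "missing-nsec3" matches the symptom described here; "ok" means the NXDOMAIN response carries a signed NSEC3 denial.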

Fix Information


Behavior Change