Bug ID 821589: DNSSEC does not insert NSEC3 records for NXDOMAIN responses

Last Modified: Sep 13, 2019


Affected Product:
BIG-IP DNS, GTM, LTM(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2

Opened: Sep 05, 2019
Severity: 3-Major

Symptoms

DNSSEC does not insert NSEC3 records for NXDOMAIN responses.

Impact

DNSSEC responses for a non-existent domain do not include NSEC3 records.

Conditions

-- "process-xfr yes" is set for the DNS profile associated with the listener; and
-- There is no "Zone Transfer Clients" nameserver configured for that zone; and
-- There is no wideip configured.

Workaround

1. Change this setting for the DNS profile from "process-xfr yes" to "process-xfr no"; or
2. Add a nameserver for "Zone Transfer Clients" of that zone; or
3. Add a wideip.
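
To confirm whether a listener shows this symptom, or that a workaround took effect, the following added example (not part of the original bug record or any F5 tooling) classifies the text output of `dig +dnssec` for a name that should not exist. The function and sample names, the `example.test` zone and the `192.0.2.53` address are assumptions, and the check assumes the zone is expected to use NSEC3 for denial of existence.

```shell
#!/bin/sh
# Classify `dig +dnssec` text output (stdin) for a name that should not exist:
#   ok       NXDOMAIN carrying at least one NSEC3 record in the AUTHORITY section
#   missing  NXDOMAIN without NSEC3 (the symptom described in this bug)
#   n/a      status is not NXDOMAIN, so the check does not apply
check_nsec3_denial() {
    awk '
        /^;; ->>HEADER<<-/ {
            # The status is the token after "status:", with a trailing comma.
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; [A-Z]+ SECTION:/ { in_auth = ($2 == "AUTHORITY"); next }
        /^$/ { in_auth = 0 }
        # Record lines read: owner TTL class type rdata...
        # An RRSIG covering NSEC3 has type RRSIG in field 4, so it is not counted.
        in_auth && $0 !~ /^;/ && $4 == "NSEC3" { nsec3++ }
        END {
            if (status != "NXDOMAIN") print "n/a"
            else if (nsec3 > 0) print "ok"
            else print "missing"
        }'
}

# Constructed sample: signed NXDOMAIN answer lacking NSEC3 (names and rdata are made up).
sample_affected() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4660
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 3600 600 86400 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20200101000000 1 example.test. AAAA
EOF
}

# Constructed sample: the same answer with an NSEC3 denial-of-existence record present.
sample_expected() {
    sample_affected
    printf '%s\n' 'abcd1234.example.test. 3600 IN NSEC3 1 0 1 AB 0123ABCD SOA RRSIG'
}

# Live use (resolver address and query name are placeholders):
#   dig +dnssec @192.0.2.53 no-such-name.example.test A | check_nsec3_denial
```

A `missing` verdict from a listener that serves a signed zone matches the symptom above; a validating resolver cannot authenticate such an NXDOMAIN answer.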

Fix Information

None

Behavior Change