Applies To:Show Versions
3-DNS Controller versions 1.x - 4.x
- 4.0.1 PTF-04
Software enhancements and fixes
What's fixed in this PTF
CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many
Implementations of the Simple Network Management Protocol (SNMP)
The security vulnerabilities that are outlined in CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP), have been fixed.
CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
The security vulnerability that is outlined in CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability, has been fixed.
CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling
The OpenSSH software running on the 3-DNS Controller has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.
CERT Advisory CA-2002-19, Buffer Overflow in Multiple DNS Resolver Libraries
The buffer overflow vulnerability in DNS resolver libraries that is outlined in CERT Advisory CA-2002-19 has been fixed.
Denial of service (DOS) attacks and the UDP protocol for iQuery (CR20195)
The 3dnsd daemon no longer marks the big3d agent (running on the same system) as down, under the following conditions:
- The iQuery protocol is set to UDP (the default)
- The DNS port experiences a DOS attack
- The DNS attack generates more than 50,000 requests per second
The 3dns_action script has been updated (CR22011)
We have modified the 3dns_action script so that it now performs the following tasks:
- Cleans up files that fail to parse or are otherwise damaged
- Keeps only ten files per sync group member for historical data, rather than 100
The syncd daemon staging files in the /tmp directory (CR22012)
A cron job now deletes files the /tmp directory that are older than one day, which cleans up after the syncd daemon when the daemon leaves old staging files in that directory.
Enhancements and fixes released in prior PTFs
The following issues were resolved in the previous releases.
Version 4.0.1 PTF-03
Disabling data centers with 3dpipe and proper virtual server status display (CR18341)
When you use the 3dpipe utility to disable a data center, the status for any virtual servers in that data center now correctly displays as disabled by parent.
Deleting objects using the Configuration utility and synchronization (CR18858)
When you use the Configuration utility to delete objects, such as servers and virtual servers, the resulting changes are now properly synchronized to sync group members.
The bigpipe failover active command and error messages (CR18865)
The bigpipe failover active command no longer returns a label not found message. Note that this command is valid only when you have a redundant system.
The big3d agent and iQuery compatibility (CR18870)
The big3d agent for version 4.0.1 is now forward-compatible with 3-DNS, version 4.2.
Upgrading from version 3.0 to version 4.0.1 and zone files (CR18876)
When you upgrade from 3-DNS Controller, version 3.0 to version 4.0.1 PTF03, the upgrade script now properly migrates the zone files that are managed by NameSurfer.
The 3-DNS Controller now searches for a directory entry in /etc/named.conf that points to /var/namedb, and changes it to /config/3dns/namedb. The 3-DNS Controller also attempts to move zone files from /var/namedb to /config/3dns/namedb. There are two circumstances, which combined, can cause this attempt to fail: first, if your 3-DNS Controller was purchased with version 4.0.1 pre-installed, your /config directory is a partition. If you manage enough separate zones that the zone file data does not fit in the /config directory, the 3-DNS Controller attempts to put the zone files under /3dns, another separate partition, and makes a link from /config/3dns/namedb to /3dns/namedb. If there is not enough room in the /3dns directory, the 3-DNS Controller gives up and makes a link from /config/3dns/namedb to /var/namedb.
Using TCP as the iQuery protocol with firewalls or switches (CR19034)
When you use TCP as the iQuery protocol, and you have a firewall or switch between the 3-DNS Controller and any big3d agents, the connection between the 3-DNS Controller and the remote big3d agents is no longer shut off improperly by the firewall or switch. This issue arose when the switch or firewall was configured for short-lived TCP connections, and stopped passing packets before the iQuery connection was closed.
Using data center server location endpoints in a topology statement and the Topology load balancing mode within a pool (CR19037)
When you specify a data center as a server location endpoint in a topology statement, and you use the Topology load balancing mode within a pool, the 3-DNS Controller now load balances as expected.
Dynamic persistence functionality (CR19045)
Dynamic persistence now works as expected.
The local DNS server IP dont fragment setting and 3-DNS load balancing (CR19061)
When a local DNS server has set the IP dont fragment bit to yes, the 3-DNS Controller no longer forwards the packets straight to named for a response.
Using TCP iQuery connections and modifying the configuration using the Configuration utility (CR19212)
When you set the iQuery protocol to TCP, and you use the Configuration utility to modify any configuration settings, the 3-DNS Controller no longer unnecessarily marks the servers and virtual servers as down (red ball), and it no longer breaks the TCP/IP connection.
Corrupted authority record section of the DNS response from a CDN pool (CR19137)
When the DNS response is from a CDN pool, the authority record section of the DNS response is no longer corrupted.
Using the Configuration utility to change the pool order when the pool load balancing mode is Global Availability (CR19151)
You can now use the Configuration utility to change the pool order when the pool load balancing mode (Pool LB Mode) is set to Global Availability.
Renaming existing wide IPs, wide IP aliases, or data centers and synchronization (CR19296, CR19691)
Renaming an existing wide IP, wide IP alias, or data center no longer causes problems with synchronization.
Renaming existing wide IPs or wide IP aliases and NameSurfer (CR19486)
When you rename an existing wide IP or alias that is in a 3-DNS sync group, the change is now properly migrated to NameSurfer.
Getting up or down status for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems from SNMP (CR19633)
You can now get the proper up or down status, using SNMP, for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems.
Upgrading to 3-DNS Controller, version 4.0.1, and interface configuration issues (CR19649)
When you upgrade to version 4.0.1, the upgrade process no longer deletes your interface configuration information. Note that this error occurred only if you renamed your interfaces from the default (fxp0, fxp1), or if your 3-DNS has more than two interfaces.
Creating pools of type A with no virtual servers (CR19839)
If you create a wide IP pool of type A, and the pool contains no virtual servers, you now receive a warning message that you are about to create a pool with no virtual servers in it.
CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many
Implementations of the Simple Network Management Protocol (SNMP) (CR19922)
The security vulnerability that is outlined in CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP), has been fixed.
Using snmpwalk and the 3-DNS MIB (CR19989)
You no longer receive an OID error when you use snmpwalk on the 3-DNS MIB, and the following condition exists: the string length (shorter to longer) and the lexicographic sort (a to z) of wide IP names and/or data center names in the MIB are in opposite order.
Synchronization and viewing server status (CR20173)
When you make configuration changes on a receiver 3-DNS Controller in a sync group, and then view server and virtual server status on the principal 3-DNS Controller, the servers and virtual servers are no longer inaccurately marked as down (red ball).
A Distributed Application Manager, version 1.0 support (CR15963, CR16062)
The 3-DNS Controller now supports the Distributed Application Manager, version 1.0.
Sync groups and renaming pools or wide IPs (CR16457)
When you have three or more 3-DNS Controllers in a sync group, and you rename a pool or wide IP more than once, the renamed pools or wide IPs now synchronize properly.
Stopping and starting the iControl portal (CR17378, CR17415)
Stopping and starting the iControl portal no longer causes system errors.
Default values for the iControl portal (CR17446)
The 3-DNS Controller database now contains default values for the iControl portal. You can view the default values by running the config portal script.
Non-external ports bound to the loopback address (CR17513)
All non-external ports are now bound to the loopback address. The affected non-external ports are:
- 8053 and 8054 (NameSurfer)
- 2121 and 1616 (Portal Real Servers)
Adding virtual servers to pools that have port lists configured (CR17691)
If you have pools configured with port lists, and you are adding additional virtual servers to those pools, the Configuration utility now lists only those virtual servers that use the same ports as those in the pool's port list.
Syntax changes for the syncgroup command in the 3dpipe utility (CR17905)
The syncgroup_name parameter in the syncgroup command is now optional. For more information on the 3dpipe utility, refer to the 3-DNS Controller, version 4.0.1 release notes.
Drop packets when there is a Last Resort pool specified and the fallback load balancing mode is Null (CR18080)
The 3-DNS Controller no longer uses the Return to DNS load balancing mode when the following criteria are met:
- No virtual servers are available to resolve the request
- You have at least two pools configured, and one pool is designated as the last resort pool
- The fallback load balancing mode for the last resort pool is Null
The upgrade installation for the 3-DNS Controller, version 4.0.1 and the bigdba command (CR18117)
If you upgraded the 3-DNS Controller to version 4.0.1 from version 2.1.2 or earlier, the controller may have an obsolete version of the bigdba command. The PTF installer for PTF-02 correctly deletes /sbin/bigdba and reloads the bigdba database if the following conditions are met:
- The /config/user.db file does not already exist on the controller
- The /config/user.db.txt file exists on the controller
Wide IP names in the database (CR18260)
Wide IP names are now stored in all-lowercase format in the 3-DNS Controller configuration. Converting the wide IP names to lowercase in the configuration ensures that the 3-DNS Controller remains compliant with the DNS RFC (RFC 1035), which specifies that domains not be case-sensitive.
Static Persist load balancing mode (CR18274)
When you have configured the 3-DNS Controller to use the Static Persist load balancing mode, and a local DNS server is repeatedly requesting a domain on the 3-DNS Controller, the 3-DNS Controller no longer issues an incorrect response.
The named utility and upgrading 3-DNS Controllers (CR17793)
The named utility now restarts when you reboot a 3-DNS Controller that has been upgraded from a previous version to version 4.0.1. Note that the named utility runs only on 3-DNS Controllers that are in node mode.
Restarting the 3-DNS Controller web server (CR17854)
The Restart 3-DNS Configuration Utility, on the 3-DNS Maintenance Menu, now correctly restarts the 3-DNS web server.
Rerunning the config command (CR17855)
Rerunning the config command after you initially configure the 3-DNS Controller no longer overwrites the /etc/named.conf file.
The following section provides information about both required and optional configuration changes.
Required configuration changes
The current release has no required configuration changes.
Optional configuration changes
The following new configuration options are available on the 3-DNS Controller.
Additions to the 3dpipe utility syntax
The following commands have been added to the 3dpipe utility:
- 3dpipe wideip <wide_IP_name> dc <data_center_name> disable
You can use this command to disable a wide IP, in the context of a data center.
- 3dpipe wideip <wide_IP_name> dc <data_center_name> enable
You can use this command to enable a wide IP, in the context of a data center.
- 3dpipe wideip <wide_IP_name> dc <data_center_name> status
You can use this command to get the status (enabled or disabled) of a wide IP, in the context of a data center.
- 3dpipe wideip <wide_IP_name> pool <pool_name> vs show all
You can use this command to get the following information for each virtual server in a wide IP pool:
- enabled or disabled status
- availability status: green (available), blue (unknown), red (down), or yellow (unavailable)
- IP address
- ratio value (for the Ratio load balancing mode)
The following items are known issues in the current release.
Adding servers using the Configuration utility and the Back button in Internet Explorer (CR17504)
Occasionally, when you are running the Configuration utility in a Microsoft® Internet Explorer browser session and you add a new server to the 3-DNS Controller configuration, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.
Using A Distributed Application Manager with the 3-DNS Controller
If you are attempting to use A Distributed Application Manager (ADAM) with the 3-DNS Controller, in some cases you may not be able to log in as the 3-DNS Controller administrative user that was defined in the Configuration utility when you set up the 3-DNS Controller. To correct this, run the 3dnsmaint command line utility and select Change/Add users for 3-DNS Configuration Utility. Re-enter the administrative user name and password. You can then log in through ADAM as the administrative user.
SNMP probes and host servers (CR19784)
SNMP probes to host servers always use SNMP, version 1.
The Dump 3-DNS Statistics command on the 3-DNS Maintenance menu and viewing EDGE-FX Cache statistics (CR20000)
When you use the Dump 3-DNS Statistics command on the 3-DNS Maintenance menu, and you choose EDGE-FX, the command exits without a warning when you have no EDGE-FX Caches defined in your configuration.
The Restore a 3-DNS from a backup command on the 3-DNS Maintenance menu and the 3dnsd daemon (CR20024)
When you use the Restore a 3-DNS from a backup command on the 3-DNS Maintenance menu, you must manually restart the 3dnsd daemon after the restore process has completed. To restart the 3dnsd daemon, type 3ndc restart from the command line.
The 3-DNS Maintenance menu: the Dump 3dnsd Statistics command and wide IP statistics (CR20140)
When you select Wide IPs on the Dump 3dnsd Statistics command in the 3-DNS Maintenance menu, the statistics you see are not the same as the statistics that you see on the Wide IP Statistics screen in the Configuration utility.
Topology load balancing within in a pool when two or more topology records get the same score (CR20161)
When you set the load balancing mode within a pool to Topology, and two or more topology records get the same score for virtual servers in that pool, the 3-DNS Controller load balances only to the first virtual server that has the matching topology score.
The 3dpipe utility and pool names (CR20182, CR20183)
The 3dpipe utility does not properly parse pool names that contain numbers only, or pool names that contain hyphens.
Synchronization and deleting virtual server dependencies and virtual server translations (CR20208)
Deleting virtual server translations and virtual server dependencies is not properly synchronized when your 3-DNS systems are in a sync group. To avoid this error, you can delete the virtual server dependencies and virtual server translations on one member of the sync group, and then run 3ndc restart, from the command line, on the other members of the sync group.
The 3dns_action script does not delete action commands on the local system (CR22108)
The 3dns_action script does not delete action commands, that are generated by the local systems 3dnsd daemon, from the /tmp/sync_wideip_cmds directory on the local system. There is a cron job, however, that deletes files that are older than one day from the /tmp directory. The cron job also deletes any action commands that are older than one day.