Release Notes : 3-DNS Controller, PTF Note 4.2 PTF-07

Applies To:

3-DNS Controller versions 1.x - 4.x

  • 4.2 PTF-07, 4.2.0
Updated Date: 04/18/2019

Summary:

This product temporary fix (PTF) provides enhancements and fixes for the 3-DNS Controller, version 4.2. The PTF includes all fixes released since version 4.2, including fixes originally released in prior PTFs.

Installing the PTF

The current PTF installs fixes from all PTFs released after 3-DNS Controller, version 4.2. (For details, see the following section, Software enhancements and fixes.)  The latest version of the PTF note is available at http://tech.f5.com.

Note:  If you are updating the 3-DNS Controller module on a BIG-IP system, do not use the following installation instructions.  Instead, refer to the BIG-IP, version 4.2PTF07 note for installation instructions.

Use the following instructions to apply the PTF to the 3-DNS Controller, version 4.2. 

Note:  If you have installed prior PTFs, this installation does not overwrite any configuration changes that you made for prior PTFs.

Apply the PTF to the 3-DNS Controller, version 4.2 using the following process.  Note that the installation script saves your current configuration.

  1. Change to the /var/tmp/ directory by typing:
    cd /var/tmp/


  2. Connect to the F5 Networks FTP site (ftp.f5.com).
    Use FTP in passive mode from the 3-DNS Controller to download the file.  To place FTP in passive mode, type pass at the command line before transferring the file.


  3. Download the following PTF file to the /var/tmp/ directory on the target 3-DNS Controller.
    PTF-4.2-7-BSD_OS-4.1.im


  4. To install the PTF, type the following command:
    im PTF-4.2-7-BSD_OS-4.1.im

    The 3-DNS Controller automatically reboots once it completes installation.


Updating the big3d agent

WARNING:  For this PTF only, do not update the big3d agent for any BIG-IP system running version 4.2 and later. If you do, all virtual servers on the BIG-IP are marked down, and you will have to re-install an older version of the big3d agent, as described in SOL2071 on the AskF5 website (http://www.askf5.com).

After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP, EDGE-FX Cache, and GLOBAL-SITE systems known to the 3-DNS Controller, as follows:

  1. Log on to the 3-DNS Controller at the command line.


  2. Type 3dnsmaint to open the 3-DNS Maintenance menu.


  3. Select Install and Start big3d, and press Enter.
    The 3-DNS Controller detects all BIG-IP systems, EDGE-FX Caches, and GLOBAL-SITE systems in the network, and updates their big3d agents with the appropriate version of the agent.


  4. Press Enter to return to the 3-DNS Maintenance menu.


  5. Type Q to quit.
For more information about the big3d agent, see the 3-DNS Reference Guide, Chapter 3, The big3d Agent.

Software enhancements and fixes

What’s fixed in this PTF

CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL
The security vulnerabilities that are outlined in CERT Advisory CA-2002-23, Multiple Vulnerabilities In OpenSSL, have been fixed.

CERT Advisory CA-2002-18, OpenSSH Vulnerabilities in Challenge Response Handling
The OpenSSH software running on the 3-DNS Controller has been upgraded to version 3.4p1 to address the security vulnerability that is outlined in CERT Advisory CA-2002-18.

BSDI security vulnerability (CR16430)
A potential denial of service vulnerability in the C library (libc) of BSDI has been addressed. For information about the vulnerability, see Vulnerability Note VU#808552, Multiple ftpd implementations contain buffer overflows, which is available on the CERT website at http://www.cert.org.

Manually re-enabling virtual servers when they change status from down to up (CR21894)
Previously, when a virtual server changed status from down to up, the virtual server was immediately available for load balancing. You can now choose to manually re-enable virtual servers for load balancing availability when their status changes from down to up by activating the Manual Resume setting. If you activate the Manual Resume setting, when a virtual server changes status from up to down, the controller also disables the virtual server. When the virtual server’s status changes back to up, you have to re-enable the virtual server before it is actually available for load balancing.

For details on configuring the Manual Resume setting, see the Optional configuration changes section of this PTF note.

The named daemon no longer experiences fatal errors when there are more than 500 IP addresses configured on a BIG-IP system running the 3-DNS Controller module (CR22075, CR22911)
The named daemon no longer experiences fatal errors under the following conditions:

  • You are running the 3-DNS module on a BIG-IP system
  • You have more than 500 IP addresses in the BIG-IP configuration

The 3dns_action script and deleting action commands on the local system (CR22108, CR22109)
The 3dns_action script now deletes action commands, which are generated by the local system’s 3dnsd daemon, from the /tmp/sync_wideip_cmds directory on the local system. There is also a cron job that deletes files and action commands that are older than one day from the /tmp directory.

Updating persistence records when the 3dnsd daemon restarts (CR22380)
In situations where the 3dnsd daemon restarts, for example, when you reboot the 3-DNS Controller, the controller now synchronizes any persistent connections with another controller in the sync group.

The Return to DNS load balancing mode and floating self IP addresses (CR22570)
The Return to DNS load balancing mode now works properly with floating self IP addresses. Previously, the 3-DNS Controller was unable to properly use the Return to DNS load balancing mode to route packets when the controller had a floating self IP address.

New SNMP OIDs for enable and disable actions (CR22631)
When you enable or disable an object in the 3-DNS configuration, this action now generates an SNMP trap based on new object identifiers (OIDs) in the 3-DNS MIB. You can view the 3-DNS MIB from the home screen of the Configuration utility.

EDNS0 requests from BIND 8.3.3 and BIND 9 name servers (CR22697)
The 3-DNS can now process EDNS0 requests that originate from BIND 8.3.3 and BIND 9 name servers. When the 3-DNS receives an EDNS0 request, the controller embeds the additional EDNS0 record in the DNS response packet.

Synchronizing among sync group members when a controller reboots (CR22912)
When a 3-DNS Controller that is a member of a sync group reboots, the controller no longer loses the ability to synchronize with the other controllers in the sync group.

Enhancements and fixes released in prior PTFs

Version 4.2PTF06

CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability
The security vulnerability that is outlined in CERT Advisory CA-2002-17, Apache Web Server Chunk Handling Vulnerability, has been fixed.

The named daemon and memory usage (CR21420)
The named daemon no longer stops running when it uses more than 16MB of RAM.

Unexpectedly closed TCP connections with outstanding path probes (CR21530)
When the TCP connection for a large number of active iQuery path probes is unexpectedly closed or dropped, the big3d agent no longer stops running.

SNMP trap IDs and 3-DNS MIB descriptions for server status changes (CR21590)
The descriptions in the 3-DNS MIB for changes in server status (for example, RED to GREEN, or GREEN to RED) now correspond correctly to the SNMP trap IDs.

SNMP traps for server status and virtual server status have been improved (CR21591)
The SNMP traps for server status and virtual server status now properly inherit their status from threednsTraps in the 3-DNS MIB.

big3d agent SNMP probing failures and misconfigured Alteon switches (CR21638)
On an Alteon switch that is misconfigured with a group that doesn't exist in the MIB, the big3d agent no longer fails when probing for virtual server status using SNMP.

Updated version of BIND (CR21639)
BIND has been updated from version 8.2.3 to version 8.3.1.

big3d argument with missing values and server errors (CR21647)
When a big3d argument requires a value, and you do not define a value, the 3-DNS Controller no longer experiences server errors.

Version 4.2PTF05

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF05.

Version 4.2PTF04

SNMP versions and host probing (CR19784, CR20916)
The 3-DNS Controller now uses the correct version of SNMP (1 or 2) depending on which version is supported by the SNMP agent on the host.

Support for iControl, version 2.1 (CR19847, CR20178)
This PTF includes support for iControl, version 2.1.

New command argument for 3ndc (CR19886)
You can now monitor DNS transactions without using tcpdump by using the 3ndc querylog command.  For additional information, refer to the 3ndc man page.

Using snmpwalk and the 3-DNS MIB (CR19989, CR19994)
You no longer receive an OID error when you use snmpwalk on the 3-DNS MIB, and the following condition exists:  the string length (shorter to longer) and the lexicographic sort (a to z) of wide IP names and/or data center names in the MIB are in opposite order.

Synchronization and viewing server status (CR20170)
When you make configuration changes on a receiver 3-DNS Controller in a sync group, and then view server and virtual server status on the principal 3-DNS Controller, the servers and virtual servers are no longer inaccurately marked as down (red ball).

IP Application Switch platform and probing hosts using TCP (CR20244)
Host probing no longer fails when you are running the 3-DNS Controller module on the IP Application Switch platform, and the big3d agent’s probe protocol is set to TCP.

Configuring default settings for SNMP (CR20258)
You can now reset the SNMP timeouts and retries to their default values.

Compilation errors in 3-DNS MIB (CR20466)
The 3-DNS MIB no longer causes compilation errors with some SNMP management tools.

Netmask on the public IP address when the 3-DNS Controller is behind a firewall (CR20792)
When the 3-DNS Controller is behind a firewall, and the public IP address is defined on the external VLAN, the netmask is now applied correctly; the public IP address is no longer improperly associated with the loopback device.

Removing virtual servers (CR20814)
Removing a virtual server that belongs to a pool that uses the Round Robin load balancing mode no longer causes server errors.

Getting up or down status for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems from SNMP (CR21041)
You can now get the proper up or down status from the 3-DNS MIB for 3-DNS, BIG-IP, GLOBAL-SITE, and EDGE-FX Cache systems.

iQuery and backward compatibility for encryption (CR21270)
iQuery encryption between 3-DNS Controller, version 4.2 and 3-DNS Controller, version 4.0.1 now works properly.

Version 4.2PTF03

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF03.

Version 4.2PTF02

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF02.

Version 4.2PTF01

There are no fixes or enhancements for 3-DNS Controller in version 4.2PTF01.

Configuration changes

The following section provides information about both required and optional configuration changes.

Required configuration changes

There are no required configuration changes in this PTF.

Optional configuration changes

Working with the Manual Resume setting

Use the following instructions to activate the Manual Resume setting. Note that this setting affects all of the virtual servers in a wide IP.

To activate the Manual Resume setting using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.


  2. In the Wide IP Name column, click the name of the wide IP that you want to modify.
    The Modify Wide IP screen opens.


  3. Check the Manual Resume box.


  4. Click Update.
    The Configuration utility updates the configuration with the changes.


When you activate the Manual Resume setting on a wide IP, all of the virtual servers in that wide IP’s pools are affected. When a virtual server changes status from up to down, the virtual server remains disabled even after it changes status from down to up. The following instructions describe how to determine whether a virtual server is disabled by the Manual Resume setting, and how to re-enable the virtual server.

To determine how a virtual server is disabled using the Configuration utility

  1. On the navigation pane, expand the Statistics item, and then click Disabled.
    The Disabled Objects screen opens.


  2. Using the Object Type and ID columns, locate the virtual server that you are reviewing.


  3. The Disabled By column for the virtual server that you want to review displays the method by which the virtual server was disabled. For example, if you see manual_resume, the virtual server is disabled by the Manual Resume setting, and will remain disabled indefinitely.


The following instructions describe how to re-enable a virtual server that has been disabled by the Manual Resume setting. Note that you re-enable the virtual server in the context of the pool and wide IP that it belongs to, not in the context of the server that it belongs to.

To re-enable a virtual server that is disabled by the Manual Resume setting using the Configuration utility

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.


  2. In the Pools column, click # Pools for the wide IP that disabled the virtual server you want to re-enable.
    The Modify Pools screen opens.


  3. In the Virtual Servers column, click # Virtual Servers for the pool that disabled the virtual server you want to re-enable.
    The Modify Virtual Servers screen opens.


  4. Click the Status button for the virtual server that you want to re-enable.
    A popup screen appears to confirm that you want to enable the virtual server.


  5. Click OK.
    The screen refreshes and the virtual server is enabled.


Known issues

The following items are known issues in the current release.

Updating the Return to DNS counter (CR20139)
The Return to DNS counter does not update when none of the specified load balancing methods for a wide IP are able to select a pool and virtual server to respond to a query.

CPU usage statistics for EDGE-FX Caches (CR21325)
On the EDGE-FX Cache Statistics screen, in the Configuration utility, the 3-DNS Controller incorrectly reports the CPU usage statistic for the EDGE-FX Cache.

The Tomcat package is binding to multiple ports (CR21652)
The Tomcat package is binding to *:8080 as well as to 127.0.0.1:8007. To work around this issue, open the following file, /usr/local/tomcat/conf/server.xml, and comment out the <Connector> ... "8080"...</Connector> statement.
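
A check to run after applying the workaround above (an added example, not part of F5's note): it reads `netstat -an` style output and reports which of the ports named in CR21652 are still listening on the wildcard address. The netstat lines are constructed samples, the function names are hypothetical, and the parsing assumes the local address is the fourth column.

```shell
#!/bin/sh
# Added example (not from the F5 note): report ports that listen on the
# wildcard address, to confirm the server.xml workaround took effect.

# Print the port of every TCP LISTEN socket bound to a wildcard address.
# Input: `netstat -an` style lines on stdin. Assumption: the local address
# is column 4, written either BSD style (*.8080) or with a colon (*:8080).
wildcard_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            sep = match($4, /[.:][0-9]+$/)      # final .PORT or :PORT
            if (sep == 0) next
            addr = substr($4, 1, sep - 1)
            port = substr($4, sep + 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print port
        }'
}

# Print those of the ports in $1 (space separated) that are wildcard-bound.
exposed_ports() {
    want=" $1 "
    wildcard_listeners | while read -r port; do
        case "$want" in
            *" $port "*) echo "$port" ;;
        esac
    done
}

# Constructed sample: the state described in CR21652, before the workaround.
sample_before() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.8080                 *.*                    LISTEN
tcp        0      0  127.0.0.1.8007         *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  192.0.2.10.22          192.0.2.50.51515       ESTABLISHED
udp        0      0  *.161                  *.*
EOF
}

# Constructed sample: the same host once the 8080 Connector is commented out.
sample_after() {
    sample_before | grep -v '\*\.8080'
}

# The two Tomcat ports named in CR21652.
TOMCAT_PORTS="8080 8007"

echo "before: $(sample_before | exposed_ports "$TOMCAT_PORTS")"
echo "after:  $(sample_after  | exposed_ports "$TOMCAT_PORTS")"
```

On a live system, pipe the real listing in instead of the samples: `netstat -an | exposed_ports "8080 8007"`. Empty output means neither port is reachable on the wildcard address.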

Time-to-live (TTL) values for resource records (CR22025)
If you set the pool TTL to a value that is different than the wide IP TTL, the dig command displays the wide IP TTL rather than the pool TTL in the answer packet. This occurs only when all the virtual servers in the pool are unavailable. Resource records in the DNS configuration are set with the wide IP TTL instead of the pool TTL. If you change the pool TTL, the TTL for the resource records does not change to the updated TTL. Therefore, when the 3-DNS Controller is unable to load balance a request, and returns the request to DNS, the resource record contains the wide IP TTL rather than the pool TTL.

Modifying wide IPs and errors in the Configuration utility (CR22038)
When you modify a wide IP using the Configuration utility, you may see error 331845. The error is benign, and occurs only if the NameSurfer application is not enabled. Note that this known issue is not applicable to the 3-DNS Controller module on a BIG-IP system.

Syntax errors on the big3d man page (CR22071)
The syntax is incorrect for the following arguments on the command line version of the big3d man page:

  • -max-active-scanners
  • -max-active-probers
  • -max-active-hops
  • -max-active-snmp
The correct syntax for these arguments is as follows:
  • -max_active_scanners
  • -max_active_probers
  • -max_active_hops
  • -max_active_snmp
Note that the HTML version of the big3d man page contains the correct syntax, and is available from the home screen of the 3-DNS Configuration utility.

UDP checksums and TFTP packets (CR22113)
In rare instances, the checksums for TFTP packets are incorrect.

Setting the Quality of Service load balancing mode and the QOS coefficients (CR22131)
In the Configuration utility, when you change the load balancing mode within a pool to Quality of Service, occasionally the Configuration utility may not properly update the QOS coefficients. Instead, you may see very large values for some of the coefficients, or you may see new values for coefficients that you did not change. To work around this issue, see the Setting the Quality of Service load balancing mode section of this PTF note.

Disabling Round Robin LDNS and synchronization (CR22324)
If you have 3-DNS Controllers in a sync group, and you disable Round Robin LDNS (RR LDNS) in a pool on one of the controllers, the disable operation does not synchronize properly to the other members of the sync group. To work around this issue, after you have disabled RR LDNS on one controller, on the remaining controllers in the sync group, type 3ndc restart from the command line.

Resetting the base configuration before you run the Setup utility causes fatal errors at the Configure Interfaces step (CR22331)
When you reset the base configuration (with the command bigpipe base reset), and then run the Setup utility (by typing setup), the controller experiences fatal errors when you get to the Configure Interfaces step in the utility. To avoid the errors, do not reset the base configuration before you run the Setup utility.

Spikes in the system’s CPU usage (CR22561)
The Java daemon, javad, may cause the CPU usage for the 3-DNS Controller to occasionally spike to 90%. Note that the 3-DNS Controller does not currently use the javad daemon. To disable the javad daemon, review Solution 1895 (SOL1895) on the AskF5 website, http://tech.f5.com.

Setup utility may fail when the system’s broadcast address is not compatible with the system’s IP address/netmask (CR22675)
When you configure the system's IP address and netmask, and you change the broadcast address so that it does not match the IP address/netmask combination, the Setup utility may experience fatal errors when you enter a default route. To avoid this error, we recommend that you accept the default broadcast address.

SNMP traffic is passing through a vlan that has port lockdown enabled (CR22677)
A VLAN configured with port lockdown enabled allows SNMP traffic regardless of whether you have explicitly enabled the SNMP port using the open_snmp_port global setting.

Disabling SNMP and rebooting the controller (CR22762)
When you disable SNMP using the Configuration utility, the utility renames the SNMP configuration file, snmpd.conf, to /etc/snmpd.conf.disabled. When you reboot the controller, the bigstart script checks for the snmpd.conf file before trying to start the SNMP daemon. Because the file has been renamed, however, the bigstart script assumes that the file does not exist and generates a new snmp.conf file.

NEW Updating the big3d agent (CR23458)
The big3d agent in this PTF is not compatible with any BIG-IP systems running version 4.2 and later. (Note that software versions prior to 4.2 are not affected by this issue.) Do not update the big3d agent on any BIG-IP 4.2 systems, as described in the Updating the big3d agent section of the PTF installation instructions. If you do update the big3d agent on any BIG-IP system running version 4.2 or later, then all of the virtual servers are marked as down, and the 3-DNS Controller does not load balance to them. You can use the instructions in Solution 2071 (SOL2071), available on the AskF5 website (http://www.askf5.com), to re-install an older version of the big3d agent in the event that you have updated a BIG-IP system, version 4.2 or later, with the big3d agent in this PTF.


Setting the Quality of Service load balancing mode

In the Configuration utility, if you change the load balancing mode in a pool to Quality of Service and the values for the QOS coefficients do not maintain your settings, use the following instructions.

  1. In the navigation pane, click Wide IPs.
    The Wide IP List screen opens.


  2. In the Wide IP Name column, select the wide IP that contains the pool that you want to modify.
    The Modify Wide IP screen opens.


  3. From the toolbar, click Modify Pool.
    The Modify Wide IP Pools screen opens.


  4. In the Pool Name column, click the pool that you want to modify.
    The Modify Load Balancing for [pool name] screen opens.


  5. In the Load Balancing Modes, Preferred box, select Quality of Service.


  6. Click Update.
    Note: Do not change the values of the QOS coefficients at this time.


  7. In the Quality of Service coefficients section of the screen, type the values that you want to set for the QOS coefficients.


  8. Click Update.
    The QOS coefficients should remain at the values that you typed.

