Applies To:
3-DNS Controller versions 1.x - 4.x
- 4.0.0
Installing the upgrade
The following instructions explain how to install the 3-DNS Controller, version 4.0.1 onto existing crypto systems that are running version 3.0 and later.
Important: If you are running 3-DNS Controller, version 2.1.2 or earlier, you must first upgrade to version 3.0. You can then upgrade to version 4.0.1.
Important: If you upgraded the controller to version 3.0 from a previous release, and the network interface cards in the controller are not from the Intel® 82559 series, we strongly recommend that you run config_ssh before you upgrade to version 4.0.1. If you do not see all of the configured interfaces when you run config_ssh, contact Support for assistance before proceeding with the upgrade.
- On the 3-DNS Controller, change to the /var/tmp/ directory:
cd /var/tmp/
- Connect to the F5 Networks FTP site at ftp.f5.com.
- Download the upgrade file, 3dns4.0.1upgrade.tgz, to the /var/tmp/ directory on the target 3-DNS Controller.
- Download the sum file to the /var/tmp/ directory on the target 3-DNS Controller.
- Verify the integrity of the upgrade file by typing the sum command where <file name> is the name of the upgrade file:
sum <file name>
If the checksum numbers match, the upgrade file is valid. If they do not match, open a new FTP connection, and try to download the upgrade file again.
- Extract the kit file in the /var/tmp/ directory by typing the following command:
tar -xvzf 3dns4.0.1upgrade.tgz
- Verify the integrity of the extracted files by typing the following command:
./checksum
Note: The upgrade_install script verifies that you have enough available disk space to perform the upgrade, as follows: the / directory needs 24 MB, and the /var directory needs 500 MB. If the upgrade script does not find the required available space in these directories, you need to delete files. If you need to create more available disk space, look in the following directories for files you can delete: /var/save, /var/backup, and /var/tmp. If the upgrade still does not have enough available disk space after you have cleaned up these directories, contact Support for assistance.
- Run the upgrade_install script in the /var/tmp/ directory:
./upgrade_install
The upgrade_install script performs a backup of your critical system files and executables. When the script is done, it automatically reboots your system.
- Once you install the 3-DNS Controller software, you need to install the new version of the big3d agent on all BIG-IP Controllers, EDGE-FX Caches, and GLOBAL-SITE Controllers managed by the 3-DNS Controller, as follows:
- Log in to the 3-DNS Controller.
- Type 3dnsmaint to open the 3-DNS Maintenance menu.
- Select Install and Start big3d, and press Enter.
The 3-DNS Controller detects all BIG-IP Controllers and EDGE-FX Caches in the network and updates their big3d agents.
- Press the Enter key to return to the 3-DNS Maintenance menu.
- Press the Q key to quit.
Once you install the software update, refer to the Configuring and using the new software section, which contains important information about required configuration changes and new configuration options.
New features and enhancements
3-DNS Documentation CD-ROM
The 3-DNS Controller now includes the 3-DNS Documentation CD-ROM, which contains PDF files of the 3-DNS Installation Guide, the 3-DNS Administrator Guide, and the 3-DNS Reference Guide. The CD-ROM also contains the Release Note and the optional software downloads for the 3-DNS Controller. When you insert the 3-DNS Documentation CD-ROM into your workstation's CD-ROM drive, you can view any of the documents.
The 3-DNS module on the BIG-IP platform
Some versions of the BIG-IP platform are available with the 3-DNS software module installed on them. In the 3-DNS Controller configuration, you treat the BIG-IP platform and the 3-DNS module as if they were separate devices. For more information, see the Configuring a BIG-IP running the 3-DNS module section of this release note.
3dpipe utility
Using the 3dpipe utility, you can perform the following tasks, at the command line:
- View lists of configured data centers, server types, virtual servers, wide IPs, and pools
- View the status (enabled or disabled) of configured data centers, server types, virtual servers, wide IPs, and pools
- Enable configured data centers, server types, virtual servers, wide IPs, and pools
- Disable, for a specific time period, configured data centers, server types, virtual servers, wide IPs, and pools
- View summary statistics for the 3-DNS Controller itself
For more information on using the 3dpipe utility, review the supplemental PDF file, 3dpipe Command Reference. (This file opens in a separate browser window.)
Note: There are additional syntax options in the Additions to the 3dpipe utility syntax section of this release note.
BIG-IP IP Application Switch
The 3-DNS Controller is fully integrated with the BIG-IP IP Application Switch. You add the IP Application Switch to the 3-DNS Controller configuration exactly the same way that you add a BIG-IP Controller to the 3-DNS Controller configuration. For more information on adding a BIG-IP Controller to the configuration, refer to the Defining BIG-IP Controllers section in the 3-DNS Administrator Guide, Chapter 2, Essential Configuration Tasks.
ECV prober IP address
For BIG-IP Controller ECV probes, you can now specify the IP address of the prober you want the 3-DNS Controller to use when you have set up ECV service monitors. For more information, see the online help for the Modify BIG-IP screen in the Configuration utility.
ECV prober factories
The following server types now support extended content verification (ECV) factories: 3-DNS Controllers, BIG-IP Controllers, EDGE-FX Caches, and GLOBAL-SITE Controllers. When you have set up ECV service monitors for wide IPs, an ECV factory performs a more extensive availability check than the other factories. By default, five ECV factories are enabled.
You configure ECV factories when you add a new server to the 3-DNS configuration. You can also add ECV factories to existing servers on each server's Modify screen. For more information on configuring ECV factories, review the online help for the Add or Modify screens for any of these server types: 3-DNS Controllers, BIG-IP Controllers, EDGE-FX Caches, or GLOBAL-SITE Controllers.
EDGE-FX Cache, version 2.0
The 3-DNS Controller now supports the EDGE-FX Cache, version 2.0.
GLOBAL-SITE Controller
The 3-DNS Controller can now collect path and metrics data from the GLOBAL-SITE Controller using iQuery and the big3d agent. The GLOBAL-SITE Controller is a unique global data management appliance that manages and automates the task of publishing, distributing, and synchronizing file-based content and applications to multiple servers at local and geographically-distributed Internet sites. Note that the GLOBAL-SITE Controller does not manage virtual servers.
For more information on configuring the GLOBAL-SITE Controller, please refer to the 3-DNS online help for the GLOBAL-SITE Controller server type. You can also review the Defining GLOBAL-SITE Controllers section in Chapter 2, Essential Configuration Tasks, in the 3-DNS Administrator Guide.
iControl, version 2.0
The 3-DNS Controller now supports the global load balancing components of the iControl SDK. For more information on iControl and the iControl SDK, see that product's documentation.
Internet Weather Map Statistics screen
The Internet Weather Map Statistics screen, in the Configuration utility, provides real-time data for average round trip time, average completion rate, and average router hops from all data centers in your network to each continent. To view the Internet Weather Map Statistics screen, expand the Statistics item in the navigation pane, and then click Weather Map. For information on working with the Internet Weather Map Statistics screen, view the online help.
New global variables
The 3-DNS Controller has two new global variables: probe_from_distance and drain_requests.
- The probe_from_distance variable
The probe_from_distance variable, when set to yes, specifies that ECV probes, and server and virtual server availability checks, should be initiated from a big3d agent that is on a remote device in a data center other than the initiating data center. If no remote big3d agent is available, then the probes and availability checks are initiated by any available big3d agent. You can configure the probe_from_distance variable in either the Configuration utility, or in the wideip.conf file. To turn on the probe_from_distance variable in the Configuration utility, check the Probe From Distance box on the System - General screen.
- The drain_requests variable
The drain_requests variable, when set to yes, specifies that load-balanced persistent connections are allowed to remain connected, until the TTL expires, when you disable a pool. When you set the drain_requests variable to no, the connections are terminated immediately when the pool is disabled. This variable affects the persist variable in the wide IP sub-statement. You can only configure the drain_requests variable in the wideip.conf file, by adding it to the globals statement. For more information, see Chapter 13, wideip.conf Configuration, in the 3-DNS Reference Guide.
Quality of Service values
We have changed the default values for the RTT and Packet Rate coefficients for the Quality of Service load balancing mode. The default value for RTT is now 50, and the default value for Packet Rate is now 1.
Split from BIND
The 3-DNS Controller DNS engine no longer relies on BIND for DNS resolution. The benefits are as follows:
- You can upgrade the version of BIND independently of 3-DNS Controller upgrades.
- You can use the 3-DNS Controller to load balance DNS queries to your wide IPs, and redirect other DNS requests to an alternate DNS server.
- You can now configure the 3-DNS Controller in one of three modes: node, bridge, or router.
- In node mode, the 3-DNS Controller becomes the authoritative DNS for your domains. Node mode is how the 3-DNS Controller has functioned until now.
- In bridge mode, the 3-DNS Controller resolves DNS queries that match wide IPs, and forwards the remaining DNS queries to an authoritative DNS. Bridge mode does not require BIND files on the controller.
- In router mode, the 3-DNS Controller resolves DNS queries that match wide IPs, and directs the remaining DNS queries between separate IP subnets, or to an authoritative DNS. Router mode does not require BIND files on the controller.
- You can now add an unlimited number of wide IP aliases to your configuration.
- You can use the following wildcard characters in wide IP names and aliases:
- The asterisk character ( * ) can replace multiple characters in a wide IP name or alias.
- The question mark character ( ? ) can replace a single character in a wide IP name or alias.
For more information about configuring the 3-DNS Controller modes, see the Configuring the 3-DNS Controller mode section of this release note. Refer also to the Configuring the 3-DNS Controller mode section in the 3-DNS Installation Guide, Chapter 3, Working with the First-Time Boot Utility.
For more information about using wildcard characters, see the Using wildcard characters section of this release note. See also the online help for either the Add a New Wide IP screen or the Modify a Wide IP Alias screen, in the Configuration utility.
User administration
The 3-DNS Controller now has a partial read/write user level. When you assign the partial read/write level to a user, he or she can enable or disable data centers, servers, virtual servers, wide IPs, and pools, but cannot add or delete any part of the configuration. For more information on configuring user administration in the Configuration utility, see the online help for the User Administration screen. For more information on user administration, see Chapter 6, Monitoring and Administration, in the 3-DNS Administrator Guide.
Configuring and using the new software
Required configuration changes
Configuring access for Support
After the upgrade, if you want F5 Support to have access to your 3-DNS Controller, you must update the Support IP address in the /etc/hosts.allow file.
To edit the Support IP address
- From the command line, use a text editor (either vi or pico) to open the /etc/hosts.allow file:
vi /etc/hosts.allow
- Make the following changes in the hosts.allow file.
- Delete the following IP addresses:
207.17.117.200 and 207.17.117.0/24
- Add the following IP address:
65.197.145.244
- Save and close the /etc/hosts.allow file.
F5 Support can now access your 3-DNS Controller if you have specified that you want Support to have access.
Important: You grant access to Support either when you run the First-Time Boot utility or when you run the config utility. It is not possible for Support to gain access to your controller if you do not grant them access.
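One way to confirm the result of the edit above is to parse the file and check that no entry still admits the retired Support addresses. This is an added example, not F5 code; it assumes the standard tcp_wrappers "daemon_list : client_list" line layout, and the sshd service name and the sample file contents are constructed for illustration.

```python
import ipaddress

# Addresses taken from the procedure in this release note.
RETIRED_SUPPORT = [ipaddress.IPv4Network("207.17.117.200/32"),
                   ipaddress.IPv4Network("207.17.117.0/24")]
CURRENT_SUPPORT = ipaddress.IPv4Address("65.197.145.244")


def parse_client(token):
    """Turn one hosts.allow client token into an IPv4Network, or None.

    Accepts a plain address, address/netmask, address/prefix-length and the
    trailing-dot prefix form (for example "207.17.117."). Host names, ALL and
    other keywords are not addresses and yield None.
    """
    token = token.strip()
    if token.endswith(".") and token.count(".") <= 3:
        octets = token.rstrip(".").split(".")
        if all(o.isdigit() for o in octets):
            padded = octets + ["0"] * (4 - len(octets))
            token = ".".join(padded) + "/" + str(8 * len(octets))
    try:
        return ipaddress.IPv4Network(token, strict=False)
    except ValueError:
        return None


def audit_hosts_allow(text):
    """Return (admits_retired, has_current) for the text of a hosts.allow file.

    admits_retired: list of (line_number, token) for every client entry whose
                    network overlaps a retired Support address or range.
    has_current:    True if some entry covers the current Support address.
    """
    admits_retired, has_current = [], False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # Second field is the client list; entries are space or comma separated.
        clients = line.split(":")[1].replace(",", " ").split()
        for token in clients:
            net = parse_client(token)
            if net is None:
                continue
            if any(net.overlaps(old) for old in RETIRED_SUPPORT):
                admits_retired.append((lineno, token))
            if CURRENT_SUPPORT in net:
                has_current = True
    return admits_retired, has_current


# Constructed sample: a file that gained the new address but kept the old ones.
SAMPLE_BEFORE = """\
# constructed sample, not taken from a real controller
sshd : 192.168.16.0/255.255.255.0
sshd : 207.17.117.200 207.17.117.0/255.255.255.0
sshd : 65.197.145.244
"""

# Constructed sample: the same file after the procedure has been completed.
SAMPLE_AFTER = """\
# constructed sample, not taken from a real controller
sshd : 192.168.16.0/255.255.255.0
sshd : 65.197.145.244
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        stale, current = audit_hosts_allow(text)
        print(label, "admits retired ranges:", stale, "has current:", current)
```

A broad entry such as 207.0.0.0/8 is also reported, because it still admits the retired range; continuation lines ending in a backslash are not joined by this sketch.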
Configuring a data center
The 3-DNS Controller no longer creates a default data center when you configure the controller for the first time. Therefore, if the controller you are configuring is not a member of a sync group, and you are configuring the controller for the first time, you need to add a data center to the configuration before you continue with any other portion of the configuration. For details on how to add a data center to your configuration, refer to the Setting up a data center section of Chapter 2, Essential Configuration Tasks, in the 3-DNS Administrator Guide.
Optional configuration changes
Additions to the 3dpipe utility syntax
Configuring the 3-DNS Controller mode
You configure the 3-DNS Controller mode when you run the First-Time Boot utility. When you select the node mode, the First-Time Boot utility also asks you if you want to configure NameSurfer to manage the DNS zone files. If you select the bridge mode or the router mode, you do not configure NameSurfer. For more information, refer to Chapter 3, Working with the First-Time Boot Utility, in the 3-DNS Installation Guide.
Configuring a BIG-IP running the 3-DNS module
In the 3-DNS Controller configuration, you treat the BIG-IP platform and the 3-DNS software module as if they were separate devices. You can add the two server types either by using the Configuration utility or by editing the wideip.conf file. The following instructions describe how to add a BIG-IP with the 3-DNS software module with the name combo.domain.net and the IP address 192.168.100.100.
To add a BIG-IP with the 3-DNS software module using the Configuration utility
- In the navigation pane, expand the Servers item, and then click BIG-IP Controllers.
The BIG-IP Controllers screen opens.
- On the toolbar, click Add BIG-IP Controller.
The Add BIG-IP Controller screen opens.
- In the BIG-IP Controller Name box, type combo.domain.net.
- In the BIG-IP IP Address box, type 192.168.100.100.
- Add the rest of the settings as needed.
When you have finished configuring the BIG-IP Controller, you can add the 3-DNS module to the configuration.
- In the navigation pane, expand the Servers item, and then click 3-DNS Controllers.
The 3-DNS Controllers screen opens.
- On the toolbar, click Add 3-DNS Controller.
The Add 3-DNS Controller screen opens.
- In the 3-DNS Controller Name box, type combo.domain.net.
- In the 3-DNS IP Address box, type 192.168.100.100.
- Add the rest of the settings as needed.
Note that both server types use the same name and IP address, as indicated by the highlighted text in the following example. If you are configuring a redundant system, you use the shared IP address. For assistance, contact technical support.
To add the BIG-IP Controller with the 3-DNS module from the command line
- At the command line, type 3dnsmaint.
The 3-DNS Maintenance menu opens.
- Using the arrow keys, choose Edit 3-DNS Configuration.
- Add the following syntax to the wideip.conf file:
server { // datacenter=DC1, #VS=1
  type bigip
  address 192.168.100.68
  name "birch.win.net"
  limit { /* none */ }
  iquery_protocol udp
  remote {
    secure yes
    user "root"
  }
  factories {
    snmp 1
  }
  prober 127.0.0.1
}
server { // datacenter=DC1, #VS=0
  type 3dns
  address 192.168.100.68
  name "birch.win.net"
  limit { /* none */ }
  iquery_protocol udp
  remote {
    secure yes
    user "root"
  }
  factories {
    snmp 1
  }
}
Updating the snmpd.conf file
The ./upgrade_install script installs an updated version of the UC-Davis SNMP daemon, updates the snmpd.conf file, and saves the existing snmpd.conf file in the /etc directory with the name snmpd.conf.save. If you monitor the 3-DNS Controller using SNMP, and you have customized the snmpd.conf file, you must migrate the customizations from the snmpd.conf.save file to the newer snmpd.conf file.
Using wildcard characters
The 3-DNS Controller now supports wildcard characters in wide IP names and wide IP aliases. You can use the wildcard characters to simplify your maintenance tasks if you have a large quantity of wide IP names and/or wide IP aliases. The wildcard characters you can use are: the question mark ( ? ), and the asterisk ( * ). The guidelines for using the wildcard characters are as follows:
- The question mark ( ? )
- You can use the question mark to replace a single character, with the exception of dots ( . ).
- You can use more than one question mark in a wide IP name or alias.
- You can use both the question mark and the asterisk in the same wide IP name or alias.
- The asterisk ( * )
- You can use the asterisk to replace multiple consecutive characters, with the exception of dots ( . ).
- You can use more than one asterisk in a wide IP name or alias.
- You can use both the question mark and the asterisk in the same wide IP name or alias.
The following examples are all valid uses of the wildcard characters for the wide IP name, www.mydomain.net.
- ???.mydomain.net
- www.??domain.net
- www.my*.net
- www.??*.net
- www.my*.*
- ???.my*.*
- *.*.net
- www.*.???
Note: There are two important things to keep in mind when you use wildcard characters. First, wildcard characters are not inserted into NameSurfer. Second, if you are using ECV service monitors, they do not scan wide IP names or aliases that contain wildcard characters.
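The wildcard guidelines above can be checked with a small matcher before a pattern is added to the configuration. This is an added example, not the 3-DNS Controller's own matching code; it assumes that the asterisk stands for one or more characters, that comparison is case-insensitive, and that a trailing root dot is ignored.

```python
import re

# The valid examples listed in this release note for www.mydomain.net.
PAGE_EXAMPLES = [
    "???.mydomain.net",
    "www.??domain.net",
    "www.my*.net",
    "www.??*.net",
    "www.my*.*",
    "???.my*.*",
    "*.*.net",
    "www.*.???",
]


def wideip_pattern_to_regex(pattern):
    """Translate a wide IP wildcard pattern into a compiled regex.

    '?' replaces exactly one character that is not a dot.
    '*' replaces consecutive characters that are not dots (assumed: at
    least one). Every other character, dots included, matches literally.
    """
    parts = []
    for ch in pattern.lower().rstrip("."):
        if ch == "?":
            parts.append(r"[^.]")
        elif ch == "*":
            parts.append(r"[^.]+")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def wideip_matches(pattern, qname):
    """True if the whole query name is covered by the wildcard pattern."""
    name = qname.lower().rstrip(".")
    return wideip_pattern_to_regex(pattern).fullmatch(name) is not None


def matching_patterns(patterns, qname):
    """Return, in order, every pattern in the list that covers qname.

    More than one result means the name is covered by several wide IP
    names or aliases and deserves a second look.
    """
    return [p for p in patterns if wideip_matches(p, qname)]


if __name__ == "__main__":
    print(matching_patterns(PAGE_EXAMPLES, "www.mydomain.net"))
    # Wildcards never replace a dot, so the number of labels must agree.
    print(wideip_matches("*.net", "www.mydomain.net"))
    print(wideip_matches("www.my*.net", "www.my.domain.net"))
    # Each question mark replaces exactly one character.
    print(wideip_matches("???.mydomain.net", "mail.mydomain.net"))
```

Because neither wildcard replaces a dot, a pattern only covers names with the same number of labels, which keeps a broad-looking alias such as *.*.net from covering deeper subdomains.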
Fixes
The following issues are resolved in the current release.
The 3dnsd daemon and the IP classifier (CR10556)
When you restart the 3dnsd daemon, you no longer experience a delay due to the size of the IP classifier.
WAN persistence scaling (CR10685)
The requests.inc file has been removed from the list of files that are synchronized automatically to improve the WAN persistence scalability of the 3-DNS Controller. Persistence is now synchronized using iQuery and has much better scalability than previous versions.
ECV status changes (CR12394)
The 3-DNS Controller now issues a message to the 3-DNS Log when the status of an ECV service check changes from up to down, or down to up.
Path probe scaling (CR12752)
The path probe scalability of the 3-DNS Controller has been greatly improved.
Prober statistics screen (CR12863)
The NAN (not a number) error no longer randomly appears in the Probers statistics screen.
3-DNS Console (CR12878)
In the Configuration utility, the 3-DNS Console has been renamed to the MindTerm SSH Client.
Prober factories (CR13155)
The maximum number of prober factories was 56. You can now specify up to 255 prober factories.
Adding hosts and virtual server quantity (CR13643)
When you add a host using the Configuration utility, the virtual server quantity now displays correctly on the Host Servers screen.
Server names and IP addresses (CR13789)
The 3-DNS Controller, version 4.0.1 allows you to use the same name for more than one server type in your configuration. For example, if you are adding a BIG-IP HA Controller (that has the 3-DNS module enabled) to your configuration, you can use the same name for both the BIG-IP Controller and the 3-DNS Controller. You cannot, however, use the same name for two servers that are the same server type.
Secure/Non-secure warnings in the Configuration utility (CR13878)
When you are using Internet Explorer 5.X, the Configuration utility no longer displays a popup screen with a warning message about secure and non-secure items.
Generic data center (CR14738)
The 3-DNS Controller no longer generates a generic data center in the configuration after you run the First-Time Boot utility.
Global Availability and Ratio load balancing modes in the Configuration Utility (CR14978)
On the Modify Load Balancing for [pool name] screen, when you select the Global Availability or Ratio load balancing modes, the popup screens where you configure either the order (for Global Availability) or the ratio (for Ratio) now appear as they should.
The hosts.allow file and SSH access (CR15550)
When you are configuring SSH access, the 3-DNS Controller now converts administrative IP addresses with asterisks in them, for example, 192.168.16.*, to the IP address/netmask format that is required by the hosts.allow file.
System error log rotation (CR15573)
The log rotation for the system error log, syserr.log, now functions properly.
A Distributed Application Manager, version 1.0 support (CR15963, CR16062)
The 3-DNS Controller now supports the Distributed Application Manager, version 1.0.
big3d agent probes (CR15983)
The big3d agent no longer causes internal errors when probing Foundry servers and Alteon servers with SNMP probers.
The 3dnsd daemon memory leak (CR16237)
The memory leak in the 3dnsd daemon has been fixed.
Enabling disabled objects in the Configuration utility (CR16410)
You can now re-enable disabled objects using the Configuration utility.
Sync groups and renaming pools or wide IPs (CR16457)
When you have three or more 3-DNS Controllers in a sync group, and you rename a pool or wide IP more than once, the renamed pools or wide IPs now synchronize properly.
The telnetd utility (CR16682)
The telnetd utility has been upgraded to the most recent version to eliminate a security vulnerability. Note that, by default, the telnetd utility is disabled on 3-DNS Controllers.
Disabling virtual servers with wildcard ports (CR16747)
You can disable BIG-IP virtual servers that use wildcard ports.
Stopping and starting the iControl portal (CR17378, CR17415)
Stopping and starting the iControl portal no longer causes system errors.
Default values for the iControl portal (CR17446)
The 3-DNS Controller database now contains default values for the iControl portal. You can view the default values by running the config portal script.
Non-external ports bound to the loopback address (CR17513)
All non-external ports are now bound to the loopback address. The affected non-external ports are:
- 8053 and 8054 (NameSurfer)
- 2121 and 1616 (Portal Real Servers)
Adding virtual servers to pools that have port lists configured (CR17691)
If you have pools configured with port lists, and you are adding additional virtual servers to those pools, the Configuration utility now lists only those virtual servers that use the same ports as those in the pool's port list.
The named utility and upgrading 3-DNS Controllers (CR17793)
The named utility now restarts when you reboot a 3-DNS Controller that has been upgraded from a previous version to version 4.0.1. Note that the named utility runs only on 3-DNS Controllers that are in node mode.
Restarting the 3-DNS Controller web server (CR17854)
The Restart 3-DNS Configuration Utility, on the 3-DNS Maintenance Menu, now correctly restarts the 3-DNS web server.
Rerunning the config command (CR17855)
Rerunning the config command after you initially configure the 3-DNS Controller no longer overwrites the /etc/named.conf file.
Syntax changes for the syncgroup command in the 3dpipe utility (CR17905)
The syncgroup_name parameter in the syncgroup command is now optional. For more information on the 3dpipe utility, refer to the 3-DNS Controller, version 4.0.1 release notes.
Drop packets when there is a Last Resort pool specified and the fallback load balancing mode is Null (CR18080)
The 3-DNS Controller no longer uses the Return to DNS load balancing mode when the following criteria are met:
- No virtual servers are available to resolve the request
- You have at least two pools configured, and one pool is designated as the last resort pool
- The fallback load balancing mode for the last resort pool is Null
The upgrade installation for the 3-DNS Controller, version 4.0.1 and the bigdba command (CR18117)
If you upgraded the 3-DNS Controller to version 4.0.1 from version 2.1.2 or earlier, the controller may have an obsolete version of the bigdba command. The PTF installer for PTF-02 correctly deletes /sbin/bigdba and reloads the bigdba database if the following conditions are met:
- The /config/user.db file does not already exist on the controller
- The /config/user.db.txt file exists on the controller
Wide IP names in the database (CR18260)
Wide IP names are now stored in all-lowercase format in the 3-DNS Controller configuration. Converting the wide IP names to lowercase in the configuration ensures that the 3-DNS Controller remains compliant with the DNS RFC (RFC 1035), which specifies that domains not be case-sensitive.
Static Persist load balancing mode (CR18274)
When you have configured the 3-DNS Controller to use the Static Persist load balancing mode, and a local DNS server is repeatedly requesting a domain on the 3-DNS Controller, the 3-DNS Controller no longer issues an incorrect response.
Disabling data centers with 3dpipe and proper virtual server status display (CR18341)
When you use the 3dpipe utility to disable a data center, the status for any virtual servers in that data center now correctly displays as disabled by parent.
Deleting objects using the Configuration utility and synchronization (CR18858)
When you use the Configuration utility to delete objects, such as servers and virtual servers, the resulting changes are now properly synchronized to sync group members.
The bigpipe failover active command and error messages (CR18865)
The bigpipe failover active command no longer returns a label not found message. Note that this command is valid only when you have a redundant system.
The big3d agent and iQuery compatibility (CR18870)
The big3d agent for version 4.0.1 is now forward-compatible with 3-DNS, version 4.2.
Upgrading from version 3.0 to version 4.0.1 and zone files (CR18876)
When you upgrade from 3-DNS Controller, version 3.0 to version 4.0.1 PTF03, the upgrade script now properly migrates the zone files that are managed by NameSurfer.
The 3-DNS Controller now searches for a directory entry in /etc/named.conf that points to /var/namedb, and changes it to /config/3dns/namedb. The 3-DNS Controller also attempts to move zone files from /var/namedb to /config/3dns/namedb. There are two circumstances that, combined, would cause this attempt to fail. First, if your 3-DNS Controller was purchased with version 4.0.1 pre-installed, your /config directory is a partition. If you manage enough separate zones that the zone file data does not fit in the /config directory, the 3-DNS Controller attempts to put the zone files under /3dns, another separate partition, and makes a link from /config/3dns/namedb to /3dns/namedb. If there is not enough room in the /3dns directory, the 3-DNS Controller gives up and makes a link from /config/3dns/namedb to /var/namedb.
Using TCP as the iQuery protocol with firewalls or switches (CR19034)
When you use TCP as the iQuery protocol, and you have a firewall or switch between the 3-DNS Controller and any big3d agents, the connection between the 3-DNS Controller and the remote big3d agents is no longer shut off improperly by the firewall or switch. This issue arose when the switch or firewall was configured for short-lived TCP connections, and stopped passing packets before the iQuery connection was closed.
Using data center server location endpoints in a topology statement and the Topology load balancing mode within a pool (CR19037)
When you specify a data center as a server location endpoint in a topology statement, and you use the Topology load balancing mode within a pool, the 3-DNS Controller now load balances as expected.
Dynamic persistence functionality (CR19045)
Dynamic persistence now works as expected.
The local DNS server IP don't fragment setting and 3-DNS load balancing (CR19061)
When a local DNS server has set the IP don't fragment bit to yes, the 3-DNS Controller no longer forwards the packets straight to named for a response.
Corrupted authority record section of the DNS response from a CDN pool (CR19137)
When the DNS response is from a CDN pool, the authority record section of the DNS response is no longer corrupted.
Using the Configuration utility to change the pool order when the pool load balancing mode is Global Availability (CR19151)
You can now use the Configuration utility to change the pool order when the pool load balancing mode (Pool LB Mode) is set to Global Availability.
Using TCP iQuery connections and modifying the configuration using the Configuration utility (CR19212)
When you set the iQuery protocol to TCP, and you use the Configuration utility to modify any configuration settings, the 3-DNS Controller no longer unnecessarily marks the servers and virtual servers as down (red ball), and it no longer breaks the TCP/IP connection.
Renaming existing wide IPs, wide IP aliases, or data centers and synchronization (CR19296, CR19691)
Renaming an existing wide IP, wide IP alias or data center no longer causes problems with synchronization.
Renaming existing wide IPs or wide IP aliases and NameSurfer (CR19486)
When you rename an existing wide IP or alias that is in a 3-DNS sync group, the change is now properly migrated to NameSurfer.
Getting up or down status for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems from SNMP (CR19633)
You can now get the proper up or down status, using SNMP, for 3-DNS, GLOBAL-SITE, and EDGE-FX Cache systems.
Upgrading to 3-DNS Controller, version 4.0.1, and interface configuration issues (CR19649)
When you upgrade to version 4.0.1, the upgrade process no longer deletes your interface configuration information. Note that this error occurred only if you were using network interface cards other than the defaults, fxp0 and fxp1, or you had more than two interfaces in the 3-DNS.
Creating pools of type A with no virtual servers (CR19839)
If you create a wide IP pool of type A, and the pool contains no virtual servers, 3dparse now issues a warning message.
CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) (CR19922)
The security vulnerability that is outlined in CERT Advisory CA-2002-03, Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP), has been fixed.
Using snmpwalk and the 3-DNS MIB (CR19989)
You no longer receive an OID error when you use snmpwalk on the 3-DNS MIB, and the following condition exists: the string length (shorter to longer) and the lexicographic sort (a to z) of wide IP names and/or data center names in the MIB are in opposite order.
Known issues
The following items are known issues in the current release.
The 3-DNS Maintenance menu and new installations (CR14777)
When you are working with a new 3-DNS Controller, before you can use the Edit 3-DNS Configuration command on the 3-DNS Maintenance menu, you need to add a data center and a 3-DNS Controller to the configuration using the Configuration utility.
The 3-DNS Maintenance menu: the Restore a 3-DNS from a backup command and the 3dnsd daemon (CR20024)
When you use the Restore a 3-DNS from a backup command on the 3-DNS Maintenance menu, you must manually restart the 3dnsd daemon after the restore process has completed. To restart the 3dnsd daemon, type 3ndc restart from the command line.
The 3-DNS Maintenance menu: the Dump 3-DNS Statistics command and viewing EDGE-FX Cache statistics (CR20000)
When you use the Dump 3-DNS Statistics command on the 3-DNS Maintenance menu, and you choose EDGE-FX, the command exits without a warning when you have no EDGE-FX Caches defined in your configuration.
The 3dpipe utility and sync group names (CR16672)
When you use the syncgroup commands in the 3dpipe utility, you need to know the name of the sync group beforehand because the syncgroup command does not have the show all functionality.
A Distributed Application Manager (ADAM) and user permissions (CR18162)
If you are attempting to use A Distributed Application Manager (ADAM) with the 3-DNS Controller, in some cases you may not be able to log in as the 3-DNS Controller administrative user that was defined in the Configuration utility when you set up the 3-DNS Controller. To correct this, run the 3dnsmaint command line utility and select Change/Add users for 3-DNS Configuration Utility. Re-enter the administrative user name and password. You can then log in through ADAM as the administrative user.
Adding host servers in the Configuration utility (CR17431)
If you add a host server with the same IP address more than once, in the Configuration utility, you get an Internal Server Error. To avoid this error, do not add a host server with a single IP address more than once. To work around this error, click anything in the navigation pane.
Adding servers using the Configuration utility and the Back button in Internet Explorer (CR17504)
Occasionally, when you are running the Configuration utility in a Microsoft® Internet Explorer browser session and you add a new server to the 3-DNS Controller configuration, you may get an error when you use the Back button to return to a previous screen. The error is benign, and you can click any item in the navigation screen to clear the error.
ArrowPoint CS150 and metrics collection (CR10361)
The 3-DNS Controller collects metrics on packets per second and kilobytes per second only for HTTP traffic on the current ArrowPoint CS150 server.
The kilobytes per second rate as displayed for the ArrowPoint CS150 is approximately 16 times smaller than it should be. The total byte counts returned from the ArrowPoint MIB are 16 times smaller than the number of bytes that were actually handled.
BIG-IP Controllers with the 3-DNS module and copying iQuery keys (CR14926)
When you use the Generate and Copy iQuery Encryption Key command on the 3-DNS Maintenance menu, the command sometimes fails to copy the key from a previously configured BIG-IP Controller on to a newly configured BIG-IP Controller with the 3-DNS module. The command may also copy the key to the local controller and fail to copy the key to any remote controller. If the copy fails (in either instance), re-run the command, and select either the Keep option (which retains the local system's key and copies it out to the other systems), or the Build option (which creates a new key and copies it out to the other systems).
The bigpipe command and rerunning the config utility (CR16788)
Occasionally when you rerun the config utility, you may see the following error before the license screen appears:
bigpipe: "bigpipe " not understood
The error is benign and does not affect the functionality of the controller.
Cisco CSS series (formerly ArrowPoint) servers and metrics collection
The 3-DNS Controller cannot collect the packets per second and the kilobytes per second metrics on Cisco CSS series (formerly ArrowPoint) software versions prior to 4.0.
Crypto 3-DNS Controllers and CD upgrades
(This applies only to crypto 3-DNS Controllers.) When you rebuild a 3-DNS Controller (or a BIG-IP) using a CD, the SSH key is changed. This breaks the trust relationship between the updated controller and any devices with which it interacts. As a result, synchronization between the controllers in the sync group stops, and you cannot update the big3d agent. You can correct this situation by removing the newer SSH key and synchronizing the updated controller with other 3-DNS Controllers or BIG-IP units. Refer to the Resetting the SSH key work-around to reset the SSH key and synchronize the controllers in your network.
Data center names in the Configuration utility (CR14990)
In the Configuration utility, you may get an internal server error if you use special characters in the data center names. To avoid this error, use only alphanumeric, space, underscore ( _ ), or hyphen ( - ) characters in the data center names.
The drain_requests variable (CR17316)
The drain_requests variable is incorrectly named bleed_requests in Chapter 13, wideip.conf Configuration, in the 3-DNS Reference Guide.
Fully qualified domain names in wide IPs (CR12314)
When you add or modify a wide IP definition, either by using the Configuration utility or by editing the wideip.conf file, you cannot use the same fully-qualified domain name (FQDN) more than once. If you try to use the same FQDN as a wide IP name in one definition, and as an alias in another definition, the Configuration utility stops working.
Global Availability load balancing within a pool (CR13112)
When you create a pool for a new or for an existing wide IP, and you use the Global Availability load balancing method, you may experience problems under the following circumstances:
- You are using Internet Explorer 5.0 or 5.5.
- You select Global Availability in the Load Balancing Modes, Preferred list on the Configure Load Balancing for New Pool screen.
- You have a large quantity of virtual servers in your configuration.
iControl Portal (CR17415)
To restart the iControl Portal, you must reboot the 3-DNS Controller.
Java applets and the Configuration utility (CR10381)
Parts of the Configuration utility for the 3-DNS Controller use Java applets and require the presence of the Java Virtual Machine (JVM) on your local machine. However, some default installations of Internet Explorer do not contain the JVM. If your version of Internet Explorer does not contain a JVM, you can obtain a JVM by going to the Tools menu, choosing the Windows Update link, selecting PRODUCT UPDATES, and looking in the Additional Windows Features section. Alternately, you can go to the Internet Explorer section of Microsoft's web site.
MindTerm SSH Client and multiple Netscape browser sessions (CR12121)
If you have more than one MindTerm SSH Client session open, and you are running Netscape, you can close only one session. We recommend that you open only one instance of the MindTerm SSH Client.
Modify Virtual Server Translations screen and proper data display (CR14029)
If you have configured more than one virtual server translation using the Configuration utility (for BIG-IP Controller virtual servers only), the Modify Virtual Server Translations screen does not refresh properly when you remove a virtual server translation. To view the correct information on the Modify Virtual Server Translations screen, after you have removed a virtual server translation, click the Refresh button on the browser toolbar, and then go back to the Modify Virtual Server Translations screen.
Netscape Navigator 6.0 (CR12116)
The Configuration utility does not currently support Netscape 6.0.
Netscape Navigator on UNIX systems (CR12132)
If you are running Netscape on a UNIX (Linux, *BSD, Solaris) system, the MindTerm SSH Client item is not available in the navigation pane of the Configuration utility. Instead you can access the 3-DNS Controller command line utility using a standard SSH connection.
Netscape Navigator and the Network Map (CR11161)
The Network Map does not display large configurations properly when you run Netscape on a UNIX or Linux platform. We recommend that you use a Windows-based browser to view large network configurations with the Network Map.
Network Map and multiple browser sessions (CR11173)
When you view the Network Map, you might get an error when you open additional browser sessions with Internet Explorer or Netscape. This error only occurs if the additional browser sessions use Java applets. We recommend that you close any additional browser sessions before viewing the Network Map.
Non-crypto controllers and RSH (CR14832)
If you have non-crypto controllers, you must configure RSH from the command line to establish secure communications between the controller and other F5 devices. If you have a mixed environment, with crypto and non-crypto controllers, you must configure RSH as well as SSH on the crypto controllers, so that they can communicate with the non-crypto controllers. For details on how to configure the rsh utility, see the Configuring RSH on non-crypto controllers work-around.
Non-crypto EDGE-FX Caches (CR11035)
When using an RSH session to connect to an EDGE-FX Cache that does not have SSH available (a non-crypto EDGE-FX Cache), you may get a connection refused error message.
To use an RSH session with a non-crypto EDGE-FX Cache
- Use Telnet or a terminal console to connect to the EDGE-FX Cache.
- In the /etc/inetd.conf file, remove the comment (#) character from the line:
#shell stream tcp nowait root /usr/libexec/rshd rshd
- Type the following command:
kill -HUP `cat /var/run/inetd.pid`
This causes the inetd daemon to re-read its configuration.
NTP configuration and the /etc/rc.conf file (CR15764)
When you configure NTP (network time protocol) using the config ntpclocks command, the command does not properly update the /etc/rc.conf file.
Probe protocol for local DNS servers
We recommend that you use the ICMP, DNS_REV, or DNS_DOT probing methods, and that you do not use the Port Discovery probing method, to probe local DNS servers.
Prober statistics and Internet Explorer 5.0 and later (CR10153)
When you are viewing Histograms or Metrics on the Prober Statistics screen, you might encounter errors if you are using Microsoft Internet Explorer 5.0 or later. We recommend using the following procedure to view the Histograms or Metrics:
- In the navigation pane, expand the Statistics item, and click Probers.
- In the Prober Statistics screen, click either Metrics or Histogram.
A dialog box appears.
- Select Save this file to disk and click OK.
The browser saves the file, and you can now open the file using Microsoft Excel.
Random data in the Configuration utility screens (CR14895, CR15320)
On rare occasions, you may see random data at the end of the tables in the Configuration utility.
RSH configuration and the hosts.allow file (CR15549)
The config_rshd script, which configures the rshd utility, writes specific IP addresses (for the hosts that are allowed RSH access) in the CIDR format. For example, if you enter the following IP address, 192.168.10.10, the config_rshd script converts the IP address to the following format: 192.168.10.10/32. The hosts.allow file (where the IP addresses are stored) does not understand IP addresses in the CIDR format. The work-around for this issue is to edit the specific IP addresses in the hosts.allow file by removing the /32 CIDR netmask.
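One way to apply this work-around, as an added example that is not part of the config_rshd script: the function strips the /32 suffix from IPv4 host addresses, leaves other netmasks alone, and keeps the original file as a backup. The function name, the .orig backup name, and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# strip_host_cidr FILE
# Rewrites A.B.C.D/32 as A.B.C.D on non-comment lines, saves the original as
# FILE.orig when anything changed, and prints the number of lines rewritten.
strip_host_cidr() {
    sc_file=$1
    sc_tmp=$(mktemp) || return 1

    sc_changed=$(awk -v out="$sc_tmp" '
        $1 ~ /^#/ { print > out; next }      # leave comments untouched
        {
            head = ""; rest = $0
            while (match(rest, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/32/)) {
                after = substr(rest, RSTART + RLENGTH, 1)
                # "/32" followed by another digit is not a /32 suffix: keep it.
                keep = (after ~ /[0-9]/) ? RLENGTH : RLENGTH - 3
                head = head substr(rest, 1, RSTART - 1 + keep)
                rest = substr(rest, RSTART + RLENGTH)
            }
            fixed = head rest
            if (fixed != $0) n++
            print fixed > out
        }
        END { print n + 0 }
    ' "$sc_file") || { rm -f "$sc_tmp"; return 1; }

    if [ "$sc_changed" -gt 0 ]; then
        cp -p "$sc_file" "$sc_file.orig"     # keep a copy for rollback
        cat "$sc_tmp" > "$sc_file"           # preserves owner and mode
    fi
    rm -f "$sc_tmp"
    echo "$sc_changed"
}

# Constructed sample input, run against a scratch copy (not a real controller file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts.allow" <<'EOF'
rshd : 192.168.10.10/32 192.168.10.11/32
rshd : 192.168.20.0/255.255.255.0
EOF
echo "lines rewritten: $(strip_host_cidr "$demo_dir/hosts.allow")"
cat "$demo_dir/hosts.allow"
rm -rf "$demo_dir"
```
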
Screen resolution and the Configuration utility (CR10518)
If the screen resolution on your monitor is set to less than 1024 x 768 pixels, you may not see the entire 3-DNS Controller toolbar in the Configuration utility. If your monitor allows it, we recommend that you set your screen resolution to 1024 x 768 pixels.
Solstice SNMP agent and metrics collection
The Solstice SNMP agent, which runs on some Sun systems, delays the updating of some metrics for longer than 30 seconds. As a result, in the 3-DNS Controller SNMP Statistics screen, the packet rates and kilobytes per second rates can fluctuate from a zero value to a real value. If you are polling Sun Solaris servers in your network, you may want to set the SNMP polling time on the 3-DNS Controller to an interval greater than 60 seconds.
The snmpd.conf file and the 3dns.log file
If you have SNMP configured on the 3-DNS Controller, the 3dns.log file may fill up quickly. To correct this, you must edit the snmpd.conf file from the command line, as explained in the Editing the snmpd.conf file work-around.
Statistics screens and viewing 3-DNS Controller status (CR9452)
When you disable a 3-DNS Controller that is a member of a sync group, the 3-DNS Statistics and Sync Group Statistics screens in the disabled controller's Configuration utility display an inaccurate status (a red ball) for all of the other 3-DNS Controllers in the same sync group. You can see the correct status of the controllers in the 3-DNS Statistics and Sync Group Statistics screens of any enabled 3-DNS Controller in the sync group.
Sync group names in the Configuration utility (CR14955)
In the Configuration utility, you may get an internal server error if you use special characters in the sync group names. To avoid this error, use only alphanumeric, space, underscore ( _ ), or hyphen ( - ) characters in the sync group names.
Synchronization and 3-DNS Controller versions (CR11186)
The 3-DNS Controller, version 4.0.1 does not synchronize with 3-DNS Controllers that are running versions prior to 4.0.1.
Virtual server dependencies entries (CR11414)
If you remove seven or more entries at one time from a Virtual Server Dependencies List and you are running Internet Explorer 5.0, you may get an error. To avoid this error, remove fewer entries at a time.
Wide IP production rules (CR11710)
When you create a wide IP production rule with a Date/Time time variable, the production rule action does not stop in the time frame that you specify in the Stop Time box. We recommend that you do not configure a production rule with the Date/Time time variable.
Wide IP production rules (CR11202)
When you create a wide IP production rule using the Configuration utility, in the Select Local DNS screen, you must type the IP address and subnet mask in the appropriate boxes. You cannot use the CIDR format (for example, 192.168.10.10/24) in these boxes.
Work-arounds for known issues
The following sections describe work-arounds for some of the known issues listed in the previous section.
Configuring RSH on non-crypto controllers
The following instructions describe how to configure the rsh utility from the command line. You need to configure the rsh utility on all the non-crypto systems for which you want to establish secure communications, as well as crypto systems that communicate with non-crypto systems.
To set up the rsh utility from the command line
- Change to the /root directory.
- In the /root directory, create an .rhosts file.
- Add the IP address for the remote system to the newly-created .rhosts file.
- Save and close the file.
- For the .rhosts file, set the file permissions using the chmod 600 command.
You can now use the rsh utility to run commands on the remote system.
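A check of the result of this procedure, as an added example (not F5 code): the function confirms that the .rhosts file has mode 600, is owned by the expected uid, and lists only literal IP addresses. The function name, the finding labels, and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# audit_rhosts FILE [EXPECTED_UID]
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_rhosts() {
    rh_file=$1
    rh_uid=${2:-0}          # default: root, which owns /root/.rhosts
    rh_status=0

    if [ ! -f "$rh_file" ]; then
        echo "MISSING: $rh_file"
        return 1
    fi

    # ls -ldn prints the numeric owner; the first 10 characters are the file
    # type and mode bits (an ACL or SELinux marker would be character 11).
    rh_ls=$(ls -ldn "$rh_file")
    rh_mode=$(printf '%s\n' "$rh_ls" | cut -c1-10)
    rh_owner=$(printf '%s\n' "$rh_ls" | awk '{print $3}')

    if [ "$rh_mode" != "-rw-------" ]; then
        echo "MODE: $rh_mode (expected -rw-------, fix with chmod 600)"
        rh_status=1
    fi
    if [ "$rh_owner" != "$rh_uid" ]; then
        echo "OWNER: uid $rh_owner (expected uid $rh_uid)"
        rh_status=1
    fi

    # Entry checks. A leading "+" trusts every host or user ("+@name" trusts a
    # whole netgroup), and a host name makes the trust decision depend on DNS.
    rh_entries=$(awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^\+/ || $2 ~ /^\+/ { print "WILDCARD: line " NR ": " $0; next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print "NOT-AN-IP: line " NR ": " $0 }
    ' "$rh_file")
    if [ -n "$rh_entries" ]; then
        printf '%s\n' "$rh_entries"
        rh_status=1
    fi
    return "$rh_status"
}

# Constructed sample: a wildcard entry and a host name, left world-readable.
demo=$(mktemp)
printf '192.168.10.10\n+ +\nbigip1.example.net\n' > "$demo"
chmod 644 "$demo"
audit_rhosts "$demo" "$(id -u)" || echo "fix the findings above before relying on this file"
rm -f "$demo"
```
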
Editing the snmpd.conf file
Use the following instructions to edit the snmpd.conf file so that the 3dns.log file no longer fills up too quickly.
To edit the snmpd.conf file
- At the command line, change to the /etc/snmpd.conf directory.
- Using the text editor of your choice, locate the following line in the file:
trapsink 192.168.101.62
- Comment out the line by adding the comment (#) character in front of trapsink.
Resetting the SSH key
The following instructions describe how to reset the SSH key for a controller that you have upgraded using a CD.
To reset the SSH key for an updated 3-DNS Controller
- From the command line of each controller in the sync group that has not been upgraded, change to the /root/.ssh/ directory.
- In either the known_hosts file or the known_hosts2 file, remove the SSH key for the upgraded controller.
- On the controller that you upgraded, type 3dnsmaint at the command line to open the 3-DNS Maintenance menu.
- Choose Configure SSH communication with remote devices, and press Enter.
The 3-DNS Controller updates all sync group members with the SSH key of the upgraded controller.
- Press Enter to return to the 3-DNS Maintenance menu.
- Press Q to quit.
Using the Global Availability load balancing mode within a pool
The following instructions describe how to configure the Global Availability load balancing mode within a pool. You need to use these instructions only if you meet the criteria listed in the Using the Global Availability load balancing mode within a pool item in the Known Issues section.
To configure Global Availability load balancing within a pool in a new wide IP
- In the navigation pane, click Wide IPs.
The Wide IP List screen opens.
- On the toolbar, click Add Wide IP.
The Add a New Wide IP screen opens.
- Type the settings for the new wide IP, and click Next.
The Configure Load Balancing for New Pool screen opens.
- Select a load balancing mode other than Global Availability in all of the following lists:
- Load Balancing Modes, Preferred
- Load Balancing Modes, Alternate
- Load Balancing Modes, Fallback
Note that you can accept the default settings, rather than changing the settings.
- Click Next.
The Select Virtual Servers screen opens.
- Once you have finished configuring the virtual servers for the pool, click Finish to save your changes.
- On the Wide IP List screen, select the wide IP that you just created.
- On the toolbar, click Modify Pool.
The Modify Wide IP Pools screen opens.
- Click the pool that you just created.
The Modify Load Balancing for [pool name] screen opens.
- Select Global Availability, as appropriate, in the Load Balancing Modes, Preferred, or the Load Balancing Modes, Alternate, or the Load Balancing Modes, Fallback list, and click Update.
The Modify Virtual Servers screen opens, where you can determine the order in which the 3-DNS Controller load balances to the virtual servers in the pool.
To configure Global Availability load balancing within a pool in an existing wide IP
- In the navigation pane, click Wide IPs.
The Wide IP List screen opens.
- On the toolbar, click Add Pool.
The Configure Load Balancing for New Pool screen opens.
- Select a load balancing mode other than Global Availability in the following lists:
- Load Balancing Modes, Preferred
- Load Balancing Modes, Alternate
- Load Balancing Modes, Fallback
Note that you can accept the default settings; you do not have to change the settings.
- Once you have finished configuring the pool, click Finish to save your changes.
The Wide IP List screen opens.
- In the Pools column, select the pools for the wide IP that you just modified.
The Modify Wide IP Pools screen opens.
- In the Pool Name column, click the name of the pool that you just created.
The Modify Load Balancing for [pool name] screen opens.
- Select Global Availability, as appropriate, in the Load Balancing Modes, Preferred list, or the Load Balancing Modes, Alternate list, or the Load Balancing Modes, Fallback list, and click Update.
The Modify Virtual Servers screen opens, where you can determine the order in which the 3-DNS Controller load balances to the virtual servers in the pool.