Applies To:
3-DNS Controller versions 1.x - 4.x
- 4.6.3
Updated Date: 04/18/2019
Summary:
This release note documents version 4.6.3 of the 3-DNS® Controller. You can apply the software upgrade to version 4.5 and later. For information about installing the software, please refer to the instructions below.
F5 now offers both maintenance and feature releases. Version 4.6.3 is a feature release that is based on version 4.5.12 code. For more information on our new release policies, please see Description of the F5 Networks software version number format.
Warning: This is a feature release, not a maintenance release. Unless you need specific features that are new to this feature release, please upgrade to the latest maintenance release instead.
Minimum system requirements and supported browsers
The minimum system requirements for this release are:
- Intel® Pentium® III 550MHz processor
- 512MB disk drive or CompactFlash® card
- 256MB RAM
The supported browsers for the Configuration utility are:
- Microsoft® Internet Explorer 5.0, 5.5, and 6.0
- Netscape® Navigator 4.7x
Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.
Installing the software
Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the upgrade. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the upgrade installation.
Note: If you are updating the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.6.3 note for instructions on installing the upgrade. Applying the upgrade for BIG-IP version 4.6.3 also applies the upgrade to the 3-DNS module. The enhancements, fixes, and known issues for the 3-DNS Controller, however, are available only in the 3-DNS Controller version 4.6.3 release note.
The following instructions explain how to install the 3-DNS Controller version 4.6.3 onto existing systems running version 4.5 PTF-03 and later. The installation script saves your current configuration.
- Go to the Downloads site and locate the 3-DNS version 4.6.3 upgrade file, BIGIP_4.6.3_Upgrade.im.
3-DNS is not listed as a product line on the Downloads site; the image file is listed under the BIG-IP 4.x product line.
- Download the software image and the BIGIP_4.6.4_Upgrade.md5 file.
For information about how to download software, refer to SOL167: Downloading software from F5 Networks.
- If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your 3-DNS system.
- Check the md5 of the upgrade file by typing the following commands:
md5 BIGIP_4.6.3_Upgrade.im
cat BIGIP_4.6.3_Upgrade.md5
The two md5 values should be identical.
Note: If the sums do not match, download the BIGIP_4.6.4_Upgrade.im file again and recheck the md5 for the file.
- Install the upgrade by typing the following command:
im BIGIP_4.6.3_Upgrade.im
The 3-DNS Controller automatically reboots once it completes installation.
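The checksum step in the procedure above, as an added example that is not part of the F5 release note or F5's tooling: a POSIX shell helper that compares the image digest with the published .md5 file and returns non-zero on any mismatch, so the install command is only reached after a clean check. The function names are invented for this example, and it assumes one of md5sum, md5 or openssl is on the path.

```shell
#!/bin/sh
# Added example (not F5 code): verify an upgrade image against its .md5 file
# before handing it to `im`. Function names are invented for this example.

# Pull the first 32-hex-digit token out of stdin, lowercased. Handles a bare
# digest, "digest  file" (md5sum style) and "MD5 (file) = digest" (BSD md5).
# Tokens of any other length (for example a 64-digit SHA-256) are ignored.
extract_md5() {
    tr 'A-F' 'a-f' | tr -c '0-9a-f\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if (length($i) == 32) { print $i; exit } }'
}

# Print the MD5 digest of a file. The file is fed on stdin so that its name
# never appears in the tool output that extract_md5 has to parse.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1"
    elif command -v md5 >/dev/null 2>&1; then
        md5 < "$1"
    else
        openssl md5 < "$1"
    fi | extract_md5
}

# verify_image IMAGE SUMFILE
# Returns 0 when the digests match, 1 on mismatch, 2 when a file is missing
# or no digest could be read (an empty or truncated .md5 file, for instance).
verify_image() {
    image=$1
    sumfile=$2
    if [ ! -r "$image" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $image or $sumfile" >&2
        return 2
    fi
    expected=$(extract_md5 < "$sumfile")
    actual=$(md5_of "$image")
    if [ -z "$expected" ] || [ -z "$actual" ]; then
        echo "could not read an MD5 digest" >&2
        return 2
    fi
    if [ "$expected" = "$actual" ]; then
        echo "OK: $image matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $image is $actual, $sumfile says $expected" >&2
    return 1
}

# When called with two arguments, check them; the exit status is the verdict.
[ "$#" -ne 2 ] || verify_image "$1" "$2"
```

Saved under a hypothetical name such as verify_image.sh, it can be run from /var/tmp as `sh verify_image.sh BIGIP_4.6.3_Upgrade.im BIGIP_4.6.3_Upgrade.md5`. A match shows the image is the one the .md5 file describes (no truncated or corrupted download); MD5 is not a signature.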
Updating the big3d agent
After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems known to the 3-DNS Controller, as follows:
- Log on to the 3-DNS Controller at the command line.
- Type 3dnsmaint to open the 3-DNS Maintenance menu.
- Select Install and Start big3d, and press Enter.
The 3-DNS Controller detects all BIG-IP systems in the network, and updates their big3d agents with the appropriate version of the agent.
- Press Enter to return to the 3-DNS Maintenance menu.
- Type Q to quit.
For more information about the big3d agent, see the 3-DNS Reference Guide.
Activating the license
Once you install the upgrade and connect the controller to the network, you need a valid license certificate to activate the software. To obtain a license certificate, you need to provide two items to the license server: a registration key and a dossier. The registration key is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license. The dossier is obtained from the software, and is an encrypted list of key characteristics used to identify the platform. If you do not have a registration key, please contact your vendor.
You can obtain a license certificate using one of the following methods:
- Automatic license activation
You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded controller. This method automatically retrieves and submits the dossier to the F5 Networks license server, as well as installs the signed license certificate. In order for you to use this method, the controller must be installed on a network with Internet access.
- Manual license activation
You perform manual license activation from the Configuration utility, which is the browser-based user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 Networks license server manually. In order for you to use this method, the administrative work station must have Internet access.
Note: You can open the Configuration utility using either Netscape Navigator 4.7x, or Microsoft Internet Explorer 5.0, 5.5, or 6.0.
To automatically activate a license from the command line for first time installation
- Type the user name root and the password default at the logon prompt.
- At the prompt, type license. The following prompts appear:
IP:
Netmask:
Default Route:
Select interface to use to retrieve license:
The 3-DNS Controller uses this information to make an Internet connection to the license server.
- After you type the Internet connection information, continue to the following prompt:
The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:
Type Y, and the following prompt displays:
Registration Key:
- Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The controller retrieves and sends the dossier to the F5 Networks license server, and the F5 Networks license server returns and installs a signed license file. A message displays indicating the process was successful.
- You are asked to accept the End User License Agreement (EULA). Note that the system is not fully functional until you accept the EULA.
- Press Enter to reboot the system. The system is not fully functional until you reboot.
- If the licensing process is not successful, contact your vendor's technical support team.
To automatically activate a license from the command line for upgrades
- Type your user name and password at the logon prompt.
- At the prompt, type setup.
- Choose menu option (L) License Activation.
- The following prompt displays:
Number of keys: 1
If you have more than one registration key, enter the appropriate number, and press Enter.
- The following prompt displays:
Registration Key:
Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
The controller retrieves and sends the dossier to the F5 Networks license server, and the F5 Networks license server returns and installs a signed license file. A message displays indicating the process was successful.
- If the licensing process is not successful, contact your vendor.
To manually activate a license using the Configuration utility
You can use the Configuration utility to manually activate a license for a previously-configured 3-DNS Controller and for a new controller. Before you can activate the license, however, you must log on to the Configuration utility.
To open the Configuration utility for an existing 3-DNS Controller
- Open the Configuration utility using the configured address.
- Type your user name and password at the logon prompt, and click OK.
The Configuration utility home screen displays.
To open the Configuration utility for a new 3-DNS Controller
- From the administrative work station, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the user name root and the password default at the logon prompt, and click OK.
The Configuration utility home screen displays.
Once you have successfully logged on to the Configuration utility, you can proceed with the manual license activation.
To manually activate a license using the Configuration utility
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.
- At the Manual Authorization screen, retrieve the dossier using one of the following methods:
  - Copy the entire contents of the Product Dossier box.
  - Click Download Product Dossier, and save the dossier to the hard drive.
- Click the link in the License Server box.
The Activate F5 License screen opens in a new browser window.
- From the Activate F5 License screen, submit the dossier using one of the following methods:
  - Paste the data you just copied into the Enter your dossier box, and click Activate.
  - At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
The screen returns a signed license file.
- Retrieve the license file using one of the following methods:
  - Copy the entire contents of the signed license file.
  - Click Download license, and save the license file to the hard drive.
- Return to the Manual Authorization screen, and click Continue.
- At the Install License screen, submit the license file using one of the following methods:
  - Paste the data you copied into the License Server Output box, and click Install License.
  - At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
You must reboot the controller to complete the license activation.
To automatically activate a license using the Configuration utility
You can use the Configuration utility to automatically activate a license for a previously-configured 3-DNS Controller and for a new controller. Before you can activate the license, however, you must log on to the Configuration utility.
To open the Configuration utility for an existing 3-DNS Controller
- Open the Configuration utility using the configured address.
- Type your user name and password at the logon prompt, and click OK.
The Configuration utility home screen displays.
To open the Configuration utility for a new 3-DNS Controller
- From the administrative work station, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the unit's local area network.
- Type the user name root and the password default at the logon prompt, and click OK.
The Configuration utility home screen displays.
Once you have successfully logged on to the Configuration utility, you can proceed with the automatic license activation.
To automatically activate a license using the Configuration utility
- Click License Utility to open the License Administration screen.
- In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.
The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
- Click License Terms, review the EULA, and accept it.
- At the Reboot Prompt screen, select when you want to reboot the platform.
You must reboot the controller to complete the license activation.
Changes to existing features
This release includes the following changes in product behavior.
Solution | Description |
SOL739 | Versions of software packages used in this release |
SOL1020 | Reserved words for this release |
SOL3689 | Routes in /config/routes and /etc/netstart are removed |
SOL3747 | The user is now prevented from deleting the LDAP default.key |
SOL3748 | The FTBU now warns that it can rewrite zone files |
SOL4011 | Routes are now reloaded when changes to VLANs, interfaces, or self addresses are made |
SOL4366 | DNS proxy port now closed by default and a new global to open it |
SOL4025 | sshd.conf is now backed up when an upgrade is run |
SOL4100 | Hops and round trip time may no longer be used together in QOS calculations |
SOL4101 | ICMP and UDP high port probing may no longer be used together in RTT calculations |
SOL4179 | Hardware platforms supported by this release |
SOL4180 | SEE-IT providers are no longer included in this release |
SOL4189 | The topology database has been updated |
SOL4324 | You can now configure whether or not 3-DNS probes disabled objects |
SOL4376 | New versions of big3d are included in this release |
SOL4402 | big3d will now log a message when it exits |
SOL4548 | Ties in VS selection will now result in randomized response |
SOL4557 | Allow "?" to pass the checktrap.pl content test |
SOL4570 | EDGE-FX is no longer supported by 3-DNS |
New features in this release
This release includes the following new features.
Connection Rate Limit settings (CR24840)
This release of the BIG-IP system includes new Connection Rate and Rate Limit settings with which you can measure the number of connections per second. You can then use this statistic to limit the number of connections to a node address. This feature is useful if there are times when you expect to have insufficient resources to service all requests, but you also want to ensure that all available servers are performing at maximum capacity. For example, suppose you have a data center that has enough capacity to handle the load when all the servers are functional, but you need to bring down half of the servers at a certain time in order to update the content. In this instance, the load may exceed the capacity of the remaining servers and cause the servers to become overloaded and unable to function at their maximum sustainable capacity. To avoid this situation, you can configure the BIG-IP system node connection rate limits to the maximum sustainable rate for each server. This prevents the servers from becoming over-burdened, and thus fewer requests are discarded.
In addition, if you are using the 3-DNS Controller to load balance traffic between data centers, you can use the virtual server rate limit in conjunction with global Available Connection Rate or Quality of Service load balancing to shift the load from the degraded data center to a data center with sufficient capacity.
For more information on configuring the Connection Rate and Rate Limit settings, see SOL4184: Configuring 3-DNS to limit connections to a virtual server based on the rate of requests rather than the number of concurrent requests
Radware SNMP Prober (CR41010)
The 3-DNS Controller can now gather metrics from Radware machines configured on the network. For more information, see SOL4181: Configuring 3-DNS to probe Radware local traffic management products
Configuring client-side authentication using HTTPS ECV (CR41651)
In this release you can configure client-side authentication using the HTTPS ECV monitor. If you currently use SSL and client-side certificates for authentication, you may want to configure this feature. This feature allows you to monitor the content of pages while using client-side authentication. To configure this feature, you can specify a certificate path in the ECV Certificate box on the Modify Wide IP screen in the Configuration utility, or specify a client_cert string in the ecv portion of the wideip.conf file. For more information, see SOL4182: Configuring 3-DNS to supply a client SSL certificate for an Extended Content Verification (ECV) health monitor
IP Classifier database (CR41800)
In this release we have updated the IP Classifier database used by the 3-DNS Controller. For more information, see SOL4189: Most recent updates to the 3-DNS Controller's IP Classifier database
Recursion bit settings (CR43974)
We have added a new global variable in this release that allows you to configure whether the 3-DNS Controller sets the recursion bit (RA bit) for replies issued by 3dnsd. This feature may be useful in cases where you have applications that only accept DNS responses that have the recursion bit set. This feature is disabled by default. For more information, see SOL4187: Setting the recursion bit for 3dnsd replies on the 3-DNS Controller
BIND Vulnerabilities VU#938617 and VU#327633 (CR44372)
This release includes BIND version 9.3.1. This version of BIND addresses the BIND vulnerabilities described in Vulnerability Note VU#938617 and VU#327633 on the CERT® Coordination Center Web site. For more information on the vulnerabilities, see http://www.kb.cert.org/vuls/id/734644.
New fixes in this release
In the 4.6.3 release, on a trial basis, we have modified the format for displaying CRs for fixes and known issues. The CRs are now listed in a table format, with the corresponding solution listed next to the CR. Clicking the solution link directs you to the more detailed solution document that is posted on the AskF5 Technical Support Web Site. We continually update these solution documents on AskF5 as new details become available. If additional known issues are discovered after we release version 4.6.3, we will update the known issues table with the new CR and solution numbers, with the goal of keeping you current on our known issues.
If you encounter a solution that does not have an active link, it is likely that we have not yet had a chance to get the solution posted on AskF5, but please continue to check this table for new content or links.
This release includes the following new fixes.
CR | Solution | Description |
CR14926 | SOL3676 | 3dnsmaint does not copy iQuery keys to remote units |
CR22419 | SOL4408 | Inability to delete files during an upgrade might result in unallocated iNodes |
CR23634 | SOL3678 | sod reports unnecessary bigapi_unit_mask errors |
CR26589 | SOL4201 | The IP classifier database can now be loaded from the Configuration utility |
CR27161 | SOL3701 | Help for bigpipe class did not exist |
CR27161 | SOL3703 | Help for bigpipe interface did not exist |
CR27161 | SOL3705 | Help for bigpipe reset did not exist |
CR27161 | SOL3707 | Help for bigpipe list did not exist |
CR27161 | SOL3710 | Help for bigpipe merge did not exist |
CR27161 | SOL3711 | Help for bigpipe base save did not exist |
CR27161 | SOL3712 | Help for bigpipe base list did not exist |
CR27161 | SOL3713 | Help for bigpipe save did not exist |
CR27205 | SOL3715 | Syslog listens on UDP port 514 |
CR27252 | SOL3716 | Auto discovery and configuration does not ignore loopback virtual servers |
CR27424 | SOL3717 | NTP fails after loading the configuration using the Configuration utility |
CR27820 | SOL5057 | The error message "WARN:FlushAllIQM: iqBufFlush() failed" may be logged after restart |
CR27878 | SOL3726 | Probing always uses the same interface and source address |
CR28079 | SOL3729 | Server appliances enter a netboot loop after a halt command is issued |
CR28101 | SOL3730 | The Configuration utility does not allow more than 39 topology entries |
CR28316 | SOL1660 | Zombie processes might be generated when a terminal server is attached |
CR28316 | SOL3733 | Duplicate VLANs appear when a self IP address on the 135./8 network is configured |
CR28408 | SOL2720 | Cannot establish an SSH connection from a new BIG-IP system or 3-DNS Controller received as an RMA |
CR28497 | SOL3739 | 3-DNS Controller might truncate some zone entries when used as a secondary DNS |
CR29599 | SOL3739 | Automatic discovery and configuration occur even when globally disabled |
CR29730 | SOL3715 | Syslog listens on UDP port 514 |
CR29843 | SOL3787 | BIG-IP 2400, 5000, and 5100 units might lock up during reboot |
CR29859 | SOL4402 | big3d now logs a message when it exits |
CR30235 | SOL3809 | 3-DNS Controller logs an unnecessary "No nodes up" message |
CR30583 | SOL3812 | Random pool selection is not random, and selects the same pool every time |
CR30877 | SOL4242 | The im -Q command does not always report the correct versions for installed packages |
CR30995 | SOL3815 | Fiber gigabit ports show output errors on switch appliances |
CR31388 | SOL5178 | The full_debug script may add duplicate or overlapping statements to syslog.conf |
CR31551 | SOL3822 | Disabling a datacenter does not cause another 3-DNS Controller to become the principal unit |
CR32148 | SOL3825 | sync_zones might leave a stale pid file and refuse to run |
CR32375 | SOL3896 | Dropped packet counters in netstat and bigpipe interface might be inconsistent |
CR32975 | SOL3904 | One-time auto discovery continues to run each time 3dnsd restarts |
CR33286 | SOL3906 | /etc/syslog.conf comments indicate the wrong location of checktrap.pl |
CR33614 | SOL3907 | The status legend is incorrect |
CR33624 | SOL3908 | The Allow Fragmentation option remains in the Configuration utility |
CR34446 | SOL3915 | Problems with internal interface drivers might make BIG-IP system unresponsive |
CR34472 | SOL3915 | 3dpipe syncgroup does not report principal status |
CR34525 | SOL3917 | The standby system might send a gratuitous ARP using the floating IP address |
CR34737 | SOL5041 | The Configuration utility will not accept host addresses that end in .255 |
CR35576 | SOL3969 | 3dnsd might crash due to internal mishandling of long error messages |
CR35576 | SOL3969 | 3dnsd might become unstable due to incorrectly formatted errors |
CR36377 | SOL4405 | High speed interface statistics are reported in the wrong units |
CR36863 | SOL3979 | Routers probed by SNMP v1 might be weighted incorrectly |
CR36926 | SOL3981 | vs_capacity is able to choose down or disabled virtual servers |
CR36998 | SOL3982 | 3-DNS Controller does not always choose the closest prober |
CR37147 | SOL3987 | The system might become unstable when running the ANIP kernel and using the bpf device |
CR37260 | SOL3988 | DMA support is disabled on the D35 platform |
CR38552 | SOL4005 | Changing a wide IP name does not update associated aliases in Namesurfer |
CR38795 | SOL4006 | 3-DNS Controller might become unstable during a synchronization process |
CR38838 | SOL4007 | Upgrade process does not successfully update the root.hint file |
CR39078 | SOL4009 | libpng version 1.0.9 contains security vulnerabilities |
CR39175 | SOL4015 | 3-DNS units might become unresponsive when inter-communicating |
CR40149 | SOL4060 | Topology entries with not (!) cannot be deleted using the Configuration utility |
CR40389 | SOL3369 | BIG-IP system and 3-DNS Controller are vulnerable to VU#395670/CAN-2004-0171 |
CR40390 | SOL3369 | BIG-IP system and 3-DNS Controller are vulnerable to VU#395670/CAN-2004-0171 |
CR40428 | SOL3372 | SNMP traps are sent using the wrong OID base |
CR41099 | SOL4087 | qkview might enter an infinite loop and produce a huge output file |
CR41113 | SOL4088 | Syslog does not attempt enough retries when logging many simultaneous messages |
CR41203 | SOL4089 | root.hint file is missing after clean installation |
CR41267 | SOL4378 | The man page for the dig command is missing |
CR41715 | SOL4321 | The 3dns_add script prompts the user to synchronize a default named.conf file |
CR41801 | SOL4402 | big3d now logs a message when it exits |
CR41836 | SOL2720 | Cannot establish an SSH connection from a new BIG-IP system or 3-DNS Controller system received as an RMA |
CR41852 | SOL2325 | The gray virtual server status is not documented |
CR41863 | SOL4321 | The 3dns_add script prompts the user to synchronize a default named.conf file |
CR41879 | SOL3372 | SNMP traps are sent using the wrong OID base |
CR41881 | SOL4405 | High speed interface statistics are reported in the wrong units |
CR41948 | SOL4408 | Inability to delete files during an upgrade might result in unallocated iNodes |
CR42101 | SOL5041 | The Configuration utility will not accept host addresses that end in .255 |
CR42283 | SOL4203 | 3-DNS Controller does not respond to AAAA or A6 records |
CR42429 | SOL4207 | Apache mod_include vulnerability CAN-2004-0940 |
CR42529 | SOL4100 | Hops and round trip time can no longer be used together in QOS calculations |
CR42529 | SOL4101 | ICMP and UDP high port probing can no longer be used together in RTT calculations |
CR42530 | SOL4100 | Hops and round trip time may no longer be used together in QOS calculations |
CR42530 | SOL4101 | ICMP and UDP high port probing may no longer be used together in RTT calculations |
CR42531 | SOL4100 | Hops and round trip time may no longer be used together in QOS calculations |
CR42531 | SOL4101 | ICMP and UDP high port probing may no longer be used together in RTT calculations |
CR42532 | SOL4100 | Hops and round trip time may no longer be used together in QOS calculations |
CR42532 | SOL4101 | ICMP and UDP high port probing may no longer be used together in RTT calculations |
CR42760 | SOL4208 | The string "--" cannot be used in certificate names |
CR42763 | SOL4208 | The string "--" cannot be used in certificate names |
CR42764 | SOL4209 | RRD graphs are improperly cached |
CR42843 | SOL4326 | System crashes, panics, and hangs fixed in this release |
CR43530 | SOL4324 | You can now configure whether 3-DNS Controller probes disabled objects |
CR43583 | SOL4328 | The ntpd daemon fails to run when more than 128 VLANs exist |
CR43628 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
CR43643 | SOL4328 | The ntpd daemon fails to run when more than 128 VLANs exist |
CR44148 | SOL4209 | RRD graphs are improperly cached |
CR44270 | SOL4334 | The 3dpipe command now disables a datacenter correctly |
CR44372 | SOL4351 | BIND VU#938617 |
CR44375 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
CR44376 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
CR44450 | SOL4334 | The 3dpipe command now disables a datacenter correctly |
CR44570 | SOL4160 | 3-DNS Controller marks down any BIG-IP version 9.x virtual servers that are configured to use rules |
CR44684 | SOL4335 | BIG-IP system internal variables are now configurable on 3-DNS Controllers |
CR44685 | SOL4335 | BIG-IP system internal variables are now configurable on 3-DNS Controllers |
CR44712 | SOL4326 | 3dnsd might crash due to internal mishandling of long error messages |
CR44780 | SOL4336 | The config_ssh script might time out prematurely when attempting to connect |
CR44781 | SOL4336 | The config_ssh script might time out prematurely when attempting to connect |
CR44807 | SOL4326 | 3dnsd might crash due to internal mishandling of long error messages |
CR44994 | SOL4550 | The bigpipe man page references incorrect locations for named.conf and named.boot |
CR45015 | SOL4326 | System crashes, panics, and hangs that have been fixed in this release |
CR45121 | SOL3969 | 3dnsd may crash due to internal mishandling of long error messages |
CR45187 | SOL4550 | The bigpipe man page references incorrect locations for named.conf and named.boot |
CR45625 | SOL4559 | A small memory leak occurs in 3dnsd when snmpd is restarted |
CR45736 | SOL4559 | A small memory leak occurs in 3dnsd when snmpd is restarted |
CR47917 | SOL5077 | The Configuration utility may crash when displaying production rules |
CR47918 | SOL5077 | The Configuration utility may crash when displaying production rules |
CR48152 | SOL4809 | BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 |
CR48153 | SOL4809 | BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280 |
Features and fixes released in prior releases
The current release includes the features and fixes that were distributed in prior feature releases, as listed below.
Version 4.6.2
System statistics screen (CR28085)
This release includes a System Graph Statistics screen in the Configuration utility that displays statistics about the 3-DNS system in a graphical format so that you can view changes and trends in statistics over time. The System Graph Statistics screen displays statistics including CPU usage and memory usage.
To view the System Graph Statistics screen, in the left pane of the Configuration utility, click Statistics and then click System Graphs.
Support for BIND 9.2.2 and Namesurfer version 3.0.6
This version of the 3-DNS software includes the BIND DNS server version 9.2.2 and Namesurfer™ version 3.0.6. This version of the BIND software contains security enhancements as well as DNS protocol enhancements. For added security, the named utility now runs in a chroot environment. Namesurfer version 3.0.6 supports some, but not all, of the BIND 9.2.2 feature set. It does not support Views or ACLs. This version of the 3-DNS software does not support A6 or IPv6 (AAAA) records, and it does not support DHCP.
Important: If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts in version 9. If you have named.conf or zone files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. For more information, see BIND 9 file system migration in the Required configuration changes section of this release note.
BIND MIB removed (CR38482)
In previous releases, the 3-DNS system exposed the BIND rfc1611 MIB. This MIB is removed in this release.
RSA SecurID authentication
This version of the 3-DNS software includes support for RSA SecurID® authentication, the remote authentication protocol used by RSA ACE/Server® software. RSA SecurID authentication is a two-part authentication mechanism that requires both a user ID and a passcode that changes every 60 seconds. For more information on RSA SecurID authentication, please see http://www.rsasecurity.com/node.asp?id=1156. To configure RSA SecurID authentication, see Configuring RSA SecurID authentication in the Optional configuration changes section of this release note.
Version rollback script
This release includes a rollback script that allows you to return to the previous version of the 3-DNS software after you upgrade. This script is designed to allow you to roll back the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.
To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.
Important: The mkrb file for version 4.6.2 contains a defect. If you install a rollback package created by the version 4.6.2 mkrb file, the rollback procedure will fail. If you are running version 4.6.2 and you want to create a rollback IM package, we recommend that you use the mkrb file included with version 4.6.3 to create the package.
To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:
- Change your directory to /var/tmp by typing the following command:
cd /var/tmp
- Extract the mkrb file from the 4.6.3 upgrade package by typing the following command:
tar -xzf BIGIP_4.6.3_Upgrade.im usr/local/bin/mkrb
- Create the necessary rollback files by typing the following command:
./usr/local/bin/mkrb BIGIP_4.6.3_Upgrade.im
This creates an IM package that you can run on the 3-DNS system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:
cd /var/tmp/rb
im <rollback_im_package_name>.im
Note: If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you will need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.
named watchdog
A new variable is included in this release that initiates a failover and restarts the named utility if the named utility fails for any reason. You can enable this variable using the command line utility. Use the following command to enable this feature:
bigpipe db set "Common.Bigip.Failover.OnNamedFail" = true
After you enable or disable this variable, we recommend that you start, stop, and restart the named utility using the following commands:
bigstart startup named
bigstart shutdown named
bigstart restart named
Support for TFTP
This version of the 3-DNS software supports TFTP (Trivial File Transfer Protocol, revision 2, RFC 1350) traffic control.
Version 4.6.1
This release includes the following fix.
The OpenSSL package has been upgraded to version 0.9.7d (CR33306) (CR33755)
The OpenSSL package has been upgraded to version 0.9.7d. This upgrade addresses several recent security issues with OpenSSL described in Technical Cyber Security Alert TA04-078A. This version addresses CERT vulnerabilities VU#288574 and VU#484726. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.
Version 4.6
The 4.6 release contains several new features for the BIG-IP and Link Controller software.
Required configuration changes
Once you have installed the software, you must make the following required configuration changes, if appropriate.
BIND 9 file system migration
If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts included in version 9. If you have named.conf or zone-files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. If you have edited the named.conf or zone-files by hand, the named.conf files may not work properly when you upgrade. The BIG-IP system runs a check after upgrade to make sure that the named.conf and zone-files are working correctly. If the BIG-IP system detects problems converting these files, the system displays an error message in the Configuration utility, and logs error messages to the /var/named/etc/conversion.log log file. The table below lists the F5 standard file locations for BIND versions 8 and 9.
BIND 8 | BIND 9 | File |
/etc/named.conf | /var/named/etc/named.conf | Main configuration file |
/etc/namedb | /var/named/etc/namedb | Zone files |
ndc | rndc | ndc utility |
BIND 9 does not support the ndc utility. The ndc utility is replaced with the rndc utility in this release. You can use the rndc utility to stop or re-load the configuration. However, we do not recommend using the rndc utility to start named. You should use the bigstart named or sod-named commands to start named.
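A pre-upgrade check for the file locations in the table above, as an added example that is not F5's own tooling: it lists the directory, zone-file and include paths in a BIND 8 named.conf that fall outside /etc/namedb and therefore need to be moved before the upgrade. The function names, the script name and the sample named.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (not F5 tooling): pre-upgrade audit of a BIND 8 named.conf.
# Lists every directory/file/include path outside the F5 standard BIND 8
# zone directory from the table above, i.e. the files to move before upgrading.
STD_ZONE_DIR=/etc/namedb

# nonstandard_paths CONF [STD_DIR]: prints "keyword path", one per line.
# Limitation: /* ... */ comments are not stripped.
nonstandard_paths() {
    awk -v std="${2:-$STD_ZONE_DIR}" '
    {
        sub(/\/\/.*/, ""); sub(/#.*/, "")   # drop // and # comments
        line = " " $0                        # leading separator for the match below
        # The keyword must follow a separator, so pid-file and dump-file
        # are not mistaken for a zone "file" statement.
        while (match(line, /[^A-Za-z0-9_-](directory|file|include)[ \t]+"[^"]+"/)) {
            stmt = substr(line, RSTART + 1, RLENGTH - 1)
            line = substr(line, RSTART + RLENGTH)
            kw = stmt;   sub(/[ \t].*/, "", kw)
            path = stmt; sub(/^[^"]*"/, "", path); sub(/"$/, "", path)
            if (kw == "directory") dir = path
            else { n++; kws[n] = kw; paths[n] = path }
        }
    }
    END {
        if (dir != "" && dir != std) print "directory " dir
        for (i = 1; i <= n; i++) {
            p = paths[i]
            if (p !~ /^\//) {                # relative: resolve against directory
                if (dir == "") { print kws[i] " UNRESOLVED:" p; continue }
                p = dir "/" p
            }
            # ".." is not normalised, so any path containing it is reported.
            if (index(p, std "/") != 1 || p ~ /\/\.\.(\/|$)/) print kws[i] " " p
        }
    }' "$1"
}

# write_sample_conf PATH: constructed BIND 8 configuration for demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
};
zone "example.com"  { type master; file "db.example.com"; };          # standard
zone "corp.example" { type master; file "/usr/local/dns/db.corp"; };  // moved by hand
include "/home/admin/extra-zones.conf";
zone "." { type hint; file "../root.hint"; };
EOF
}

# Usage (hypothetical script name): sh audit.sh /etc/named.conf
if [ $# -gt 0 ]; then nonstandard_paths "$@"; fi
```

No output means every path referenced by the file already resolves under the standard zone directory.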
Removing a controller from a sync group
If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the upgrade. Once you have upgraded all controllers to the same version, you can then re-create the sync group. Once you have removed the controller from the sync group, you can proceed with the upgrade installation.
Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.
To remove a controller from a sync group using the Configuration utility
- In the navigation pane, click 3-DNS Sync.
The Synchronization screen opens.
- In the Remove column, next to the controller that you want to remove from the sync group, click the Remove button.
A popup screen opens to confirm the removal of the controller.
- Click OK.
The screen refreshes, and the controller is no longer listed as a member of the sync group.
- Repeat these tasks for any additional sync group members that you want to remove from the sync group.
Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.
To remove a sync group using the Configuration utility
- In the navigation pane, click 3-DNS Sync.
The Synchronization screen opens.
- On the toolbar, click Remove this Group.
A popup screen opens to confirm the removal of the sync group.
- Click OK.
The screen refreshes, and the Add a New Sync Group screen opens, where you can re-create your sync group once you have upgraded the software on all of the controllers that belong to the sync group.
Known issues
The following items are known issues in the current release.
CR | Solution | Description |
CR9333 | SOL5189 | Multiple instances of the Configuration utility may overwrite each other |
CR11703 | SOL5265 | Production rules do not stop when the Stop Time is reached |
CR11710 | SOL5265 | Production rules do not stop when the Stop Time is reached |
CR14294 | SOL765 | Reverse ECV monitors mark nodes up only as frequently as the timeout period |
CR14955 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR14956 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR16629 | SOL311 | The production rule wizard does not allow changes to QOS settings for existing rules |
CR16971 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR16972 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR16973 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR17173 | SOL5078 | The Configuration utility allows special characters in configuration object names |
CR18008 | SOL312 | Equivalence operators in production rules must be separated on either side with a space |
CR18859 | SOL5370 | The Configuration utility reports an error if you attempt to add an invalid VS dependency |
CR19648 | SOL320 | The splash screen displayed by the first time configuration utility contained erroneous instructions |
CR20183 | SOL5179 | 3dpipe will not allow pool names that consist only of numerals |
CR20213 | SOL327 | QOS values for VS Capacity and Kilobytes/Second might change |
CR20322 | SOL328 | Ports List page does not display the ports enabled for a wide IP |
CR20337 | SOL766 | Debugging commands are not entirely removed from 3-DNS |
CR21176 | SOL767 | Changing the address of a wide IP to an invalid address can cause 3dnsconf.cgi to become unstable |
CR21513 | SOL334 | The Configuration utility might become unstable if a router is configured with multiple self addresses |
CR22374 | SOL780 | The Last Hit column on the Requests Statistics page actually displays persistence expiration |
CR22875 | SOL5260 | A unit in a redundant pair may still become active when 3dnsd is disabled |
CR23224 | SOL5032 | The Configuration utility does not correctly modify wide IP names |
CR23287 | SOL5254 | Correcting mis-matched self IP addresses in an active-active system may cause 3dnsd to crash |
CR23564 | SOL783 | Saved copies and new copies of snmptrap.conf can conflict after an upgrade |
CR24734 | SOL5230 | Auto-configuration may incorrectly set the Unit IDs on 3-DNS redundant pairs |
CR24735 | SOL5230 | Auto-configuration may incorrectly set the Unit IDs on 3-DNS redundant pairs |
CR25821 | SOL816 | F5 source addresses are not added to hosts.allow when the support account is enabled |
CR26610 | SOL336 | Disabling SNMP traps using the Configuration utility causes an error |
CR26784 | SOL5030 | 3-DNS may not respond to requests after upgrade if persistence and a sync group are configured |
CR27037 | SOL5186 | Changing a self IP address does not change associated bigdb entries |
CR27260 | SOL371 | Default gateway pools cannot be changed using the config command |
CR27359 | SOL5185 | 3dnsmaint cannot copy big3d to BIG-IP 3.x versions |
CR27501 | SOL399 | The config command reports an unnecessary error when a copy of 3dnsd is already running |
CR27791 | SOL437 | An error is logged to /var/log/3dns when a router is not configured for a datacenter |
CR27799 | SOL445 | An error may be reported when synchronizing iQuery keys |
CR27823 | SOL1290 | 3-DNS Controller adds a forward slash (/) to the beginning of the text added to the File Name field |
CR27923 | SOL446 | The network map never marks pool virtual servers red |
CR27924 | SOL446 | The network map never marks pool virtual servers red |
CR28099 | SOL486 | 3-DNS Controller still uses BIG-IP systems for probing when all prober factories have been deleted |
CR28180 | SOL5262 | 3-DNS may not properly create configuration statements for redundant pairs |
CR28228 | SOL509 | The 3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error |
CR28348 | SOL1491 | The Configuration utility appears to allow you to disable a datacenter, but does not actually change the configuration |
CR28529 | SOL509 | 3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error |
CR28459 | SOL1664 | Modifying a data center from the Configuration utility results in an error |
CR28626 | SOL554 | You cannot manage topology records with a web browser that uses the Sun Java Virtual Machine |
CR29967 | SOL2853 | The Wide IP Port drop down box can list only pre-configured ports |
CR30139 | SOL5169 | 3-DNS cannot determine the state of SSL proxies that use remote target servers |
CR30212 | SOL5032 | The Configuration utility does not correctly modify wide IP names |
CR30225 | SOL5258 | Manual configuration changes and synchronization may conflict |
CR30242 | SOL5185 | 3dnsmaint cannot copy big3d to BIG-IP 3.x versions |
CR30243 | SOL5191 | Versions of big3d included in 3-DNS 4.5 PTF-04 and later do not work on BIG-IP version 4.5 |
CR30783 | SOL2942 | Default gateway entry is converted to a default gateway pool |
CR31239 | SOL1865 | You must use the command line to clear LDNS statistics |
CR31928 | SOL766 | Debugging commands are not entirely removed from the 3-DNS Controller |
CR31946 | SOL1902 | You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication |
CR32729 | SOL743 | You cannot configure the ECV scan level of none using the Configuration utility |
CR32755 | SOL573 | In rare cases, a BIG-IP object with an address of 127.0.0.1 may be created |
CR32762 | SOL591 | The random pool load balancing mode distributes connections using a fixed ratio |
CR32977 | SOL2853 | The Wide IP Port drop down box can list only pre-configured ports |
CR33161 | SOL604 | Autoconf might not add all virtual servers when it is initially run after configuring the 3-DNS Controller |
CR33666 | SOL3343 | 3-DNS displays a large pending value for a link on the Probers Statistics page |
CR33671 | SOL5137 | Changes to Check Static Dependencies require a 3ndc restart to take effect |
CR33735 | SOL653 | The summary statistics provided for BIG-IP systems are inaccurate |
CR33815 | SOL761 | The table that contains Nokia NetAct SNMP traps might grow very large and use disk space |
CR33921 | SOL3657 | Available memory reported by the "memAvailReal" OID and the "vmstat" command differs |
CR34267 | SOL4717 | 3-DNS changes the interface media settings after running the Setup utility |
CR34599 | SOL2325 | The gray virtual server status is not documented |
CR35174 | SOL3818 | 3-DNS logs an error message in the /var/log/3dns file: |
CR35320 | SOL309 | The Telnet and FTP servers are not started when you enable Telnet and FTP |
CR37565 | SOL814 | After logging out, you cannot log in to NameSurfer as the same user |
CR37656 | SOL659 | Adding aliases to wide IPs can lead to NameSurfer zone corruption |
CR37919 | SOL676 | File locking is not performed when running the 3dns_add and sync_zones scripts |
CR38086 | SOL145 | Copper gigabit switch ports should not allow manual media settings |
CR38087 | SOL145 | Copper gigabit switch ports should not allow manual media settings |
CR38163 | SOL681 | The Explicit IP, Return to DNS, None, and Drop Packet load balancing modes do not work correctly |
CR38193 | SOL688 | The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled |
CR38340 | SOL692 | Sync groups allow synchronization across versions |
CR38491 | SOL688 | The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled |
CR38569 | SOL146 | The Return to previous page link does not work after entering invalid dates for the change log |
CR39381 | SOL150 | Disabling a link by name in an application object does not work |
CR39967 | SOL5259 | 3-DNS may not always create backward-compatible iQuery messages |
CR41714 | SOL312 | Equivalence operators in production rules must be separated on either side with a space |
CR41803 | SOL2942 | Default gateway entry is converted to a default gateway pool |
CR41805 | SOL309 | The Telnet and FTP servers are not started when you enable Telnet and FTP |
CR41808 | SOL311 | The production rule wizard does not allow changes to QOS settings for existing rules |
CR41809 | SOL312 | Equivalence operators in production rules must be separated on either side with a space |
CR41810 | SOL320 | Cannot access the Configuration utility after running the Setup utility |
CR41811 | SOL327 | QOS values for VS Capacity and Kilobytes/Second might change |
CR41812 | SOL328 | Ports List page does not display the ports that are enabled for a wide IP |
CR41814 | SOL334 | For multi-homed routers, you must configure the 3-DNS Controller with a link to the router that uses a self IP address on each of the multi-homed networks |
CR41816 | SOL5032 | The Configuration utility does not correctly modify wide IP names |
CR41824 | SOL371 | Default gateway pools cannot be changed using the config command |
CR41826 | SOL399 | The config command reports an unnecessary error when a copy of 3dnsd is already running |
CR41829 | SOL437 | An error is logged to /var/log/3dns when a router is not configured for a datacenter |
CR41830 | SOL445 | An error might be reported when synchronizing iQuery keys |
CR41831 | SOL446 | The network map never marks pool virtual servers red |
CR41833 | SOL467 | It is possible to partially remove a link by deleting its self address and VLAN |
CR41834 | SOL486 | 3-DNS Controller still uses BIG-IP systems for probing when all prober factories have been deleted |
CR41835 | SOL5262 | 3-DNS may not properly create configuration statements for redundant pairs |
CR41837 | SOL509 | 3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error |
CR41839 | SOL554 | You cannot manage topology records with a web browser that uses the Sun Java Virtual Machine |
CR41843 | SOL743 | You cannot configure the ECV scan level of none using the Configuration utility |
CR41844 | SOL573 | In rare cases, a BIG-IP object with an address of 127.0.0.1 may be created |
CR41845 | SOL591 | The random pool load balancing mode distributes connections using a fixed ratio |
CR41847 | SOL604 | Autoconf might not add all virtual servers when initially run after configuring the 3-DNS Controller |
CR41849 | SOL653 | The summary statistics provided for BIG-IP systems are inaccurate |
CR41853 | SOL659 | Adding aliases to wide IPs can lead to NameSurfer zone corruption |
CR41854 | SOL676 | File locking is not performed when running the 3dns_add and sync_zones scripts |
CR41855 | SOL681 | The Explicit IP, Return to DNS, None, and Drop Packet load balancing modes do not work correctly |
CR41856 | SOL688 | The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled |
CR41857 | SOL692 | Sync groups allow synchronization across versions |
CR41858 | SOL688 | The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled |
CR41866 | SOL766 | Debugging commands are not entirely removed from the 3-DNS Controller |
CR41876 | SOL2853 | The Wide IP Port drop down box can list only pre-configured ports |
CR41877 | SOL761 | The table that contains Nokia NetAct SNMP traps might grow very large and use disk space |
CR41884 | SOL765 | The Generate and Copy iQuery Encryption Key option detects BIG-IP/3-DNS combination products twice and attempts to copy the iQuery keys to each detected unit |
CR41887 | SOL767 | Changing the address of a wide IP to an invalid address can cause 3dnsconf.cgi to become unstable |
CR41888 | SOL780 | The Last Hit column on the Requests Statistics page actually displays persistence expiration |
CR41889 | SOL783 | Saved copies and new copies of snmptrap.conf can conflict after an upgrade |
CR41891 | SOL816 | F5 source addresses are not added to hosts.allow when the support account is enabled |
CR41897 | SOL1290 | 3-DNS Controller adds a forward slash (/) to the beginning of the text added to the File Name field |
CR41899 | SOL1491 | The Configuration utility appears to allow you to disable a datacenter, but does not actually change the configuration |
CR41902 | SOL1664 | Modifying a data center from the Configuration utility results in an error |
CR41909 | SOL1865 | You must use the command line to clear LDNS statistics |
CR41911 | SOL1866 | You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication |
CR41912 | SOL1902 | You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication |
CR41917 | SOL3343 | 3-DNS displays a large pending value for a link on the Probers Statistics page |
CR41919 | SOL3657 | Available memory reported by the "memAvailReal" OID and the "vmstat" command differs |
CR41922 | SOL3818 | 3-DNS logs an error message in the /var/log/3dns file: |
CR41926 | SOL5259 | 3-DNS may not always create backward-compatible iQuery messages |
CR42147 | SOL4717 | 3-DNS changes the interface media settings after running the Setup utility |
CR43497 | SOL5257 | 3-DNS will not sync changes to the prober address when you change it back to the default value |
CR43498 | SOL5257 | 3-DNS will not sync changes to the prober address when you change it back to the default value |
CR43639 | SOL5145 | BIND may not receive notification from NameSurfer when NameSurfer receives zone changes from the principal 3-DNS Controller |
CR46405 | SOL4810 | BIG-IP and 3-DNS may report "date not found" during installation |
CR46407 | SOL4810 | BIG-IP and 3-DNS may report "date not found" during installation |
CR46509 | SOL4497 | Switch appliances do not send an SNMP trap when booting because the switch ports are disabled |
CR47235 | SOL4572 | The login.conf file may be overwritten during an upgrade |
CR47236 | SOL4572 | The login.conf file may be overwritten during an upgrade |
CR47237 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR47261 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR47262 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR47276 | SOL4574 | BIG-IP and 3-DNS will not prevent you from installing unsupported versions on older hardware |
CR47296 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR47531 | SOL5064 | 3dnsd may crash when several hundred BIG-IPs are added to the configuration |
CR47532 | SOL5064 | 3dnsd may crash when several hundred BIG-IPs are added to the configuration |
CR48262 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR48313 | SOL4583 | The 3-DNS Controller is vulnerable to VU#222750 |
CR48351 | SOL4817 | 3-DNS may corrupt the CLASS field when responding to a AAAA record request |
CR48352 | SOL4817 | 3-DNS may corrupt the CLASS field when responding to a AAAA record request |
CR49272 | SOL4532 | The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228 |
CR49273 | SOL4532 | The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228 |
CR49336 | SOL4616 | BIG-IP and 3-DNS are vulnerable to CAN-2005-0488 |
CR49337 | SOL4616 | BIG-IP and 3-DNS are vulnerable to CAN-2005-0488 |
CR58321 | SOL6551 | Changes in US and Canada Daylight Saving Time |