---

Minimum system requirements and supported browsers

The minimum system requirements for this release are:

• Intel® Pentium® III 550MHz processor
• 512MB disk drive or CompactFlash® card
• 256MB RAM

The supported browsers for the Configuration utility are:

• Microsoft® Internet Explorer 5.0, 5.5, and 6.0
• Netscape® Navigator 4.7x

Note: The IM package for this release is quite large. If the disk drive in your platform does not meet the minimum requirement, you may not be able to successfully install this release.

---

Installing the software

Important: If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the upgrade. Failure to do so may cause irrevocable damage to the controllers in the sync group that are running older versions of the software. Once you have upgraded all controllers to the same version, you can then re-create the sync group. For details on removing a controller from a sync group, see Removing a controller from a sync group. Once you have removed the controller from the sync group, you can proceed with the upgrade installation.

Note:  If you are updating the 3-DNS Controller module on a BIG-IP system, refer to the BIG-IP version 4.6.3 note for instructions on installing the upgrade. Applying the upgrade for BIG-IP version 4.6.3 also applies the upgrade to the 3-DNS module. The enhancements, fixes, and known issues for the 3-DNS Controller, however, are available only in the 3-DNS Controller version 4.6.3 release note.

The following instructions explain how to install the 3-DNS Controller version 4.6.3 onto existing systems running version 4.5 PTF-03 and later. The installation script saves your current configuration.

1. Go to the Downloads site and locate the 3-DNS version 4.6.3 upgrade file, BIGIP_4.6.3_Upgrade.im.

   3-DNS is not listed as a product line on the Downloads site; the image file is listed under the BIG-IP 4.x product line.

2. Download the software image and the BIGIP_4.6.4_Upgrade.md5 file.

   For information about how to download software, refer to SOL167: Downloading software from F5 Networks.

3. If you downloaded the image file to a directory other than /var/tmp, copy the image file to the /var/tmp/ directory on your 3-DNS system.

    

4. Check the md5 of the upgrade file by typing the following command:
   md5 BIGIP_4.6.3_Upgrade.im
   cat BIGIP_4.6.3_Upgrade.md5

   The two md5 values should be identical.

   Note: If the sums do not match, download the BIGIP_4.6.4_Upgrade.im file again and recheck the md5 for the file.

5. Install the upgrade by typing the following command:
   im BIGIP_4.6.3_Upgrade.im.

The 3-DNS Controller automatically reboots once it completes installation.

Updating the big3d agent

After the PTF installation has completed, you need to install the new version of the big3d agent on all BIG-IP systems known to the 3-DNS Controller, as follows:

1. Log on to the 3-DNS Controller at the command line.
   
   
2. Type 3dnsmaint to open the 3-DNS Maintenance menu.
   
   
3. Select Install and Start big3d, and press Enter.
   The 3-DNS Controller detects all BIG-IP systems in the network, and updates their big3d agents with the appropriate version of the agent.
   
   
4. Press Enter to return to the 3-DNS Maintenance menu.
   
   
5. Type Q to quit.

For more information about the big3d agent, see the 3-DNS Reference Guide.

---

Activating the license

Once you install the upgrade and connect the controller to the network, you need a valid license certificate to activate the software. To obtain a license certificate, you need to provide two items to the license server: a registration key and a dossier. The registration key  is a 25-character string. You should have received the key by email. The registration key lets the license server know which F5 products you are entitled to license. The dossier  is obtained from the software, and is an encrypted list of key characteristics used to identify the platform. If you do not have a registration key, please contact your vendor.

You can obtain a license certificate using one of the following methods:

• Automatic license activation
  You perform automatic license activation from the command line or from the web-based Configuration utility of an upgraded controller. This method automatically retrieves and submits the dossier to the F5 Networks license server, as well as installs the signed license certificate. In order for you to use this method, the controller must be installed on a network with Internet access.
  
  
• Manual license activation
  You perform manual license activation from the Configuration utility, which is the browser-based user interface. With this method, you submit the dossier to, and retrieve the signed license file from, the F5 Networks license server manually. In order for you to use this method, the administrative work station must have Internet access.

Note:  You can open the Configuration utility using either Netscape Navigator 4.7x, or Microsoft Internet Explorer 5.0, 5.5, or 6.0.

To automatically activate a license from the command line for first time installation

1. Type the user name root and the password default at the logon prompt.
   
   
2. At the prompt, type license. The following prompts appear:
   IP:
   Netmask:
   Default Route:
   Select interface to use to retrieve license:
   The 3-DNS Controller uses this information to make an Internet connection to the license server.
   
   
3. After you type the Internet connection information, continue to the following prompt:
   The Registration Key should have been included with the software or given when the order was placed. Do you have your Registration Key? [Y/N]:
   
   Type Y, and the following prompt displays:
   Registration Key:
   
   
4. Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
   The controller retrieves and sends the dossier to the F5 Networks license server, and the F5 Networks license server returns and installs a signed license file. A message displays indicating the process was successful.
   
   
5. You are asked to accept the End User License Agreement (EULA). Note that the system is not fully functional until you accept the EULA.
   
   
6. Press Enter to reboot the system. The system is not fully functional until you reboot.
   
   
7. If the licensing process is not successful, contact your vendor's technical support team.
   
   

To automatically activate a license from the command line for upgrades

1. Type your user name and password at the logon prompt.
   
   
2. At the prompt, type setup.
   
   
3. Choose menu option (L) License Activation.
   
   
4. The following prompt displays:
   Number of keys: 1
   If you have more than one registration key, enter the appropriate number, and press Enter.
   
   
5. The following prompt displays:
   Registration Key:
   
   Type the 25-character registration key you received. If you received more than one key, enter all of the keys, separating each with a space.
   The controller retrieves and sends the dossier to the F5 Networks license server, and the F5 Networks license server returns and installs a signed license file. A message displays indicating the process was successful.
   
   
6. If the licensing process is not successful, contact your vendor.

To manually activate a license using the Configuration utility

You can use the Configuration utility to manually activate a license for a previously-configured 3-DNS Controller and for a new controller. Before you can activate the license, however, you must logon to the Configuration utility.

To open the Configuration utility for an existing 3-DNS Controller

1. Open the Configuration utility using the configured address.
   
   
2. Type your user name and password at the logon prompt, and click OK.
   The Configuration utility home screen displays.

To open the Configuration utility for a new 3-DNS Controller

1. From the administrative work station, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
   
   
2. Type the user name root and the password default at the logon prompt, and click OK.
   The Configuration utility home screen displays.

Once you have successfully logged on to the Configuration utility, you can proceed with the manual license activation.

To manually activate a license using the Configuration utility

1. Click License Utility to open the License Administration screen.
   
   
2. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Manual Authorization.
   
   
3. At the Manual Authorization screen, retrieve the dossier using one of the following methods:
   
   
   • Copy the entire contents of the Product Dossier box.
     
     
   • Click Download Product Dossier, and save the dossier to the hard drive.
   
   
4. Click the link in the License Server box.
   The Activate F5 License screen opens in a new browser window.
   
   
5. From the Activate F5 License screen, submit the dossier using one of the following methods:
   
   
   • Paste the data you just copied into the Enter your dossier box, and click Activate.
     
     
   • At the Product Dossier box, click Browse to locate the dossier on the hard drive, and then click Activate.
   
   
   The screen returns a signed license file.
   
   
6. Retrieve the license file using one of the following methods:
   
   
   • Copy the entire contents of the signed license file.
     
     
   • Click Download license, and save the license file to the hard drive.
   
   
   
7. Return to the Manual Authorization screen, and click Continue.
   
   
8. At the Install License screen, submit the license file using one of the following methods:
   
   
   • Paste the data you copied into the License Server Output box, and click Install License.
     
     
   • At the License File box, click Browse to locate the license file on the hard drive, and then click Install License.
   
   
   The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
   
   
9. Click License Terms, review the EULA, and accept it.
   
   
10. At the Reboot Prompt screen, select when you want to reboot the platform.
    You must reboot the controller to complete the license activation.

To automatically activate a license using the Configuration utility

You can use the Configuration utility to automatically activate a license for a previously-configured 3-DNS Controller and for a new controller. Before you can activate the license, however, you must log on to the Configuration utility.

To open the Configuration utility for an existing 3-DNS Controller

1. Open the Configuration utility using the configured address.
   
   
2. Type your user name and password at the logon prompt, and click OK.
   The Configuration utility home screen displays.

To open the Configuration utility for a new 3-DNS Controller

1. From the administrative work station, open the Configuration utility using one of the following addresses: https://192.168.1.245 or https://192.168.245.245. These are default addresses on the units local area network.
   
   
2. Type the user name root and the password default at the logon prompt, and click OK.
   The Configuration utility home screen displays.

Once you have successfully logged on to the Configuration utility, you can proceed with the automatic license activation.

To automatically activate a license using the Configuration utility

1. Click License Utility to open the License Administration screen.
   
   
2. In the Registration Key box, type the 25-character registration key that you received. If you have more than one key to install, click Enter More Keys to install multiple keys. Once you have entered all registration keys, click Automated Authorization.
   
   The License Status screen displays status messages, and Process complete appears when the licensing activation is finished.
   
   
3. Click License Terms, review the EULA, and accept it.
   
   
4. At the Reboot Prompt screen, select when you want to reboot the platform.
   You must reboot the controller to complete the license activation.

---

Changes to existing features

This release includes the following changes in product behavior.

Solution	Description
SOL739	Versions of software packages used in this release
SOL1020	Reserved words for this release
SOL3689	Routes in /config/routes and /etc/netstart are removed
SOL3747	The user is now prevented from deleting the LDAP default.key
SOL3748	The FTBU now warns that it can rewrite zone files
SOL4011	Routes are now reloaded when changes to VLANs, interfaces, or self addresses are made
SOL4366	DNS proxy port now closed by default and a new global to open it
SOL4025	sshd.conf is now backed up when an upgrade is run
SOL4100	Hops and round trip time may no longer be used together in QOS calculations
SOL4101	ICMP and UDP high port probing may no longer be used together in RTT calculations
SOL4179	Hardware platforms supported by this release
SOL4180	SEE-IT providers are no longer included in this release
SOL4189	The topology database has been updated
SOL4324	You can now configure whether or not 3-DNS probes disabled objects
SOL4376	New versions of big3d are included in this release
SOL4402	big3d will now log a message when it exits
SOL4548	Ties in VS selection will now result in randomized response
SOL4557	Allow "?" to pass the checktrap.pl content test
SOL4570	EDGE-FX is no longer supported by 3-DNS

[ Top ]

---

New features in this release

This release includes the following new features.

Connection Rate Limit settings  (CR24840)
This release of the BIG-IP system includes new Connection Rate and Rate Limit settings with which you can measure the number of connections per second. You can then use this statistic to limit the number of connections to a node address. This feature is useful if there are times when you expect to have insufficient resources to service all requests, but you also want to ensure that all available servers are performing at maximum capacity. For example, if you have a data center that has enough capacity to handle the load when all the servers are functional, but you need to bring down half of the servers at a certain time in order to update the content. In this instance, the load may exceed the capacity of the remaining servers and cause the servers to become overloaded and unable to function at their maximum sustainable capacity. To avoid this situation, you can configure the BIG-IP system node connection rate limits to the maximum sustainable rate for each server. This prevents the servers from becoming over-burdened, and thus fewer requests are discarded.

In addition, if you are using the 3-DNS Controller to load balance traffic between data centers, you can use the virtual server rate limit in conjunction with global Available Connection Rate or Quality of Service load balancing to shift the load from the degraded data center to a data center with sufficient capacity.

For more information on configuring the Connection Rate and Rate Limit settings, see SOL4184: Configuring 3-DNS to limit connections to a virtual server based on the rate of requests rather than the number of concurrent requests

Radware SNMP Prober  (CR41010)
The 3-DNS Controller can now gather metrics from Radware machines configured on the network. For more information, see SOL4181: Configuring 3-DNS to probe Radware local traffic management products

Configuring client-side authentication using HTTPS ECV  (CR41651)
In this release you can configure client-side authentication using the HTTPS ECV monitor. If you currently use SSL and client-side certificates for authentication, you may want to configure this feature. This feature allows you to monitor the content of pages while using client-side authentication. To configure this feature, you can specify a certificate path in the ECV Certificate box on the Modify Wide IP screen in the Configuration utility, or specify a client_cert string in the ecv portion of the wideip.conf file. For more information, see SOL4182: Configuring 3-DNS to supply a client SSL certificate for an Extended Content Verification (ECV) health monitor

IP Classifier database  (CR41800)
In this release we have updated the IP Classifier database used by the 3-DNS Controller. For more information, see SOL4189: Most recent updates to the 3-DNS Controller's IP Classifier database

Recursion bit settings  (CR43974)
We have added a new global variable in this release that allows you to configure whether the 3-DNS Controller sets the recursion bit (RA bit) for replies issued by 3dnsd. This feature may be useful in cases where you have applications that only accept DNS responses that have the recursion bit set. This feature is disabled by default. For more information, see SOL4187: Setting the recursion bit for 3dnsd replies on the 3-DNS Controller

BIND Vulnerabilities VU#938617 and VU#327633 (CR44372)
This release includes BIND version 9.3.1. This version of BIND addresses the BIND vulnerabilities described in Vulnerability Note VU#938617 and VU#327633 on the CERT® Coordination Center Web site. For more information on the vulnerabilities, see http://www.kb.cert.org/vuls/id/734644.

New fixes in this release

In the 4.6.3 release, on a trial basis, we have modified the format for displaying CRs for fixes and known issues. The CRs are now listed in a table format, with the corresponding solution listed next to the CR. Clicking the solution link directs you to the more detailed solution document that is posted on the AskF5 Technical Support Web Site. We continually update these solution documents on AskF5 as new details become available. If additional known issues are discovered after we release version 4.6.3, we will update the known issues table with the new CR and solution numbers, with the goal of keeping you current on our known issues.

If you encounter a solution that does not have an active link, it is likely that we have not yet had a chance to get the solution posted on AskF5, but please continue to check this table for new content or links.

This release includes the following new fixes.

CR	Solution	Description
CR14926	SOL3676	3dnsmaint does not copy iQuery keys to remote units
CR22419	SOL4408	Inability to delete files during an upgrade might result in unallocated iNodes
CR23634	SOL3678	sod reports unnecessary bigapi_unit_mask errors
CR26589	SOL4201	The IP classifier database can now be loaded from the Configuration utility
CR27161	SOL3701	Help for bigpipe class did not exist
CR27161	SOL3703	Help for bigpipe interface did not exist
CR27161	SOL3705	Help for bigpipe reset did not exist
CR27161	SOL3707	Help for bigpipe list did not exist
CR27161	SOL3710	Help for bigpipe merge did not exist
CR27161	SOL3711	Help for bigpipe base save did not exist
CR27161	SOL3712	Help for bigpipe base list did not exist
CR27161	SOL3713	Help for bigpipe save did not exist
CR27205	SOL3715	Syslog listens on UDP port 514
CR27252	SOL3716	Auto discovery and configuration does not ignore loopback virtual servers
CR27424	SOL3717	NTP fails after loading the configuration using the Configuration utility
CR27820	SOL5057	The error message "WARN:FlushAllIQM: iqBufFlush() failed" may be logged after restart
CR27878	SOL3726	Probing always uses the same interface and source address
CR28079	SOL3729	Server appliances enter a netboot loop after a halt command is issued
CR28101	SOL3730	The Configuration utility does not allow more than 39 topology entries
CR28316	SOL1660	Zombie processes might be generated when a terminal server is attached
CR28316	SOL3733	Duplicate VLANs appear when a self IP address on the 135./8 network is configured
CR28408	SOL2720	Cannot establish an SSH connection from a new BIG-IP system or 3-DNS Controller received as an RMA
CR28497	SOL3739	3-DNS Controller might truncate some zone entries when used as a secondary DNS
CR29599	SOL3739	Automatic discovery and configuration occur even when globally disabled
CR29730	SOL3715	Syslog listens on UDP port 514
CR29843	SOL3787	BIG-IP 2400, 5000, and 5100 units might lock up during reboot
CR29859	SOL4402	big3d now logs a message when it exits
CR30235	SOL3809	3-DNS Controller logs an unnecessary "No nodes up" message
CR30583	SOL3812	Random pool selection is not random, and selects the same pool every time
CR30877	SOL4242	The im -Q command does not always report the correct versions for installed packages
CR30995	SOL3815	Fiber gigabit ports show output errors on switch appliances
CR31388	SOL5178	The full_debug script may add duplicate or overlapping statements to syslog.conf
CR31551	SOL3822	Disabling a datacenter does not cause another 3-DNS Controller to become the principle unit
CR32148	SOL3825	sync_zones might leave a stale pid file and refuse to run
CR32375	SOL3896	Dropped packet counters in netstat and bigpipe interface might be inconsistent
CR32975	SOL3904	One-time auto discovery continues to run each time 3dnsd restarts
CR33286	SOL3906	/etc/syslog.conf comments indicate the wrong location of checktrap.pl
CR33614	SOL3907	The status legend is incorrect
CR33624	SOL3908	The Allow Fragmentation option remains in the Configuration utility
CR34446	SOL3915	Problems with internal interface drivers might make BIG-IP system unresponsive
CR34472	SOL3915	3dpipe syncgroup does not report principle status
CR34525	SOL3917	The standby system might send a gratuitous ARP using the floating IP address
CR34737	SOL5041	The Configuration utility will not accept host addresses that end in .255
CR35576	SOL3969	3dnsd might crash due to internal mishandling of long error messages
CR35576	SOL3969	3dnsd might become unstable due to incorrectly formatted errors
CR36377	SOL4405	High speed interface statistics are reported in the wrong units
CR36863	SOL3979	Routers probed by SNMP v1 might be weighted incorrectly
CR36926	SOL3981	vs_capacity is able to choose down or disabled virtual servers
CR36998	SOL3982	3-DNS Controller does not always choose the closest prober
CR37147	SOL3987	The system might become unstable when running the ANIP kernel and using the bpf device
CR37260	SOL3988	DMA support is disabled on the D35 platform
CR38552	SOL4005	Changing a wide IP name does not update associated aliases in Namesurfer
CR38795	SOL4006	3-DNS Controller might become unstable during a synchronization process
CR38838	SOL4007	Upgrade process does not successfully update the root.hint file
CR39078	SOL4009	libpng version 1.0.9 contains security vulnerabilities
CR39175	SOL4015	3-DNS units might become unresponsive when inter-communicating
CR40149	SOL4060	Topology entries with not (!) cannot be deleted using the Configuration utility
CR40389	SOL3369	BIG-IP system and 3-DNS Controller are vulnerable to VU#395670/CAN-2004-0171
CR40390	SOL3369	BIG-IP system and 3-DNS Controller are vulnerable to VU#395670/CAN-2004-0171
CR40428	SOL3372	SNMP traps are sent using the wrong OID base
CR41099	SOL4087	qkview might enter an infinite loop and produce a huge output file
CR41113	SOL4088	Syslog does not attempt enough retries when logging many simultaneous messages
CR41203	SOL4089	root.hint file is missing after clean installation
CR41267	SOL4378	The man page for the dig command is missing
CR41715	SOL4321	The 3dns_add script prompts the user to synchronize a default named.conf file
CR41801	SOL4402	big3d now logs a message when it exits
CR41836	SOL2720	Cannot establish an SSH connection from a new BIG-IP system or 3-DNS Controller system received as an RMA
CR41852	SOL2325	The gray virtual server status is not documented
CR41863	SOL4321	The 3dns_add script prompts the user to synchronize a default named.conf file
CR41879	SOL3372	SNMP traps are sent using the wrong OID base
CR41881	SOL4405	High speed interface statistics are reported in the wrong units
CR41948	SOL4408	Inability to delete files during an upgrade might result in unallocated iNodes
CR42101	SOL5041	The Configuration utility will not accept host addresses that end in .255
CR42283	SOL4203	3-DNS Controller does not respond to AAAA or A6 records
CR42429	SOL4207	Apache mod_include vulnerability CAN-2004-0940
CR42529	SOL4100	Hops and round trip time can no longer be used together in QOS calculations
CR42529	SOL4101	ICMP and UDP high port probing can no longer be used together in RTT calculations
CR42530	SOL4100	Hops and round trip time may no longer be used together in QOS calculations
CR42530	SOL4101	ICMP and UDP high port probing may no longer be used together in RTT calculations
CR42531	SOL4100	Hops and round trip time may no longer be used together in QOS calculations
CR42531	SOL4101	ICMP and UDP high port probing may no longer be used together in RTT calculations
CR42532	SOL4100	Hops and round trip time may no longer be used together in QOS calculations
CR42532	SOL4101	ICMP and UDP high port probing may no longer be used together in RTT calculations
CR42760	SOL4208	The string "--" cannot be used in certificate names
CR42763	SOL4208	The string "--" cannot be used in certificate names
CR42764	SOL4209	RRD graphs are improperly cached
CR42843	SOL4326	System crashes, panics, and hangs fixed in this release
CR43530	SOL4324	You can now configure whether 3-DNS Controller probes disabled objects
CR43583	SOL4328	The ntpd daemon fails to run when more than 128 VLANs exist
CR43628	SOL4326	System crashes, panics, and hangs that have been fixed in this release
CR43643	SOL4328	The ntpd daemon fails to run when more than 128 VLANs exist
CR44148	SOL4209	RRD graphs are improperly cached
CR44270	SOL4334	The 3dpipe command now disables a datacenter correctly
CR44372	SOL4351	BIND VU#938617
CR44375	SOL4326	System crashes, panics, and hangs that have been fixed in this release
CR44376	SOL4326	System crashes, panics, and hangs that have been fixed in this release
CR44450	SOL4334	The 3dpipe command now disables a datacenter correctly
CR44570	SOL4160	3-DNS Controller marks down any BIG-IP version 9.x virtual servers that are configured to use rules
CR44684	SOL4335	BIG-IP system internal variables are now configurable on 3-DNS Controllers
CR44685	SOL4335	BIG-IP system internal variables are now configurable on 3-DNS Controllers
CR44712	SOL4326	3dnsd might crash due to internal mishandling of long error messages
CR44780	SOL4336	The config_ssh script might time out prematurely when attempting to connect
CR44781	SOL4336	The config_ssh script might time out prematurely when attempting to connect
CR44807	SOL4326	3dnsd might crash due to internal mishandling of long error messages
CR44994	SOL4550	The bigpipe man page references incorrect locations for named.conf and named.boot
CR45015	SOL4326	System crashes, panics, and hangs that have been fixed in this release
CR45121	SOL3969	3dnsd may crash due to internal mishandling of long error messages
CR45187	SOL4550	The bigpipe man page references incorrect locations for named.conf and named.boot
CR45625	SOL4559	A small memory leak occurs in 3dnsd when snmpd is restarted
CR45736	SOL4559	A small memory leak occurs in 3dnsd when snmpd is restarted
CR47917	SOL5077	The Configuration utility may crash when displaying production rules
CR47918	SOL5077	The Configuration utility may crash when displaying production rules
CR48152	SOL4809	BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280
CR48153	SOL4809	BIG-IP and 3-DNS are vulnerable to CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280

 

---

Features and fixes released in prior releases

The current release includes the features and fixes that were distributed in prior feature releases, as listed below.

Version 4.6.2

System statistics screen  (CR28085)
This release includes a System Graph Statistics screen in the Configuration utility that displays statistics about the 3-DNS system in a graphical format so that you can view changes and trends in statistics over time. The System Graph Statistics screen displays statistics including CPU usage and memory usage.
To view the System Graph Statistics screen, in the left pane of the Configuration utility, click Statistics and then click System Graphs.

Support for BIND 9.2.2 and Namesurfer version 3.0.6 
This version of the 3-DNS software includes the BIND DNS server version 9.2.2 and Namesurfer^TM version 3.0.6. This version of the BIND software contains security enhancements as well as DNS protocol enhancements. For added security, the named utility now runs in a chroot environment. Namesurfer version 3.0.6 supports some, but not all of the BIND 9.2.2 feature set. It does not support Views or ACLs. This version of the 3-DNS software does not support A6 or ipv6 (AAAA) records, and it does not support DHCP.

Important:  If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts in version 9. If you have named.conf or zone-files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. For more information see, BIND 9 file system migration in the Required configuration changes section of this release note.

BIND MIB removed   (CR38482)
In previous releases, the 3-DNS system exposed the BIND rfc1611 MIB. This MIB is removed in this release.

RSA SecurID authentication 
This version of the 3-DNS software includes support for RSA SecurID® authentication, the remote authentication protocol used by RSA ACE/Server® software. RSA SecurID authentication is a two-part authentication mechanism that requires both a user ID and a passcode that changes every 60 seconds. For more information on RSA SecurID authentication, please see http://www.rsasecurity.com/node.asp?id=1156. To configure RSA SecurID authentication, see Configuring RSA SecurID authentication in the Optional configuration changes section of this release note.

Version rollback script 
This release includes a rollback script that allows you to return to the previous version of the 3-DNS software, after you upgrade. This script is designed to allow you to rollback the software version in instances where you upgrade before you discover that the new version of the software is incompatible with your specific network configuration. You can use the script to return only within the major version (see SOL4476: BIG-IP Software Lifecycle Policy) of the BIG-IP software that was installed on the system prior to the upgrade. Any configuration changes you make after the upgrade are lost when you run the rollback script.

To use the rollback feature you must create a rollback IM package before you upgrade to a different version of the software.

Important:  The mkrb file for version 4.6.2 contains a defect. If you install a rollback package created by the version 4.6.2 mkrb file, the rollback procedure will fail. If you are running version 4.6.2 and you want to create a rollback IM package, we recommend that you use the mkrb file included with version 4.6.3 to create the package.

To create a rollback IM package in /var/tmp/rb using the version 4.6.3 mkrb file, use the following procedure:

1. Change your directory to /var/tmp by typing the following command:
   cd /var/tmp
   
   
2. Extract the mkrb file from the 4.6.3 upgrade package by typing the following command:
   -tar -xzf BIGIP_4.6.3_Upgrade.im usr/local/bin/mkrb
   
   
3. Create the necessary rollback files by typing the following command:
   ./usr/local/bin/mkrb BIGIP_4.6.3_Upgrade.im
   
   

This creates an IM package that you can run on the 3-DNS system if you want to return to the previous version of the software. The IM upgrade package you create is located in the /var/tmp/rb directory.
To install the rollback IM package, type the following commands:
cd /var/tmp/rb
im <rollback_im_package_name>.im

Note:  If you install the rollback package created by the script and decide that you want to upgrade to a later version of the software in the future, you will need to use the im -force /var/tmp/rb/<rollback_im_package_name>.im command to install the IM package.

named watchdog 
A new variable is included in this release that initiates a failover and restarts the named utility if the named utility fails for any reason. You can enable this variable using the command line utility. Use the following command to enable this feature:

bigpipe db set "Common.Bigip.Failover.OnNamedFail" = true

After you enable or disable this variable, we recommend that you start, stop, and restart the named utility using the following commands:

bigstart startup named
bigstart shutdown named
bigstart restart named

Support for TFTP 
This version of the 3-DNS software supports TFTP (Trivial File Transport Protocol rev 2 - rfc1350) traffic control.

Version 4.6.1

This release includes the following fix.

The OpenSSL package has been upgraded to version 0.9.7d (CR33306) (CR33755)
The OpenSSL package has been upgraded to version 0.9.7d. This upgrade addresses several recent security issues with OpenSSL described in Technical Cyber Security Alert TA04-078A. This version addresses CERT vulnerabilities VU#288574 and VU#484726. For more information on the resolved security issues, see http://www.us-cert.gov/cas/techalerts/TA04-078A.html.

Version 4.6

The 4.6 release contains several new features for the BIG-IP and Link Controller software.

---

Required configuration changes

Once you have installed the software, you must make the following required configuration changes, if appropriate.

BIND 9 file system migration

If you are currently using BIND version 8, be aware that the file system layout has changed and there are new executables and scripts included in version 9. If you have named.conf or zone-files stored in non-standard locations, you need to move these files before you upgrade to this version of the software. If you have edited the named.conf or zone-files by hand, the named.conf files may not work properly when you upgrade. The BIG-IP system runs a check after upgrade to make sure that the named.conf and zone-files are working correctly. If the BIG-IP system detects problems converting these files, the system displays an error message in the Configuration utility, and logs error messages to the /var/named/etc/conversion.log log file. The table below lists the F5 standard file locations for BIND versions 8 and 9.

BIND 8	BIND 9	File
/etc/named.conf	/var/named/etc/named.conf	Main configuration file
/etc/namedb	/var/named/etc/namedb	Zone files
ndc	rdnc	ndc utility

BIND 9 does not support the ndc utility. The ndc utility is replaced with the rndc utility in this release. You can use the rndc utility to stop or re-load the configuration. However, we do not recommend using the rndc utility to start named. You should use the bigstart named or sod-named commands to start named.

---

Removing a controller from a sync group

If you are upgrading a 3-DNS Controller that belongs to a sync group, you must remove the controller from the sync group before you apply the upgrade. Once you have upgraded all controllers to the same version, you can then re-create the sync group. Once you have removed the controller from the sync group, you can proceed with the upgrade installation.

Note: You can re-create the sync group once you have upgraded the software for all of the controllers that belong to the sync group.

To remove a controller from a sync group using the Configuration utility

1. In the navigation pane, click 3-DNS Sync.
   The Synchronization screen opens.
   
   
2. In the Remove column, next to the controller that you want to remove from the sync group, click the Remove button.
   A popup screen opens to confirm the removal of the controller.
   
   
3. Click OK.
   The screen refreshes, and the controller is no longer listed as a member of the sync group.
   
   
4. Repeat these tasks for any additional sync group members that you want to remove from the sync group.

Alternately, you can remove the entire sync group, instead of removing the controllers one at a time.

To remove a sync group using the Configuration utility

1. In the navigation pane, click 3-DNS Sync.
   The Synchronization screen opens.
   
   
2. On the toolbar, click Remove this Group.
   A popup screen opens to confirm the removal of the sync group.
   
   
3. Click OK.
   The screen refreshes, and the Add a New Sync Group screen opens, where you can re-create your sync group once you have upgraded the software on all of the controllers that belong to the sync group.
   
   

 

---

Known issues

The following items are known issues in the current release.

CR	Solution	Description
CR9333	SOL5189	Multiple instances of the Configuration utility may overwrite each other
CR11703	SOL5265	Production rules do not stop when the Stop Time is reached
CR11710	SOL5265	Production rules do not stop when the Stop Time is reached
CR14294	SOL765	Reverse ECV monitors mark nodes up only as frequently as the timeout period
CR14955	SOL5078	The Configuration utility allows special characters in configuration object names
CR14956	SOL5078	The Configuration utility allows special characters in configuration object names
CR16629	SOL311	The production rule wizard does not allow changes to QOS settings for existing rules
CR16971	SOL5078	The Configuration utility allows special characters in configuration object names
CR16972	SOL5078	The Configuration utility allows special characters in configuration object names
CR16973	SOL5078	The Configuration utility allows special characters in configuration object names
CR17173	SOL5078	The Configuration utility allows special characters in configuration object names
CR18008	SOL312	Equivalence operators in production rules must be separated on either side with a space
CR18859	SOL5370	The Configuration utility reports an error if you attempt to add an invalid VS dependency
CR19648	SOL320	The splash screen displayed by the first time configuration utility contained erroneous instructions
CR20183	SOL5179	3dpipe will not allow pool names that consist only of numerals
CR20213	SOL327	QOS values for VS Capacity and Kilobytes/Second might change
CR20322	SOL328	Ports List page does not display the ports enabled for a wide IP
CR20337	SOL766	Debugging commands are not entirely removed from 3-DNS
CR21176	SOL767	Changing the address of a wide IP to an invalid address can cause 3dnsconf.cgi to become unstable
CR21513	SOL334	The Configuration utility might become unstable if a router is configured with multiple self addresses
CR22374	SOL780	The Last Hit column on the Requests Statistics page actually displays persistence expiration
CR22875	SOL5260	A unit in a redundant pair may still become active when 3dnsd is disabled
CR23224	SOL5032	The Configuration utility does not correctly modify wide IP names
CR23287	SOL5254	Correcting mis-matched self IP addresses in an active-active system may cause 3dnsd to crash
CR23564	SOL783	Saved copies and new copies of snmptrap.conf can conflict after an upgrade
CR24734	SOL5230	Auto-configuration may incorrectly set the Unit IDs on 3-DNS redundant pairs
CR24735	SOL5230	Auto-configuration may incorrectly set the Unit IDs on 3-DNS redundant pairs
CR25821	SOL816	F5 source addresses are not added to hosts.allow when the support account is enabled
CR26610	SOL336	Disabling SNMP traps using the Configuration utility causes an error
CR26784	SOL5030	3-DNS may not respond to requests after upgrade if persistence and a sync group are configured
CR27037	SOL5186	Changing a self IP address does not change associated bigdb entries
CR27260	SOL371	Default gateway pools cannot be changed using the config command
CR27359	SOL5185	3dnsmaint cannot copy big3d to BIG-IP 3.x versions
CR27501	SOL399	The config command reports an unnecessary error when a copy of 3dnsd is already running
CR27791	SOL437	An error is logged to /var/log/3dns when a router is not configured for a datacenter
CR27799	SOL445	An error may be reported when synchronizing iQuery keys
CR27823	SOL1290	3-DNS Controller adds a forward slash (/) to the beginning of the text added to the File Name field
CR27923	SOL446	The network map never marks pool virtual servers red
CR27924	SOL446	The network map never marks pool virtual servers red
CR28099	SOL486	3-DNS Controller still uses BIG-IP systems for probing when all prober factories have been deleted
CR28180	SOL5262	3-DNS may not properly create configuration statements for redundant pairs
CR28228	SOL509	The 3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error
CR28348	SOL1491	The Configuration utility appears to allow you to disable a datacenter, but does not actually change the configuration
CR28529	SOL509	3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error
CR28459	SOL1664	Modifying a data center from the Configuration utility results in an error
CR28626	SOL554	You cannot manage topology records with a web browser that uses the Sun Java Virtual Machine
CR29967	SOL2853	The Wide IP Port drop down box can list only pre-configured ports
CR30139	SOL5169	3-DNS cannot determine the state of SSL proxies that use remote target servers
CR30212	SOL5032	The Configuration utility does not correctly modify wide IP names
CR30225	SOL5258	Manual configuration changes and synchronization may conflict
CR30242	SOL5185	3dnsmaint cannot copy big3d to BIG-IP 3.x versions
CR30243	SOL5191	Versions of big3d included in 3-DNS 4.5 PTF-04 and later do not work on BIG-IP version 4.5
CR30783	SOL2942	Default gateway entry is converted to a default gateway pool
CR31239	SOL1865	You must use the command line to clear LDNS statistics
CR31928	SOL766	Debugging commands are not entirely removed from the 3-DNS Controller
CR31946	SOL1902	You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication
CR32729	SOL743	You cannot configure the ECV scan level of none using the Configuration utility
CR32755	SOL573	In rare cases, a BIG-IP object with an address of 127.0.0.1 may be created
CR32762	SOL591	The random pool load balancing mode distributes connections using a fixed ratio
CR32977	SOL2853	The Wide IP Port drop down box can list only pre-configured ports
CR33161	SOL604	Autoconf might not add all virtual servers when it is initially run after configuring the 3-DNS Controller
CR33666	SOL3343	3-DNS displays a large pending value for a link on the Probers Statistics page
CR33671	SOL5137	Changes to Check Static Dependencies require a 3ndc restart to take effect
CR33735	SOL653	The summary statistics provided for BIG-IP systems are inaccurate
CR33815	SOL761	The table that contains Nokia NetAct SNMP traps might grow very large and use disk space
CR33921	SOL3657	Available memory reported by the "memAvailReal" OID and the "vmstat" command differs
CR34267	SOL4717	3-DNS changes the interface media settings after running the Setup utility
CR34599	SOL2325	The gray virtual server status is not documented
CR35174	SOL3818	3-DNS logs an error message in the /var/log/3dns file:
CR35320	SOL309	The Telnet and FTP servers are not started when you enable Telnet and FTP
CR37565	SOL814	After logging out, you cannot log in to NameSurfer as the same user
CR37656	SOL659	Adding aliases to wide IPs can lead to NameSurfer zone corruption
CR37919	SOL676	File locking is not performed when running the 3dns_add and sync_zones scripts
CR38086	SOL145	Copper gigabit switch ports should not allow manual media settings
CR38087	SOL145	Copper gigabit switch ports should not allow manual media settings
CR38163	SOL681	The Explicit IP, Return to DNS, None, and Drop Packet load balancing modes do not work correctly
CR38193	SOL688	The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled
CR38340	SOL692	Sync groups allow synchronization across versions
CR38491	SOL688	The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled
CR38569	SOL146	The Return to previous page link does not work after entering invalid dates for the change log
CR39381	SOL150	Disabling a link by name in an application object does not work
CR39967	SOL5259	3-DNS may not always create backward-compatible iQuery messages
CR41714	SOL312	Equivalence operators in production rules must be separated on either side with a space
CR41803	SOL2942	Default gateway entry is converted to a default gateway pool
CR41805	SOL309	The Telnet and FTP servers are not started when you enable Telnet and FTP
CR41808	SOL311	The production rule wizard does not allow changes to QOS settings for existing rules
CR41809	SOL312	Equivalence operators in production rules must be separated on either side with a space
CR41810	SOL320	Cannot access the Configuration utility after running the Setup utility
CR41811	SOL327	QOS values for VS Capacity and Kilobytes/Second might change
CR41812	SOL328	Ports List page does not display the ports that are enabled for a wide IP
CR41814	SOL334	For multi-homed routers, you must configure the 3-DNS Controller with a link to the router that uses a self IP address on each of the multi-homed networks
CR41816	SOL5032	The Configuration utility does not correctly modify wide IP names
CR41824	SOL371	Default gateway pools cannot be changed using the config command
CR41826	SOL399	The config command reports an unnecessary error when a copy of 3dnsd is already running
CR41829	SOL437	An error is logged to /var/log/3dns when a router is not configured for a datacenter
CR41830	SOL445	An error might be reported when synchronizing iQuery keys
CR41831	SOL446	The network map never marks pool virtual servers red
CR41833	SOL467	It is possible to partially remove a link by deleting its self address and VLAN
CR41834	SOL486	3-DNS Controller still uses BIG-IP systems for probing when all prober factories have been deleted
CR41835	SOL5262	3-DNS may not properly create configuration statements for redundant pairs
CR41837	SOL509	3-DNS Controller might display a 331781 memory error, but not fail the operation that caused the error
CR41839	SOL554	You cannot manage topology records with a web browser that uses the Sun Java Virtual Machine
CR41843	SOL743	You cannot configure the ECV scan level of none using the Configuration utility
CR41844	SOL573	In rare cases, a BIG-IP object with an address of 127.0.0.1 may be created
CR41845	SOL591	The random pool load balancing mode distributes connections using a fixed ratio
CR41847	SOL604	Autoconf might not add all virtual servers when initially run after configuring the 3-DNS Controller
CR41849	SOL653	The summary statistics provided for BIG-IP systems are inaccurate
CR41853	SOL659	Adding aliases to wide IPs can lead to NameSurfer zone corruption
CR41854	SOL676	File locking is not performed when running the 3dns_add and sync_zones scripts
CR41855	SOL681	The Explicit IP, Return to DNS, None, and Drop Packet load balancing modes do not work correctly
CR41856	SOL688	The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled
CR41857	SOL692	Sync groups allow synchronization across versions
CR41858	SOL688	The Hops, RTT, and QOS load balancing modes return a single virtual server if probing is disabled
CR41866	SOL766	Debugging commands are not entirely removed from the 3-DNS Controller
CR41876	SOL2853	The Wide IP Port drop down box can list only pre-configured ports
CR41877	SOL761	The table that contains Nokia NetAct SNMP traps might grow very large and use disk space
CR41884	SOL765	The Generate and Copy iQuery Encryption Key option detects BIG-IP/3-DNS combination products twice and attempts to copy the iQuery keys to each detected unit
CR41887	SOL767	Changing the address of a wide IP to an invalid address can cause 3dnsconf.cgi to become unstable
CR41888	SOL780	The Last Hit column on the Requests Statistics page actually displays persistence expiration
CR41889	SOL783	Saved copies and new copies of snmptrap.conf can conflict after an upgrade
CR41891	SOL816	F5 source addresses are not added to hosts.allow when the support account is enabled
CR41897	SOL1290	3-DNS Controller adds a forward slash (/) to the beginning of the text added to the File Name field
CR41899	SOL1491	The Configuration utility appears to allow you to disable a datacenter, but does not actually change the configuration
CR41902	SOL1664	Modifying a data center from the Configuration utility results in an error
CR41909	SOL1865	You must use the command line to clear LDNS statistics
CR41911	SOL1866	You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication
CR41912	SOL1902	You must configure a self IP address for a new system before using 3dnsmaint to set up SSH communication
CR41917	SOL3343	3-DNS displays a large pending value for a link on the Probers Statistics page
CR41919	SOL3657	Available memory reported by the "memAvailReal" OID and the "vmstat" command differs
CR41922	SOL3818	3-DNS logs an error message in the /var/log/3dns file:
CR41926	SOL5259	3-DNS may not always create backward-compatible iQuery messages
CR42147	SOL4717	3-DNS changes the interface media settings after running the Setup utility
CR43497	SOL5257	3-DNS will not sync changes to the prober address when you change it back to the default value
CR43498	SOL5257	3-DNS will not sync changes to the prober address when you change it back to the default value
CR43639	SOL5145	BIND may not receive notification from NameSurfer when NameSurfer receives zone changes from the principal 3-DNS Controller
CR46405	SOL4810	BIG-IP and 3-DNS may report "date not found" during installation
CR46407	SOL4810	BIG-IP and 3-DNS may report "date not found" during installation
CR46509	SOL4497	Switch appliances do not send an SNMP trap when booting because the switch ports are disabled
CR47235	SOL4572	The login.conf file may be overwritten during an upgrade
CR47236	SOL4572	The login.conf file may be overwritten during an upgrade
CR47237	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR47261	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR47262	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR47276	SOL4574	BIG-IP and 3-DNS will not prevent you from installing unsupported versions on older hardware
CR47296	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR47531	SOL5064	3dnsd may crash when several hundred BIG-IPs are added to the configuration
CR47532	SOL5064	3dnsd may crash when several hundred BIG-IPs are added to the configuration
CR48262	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR48313	SOL4583	The 3-DNS Controller is vulnerable to VU#222750
CR48351	SOL4817	3-DNS may corrupt the CLASS field when responding to a AAAA record request
CR48352	SOL4817	3-DNS may corrupt the CLASS field when responding to a AAAA record request
CR49272	SOL4532	The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228
CR49273	SOL4532	The BIG-IP system and 3-DNS Controller are vulnerable to CAN-2005-0758, CAN-2005-0988, and CAN-2005-1228
CR49336	SOL4616	BIG-IP and 3-DNS are vulnerable to CAN-2005-0488
CR49337	SOL4616	BIG-IP and 3-DNS are vulnerable to CAN-2005-0488
CR58321	SOL6551	Changes in US and Canada Daylight Saving Time

Copyright © 1996-2005, F5 Networks, Inc., Seattle, Washington.  All rights reserved. 
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, GLOBAL-SITE, SEE-IT, EDGE-FX, FireGuard, Internet Control Architecture, IP Application Switch, iRules, OneConnect, Packet Velocity, SYN Check, Control Your World, ZoneRunner, uRoam, FirePass, and TrafficShield are registered trademarks or trademarks of F5 Networks, Inc., in the U.S. and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. F5 Networks' trademarks may not be used in connection with any product or service except as permitted in writing by F5.