
This section helps you learn more about the general upgrade guidelines before upgrading to NIOS releases.

Upgrade to NIOS 9.0.1 fails in the following scenarios:

  • When you upgrade to NIOS 9.0.1 and you upgrade or replace your X5 series appliance with an X6 series appliance while holding a valid X5 series license, you can use the X5 series license on the X6 series appliance until the license expires. However, you need to contact Infoblox Support to generate a new X5 series license so that it works with the X6 series appliance. The new license is generated with the X6 series appliance hardware ID and keeps the X5 series license validity.

  • If you try to upgrade to NIOS 9.0.1, distribution fails if CA certificates signed with the md5WithRSAEncryption or sha1WithRSAEncryption signature algorithms are present. Infoblox recommends that you delete these certificates before upgrading.

  • Upgrading to NIOS 9.0.1 is restricted, subject to the following checks:

    • CA certificates violating RFC: Subject Key Identifier MUST exist if CA=TRUE

    • Certificate validity dates

    • Restrict MD5 and SHA1 for Apache certificates and CA certificates

    • OpenVPN certificates. If you have old OpenVPN certificates, contact Infoblox Support before proceeding with the distribution.

  • If the Dual Engine DNS license is present in your Grid in the deleted or expired state (can be validated by running the show license CLI command on the node), contact Infoblox Support to have it removed. The NIOS upgrade fails if the license is not deleted.

  • Unbound upgrade guidelines:

    • If an Unbound license is present in the Grid, then upgrading to 9.0.1 will fail. You must manually remove the Unbound license and then proceed with the upgrade.

    • If you have offline Grid members and are not able to delete the Unbound license, then you must bring the Grid members online, remove the license, and then proceed with the upgrade. You can also contact Infoblox Support about creating a hotfix to clean up the Unbound licenses for the offline members.

    • If you had a temporary Unbound license that you deleted from Grid Manager, the license will still be present in the database and the upgrade will fail. Please contact Infoblox Support to completely remove the temporary license.

    • If Unbound is configured, the upgrade test fails to indicate that references to Unbound are being completely destroyed during the upgrade process.

  • Upgrade to NIOS 9.0.0 fails in the following scenarios:

    • Upgrading a NIOS 8.x Grid that is configured with Thales HSM to NIOS 9.0 is not supported. Also, configuring Thales HSM in a new NIOS 9.0.0 Grid is not supported.

    • Using an unsupported algorithm such as RSAMD5 (1), DSA (3), or DSA-NSEC3-SHA1 (6).

    • Using an invalid key size for RSASHA1 (5), RSA-NSEC3-SHA1 (7), or RSASHA256 (8); the key size should be within the range [1024 to 4096].

    • BIND performance may be poor if the DNS load originates from a small number of source IP addresses or ports.

    • Manually creating (through the import keyset) a DS record with an unsupported algorithm or digest type SHA-1.

    • If you are using Ubuntu and a CA certificate of key length 1024 and some unsupported ciphers, after a NIOS upgrade, services that depend on the unsupported ciphers cease to work.

    • In NIOS 9.0, the Cisco ISE endpoint (Cisco pxGrid 1.0) has been deprecated.

    • Infoblox recommends that you use a minimum size of 100 GB when using discovery resizable images. This applies even when upgrading a resizable discovery image whose size is lower than 100 GB.

    • Infoblox recommends using a minimum size of 70 GB for any file that has resizable as part of its file name. You can resize these files depending on your requirements and deployment.

    • If you are logging on to NIOS using SSO, in IDP Configuration you must enter the following URL in the SP Entity ID field: <grid_virtual IP address>:8765/metadata. If you are using Okta, the SP Entity ID field is also called the Audience URI field.

    • The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.

  • Before you upgrade to NIOS 9.0.x, check the validity of the uploaded CA certificates. If a certificate is invalid, install a new certificate that complies with the relevant RFCs (for example, RFC 5280). Failure to do so may result in the Grid Manager UI/WAPI not being accessible after the upgrade. However, NIOS will continue to be functional. To check the validity of the certificate, contact Infoblox Support.

  • A downgrade from NIOS 9.0.x to NIOS 8.4.x is not supported. Auto-synchronization from NIOS 9.0.x to NIOS 8.4.x is not supported.

  • If there are Threat Protection members in your Grid for the 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to BloxOne Threat Defense Cloud, and CAA records), ensure that you upload the latest Threat Protection ruleset for these features to function properly.

  • Infoblox recommends that you enable DNS Fault Tolerant Caching right after you upgrade to NIOS 8.2.x and later and keep this feature enabled to handle unreachable authoritative servers. Note that enabling this feature requires a DNS service restart, which will clear the current cache. Therefore, if you enable this when you are trying to mitigate an ongoing attack on an authoritative server that is outside of your control, it will clear the DNS cache, which will magnify the issues that your system is experiencing.

  • During a scheduled full upgrade to NIOS 8.1.0 and later versions, you can use only IPv4 addresses for NXDOMAIN redirection. You cannot use IPv6 addresses for NXDOMAIN redirection while the upgrade is in progress.

  • If you set up your Grid to use Infoblox Threat Insight but have not enabled automatic updates for Threat Analytics module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.

  • After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master to get the Cloud DNS Sync service to be functional. Until that time, Route 53 synchronization does not start because the service has not been started.

  • After an upgrade to NIOS 8.6.3 and later, the Cloud DNS Sync service starts automatically on the Grid member that is assigned to the Route 53 synchronization groups.

  • After an upgrade to NIOS 8.6.3 and later, the Disable Default Search Path and the Additional Search Paths fields will no longer be displayed in the Add Active Directory Authentication Service > Step 1 of 1 wizard.

  • If you upgrade to NIOS 8.6.3 or later, all IB-FLEX appliances or Grids that have the FLEX Grid Activation license or the MSP license will have the ReportingSPLA external attribute assigned automatically for supported Grid members.

  • After an upgrade to NIOS 8.6.3 and later, only 5% of allowed blocklist subscribers are supported for virtual DNS Cache Acceleration (vDCA).

  • The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.

  • If you are using threat analytics, you must have installed the minimum module set version (20210620) before upgrading to NIOS 8.6.1 or to NIOS 8.5.3 or later versions.
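
The DNSSEC-related failure scenarios listed for NIOS 9.0.0 (unsupported algorithms, RSA key sizes outside 1024 to 4096, DS records with a SHA-1 digest) can be checked against exported zone data before the upgrade. The following is an added example, not Infoblox code: it assumes DNSKEY and DS records in one-record-per-line presentation format, and the function names and sample records are constructed for illustration.

```python
import base64

# Taken from the list above: algorithms that fail, and RSA algorithms with a 1024-4096 key size range.
UNSUPPORTED = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
SIZE_CHECKED = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
SHA1_DIGEST_TYPE = 1  # DS digest type 1 is SHA-1 (RFC 4034)

def rsa_modulus_bits(key: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    if key[0] == 0:  # long form: 0x00 followed by a 16-bit exponent length
        exp_len, start = int.from_bytes(key[1:3], "big"), 3
    else:
        exp_len, start = key[0], 1
    return int.from_bytes(key[start + exp_len:], "big").bit_length()

def audit_records(zone_text: str) -> list:
    """Return one finding per DNSKEY or DS record matching a failure scenario."""
    findings = []
    for line in zone_text.splitlines():
        f = line.split(";")[0].split()  # drop comments, split into fields
        if "DNSKEY" in f:  # owner TTL IN DNSKEY flags protocol algorithm key
            i = f.index("DNSKEY")
            alg = int(f[i + 3])
            if alg in UNSUPPORTED:
                findings.append(f"{f[0]} DNSKEY: unsupported algorithm {UNSUPPORTED[alg]}({alg})")
            elif alg in SIZE_CHECKED:
                bits = rsa_modulus_bits(base64.b64decode("".join(f[i + 4:])))
                if not 1024 <= bits <= 4096:
                    findings.append(f"{f[0]} DNSKEY: {SIZE_CHECKED[alg]}({alg}) key size {bits}")
        elif "DS" in f:  # owner TTL IN DS key-tag algorithm digest-type digest
            i = f.index("DS")
            alg, digest_type = int(f[i + 2]), int(f[i + 3])
            if alg in UNSUPPORTED:
                findings.append(f"{f[0]} DS: unsupported algorithm {UNSUPPORTED[alg]}({alg})")
            elif digest_type == SHA1_DIGEST_TYPE:
                findings.append(f"{f[0]} DS: digest type SHA-1")
    return findings

def sample_rsa_key(bits: int) -> str:
    """Constructed sample data: RFC 3110 layout with a filler modulus, not a real key."""
    return base64.b64encode(b"\x03\x01\x00\x01\xc1" + b"\x5a" * (bits // 8 - 1)).decode()

SAMPLE_ZONE = "\n".join([  # constructed records for illustration only
    f"example.test. 3600 IN DNSKEY 257 3 8 {sample_rsa_key(2048)}",
    f"example.test. 3600 IN DNSKEY 256 3 5 {sample_rsa_key(512)}",
    f"example.test. 3600 IN DNSKEY 256 3 1 {sample_rsa_key(512)} ; RSAMD5",
    "child.example.test. 3600 IN DS 12345 8 1 " + "ab" * 20,
    "child.example.test. 3600 IN DS 12345 8 2 " + "cd" * 32,
])
```

Calling `audit_records(SAMPLE_ZONE)` returns three findings; an empty list means none of these record-level scenarios were found in the supplied text.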
