This section details general and specific upgrade prerequisites that you must follow before upgrading NIOS versions. It also details features that are impacted by a NIOS upgrade and guidelines that you must follow before the upgrade.
NIOS 9.0.x to NIOS 9.0.2
Target Version | Current Version
---|---
9.0.2 | 9.0.1

Upgrade Prerequisites:

- If you set up your Grid to use Infoblox Threat Insight (known as Threat Analytics in versions earlier than 9.0.5) but have not enabled automatic updates for Threat Insight module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.
- Accelerated Networking must be disabled in Microsoft Azure for NIOS members before upgrading to 9.0.x, because it is not compatible with NIOS 9.0.x and may cause the member not to rejoin the Grid after upgrading. The VM or, if applicable, all VMs within the availability set may need to be stopped or deallocated before Accelerated Networking is disabled.
- In NIOS 8.6 and earlier versions, BIND allowed the listen-on, notify-source, and query-source options to be configured on port 53 for both IPv4 and IPv6 addresses. From NIOS 9.0.x onwards, this configuration is not recommended because BIND does not support the listen-on, notify-source, and query-source options using the same port for both IPv4 and IPv6. Such a configuration can cause BIND to fail during start-up.
- If you have used the ZSK or KSK algorithm key size 640 (which is invalid in BIND 9.16), the upgrade may fail.
- If the length of the DH key is lower than 1024, the upgrade will fail.
- Splunk does not support TLS version 1.3, so NIOS reporting will not work if you disable all other TLS versions and enable only TLS version 1.3. A warning to this effect is displayed if you enable only TLS version 1.3.
- Upgrading to NIOS 9.0.x is restricted, subject to the following checks:
  - CA certificates violating RFC: the Subject Key Identifier MUST exist if CA=TRUE
  - Certificate validity dates
  - MD5 and SHA1 are restricted for Apache certificates and CA certificates
  - OpenVPN certificates: if you have old OpenVPN certificates, contact Infoblox Support before proceeding with the distribution
- If the Dual Engine DNS license is present in your Grid in the deleted or expired state (which you can validate by running the show license CLI command on the node), contact Infoblox Support to have it removed. The NIOS upgrade fails if the license is not deleted.
- Unbound upgrade guidelines:
  - If an Unbound license is present in the Grid, upgrading to 9.0.x will fail. You must manually remove the Unbound license and then proceed with the upgrade.
  - If you have offline Grid members and are not able to delete the Unbound license, you must bring the Grid members online, remove the license, and then proceed with the upgrade. You can also contact Infoblox Support about creating a hotfix to clean up the Unbound licenses for the offline members.
  - If you had a temporary Unbound license that you deleted from Grid Manager, the license is still present in the database and the upgrade will fail. Contact Infoblox Support to completely remove the temporary license.
  - If Unbound is configured, the upgrade test fails in order to indicate that all references to Unbound will be completely removed during the upgrade process.
- Using an unsupported algorithm such as RSAMD5 (1), DSA (3), or DSA-NSEC3-SHA1 (6) may cause the upgrade to fail.
- Using an invalid key size for RSASHA1 (5), RSA-NSEC3-SHA1 (7), or RSASHA256 (8) (the size must be within the range 1024 to 4096) may cause the upgrade to fail.
- Manually creating (through the import keyset) a DS record with an unsupported algorithm or the SHA-1 digest type may cause the upgrade to fail.
- The shared secret that you enter when adding a RADIUS authentication server (Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field) must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.
- When you upgrade to NIOS 9.0.x, distribution fails if CA certificates signed with md5WithRSAEncryption or sha1WithRSAEncryption are present. Infoblox recommends that you delete these certificates before upgrading.
- When you upgrade to NIOS 9.0.x and upgrade or replace your X5 series appliance with an X6 series appliance while holding a valid X5 series license, you can use the X5 series license on the X6 series appliance until the license expires. However, you must contact Infoblox Support to generate a new X5 series license that works with the X6 series appliance. The new license is generated with the X6 series appliance hardware ID and has the X5 series license validity.
- After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master for the Cloud Sync (Cloud DNS Sync in 9.0.x versions prior to 9.0.4) service to become functional. Until then, Route 53 synchronization does not start because the service has not been started.
- If you are using Threat Insight (known as Threat Analytics in versions earlier than 9.0.5), you must have installed the minimum module set version (20210620) before upgrading to NIOS 9.x.
- From NIOS 9.0.0 onwards, when you define a sort list using the Grid DNS Properties > Sort List tab, ensure that you select or add the correct network and set the correct prefix or netmask. Otherwise, the DNS service fails to start because of an invalid configuration. An example of an invalid configuration is 11.14.73.0/16, where the address has host bits set beyond the /16 prefix. The corresponding syslog error is:

  `/infoblox/var/named_conf/named.conf:60: '11.14.73.0/16': address/prefix length mismatch '16'`
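The following is an added example, not Infoblox code: it validates sort list entries the same way BIND does when the DNS service starts, using Python's ipaddress module, and for a mismatched entry such as 11.14.73.0/16 reports the network the entry should be changed to. The SORTLIST entries are constructed sample input.

```python
import ipaddress

# Constructed sort list entries in the form NIOS writes into named.conf (sample input, not a real Grid).
SORTLIST = ["10.0.0.0/8", "11.14.73.0/16", "192.168.5.0/24", "2001:db8:1::/48", "2001:db8::1/64"]


def check_sortlist_entry(entry):
    """Return None if the entry is a valid network, else a message naming the corrected network.

    BIND rejects an address whose host bits are not all zero for the given prefix length
    (syslog: "'11.14.73.0/16': address/prefix length mismatch '16'") and the DNS service then
    fails to start, so such entries must be fixed before the upgrade.
    """
    try:
        ipaddress.ip_network(entry, strict=True)      # strict: host bits must be zero
        return None
    except ValueError:
        pass
    try:
        corrected = ipaddress.ip_network(entry, strict=False)   # the network the prefix really covers
    except ValueError:
        return f"{entry}: not a valid IP address or prefix"
    address = entry.split("/")[0]
    return (f"{entry}: address/prefix length mismatch; use {corrected}, "
            f"or keep {address} with a longer prefix that matches it")


def check_sortlist(entries):
    """Return all problems found; an empty list means the sort list will not block DNS start-up."""
    return [msg for msg in map(check_sortlist_entry, entries) if msg]
```

Running check_sortlist(SORTLIST) flags 11.14.73.0/16 (use 11.14.0.0/16) and 2001:db8::1/64 (use 2001:db8::/64).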
Upgrade Impact Features:

- If you have enabled Accelerated Networking or SR-IOV on NIOS members in Microsoft Azure, Infoblox requires you to upgrade to NIOS 9.0.5 or later.
- If you are using Ubuntu with a CA certificate of key length 1024 and some unsupported ciphers, services that depend on the unsupported ciphers cease to work after a NIOS upgrade.
- If you log on to NIOS using SSO, in IDP Configuration you must enter the following URL in the SP Entity ID field: `<grid_virtual IP address>:8765/metadata`. If you are using Okta, the SP Entity ID field is also called the Audience URI field.
- Before you upgrade to NIOS 9.0.x, check the validity of the uploaded CA certificates. If a certificate is invalid, install a new certificate that complies with the RFCs (for example, RFC 5280). Failure to do so may result in the Grid Manager UI and WAPI not being accessible after the upgrade, although NIOS itself continues to function. To check the validity of the certificate, contact Infoblox Support.
- If there are Threat Protection members in your Grid, ensure that you upload the latest Threat Protection ruleset so that features such as Grid Master Candidate test promotion, forwarding recursive queries to Infoblox Threat Defense Cloud, and CAA records function properly.
- From NIOS 9.0.0 onwards, the Cisco ISE endpoint (Cisco pxGrid 1.0) has been deprecated.
- Infoblox recommends a minimum size of 100 GB when using resizable discovery images. This applies even when upgrading a resizable discovery image whose size is lower than 100 GB.
NIOS 8.6.x to NIOS 9.0.2
Target Version | Current Version
---|---
9.0.x | 8.6.x

Upgrade Prerequisites:

- Upgrading a NIOS 8.x Grid that is configured with Thales HSM to NIOS 9.x is not supported. Configuring Thales HSM in a new NIOS 9.x Grid is also not supported.
- Using an unsupported algorithm such as RSAMD5 (1), DSA (3), or DSA-NSEC3-SHA1 (6) may cause the upgrade to fail.
- Using an invalid key size for RSASHA1 (5), RSA-NSEC3-SHA1 (7), or RSASHA256 (8) (the size must be within the range 1024 to 4096) may cause the upgrade to fail.
- Manually creating (through the import keyset) a DS record with an unsupported algorithm or the SHA-1 digest type may cause the upgrade to fail.
- In NIOS 8.6 and earlier versions, BIND allowed the listen-on, notify-source, and query-source options to be configured on port 53 for both IPv4 and IPv6 addresses. From NIOS 9.0.x onwards, this configuration is not recommended because BIND does not support the listen-on, notify-source, and query-source options using the same port for both IPv4 and IPv6. Such a configuration can cause BIND to fail during start-up.
- Before you upgrade to NIOS 9.0.x, check the validity of the uploaded CA certificates. If a certificate is invalid, install a new certificate that complies with the RFCs (for example, RFC 5280). Failure to do so may result in the Grid Manager UI and WAPI not being accessible after the upgrade, although NIOS itself continues to function. To check the validity of the certificate, contact Infoblox Support.
- If you set up your Grid to use Infoblox Threat Insight but have not enabled automatic updates for Threat Analytics module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.
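As an added example (not Infoblox code), the following Python script checks DNSKEY and DS records in zone-file presentation format against the DNSSEC constraints listed in both the 9.0.x and the 8.6.x prerequisites above: unsupported algorithms 1, 3 and 6, RSA key sizes outside 1024 to 4096 for algorithms 5, 7 and 8, and DS records with the SHA-1 digest type. It assumes that the key sizes are RSA modulus lengths in bits and that records carry the IN class; the sample records are constructed, with dummy moduli rather than real keys.

```python
import base64

UNSUPPORTED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
SIZE_CHECKED_ALGS = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS, MAX_BITS = 1024, 4096          # assumed: the documented range is the RSA modulus length in bits
DS_DIGEST_SHA1 = 1

def rsa_modulus_bits(key_b64):
    """Modulus length of an RFC 3110 RSA public key: exponent-length prefix, exponent, modulus."""
    raw = base64.b64decode(key_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:                     # long form: a two-byte exponent length follows
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def check_record(rr):
    """Return the upgrade-blocking problems in one DNSKEY or DS record (presentation format, IN class)."""
    f = rr.split()
    i = f.index("IN")                    # fields after the class: type, then type-specific rdata
    owner, rtype = f[0], f[i + 1]
    if rtype == "DNSKEY":                # rdata: flags protocol algorithm public-key
        alg, key = int(f[i + 4]), "".join(f[i + 5:])
        if alg in UNSUPPORTED_ALGS:
            return [f"{owner}: unsupported DNSKEY algorithm {UNSUPPORTED_ALGS[alg]} ({alg})"]
        if alg in SIZE_CHECKED_ALGS:
            bits = rsa_modulus_bits(key)
            if not MIN_BITS <= bits <= MAX_BITS:
                return [f"{owner}: {SIZE_CHECKED_ALGS[alg]} ({alg}) key size {bits} is outside {MIN_BITS}-{MAX_BITS}"]
    elif rtype == "DS" and int(f[i + 4]) == DS_DIGEST_SHA1:   # rdata: key-tag algorithm digest-type digest
        return [f"{owner}: DS record uses the SHA-1 digest type"]
    return []

def check_zone(records):
    """Run check_record over all records; an empty result means no DNSSEC upgrade blocker was found."""
    return [problem for rr in records for problem in check_record(rr)]

def constructed_rsa_dnskey(owner, alg, bits):
    """Test fixture only: a DNSKEY with exponent 65537 and a dummy modulus of the requested size."""
    modulus = b"\x80" + b"\x00" * (bits // 8 - 1)
    rdata = bytes([3, 1, 0, 1]) + modulus
    return f"{owner} 3600 IN DNSKEY 257 3 {alg} {base64.b64encode(rdata).decode()}"

# Constructed sample: the 640-bit key, the RSAMD5 key and the SHA-1 DS record should each be flagged.
SAMPLE_RECORDS = [
    constructed_rsa_dnskey("example.com.", 8, 640),
    constructed_rsa_dnskey("example.com.", 8, 2048),
    "example.com. 3600 IN DNSKEY 256 3 1 " + base64.b64encode(bytes([3, 1, 0, 1, 0x80])).decode(),
    "sub.example.com. 3600 IN DS 12345 8 1 0123456789abcdef0123456789abcdef01234567",
]
```

Calling check_zone(SAMPLE_RECORDS) returns three findings, one for each of the flagged records, and the same function can be run over a real DNSKEY/DS export before the upgrade.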
Upgrade Impact Features:

- BIND performance may be poor if the DNS load originates from a small number of source IP addresses or ports.
- If you are using Ubuntu with a CA certificate of key length 1024 and some unsupported ciphers, services that depend on the unsupported ciphers cease to work after a NIOS upgrade.
- A downgrade from NIOS 9.0.x to NIOS 8.4.x is not supported.
- Auto-synchronization from NIOS 9.0.x to NIOS 8.4.x is not supported.
- If there are Threat Protection members in your Grid, ensure that you upload the latest Threat Protection ruleset so that the NIOS 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to BloxOne Threat Defense Cloud, and CAA records) function properly.
- Infoblox recommends that you enable DNS Fault Tolerant Caching right after you upgrade to NIOS 8.2.x and later and keep this feature enabled to handle unreachable authoritative servers. Note that enabling this feature requires a DNS service restart, which clears the current cache. Therefore, if you enable it while trying to mitigate an ongoing attack on an authoritative server that is outside of your control, the restart clears the DNS cache and magnifies the issues your system is experiencing.
- During a scheduled full upgrade to NIOS 8.1.0 and later versions, you can use only IPv4 addresses for NXDOMAIN redirection. You cannot use IPv6 addresses for NXDOMAIN redirection while the upgrade is in progress.
- After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master for the Cloud DNS Sync service to become functional. Until then, Route 53 synchronization does not start because the service has not been started.
- After an upgrade to NIOS 8.6.3 and later, the Cloud DNS Sync service starts automatically on the Grid member that is assigned to the Route 53 synchronization groups.
- After an upgrade to NIOS 8.6.3 and later, the Disable Default Search Path and the Additional Search Paths fields are no longer displayed in the Add Active Directory Authentication Service > Step 1 of 1 wizard.
- If you upgrade to NIOS 8.6.3 or later, all IB-FLEX appliances or Grids that have the FLEX Grid Activation license or the MSP license have the ReportingSPLA external attribute assigned automatically for supported Grid members.
- After an upgrade to NIOS 8.6.3 and later, only 5% of allowed blocklist subscribers is supported for virtual DNS Cache Acceleration (vDCA).