Upgrading from 8.x to 9.0.x

End-of-Life Announcement: NIOS 8.6.x will reach its end-of-life (EoL) in April 2025. Infoblox recommends that you upgrade to NIOS 9.x to ensure continued support and coverage.

There is no direct upgrade path from NIOS 8.6.5 to NIOS 9.x until the release of NIOS 9.0.7 (expected in mid-2025). Customers should remain on their existing NIOS 8.6.x versions and plan to upgrade directly to NIOS 9.x before April 30, 2025, to ensure continuous support. Infoblox recommends that most customers upgrade directly to NIOS 9.x and do not upgrade to NIOS 8.6.5.

Infoblox recommends that you upgrade to NIOS 9.0.x from these tested and validated releases:

8.6.2, 8.5.5, and 8.4.8

You cannot upgrade to NIOS 9.0.x from NIOS 8.3.x and earlier releases.

If you are upgrading to 9.x from a version lower than 9.0.0, apply the NIOS-98022 hotfix before the upgrade. For more information, see https://support.infoblox.com/s/article/How-to-recover-NIOS-from-old-certificate-related-issues

The following matrix lists the upgrade prerequisites and guidelines that you must follow when upgrading from 8.x to the corresponding 9.0.x versions.

Current Version: 8.x

Upgrade Version: 9.0.x

Upgrade Prerequisites and Upgrade Impact Features:

  • Upgrading a NIOS 8.x Grid that is configured with Thales HSM to NIOS 9.x is not supported. Also, configuring Thales HSM in a new NIOS 9.x Grid is not supported.

  • Using an unsupported algorithm such as RSAMD5(1), DSA(3), or DSA-NSEC3-SHA1(6) may cause the upgrade to fail.

  • Using an invalid key size for RSASHA1(5), RSA-NSEC3-SHA1(7), or RSASHA256(8) (the key size should be within the range 1024 to 4096) may cause the upgrade to fail.

  • Manually creating (through the import keyset) a DS record with an unsupported algorithm or digest type SHA-1 may cause the upgrade to fail.

  • In NIOS 8.6 and earlier versions, BIND allowed the configuration of the listen-on, notify-source, and query-source options on port 53 for both IPv4 and IPv6 addresses. Starting from NIOS 9.0.x, this configuration is not recommended because BIND does not support the listen-on, notify-source, and query-source options using the same port for both IPv4 and IPv6. Having this configuration can cause BIND to fail during start-up.

  • Before you upgrade to NIOS 9.0.x, check the validity of the CA certificates uploaded. If the certificate is invalid, install a new certificate that is in compliance with RFCs (for example RFC 5280). Failure to do so may result in the Grid Manager UI/WAPI not being accessible after the upgrade. However, NIOS will continue to be functional. To check the validity of the certificate, contact Infoblox Support.

  • If you set up your Grid to use Infoblox Threat Insight but have not enabled automatic updates for Threat Analytics module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.

  • BIND performance may be poor if the DNS load originates from a small number of source IP addresses or ports.

  • If you are using Ubuntu and a CA certificate of key length 1024 and some unsupported ciphers, after a NIOS upgrade, services that depend on the unsupported ciphers cease to work.

  • A downgrade from NIOS 9.0.x to NIOS 8.4.x is not supported. Auto-synchronization from NIOS 9.0.x to NIOS 8.4.x is not supported.

  • If there are Threat Protection members in your Grid for the 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to BloxOne Threat Defense Cloud, and CAA records), ensure that you upload the latest Threat Protection ruleset for these features to function properly.

  • Infoblox recommends that you enable DNS Fault Tolerant Caching right after you upgrade to NIOS 8.2.x and later and keep this feature enabled to handle unreachable authoritative servers. Note that enabling this feature requires a DNS service restart, which will clear the current cache. Therefore, if you enable this when you are trying to mitigate an ongoing attack on an authoritative server that is outside of your control, it will clear the DNS cache, which will magnify the issues that your system is experiencing.

  • During a scheduled full upgrade to NIOS 8.1.0 and later versions, you can use only IPv4 addresses for NXDOMAIN redirection. You cannot use IPv6 addresses for NXDOMAIN redirection while the upgrade is in progress.

  • After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master to get the Cloud DNS Sync service to be functional. Until that time, Route 53 synchronization does not start because the service has not been started.

  • After an upgrade to NIOS 8.6.3 and later, the Cloud DNS Sync service starts automatically on the Grid member that is assigned to the Route 53 synchronization groups.

  • After an upgrade to NIOS 8.6.3 and later, the Disable Default Search Path and the Additional Search Paths fields will no longer be displayed in the Add Active Directory Authentication Service > Step 1 of 1 wizard.

  • If you upgrade to NIOS 8.6.3 or later, all IB-FLEX appliances or Grids that have the FLEX Grid Activation license or the MSP license will have the ReportingSPLA external attribute assigned automatically for supported Grid members.

  • After an upgrade to NIOS 8.6.3 and later, only 5% of allowed blocklist subscribers is supported for virtual DNS Cache Acceleration (vDCA).
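The DNSSEC items in the list above (unsupported algorithms, RSA key size range, SHA-1 DS digests) can be screened before the upgrade by scanning exported DNSKEY and DS records. The following is an added example, not Infoblox tooling or part of the original page; it assumes records in presentation format, one per line (as printed by dig), reads "key size" as the RSA modulus length in bits, and all function names and sample records are constructed for illustration.

```python
import base64

# Limits taken from the upgrade notes above; key size is read as modulus bits (assumption).
UNSUPPORTED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
SIZE_CHECKED_ALGS = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS, MAX_BITS = 1024, 4096

def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RSA DNSKEY public key (RFC 3110 wire layout)."""
    long_form = pubkey[0] == 0  # exponent length then sits in the next two bytes
    exp_len = int.from_bytes(pubkey[1:3], "big") if long_form else pubkey[0]
    return int.from_bytes(pubkey[(3 if long_form else 1) + exp_len:], "big").bit_length()

def check_records(lines):
    """Return (owner, type, problem) for each DNSKEY/DS record the notes flag."""
    findings = []
    for line in lines:
        tok = line.split(";")[0].split()  # drop trailing zone-file comments
        pos = next((i for i, t in enumerate(tok[:4]) if t in ("DNSKEY", "DS")), None)
        if pos is None:
            continue
        owner, rtype, rdata = tok[0], tok[pos], tok[pos + 1:]
        if rtype == "DNSKEY":  # rdata: flags protocol algorithm base64-key...
            alg = int(rdata[2])
            if alg in SIZE_CHECKED_ALGS:
                bits = rsa_modulus_bits(base64.b64decode("".join(rdata[3:])))
                if not MIN_BITS <= bits <= MAX_BITS:
                    findings.append((owner, rtype, f"{SIZE_CHECKED_ALGS[alg]} key is {bits} bits"))
        else:  # rdata: key-tag algorithm digest-type digest
            alg = int(rdata[1])
            if int(rdata[2]) == 1:  # DS digest type 1 is SHA-1
                findings.append((owner, rtype, "SHA-1 digest type"))
        if alg in UNSUPPORTED_ALGS:
            findings.append((owner, rtype, f"unsupported algorithm {UNSUPPORTED_ALGS[alg]}"))
    return findings

def sample_key(bits):  # constructed RSA key: e=65537, all-ones modulus
    return base64.b64encode(b"\x03\x01\x00\x01" + b"\xff" * (bits // 8)).decode()

SAMPLE = [  # constructed records, one per line as in dig output
    f"example.test. 3600 IN DNSKEY 257 3 8 {sample_key(2048)}",
    f"example.test. 3600 IN DNSKEY 256 3 5 {sample_key(512)}",
    f"old.example.test. 3600 IN DNSKEY 257 3 1 {sample_key(1024)}",
    "child.example.test. 3600 IN DS 12345 8 1 " + "ab" * 20,
    "child.example.test. 3600 IN DS 12345 3 2 " + "cd" * 32,
]

if __name__ == "__main__":
    print(*check_records(SAMPLE), sep="\n")
```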
