9.0.4 Upgrade Prerequisites

This section details general and specific upgrade prerequisites that you must follow before upgrading NIOS versions.

Ensure that you read these prerequisites completely before proceeding with the upgrade.

NIOS 9.0.4 Upgrade Prerequisites

Read the following prerequisites before upgrading to NIOS 9.0.4:

  • If you set up your Grid to use Infoblox Threat Insight (known as Threat Analytics in versions earlier than 9.0.5) but have not enabled automatic updates for Threat Insight module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.

  • Accelerated Networking must be disabled in Microsoft Azure for NIOS members before upgrading to 9.0.x as it is not compatible with NIOS 9.0.x and may cause the member to not rejoin the Grid after upgrading. The VM or, if applicable, all VMs within the availability set may need to be stopped or deallocated before Accelerated Networking is disabled.

  • In NIOS 8.6 and earlier versions, BIND allowed the listen-on, notify-source, and query-source options to be configured on port 53 for both IPv4 and IPv6 addresses. Starting from NIOS 9.0.x, this configuration is not recommended because BIND does not support using the same port for both IPv4 and IPv6 in the listen-on, notify-source, and query-source options. Keeping this configuration can cause BIND to fail during start-up.

  • If you have used the ZSK or KSK algorithm key size 640 (which is invalid in BIND 9.16), the upgrade may fail.

  • If the DH key length is shorter than 1024 bits, the upgrade will fail.

  • From NIOS 9.0.4 onwards, the CPUID hypervisor bit (CPUID(1).ECX bit 31) must be enabled for VM guests. It is enabled by default on all VM hypervisors, but it can be disabled in some hosting configurations. Do not disable it.

  • Splunk does not support TLS version 1.3 and therefore NIOS reporting will not work if you disable all other TLS versions and enable only TLS version 1.3. A warning to this effect is displayed if you enable only TLS version 1.3.

  • After an upgrade to NIOS 9.0.4 or later, for Route 53 synchronization to function properly, ensure that your network firewall settings permit access to the global STS endpoint (sts.amazonaws.com) and to the regional STS endpoints for your region listed on the AWS STS Regions and endpoints page. This is required for establishing connectivity between the NIOS appliance and your configured AWS accounts.

  • Before upgrading to NIOS 9.0.4 or later, ensure that the AWS account used for Amazon Route 53 synchronization has the AmazonRoute53ReadOnlyAccess permission. Otherwise, add the following actions explicitly to the permission:

    • route53:GetHostedZone

    • route53:ListHostedZones

    • route53:ListResourceRecordSets

    • route53:ListTagsForResources

    • route53:ListQueryLoggingConfigs

    • route53:GetHealthCheck
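The following pre-upgrade check is an added example, not Infoblox's or AWS's own code: it reads an IAM policy document and reports which of the six Route 53 actions listed above are not effectively allowed, matching action names the way IAM does (case-insensitive, with * wildcards, and an explicit Deny overriding any Allow). The sample policy is constructed for illustration.

```python
import fnmatch
import json

# The six Route 53 actions the prerequisites list as required when the
# AmazonRoute53ReadOnlyAccess managed permission is not attached.
REQUIRED_ACTIONS = [
    "route53:GetHostedZone",
    "route53:ListHostedZones",
    "route53:ListResourceRecordSets",
    "route53:ListTagsForResources",
    "route53:ListQueryLoggingConfigs",
    "route53:GetHealthCheck",
]

# Constructed sample policy (not a real account's policy): the List* wildcard
# and GetHostedZone are granted, but GetHealthCheck is never allowed.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["route53:List*", "route53:GetHostedZone"]},
    ],
})

def _patterns(policy: dict, effect: str) -> list[str]:
    """Collect the Action patterns of every statement with the given Effect."""
    found = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        found.extend([actions] if isinstance(actions, str) else actions)
    return found

def _matches(action: str, patterns: list[str]) -> bool:
    # IAM matches action names case-insensitively and supports * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_route53_actions(policy_json: str) -> list[str]:
    """Return the required actions the policy does not effectively allow.

    An action counts as allowed only if some Allow statement matches it and
    no Deny statement does, because an explicit Deny always wins in IAM.
    """
    policy = json.loads(policy_json)
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    return [a for a in REQUIRED_ACTIONS
            if not _matches(a, allow) or _matches(a, deny)]
```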

  • Upgrading to NIOS 9.0.x is restricted, subject to the following checks:

    • CA certificates that violate the RFC requirement that a Subject Key Identifier MUST exist when CA=TRUE

    • Certificate validity dates

    • Restrict MD5 and SHA1 for Apache certificates and CA certificates

    • OpenVPN certificates. If you have old OpenVPN certificates, contact Infoblox Support before proceeding with the distribution.

  • If the Dual Engine DNS license is present in your Grid in the deleted or expired state (can be validated by running the show license CLI command on the node), contact Infoblox Support to have it removed. The NIOS upgrade fails if the license is not deleted.

  • Unbound upgrade guidelines:

    • If an Unbound license is present in the Grid, then upgrading to 9.0.x will fail. You must manually remove the Unbound license and then proceed with the upgrade.

    • If you have offline Grid members and are not able to delete the Unbound license, then you must bring the Grid members online, remove the license, and then proceed with the upgrade. You can also contact Infoblox Support about creating a hotfix to clean up the Unbound licenses for the offline members.

    • If you had a temporary Unbound license that you deleted from Grid Manager, the license will still be present in the database and the upgrade will fail. Please contact Infoblox Support to completely remove the temporary license.

    • If Unbound is configured, the upgrade test fails in order to indicate that all references to Unbound are completely removed during the upgrade process.

  • Using an unsupported algorithm such as RSAMD5 (1), DSA (3), or DSA-NSEC3-SHA1 (6) may cause the upgrade to fail.

  • Using an invalid key size for RSASHA1 (5), RSA-NSEC3-SHA1 (7), or RSASHA256 (8) (the key size must be within the range 1024 to 4096 bits) may cause the upgrade to fail.

  • Manually creating (through keyset import) a DS record with an unsupported algorithm or with the SHA-1 digest type may cause the upgrade to fail.
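The following check is an added example, not Infoblox's own tooling, covering the DNSSEC prerequisites above (the 640-bit ZSK/KSK case, the unsupported algorithms, the 1024 to 4096 bit RSA range, and SHA-1 DS digests): it parses DNSKEY and DS records in presentation format, recovers the RSA modulus size from the RFC 3110 public key encoding, and reports anything the prerequisites flag. The sample records are constructed with synthetic key material, not real keys.

```python
import base64
# Algorithms and key-size limits the prerequisites list as upgrade blockers.
UNSUPPORTED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
RSA_ALGS = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS, MAX_BITS = 1024, 4096

def make_rsa_key_b64(modulus_bits: int) -> str:
    """Build a constructed (not real) RFC 3110 RSA public key of the given size."""
    exponent = b"\x01\x00\x01"  # 65537; the wire format prefixes its length
    modulus = b"\x80" + bytes(modulus_bits // 8 - 1)  # top bit set, rest zero
    return base64.b64encode(bytes([len(exponent)]) + exponent + modulus).decode()

def rsa_modulus_bits(key_b64: str) -> int:
    """Return the modulus size of an RFC 3110 RSA DNSKEY public key."""
    raw = base64.b64decode(key_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: a two-byte exponent length follows
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def check_record(line: str) -> list[str]:
    """Return the upgrade-blocking problems in one DNSKEY or DS record."""
    f, issues = line.split(), []
    if "DNSKEY" in f:
        i = f.index("DNSKEY")
        alg, key = int(f[i + 3]), "".join(f[i + 4:])  # key may contain spaces
        if alg in UNSUPPORTED_ALGS:
            issues.append(f"{f[0]}: unsupported algorithm {UNSUPPORTED_ALGS[alg]}({alg})")
        elif alg in RSA_ALGS:
            bits = rsa_modulus_bits(key)
            if not MIN_BITS <= bits <= MAX_BITS:
                issues.append(f"{f[0]}: {RSA_ALGS[alg]}({alg}) key size {bits} "
                              f"outside [{MIN_BITS}, {MAX_BITS}]")
    elif "DS" in f:
        i = f.index("DS")
        if int(f[i + 3]) == 1:  # digest type 1 is SHA-1
            issues.append(f"{f[0]}: DS uses SHA-1 digest type (1)")
    return issues

def check_records(lines: list[str]) -> list[str]:
    return [issue for line in lines for issue in check_record(line)]

# Constructed samples: a valid 2048-bit RSASHA256 KSK, an undersized 640-bit
# RSASHA1 ZSK, a DSA key, and a DS record carrying a SHA-1 digest.
SAMPLE_RECORDS = [
    f"example.com. 3600 IN DNSKEY 257 3 8 {make_rsa_key_b64(2048)}",
    f"example.com. 3600 IN DNSKEY 256 3 5 {make_rsa_key_b64(640)}",
    "example.com. 3600 IN DNSKEY 256 3 3 AQ==",
    "example.com. 3600 IN DS 12345 8 1 0123456789abcdef0123456789abcdef01234567",
]
```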

  • The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.

  • When you upgrade to NIOS 9.0.x, distribution fails if CA certificates signed with the md5WithRSAEncryption or sha1WithRSAEncryption signature algorithms are present. Infoblox recommends that you delete these certificates before upgrading.

  • When you upgrade to NIOS 9.0.x and upgrade or replace your X5 series appliance with an X6 series appliance while holding a valid X5 series license, you can continue to use the X5 series license on the X6 series appliance until the license expires. However, you must contact Infoblox Support to generate a new X5 series license that works with the X6 series appliance. The new license is generated with the X6 series appliance hardware ID and retains the X5 series license validity period.

  • After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master to make the Cloud Sync (Cloud DNS Sync in 9.0.x versions prior to 9.0.4) service functional. Until then, Route 53 synchronization does not start because the service has not been started.

  • If you are using Threat Insight (known as Threat Analytics in versions earlier than 9.0.5), you must have installed the minimum module set version (20210620) before upgrading to NIOS 9.x.

  • From NIOS 9.0.0 onwards, when you define a sort list using the Grid DNS Properties > Sort List tab, ensure that you select or add a correct network and set the correct prefix or netmask. Otherwise, the DNS service fails to start because of the invalid configuration. An example of an invalid configuration is 11.14.73.0/16. The corresponding syslog error looks like this: /infoblox/var/named_conf/named.conf:60: '11.14.73.0/16': address/prefix length mismatch '16'
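The following validator is an added example, not Infoblox's own code: it applies the same rule BIND's named.conf parser enforces (an address whose host bits are set for its prefix length is rejected) to sort list entries before they reach the Grid, and for each bad entry proposes both ways to repair it. The sample entries are constructed around the page's 11.14.73.0/16 case.

```python
import ipaddress

def check_sort_list_entry(entry: str) -> tuple[bool, str]:
    """Validate one sort list network the way BIND's named.conf parser does.

    BIND rejects an address whose host bits are set for the given prefix
    length, which is what the 'address/prefix length mismatch' error reports.
    """
    try:
        ipaddress.ip_network(entry, strict=True)
        return True, f"{entry}: ok"
    except ValueError:
        pass
    try:
        masked = ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        return False, f"{entry}: malformed ({exc})"
    # Host bits are set. Offer both fixes: keep the prefix and clear the host
    # bits, or keep the address and use the shortest prefix that fits it.
    addr = ipaddress.ip_address(entry.split("/")[0])
    value = int(addr)
    trailing_zero_bits = (value & -value).bit_length() - 1 if value else addr.max_prefixlen
    shortest = addr.max_prefixlen - trailing_zero_bits
    return False, (f"{entry}: host bits set for /{masked.prefixlen}; "
                   f"use {masked.with_prefixlen} or {addr}/{shortest}")

def check_sort_list(entries: list[str]) -> list[str]:
    """Return the messages for every entry that would stop the DNS service."""
    return [msg for ok, msg in map(check_sort_list_entry, entries) if not ok]

# Constructed sample: the page's invalid 11.14.73.0/16 beside valid entries
# and an IPv6 entry with the same mistake.
SAMPLE_SORT_LIST = ["11.14.73.0/16", "11.14.73.0/24", "10.0.0.0/8", "2001:db8::1/64"]
```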