This section details general and specific upgrade prerequisites that you must follow before upgrading NIOS versions.
Ensure that you read these prerequisites completely before proceeding with the upgrade. The prerequisites mentioned are cumulative and apply to all later releases unless specifically mentioned.
Also read the /wiki/spaces/nios90draft/pages/1220935683 topic before proceeding with the upgrade. Both the guidelines and the prerequisites must be followed to ensure a smooth upgrade.
NIOS 9.0.2 Upgrade Prerequisites
Read the following prerequisites before upgrading to NIOS 9.0.4:
Accelerated networking must be disabled in Microsoft Azure for NIOS members before upgrading to 9.0.0, 9.0.1, 9.0.2, 9.0.3 or 9.0.4 as it may cause the member to not rejoin the Grid after upgrading. The VM or, if applicable, all VMs within the availability set may need to be stopped or deallocated before accelerated networking is disabled. This issue does not affect NIOS 9.0.5 or later versions.
Upgrading to NIOS 9.0.1 or later is restricted, subject to the following checks:
CA certificates violating RFC: Subject Key Identifier MUST exist if CA=TRUE
Certificate validity dates
Restrict MD5 and SHA1 for Apache certificates and CA certificates
OpenVPN certificates. If you have old OpenVPN certificates, contact Infoblox Support before proceeding with the distribution.
If the Dual Engine DNS license is present in your Grid in the deleted or expired state (can be validated by running the show license CLI command on the node), contact Infoblox Support to have it removed. The NIOS upgrade fails if the license is not deleted.
Unbound upgrade guidelines:
If an Unbound license is present in the Grid, then upgrading to 9.0.1 will fail. You must manually remove the Unbound license and then proceed with the upgrade.
If you have offline Grid members and are not able to delete the Unbound license, then you must bring the Grid members online, remove the license, and then proceed with the upgrade. You can also contact Infoblox Support about creating a hotfix to clean up the Unbound licenses for the offline members.
If you had a temporary Unbound license that you deleted from Grid Manager, the license will still be present in the database and the upgrade will fail. Please contact Infoblox Support to completely remove the temporary license.
If Unbound is configured, the upgrade test fails, to indicate that references to Unbound are being completely destroyed during the upgrade process.
Using an unsupported algorithm such as RSAMD5(1), DSA(3), or DSA-NSEC3-SHA1(6) may cause the upgrade to fail.
Using an invalid key size for RSASHA1(5), RSA-NSEC3-SHA1(7), or RSASHA256(8) (the key size should be within the range [1024 to 4096]) may cause the upgrade to fail.
Manually creating (through the import keyset) a DS record with an unsupported algorithm or digest type SHA-1 may cause the upgrade to fail.
If you are using Ubuntu and a CA certificate of key length 1024 and some unsupported ciphers, after a NIOS upgrade, services that depend on the unsupported ciphers cease to work.
If you are logging on to NIOS using SSO, in IDP Configuration you must enter the following URL in the SP Entity ID field: <grid_virtual IP address>:8765/metadata. If you are using Okta, the SP Entity ID field is also called the Audience URI field.
The shared secret that you enter when adding a RADIUS authentication server in the Add RADIUS Authentication Service wizard > RADIUS Servers > Shared Secret field must be between 4 and 64 characters (inclusive) in length. Otherwise, the upgrade will fail.
Before you upgrade to NIOS 9.0.x, check the validity of the CA certificates uploaded. If the certificate is invalid, install a new certificate that is in compliance with RFCs (for example RFC 5280). Failure to do so may result in the Grid Manager UI/WAPI not being accessible after the upgrade. However, NIOS will continue to be functional. To check the validity of the certificate, contact Infoblox Support.
In NIOS 8.6 and earlier versions, BIND allowed the listen-on, notify-source, and query-source options to be configured on port 53 for both IPv4 and IPv6 addresses. Starting from NIOS 9.0.x, this configuration is not recommended because BIND does not support the listen-on, notify-source, and query-source options using the same port for both IPv4 and IPv6. This configuration can cause BIND to fail during start-up.
If there are Threat Protection members in your Grid for the 8.3 and later features (Grid Master Candidate test promotion, forwarding recursive queries to Infoblox Threat Defense Cloud, and CAA records), ensure that you upload the latest Threat Protection ruleset for these features to function properly.
If you set up your Grid to use Infoblox Threat Insight (known as Threat Analytics in versions earlier than 9.0.5) but have not enabled automatic updates for Threat Insight module sets, you must manually upload the latest module set to your Grid or enable automatic updates before upgrading. Otherwise, your upgrade will fail.
After a scheduled upgrade to NIOS 8.6.3 and later is complete, you must run the update_rabbitmq_password command on the Grid Master to get the Cloud Sync (Cloud DNS Sync in 9.0.x versions prior to 9.0.4) service to be functional. Until that time, Route 53 synchronization does not start because the service has not been started.
If you are using Threat Insight (known as Threat Analytics in versions earlier than 9.0.5), you must have installed the minimum module set version (20210620) before upgrading to NIOS 8.6.x.
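The algorithm, key-size and DS digest prerequisites above (RSAMD5(1), DSA(3), DSA-NSEC3-SHA1(6), the 1024 to 4096 range, and SHA-1 DS records) can be checked against exported zone data before the upgrade. The following is an added example, not Infoblox code: it scans DNSKEY and DS records in presentation format, one record per line, and reports the cases the page lists. The function names and the example.test records are constructed for illustration.

```python
import base64

# Algorithm numbers and key-size limits as listed in the prerequisites above.
UNSUPPORTED_ALGS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
RSA_SIZE_CHECKED = {5: "RSASHA1", 7: "RSA-NSEC3-SHA1", 8: "RSASHA256"}
MIN_BITS, MAX_BITS = 1024, 4096

def rsa_modulus_bits(key_b64):
    """Modulus size in bits of an RSA DNSKEY public key (RFC 3110 layout)."""
    raw = base64.b64decode(key_b64)
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: the next two bytes carry the exponent length
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    return int.from_bytes(raw[offset + exp_len:], "big").bit_length()

def audit_records(zone_text):
    """Return (owner, type, reason) for every DNSKEY/DS record the page flags."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, split on whitespace
        rtype = next((t for t in ("DNSKEY", "DS") if t in fields[1:]), None)
        rdata = fields[fields.index(rtype, 1) + 1:] if rtype else []
        if len(rdata) < 4:
            continue  # not a DNSKEY/DS record, or a truncated one
        owner = fields[0]
        alg = int(rdata[2] if rtype == "DNSKEY" else rdata[1])  # DNSKEY: flags proto alg key; DS: tag alg digest-type digest
        if alg in UNSUPPORTED_ALGS:
            findings.append((owner, rtype, f"unsupported algorithm {UNSUPPORTED_ALGS[alg]}({alg})"))
        elif rtype == "DNSKEY" and alg in RSA_SIZE_CHECKED:
            bits = rsa_modulus_bits("".join(rdata[3:]))
            if not MIN_BITS <= bits <= MAX_BITS:
                findings.append((owner, rtype, f"{RSA_SIZE_CHECKED[alg]}({alg}) key size {bits} outside {MIN_BITS}-{MAX_BITS}"))
        if rtype == "DS" and int(rdata[2]) == 1:  # DS digest type 1 is SHA-1
            findings.append((owner, rtype, "digest type SHA-1"))
    return findings

def constructed_rsa_key(bits):  # constructed, non-functional blob: e=65537, all-ones modulus
    return base64.b64encode(b"\x03\x01\x00\x01" + b"\xff" * (bits // 8)).decode()

# Constructed sample records (not from any real zone).
SAMPLE_ZONE = f"""\
example.test. 3600 IN DNSKEY 257 3 8 {constructed_rsa_key(2048)}
example.test. 3600 IN DNSKEY 256 3 8 {constructed_rsa_key(512)}
example.test. 3600 IN DNSKEY 256 3 1 {constructed_rsa_key(1024)}
child.example.test. 3600 IN DS 12345 8 1 {'ab' * 20}
child.example.test. 3600 IN DS 12345 8 2 {'cd' * 32}
"""

if __name__ == "__main__":
    print(*audit_records(SAMPLE_ZONE), sep="\n")
```

Records split across several lines with parentheses are not handled; flatten them to one record per line first.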