2011 Infoblox Inc. All Rights Reserved. All registered trademarks are property of their respective owners. 400-0258-007 Rev. A
Page 2 of 21 11/18/2011
vNIOS Appliance
Disk (GB) 50
# of CPU Cores 1
IB-BOB (supported on Cisco SRE-V only) IB-VM-250 IB-VM-250 IB-VM-550 IB-VM-550 IB-VM-1050 IB-VM-1050 IB-VM-1550 IB-VM-1850 IB-VM-2000
1 1 1 1 1 1 2 4 4
2 GB 2 GB 2 GB 2 GB 2 GB 2 GB 8 GB 8 GB 12 GB
700 MHz 700 MHz 1200 MHz 1200 MHz 2000 MHz 2000 MHz 5.5 GHz 10 GHz 12 GHz
vNIOS for VMware on Cisco UCS Express/SRE-V: The Infoblox vNIOS on VMware software can also run on Cisco SRE-V (Services Ready Engine Virtualization), which is part of the Cisco UCS (Unified Computing System) Express. Cisco SRE-V enables the VMware vSphere Hypervisor to be provisioned on Cisco SRE 700 and 900 Service Modules. The Cisco SRE Service Module can reside in the Cisco 2900 and 3900 series ISRs G2. The following table lists the supported vNIOS on VMware virtual appliances on SRE 700 and SRE 900:
vNIOS on VMware Virtual Appliances   IB-BOB   IB-VM-250   IB-VM-550   IB-VM-1050
Cisco SRE 700                        Yes      Yes         Yes         No
Cisco SRE 900                        Yes      Yes         Yes         Yes
Note that all vNIOS on VMware virtual appliances running on Cisco SRE-V are not recommended as grid masters or grid master candidates. The IB-BOB virtual appliance only supports configuration as a grid member. For information about Cisco SRE-V, refer to the Cisco documentation.
NIOS 5.1r5
Scheduling Full Upgrades
With NIOS 5.1r5, you can schedule a full upgrade that allows for member-to-master data replication. A full upgrade occurs when there are database schema changes between the existing and upgrade software versions. Scheduling an upgrade for a grid can minimize network and operational outages, especially when you have grid members that are in different time zones. Depending on the configuration of your grid and the software version that is currently running in the grid, you can schedule your upgrades for different members or upgrade groups over a period of nine days. For more information about scheduling full upgrades, refer to the Infoblox NIOS Administrator Guide. To schedule a full upgrade, you must first upgrade to NIOS 5.1r4-6, and then to NIOS 5.1r5.
GUI Enhancements
This release includes the following enhancements to Grid Manager and System Manager:
- The vertical scroll bar in the Add Content panel of the Dashboard enhances the usability of the Dashboard.
- In the DNS, DHCP, and Grid tabs, accordions are replaced with sub tabs to improve navigation through different views.
- System messages, including information, warnings, and errors, are now displayed in specific tabs, panels, and tables in which specific tasks are being performed.
- GUI performance improvements in the following: tab navigation, login process, and drill downs.
NIOS 5.1r4-3
API Enhancement
With this release, you can use the Infoblox::DHCP::Network functionality to enable searching for networks within a network container.
NIOS 5.1r4
License Transfer for vNIOS on VMware
With this release, you can transfer the valid licenses of a vNIOS virtual appliance from one ESX/ESXi 4.x server to another without going through the RMA (returned materials authorization) process. For more information, refer to the Infoblox Installation Guide for vNIOS Software on VMware.
New Platforms for vNIOS on ESX/ESXi Servers
Infoblox now supports the following additional vNIOS for VMware appliances on ESX/ESXi servers: IB-VM-550 and IB-VM-1850. For information about the new platforms, refer to the Infoblox Installation Guide for vNIOS Software on VMware.
vNIOS for VMware on Cisco UCS Express/SRE-V
You can now install the vNIOS for VMware software on Cisco SRE-V, which is part of the Cisco UCS Express. Infoblox supports the following vNIOS for VMware virtual appliances on Cisco SRE-V: IB-BOB, IB-VM-250, IB-VM-550, and IB-VM-1050. For more information about the supported virtual appliances, see the section Supported Platforms on page 2. For information about Cisco SRE-V, refer to the Cisco documentation.
Lease Scavenging
You can enable member DHCP servers to automatically delete free and backup leases that remain in the database beyond a specified period of time. When you enable this feature, the appliance permanently deletes the free and backup leases, and you can no longer view or retrieve the lease information.
Synchronization with Microsoft Servers
With this release, there is an option to create a Microsoft user account that does not require Administrator Group rights to synchronize Microsoft servers.
IPv6 Support for NIC Redundancy
This release supports both IPv4 and IPv6 addresses for NIC (Network Interface Controller) redundancy using the LAN2 port.
NIOS 5.1r3-2
CLI Command for Upgrade Compatibility
Starting with this release, you can use the CLI command show upgrade_compatible on a grid master to verify whether your grid or appliance can be upgraded to NIOS 6.x and later. For information about this command, refer to the Infoblox CLI Guide.
NIOS 5.1r3
Authenticated DHCP
Infoblox now offers a feature that requires unknown users to register their client devices using a captive web portal, before the DHCP server issues a lease. The captive portal can be configured to support authenticated access using either RADIUS or Active Directory, Guest access, or both. An administrator can define multiple ranges per network to handle authenticated, guest and quarantine clients. Each range uses a MAC address filter to determine which clients are registered. Depending on whether a user completes successful authentication, fails authentication, or requests guest access, the DHCP server issues an address from the appropriate range and inserts the MAC address of the client device into the appropriate MAC filter. A grid can support one or more captive portals for redundancy, and each captive portal can be configured with customized graphics, acceptable use policies, and guest registration fields.
Option 82 Fixed Address Support
Infoblox has enhanced the DHCP fixed address to support DHCP relay agent information (option 82) in addition to the MAC address and DHCP Client Identifier. You can now specify either the circuit ID or remote ID as the host identifier in a fixed address. This will allow the client to receive a consistent IP address based upon the option 82 value.
Support for Intermediate Certificates
Infoblox now supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. If required, you can upload intermediate certificates in addition to a server certificate. This will eliminate intermediate certificate security warnings that appear when you open a web browser and try to connect to an Infoblox appliance.
Enhanced IB-PLATFORMONE-MIB
The IB-PLATFORMONE-MIB now provides objects that report status information about software services (e.g., DNS and DHCP), the operating system, and hardware services (e.g., Fan status and CPU temperature).
GUI Enhancements
This release includes the following enhancements to Grid Manager and System Manager:
- The Override/Inherit option was added to the DDNS Domain Name and DDNS TTL fields in the DHCP Network, Network Template, DHCP Range, DHCP Range Template, Fixed Address, Roaming Host and Shared Network editors.
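The Option 82 fixed address feature described above keys a lease on the relay agent's circuit ID or remote ID. The following is an added example, not Infoblox code: it decodes option 82 from a DHCP options field per RFC 3046 and looks up a fixed address. The table layout, the lookup precedence and the rule of ignoring option 82 on non-relayed packets are assumptions of this sketch.

```python
"""DHCP option 82 (relay agent information, RFC 3046) as a fixed-address key."""
from typing import Dict, Optional, Tuple

PAD, END, RELAY_AGENT_INFO = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 sub-option codes


def parse_tlv(buf: bytes, top_level: bool) -> Dict[int, bytes]:
    """Decode code/length/value triples, refusing lengths that overrun buf."""
    fields: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if top_level and code == PAD:      # one-byte padding, no length field
            i += 1
            continue
        if top_level and code == END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("field %d overruns the buffer" % code)
        fields[code] = value
        i += 2 + length
    return fields


def relay_ids(options: bytes, giaddr: str) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (circuit_id, remote_id); option 82 is ignored if not relayed."""
    if giaddr == "0.0.0.0":
        return None, None   # no relay in the path: the client could have forged it
    opt82 = parse_tlv(options, top_level=True).get(RELAY_AGENT_INFO)
    if opt82 is None:
        return None, None
    sub = parse_tlv(opt82, top_level=False)
    return sub.get(CIRCUIT_ID), sub.get(REMOTE_ID)


def fixed_address(table, options: bytes, giaddr: str, mac: str) -> Optional[str]:
    """Look up a fixed address. The precedence (circuit ID, remote ID, MAC) is
    an assumption of this sketch, not documented NIOS behaviour."""
    circuit, remote = relay_ids(options, giaddr)
    for key in (("circuit_id", circuit), ("remote_id", remote), ("mac", mac)):
        if key[1] is not None and key in table:
            return table[key]
    return None


def option(code: int, value: bytes) -> bytes:
    """Encode one option or sub-option."""
    return bytes([code, len(value)]) + value


# Constructed sample data (not taken from any real network).
TABLE = {
    ("circuit_id", b"eth1/0/7:vlan20"): "10.20.0.50",
    ("mac", "00:11:22:33:44:55"): "10.20.0.99",
}
OPT82 = option(CIRCUIT_ID, b"eth1/0/7:vlan20") + option(REMOTE_ID, b"sw-floor2")
RELAYED = option(53, b"\x01") + option(RELAY_AGENT_INFO, OPT82) + bytes([END])

if __name__ == "__main__":
    print(fixed_address(TABLE, RELAYED, "10.20.0.1", "aa:bb:cc:dd:ee:ff"))
    print(fixed_address(TABLE, RELAYED, "0.0.0.0", "aa:bb:cc:dd:ee:ff"))
```

Because the identifier comes from the relay agent and not from the client, the same port receives the same address whatever device is plugged in, which is why the sketch refuses to honour option 82 on a packet that did not pass through a relay.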
NIOS 5.1r2
Management for Microsoft DHCP Servers
You can configure grid members to manage Microsoft DHCP servers. Grid members can synchronize DHCP data with Microsoft DHCP servers, enabling administrators to use Grid Manager to view and manage DHCP data served by the Microsoft servers. A Microsoft Management license is required to use this feature.
vNIOS on VMware Platforms
This release supports the VM-35 and VM-55 virtual NIOS appliances, in addition to the VM-5 and VM-25 virtual NIOS appliances introduced in NIOS 5.1r1. You can install the vNIOS software package on a host with VMware ESX or ESXi 4.x installed and configure it as a VM-5, VM-25, VM-35 or VM-55 virtual appliance. VM-25, VM-35 and VM-55 virtual appliances can be configured as virtual grid masters and grid master candidates, as well as grid members or independent appliances. A VM-5 virtual appliance supports all the services provided by vNIOS virtual appliances, but it is not recommended as a grid master or grid master candidate. For information on supported features and how to install vNIOS software on VMware platforms, refer to the Quick Start Guide for Installing vNIOS Software on VMware Platforms.
Sophos NAC Integration
You can configure Infoblox DHCP servers to work with Sophos NAC Advanced servers to form a DHCP-based endpoint compliance system. The DHCP servers can send authentication requests to Sophos NAC Advanced servers, and then grant or deny leases based on NAC filters that match the authentication results.
DNSSEC Enhancements
The appliance supports the SHA-2 (256-bit and 512-bit) cryptographic hash algorithms in DNSKEY and RRSIG resource records, and in Key-Signing Keys (KSKs) and Zone-Signing Keys (ZSKs). Also in this release, signed zones can accept dynamic DNS updates, and users can add a trust anchor for the root zone.
NIOS 5.1r1
Management for Microsoft DNS Servers
You can configure grid members to manage Microsoft DNS servers. Grid members can synchronize DNS data with Microsoft DNS servers, enabling administrators to use Grid Manager to view and manage the DNS zones and resource records served by the Microsoft servers. A Microsoft Management license is required to use this feature.
vNIOS on VMware Platforms
You can install the vNIOS software package on a host with VMware ESX or ESXi 4.x installed and configure it as either a VM-5 or VM-25 virtual NIOS appliance. NIOS virtual appliances are virtual grid members that include a full suite of core network services: DNS, DHCP, IPAM, FTP, TFTP, HTTP, and NTP. Distributed organizations obtain the cost benefits of consolidation and the simplicity of centrally managed Infoblox NIOS virtual appliances.
ADDRESSED VULNERABILITIES
This section lists security vulnerabilities that were addressed in this and earlier NIOS releases. For additional information about these vulnerabilities, including their severities, please refer to the National Vulnerability Database (NVD) at http://nvd.nist.gov/. The Infoblox Support website at http://support.infoblox.com also provides more information, including vulnerabilities that do not affect Infoblox appliances.
CERT VULNERABILITY NOTE CVE-2011-4313
After a recursive name server caches an invalid record, subsequent queries for that record could crash the resolver with an assertion failure and the following error message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"
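To check whether resolvers hit this assertion before being upgraded, the quoted error message can be searched for in forwarded syslog. The following is an added example, not part of the original release notes: the syslog line layout, the host names and the sample lines are constructed, and the year must be supplied because this timestamp style does not carry one.

```python
import re
from datetime import datetime, timedelta

# Assertion text quoted in the release notes for CVE-2011-4313.
ASSERTION = "INSIST(! dns_rdataset_isassociated(sigrdataset))"
# Assumed line shape: "Mon DD HH:MM:SS host named[pid]: message".
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def crashes_by_host(lines, year):
    """Map host -> sorted crash times, one per named PID that hit the assertion."""
    seen = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m or ASSERTION not in m.group("msg"):
            continue
        stamp = " ".join(m.group("ts").split())   # collapse "Nov  6" padding
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # A restarted daemon gets a new PID, so (host, pid) identifies one crash.
        seen.setdefault((m.group("host"), m.group("pid")), when)
    result = {}
    for (host, _pid), when in seen.items():
        result.setdefault(host, []).append(when)
    return {host: sorted(times) for host, times in result.items()}


def crash_loops(crashes, window=timedelta(minutes=10), threshold=2):
    """Hosts with at least `threshold` crashes inside any `window`-long span."""
    flagged = []
    for host, times in crashes.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(host)
                break
    return sorted(flagged)


# Constructed sample log lines (hosts, PIDs and times are made up).
SAMPLE_LOG = [
    "Nov 16 14:02:11 ns1 named[2211]: " + ASSERTION + " failed",
    "Nov 16 14:02:11 ns1 named[2211]: exiting (due to assertion failure)",
    "Nov 16 14:02:40 ns1 named[2304]: running",
    "Nov 16 14:05:03 ns1 named[2304]: " + ASSERTION + " failed",
    "Nov 16 14:07:19 ns2 named[900]: zone example.com/IN: loaded serial 7",
    "Nov 16 15:30:00 ns2 named[900]: " + ASSERTION + " failed",
]

if __name__ == "__main__":
    found = crashes_by_host(SAMPLE_LOG, 2011)
    for host, times in sorted(found.items()):
        print(host, len(times), "crash(es), first at", times[0])
    print("crash loops:", crash_loops(found))
```

A host that appears in the crash-loop list hit the assertion again shortly after restarting, so it should be prioritised for the fixed release.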
NIOS 5.1r1-1
In previous releases, when you defined an option filter to match the vendor class value in a vendor option space, the matching value was automatically returned through option 60 (vendor class identifier). In this release, the appliance does not automatically return a matching vendor class value in a vendor option space through option 60. You can now specify any vendor class value to be returned through option 60. For example, for PXE clients that require option 60 to be returned with values starting with PXEClient, you must configure this DHCP option at the option filter level or at other appropriate levels.
NIOS 5.1r1
The Infoblox GUI and API display text in a TXT record exactly as it was entered, except in the following cases:
- If you enter a text string with multiple spaces between each word and the string is not enclosed in double quotes, the GUI and API display the text string with a single space between each word.
- If you enter one word enclosed in double quotes, the GUI and API display the word without the quotes.
NIOS 5.x
The Workflow Scheduling feature was changed as follows:
- Grid Manager does not display a warning when tasks are scheduled for the same date/time.
- There is no restriction on entering seconds for the scheduled time.
- There is no restriction on the number of tasks that can be scheduled. In previous releases, a maximum of 500 tasks could be scheduled.
- Scheduled tasks survive a master promotion and revert.
- Changed default value for CLI-accessible scheduled task restarts from 4 to 60.
- Removed the ability to enable/disable the scheduling feature at the global level (in GUI and PAPI). This feature is enabled by default.
An Infoblox DHCP server that was also a DHCP IF-MAP client sent packets to the IF-MAP server from its LAN port, even when the client was an HA member. The DHCP server now sends the packets from the VIP of the HA pair. Therefore, you must configure the IF-MAP server to accept packets from the VIP.
If you configured the NIOS appliance to authenticate administrators using RADIUS or Active Directory servers, and configured static routes from the MGMT port of the appliance to any of those servers, the appliance will ignore those static routes after the upgrade to NIOS 5.x. To enable remote authentication using the MGMT port to connect to a RADIUS or AD server after the upgrade, navigate to the Administration tab, select the Administrators tab, and then select Remote Authentication. In the RADIUS Service or Active Directory Services tab, click the Add icon to add a server and select the Connect through MGMT Interface option.
API Upgrade Guidelines
- All the deprecated IPAM device type and custom fields were removed from the API.
- The API does not support RADIUS. For example, the uca_group() method was removed from the DHCP::Range object as it was only used with the NAC Foundation feature.
- The behavior of bootfile(), bootserver() and nextserver() has changed. Each of these methods has its own override. Setting the override for one enables the override for that method to True. Object types affected by this change are:
    Grid::Member::DHCP
    DHCP::Range
    DHCP::SharedNetwork
    DHCP::Network
    DHCP::FixedAddress
    DHCP::NetworkTemplate
    DHCP::FixedAddressTemplate
    DHCP::RangeTemplate
    DHCP::Host
- Changes to the "range_templates" and "fixed_address_templates" methods of the NetworkTemplate object. You can no longer specify just the name of the child template when assigning a range and fixed address template to a network template. Instead, you must specify a DHCP::Template object that contains optional "offset" and "count". Following is an example:
    my $rtemp = Infoblox::DHCP::Template->new(
        name   => "range template",
        offset => 10,  # OPTIONAL, if not provided use from template
        count  => 10,  # OPTIONAL, if not provided use from template
    );
    my $fatemp = Infoblox::DHCP::Template->new(
        name   => "fa template",
        offset => 10,  # OPTIONAL, if not provided use from template
        count  => 10,  # OPTIONAL, if not provided use from template
    );
    $network_template->range_templates([ $rtemp ]);
    $network_template->fixed_address_templates([ $fatemp ]);
- In the Infoblox::DNS::View object, the match_clients and match_tsig_clients fields were replaced by the mixed-type match_clients field.
Infoblox recommends using the latest release of the supported versions of Mozilla Firefox or Google Chrome for best performance. When viewing Grid Manager, set the screen resolution of your monitor as follows:
- Minimum resolution: 1024x768
- Recommended resolution: 1280x800 or better
Documentation
You can download the Infoblox Administrator Guide from the appliance. From Grid Manager, expand the Help panel, and then click Documentation -> Admin Guide.
Training
Training information is available at http://www.infoblox.com/en/training/training-center.html.
RESOLVED ISSUES
This section lists the issues that were fixed in the NIOS 5.1r5 release. The resolved issues are listed by severity. For a description of the severity levels, refer to Severity Levels on page 20. Note: Infoblox now uses a new numbering scheme to track issue IDs. Numbers in parentheses are legacy IDs. The new numbering scheme is in the format: NIOS-xxxxx or DIW-xxxxx.
Fixed in 5.1r5-5
ID   Severity   Summary
After upgrading, grid members could not boot until a "reset database" was performed on all grid members, which had to rejoin the grid.
Fixed in 5.1r5-4
ID           Severity   Summary
NIOS-33433   Major      This release addresses CVE-2011-4313: After a recursive name server caches an invalid record, subsequent queries for that record could crash the resolver with an assertion failure and the following error message: "INSIST(! dns_rdataset_isassociated(sigrdataset))"
Fixed in 5.1r5-3
ID           Severity   Summary
NIOS-32148   Major      After an HTTPD process failure, the appliance generated core files and restarted.
NIOS-32134   Major      Users were able to view additional information when they used the autocomplete feature to enter CLI commands.
NIOS-31867   Major      The vertical toolbar and the Logout button became unresponsive.
NIOS-31783   Major      A descriptor leakage caused the monitor process to generate core files after it exceeded the descriptor threshold for a process.
NIOS-31696   Major      When using the Add Admin Group wizard to create an admin group, the Role Selector dialog did not display user-defined roles.
NIOS-31542   Major      When a client attempted to use an incorrect encryption method during a GSS-TSIG transaction, the appliance sent a SERVFAIL error message instead of indicating that there was a decryption failure.
NIOS-31535   Major      After upgrading to NIOS 5.1r4-4, users were unable to access the Administration tab in Grid Manager.
NIOS-29429 Major NIOS-29345 Major NIOS-28189 Major (49936) NIOS-26649 Major (47567) NIOS-32108 Minor NIOS-31996 Minor NIO-31748 Minor
Fixed in 5.1r5-2
ID           Severity   Summary
NIOS-32094   Critical   clusterd could consume increasing amounts of memory.
NIOS-31866 Major
Fixed in 5.1r5-0
ID           Severity   Summary
NIOS-31310   Critical   Upgrading to NIOS 5.1r4-3 failed due to a named daemon monitoring failure when zones had a TSIG key defined to allow updates. This issue affected NIOS 5.1r4-3, 6.0.4, and 6.1.0.
ID                   Severity   Summary
NIOS-31455           Major      This release addresses the following vulnerability: DHCP: A remote attacker could cause the "dhcpd" process to exit using a specially crafted packet. (CVE-2011-2748 | CVE-2011-2749) This issue affected NIOS 4.2r4 and later releases.
NIOS-31296 (51108)   Major      Adding zone associations to DHCP networks impacted GUI performance.
NIOS-31177           Major      After a grid master candidate was promoted to grid master, the DNS views that contained DNSSEC zones were not associated with the newly promoted grid master.
NIOS-31172           Major      The appliance could not restore a backup file due to a data translation issue in a TXT record.
NIOS-31111           Major      Adding zone associations to DHCP networks impacted GUI performance.
NIOS-30972 (47645)   Major      DNS queries on the UDP port encountered frequent timeouts due to a buffer issue in the burst traffic.
NIOS-30806           Major      When a zone was assigned to a Microsoft server, users could not create a delegation to this zone if the grid master is a Microsoft primary server in a read-only mode.
NIOS-30802           Major      Users could not create a sub zone if the parent zone was managed by a Microsoft primary server in a read-only mode.
Severity Levels
Severity   Description
Critical   Core network services are significantly impacted.
Major      Network services are impacted, but there is an available workaround.
Moderate   Some loss of secondary services or configuration abilities.
Minor      Minor functional or UI issue.
Enhance    An enhancement to the product.
VNIOS-36 (41215) NIOS-21512 (39917) NIOS-21499 (38968) NIOS-19853 (31668) NIOS-19144 (30208) NIOS-18163 (27831) NIOS-18009 (27385)