MultiNet V5.4 Release Notes

December 2011

This document contains a list of new features and bug fixes that have been made since MultiNet V5.3.

Revision/Update Information: This document supersedes the MultiNet V5.3-A Release Notes

Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

    Process Software, LLC
    959 Concord Street
    Framingham, MA 01701-4682 USA
    Voice: +1 508 879 6994; FAX: +1 508 879 0042
    info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

o Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

o Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

  WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

o MultiNet is a registered trademark of Process Software.

o This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

o Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

o TCPware is a registered trademark of Process Software.

o UNIX is a trademark of UNIX System Laboratories, Inc.

o All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

o Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

o Copyright ©2000, 2001, 2002, 2004 Process Software, LLC. All rights reserved. Printed in USA.

o If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.

________________________________________________________________
Contents
________________________________________________________________

CHAPTER 1 INTRODUCTION
    1.1 TYPOGRAPHICAL CONVENTIONS
    1.2 OBTAINING TECHNICAL SUPPORT
        1.2.1 Before Contacting Technical Support
        1.2.2 Sending Electronic Mail
        1.2.3 Calling Technical Support
        1.2.4 Contacting Technical Support by Fax
    1.3 OBTAINING ONLINE HELP
    1.4 MULTINET FREQUENTLY ASKED QUESTIONS (FAQS) LIST
    1.5 ACCESSING THE MULTINET PUBLIC MAILING LIST
    1.6 PROCESS SOFTWARE WORLD WIDE WEB SERVER
    1.7 OBTAINING SOFTWARE PATCHES OVER THE INTERNET
    1.8 DOCUMENTATION COMMENTS
    1.9 CD-ROM CONTENTS
        1.9.1 Online Documentation
            1.9.1.1 PDF Format
    1.10 NOTE CONCERNING KERBEROS V5
    1.11 NOTE CONCERNING MULTIWARE
    1.12 NOTE CONCERNING SSH
    1.13 NOTE: CONCERNING SSH SESSIONS

CHAPTER 2 CHANGES, FIXES, AND ENHANCEMENTS
    2.1 MULTINET V5.4 INSTALLATION NOTE
    2.2 USING MULTINET FOR AN OPENVMS CLUSTER INTERCONNECT
        2.2.1 Troubleshooting
    2.3 FTP UPDATES
    2.4 INTRUSION PREVENTION SUBSYSTEM (IPS)
    2.5 KERNEL MODIFICATIONS
    2.6 MASTER SERVER
    2.7 NAMED
    2.8 NTP SERVER
    2.9 ADVANCED PACKET FILTERING
    2.10 RACOON2
    2.11 SCP2 UPDATES
    2.12 SSH UPDATES
    2.13 FIXED PROBLEMS
        2.13.1 FTP
        2.13.2 GATED
        2.13.3 Intrusion Prevention Subsystem (IPS)
        2.13.4 Kernel
        2.13.5 Master Server
        2.13.6 Named
        2.13.7 NFS_CLIENT
        2.13.8 NOTDRIVER
        2.13.9 NTP
        2.13.10 Packet Filtering System
        2.13.11 PING
        2.13.12 PWIPDRIVER
        2.13.13 RCP
        2.13.14 SCP/SFTP
        2.13.15 SET_INTERFACE
        2.13.16 SMTP
        2.13.17 SOCKET LIBRARY
        2.13.18 SSH
        2.13.19 Telnet
        2.13.20 TRACEROUTE
        2.13.21 UCXDriver
        2.13.22 UCX Library Emulation
        2.13.23 XDM Server

CHAPTER 3 DOCUMENTATION UPDATES
    3.1 MULTINET V5.4
    3.2 CORRECTIONS TO THE MULTINET V5.4 DOCUMENTATION

CHAPTER 4 KNOWN BUGS/ISSUES
    4.1 NFSV3
    4.2 DNSSEC
    4.3 R_SERVICES

TABLES
    1-1 Typographical Conventions
    1-2 System Information

_______________________________________________________
1 Introduction

These Release Notes describe the changes and enhancements made to the MultiNet product in version 5.4. This chapter describes conventions used in the MultiNet documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in the MultiNet V5.4 MultiNet Consolidated Distribution, refer to Chapter 2 of these Release Notes.

o For information about changes to the documentation set, refer to Chapter 3 of these Release Notes.

__________________________________________________________
1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

Table 1-1 Typographical Conventions

Convention        Example        Meaning
----------------  -------------  ------------------------------------------
Angle brackets                   Represents a key on your keyboard.

Angle brackets                   Indicates that you hold down the key
with a slash                     labeled or while simultaneously pressing
                                 another key; in this example, the A key.

Square brackets   [FULL]         Indicates optional choices; you can enter
                                 none of the choices, or as many as you
                                 like. When shown as part of an example,
                                 square brackets are actual characters you
                                 should type.

Underscore or     file_name or   Between words in commands, indicates the
hyphen            file-name      item is a single element.

__________________________________________________________
1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained MultiNet from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)
o Calling Technical Support (Section 1.2.3)
o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

_____________________________
1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1 Verify that your Maintenance Service Agreement is current.

2 Read the online Release Notes completely.

3 Have the following information available:

  o Your name
  o Your company name
  o Your email address
  o Your voice and fax telephone numbers
  o Your Maintenance Contract Number
  o OpenVMS architecture
  o OpenVMS version
  o MultiNet layered products and versions

4 Have complete information about your configuration, error messages that appeared, and problem specifics.

5 Be prepared to let a development engineer connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, MultiNet version, and layered products with the MULTINET SHOW /LICENSE command. Execute the following command on a fully loaded system and email the output to support@process.com:

    $ MULTINET SHOW /LICENSE
    Process Software MultiNet V5.4 Rev A, VAXstation 4000-90, OpenVMS VAX V7.1

In this example:

o The machine or system architecture is VAX.
o The OpenVMS version is V7.1.
o The MultiNet version is V5.4.

Use the following table as a template to record the relevant information about your system:

Table 1-2 System Information

Required Information                    Your System Information
--------------------------------------  -----------------------
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture                     VAX or Alpha
OpenVMS version
MultiNet version

Please provide information about installed MultiNet applications and patch kits by sending a copy of the MULTINET:MULTINET_VERSION.; file.

_____________________________
1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical Support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

_____________________________
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist.

Be prepared to discuss problem specifics with your Technical Support Specialist and to let that person connect to your system.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see the Section on Sending Electronic Mail).

_____________________________
1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

__________________________________________________________
1.3 Obtaining Online Help

Extensive information about MultiNet is provided in the MultiNet help library.
For more information, enter the following command:

    $ HELP MULTINET

__________________________________________________________
1.4 MultiNet Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about MultiNet from the Process Software MultiNet home page located at http://www.process.com/techsupport/multinet_faqs.html.

__________________________________________________________
1.5 Accessing the MultiNet Public Mailing List

Process Software maintains two public mailing lists for MultiNet customers:

o Info-MultiNet@process.com
o MultiNet-Announce@process.com

The Info-MultiNet@process.com mailing list is a forum for discussion among MultiNet system managers and programmers. Questions and problems regarding MultiNet can be posted for a response by any of the subscribers. To subscribe to Info-MultiNet, send a mail message with the word SUBSCRIBE in the body to Info-MultiNet-request@process.com.

The information exchanged over Info-MultiNet is also available via the USENET newsgroup vmsnet.networks.tcp-ip.multinet.

You can retrieve the Info-MultiNet archives by anonymous FTP to ftp.multinet.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-MULTINET].

The MultiNet-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to MultiNet (patch releases, product releases, etc.). To subscribe to MultiNet-Announce, send a mail message with the word SUBSCRIBE in the body to MultiNet-Announce-request@process.com.

__________________________________________________________
1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site, which you can access with any World Wide Web browser; the URL is http://www.process.com (select MultiNet) or use the URL http://www.process.com/techsupport/multinet.html

__________________________________________________________
1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.multinet.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

    $ MULTINET FTP/USERNAME=ANONYMOUS/PASSWORD="emailaddress" -
    _$ FTP.MULTINET.PROCESS.COM

A message welcoming you to the Process Software FTP directory appears next, followed by the FTP prompt. Enter the following at the FTP prompt:

    FTP.MULTINET.PROCESS.COM>CD [.PATCHES.MULTINETxxx]
    FTP.MULTINET.PROCESS.COM>GET update_filename

In these commands:

o emailaddress is your email address in the standard user@host format
o xxx is the version of MultiNet you want to transfer
o update_filename is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o If you use the GET command to download the file from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.

o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX, Alpha, and IA64 for decompressing ZIP archives in the [PATCHES] directory. To use ZIP format kits, you need a copy of the UNZIP utility.

The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

    $ UNZIP := $SYS$DISK:[]UNZIP.EXE
    $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your MultiNet system with the software patch.

__________________________________________________________
1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate.

You can send your comments by email to techpubs@process.com or mail them to:

    Process Software
    959 Concord Street
    Framingham, MA 01701-4682
    Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

__________________________________________________________
1.9 CD-ROM Contents

The directory structure on the CD is as follows:

    [MULTINET054]       MultiNet Kit for VAX and Alpha systems
    [MULTINET_I64054]   MultiNet Kit for Integrity Systems
    [Documentation]     PDF format (.pdf)
    Release Notes
    [BIND9-DOC]
    [VAX55-DECC-RTL]

_____________________________
1.9.1 Online Documentation

The MultiNet documentation set is available on the product CD in PDF format.
The Release Notes are available on the product CD in text format.

_____________________________
1.9.1.1 PDF Format

The MultiNet documentation set has the following PDF files:

o MULTINET_ADMIN_GUIDE.PDF (Installation and Administrator's Guide)
o MULTINET_ADMIN_REFERENCE.PDF (Administrator's Reference Guide)
o MULTINET_MESSAGES.PDF (Messages, Logicals, & DECnet Apps)
o MULTINET_PROGRAMMERS_REFERENCE.PDF (Programmer's Reference)
o MULTINET_USER_GUIDE.PDF (User's Guide)

The PDF format is readable from a PC, a VAX, or an Alpha system.

o Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.

PCs running the Windows or NT operating system cannot read Process Software's CD. You cannot load files from the MultiNet CD directly to a PC. Load them to your OpenVMS system, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

    C:> ftp node
    ftp> binary
    ftp> mget cd:*.pdf

__________________________________________________________
1.10 Note Concerning Kerberos V5

MultiNet now supports Kerberos V5 for SSH and Telnet (Alpha and Integrity only). Kerberos V5 requires Kerberos for HP OpenVMS. VMS V8 systems are distributed with Kerberos V5, and pre-V8 systems (OpenVMS VAX V7.3 and OpenVMS AXP v7.2-3, 7.3-*) can download Kerberos V5 from the HP website. The Kerberos V5 applications can also run with any Kerberos V5 compliant Key Distribution Center (KDC) software.

__________________________________________________________
1.11 Note Concerning MultiWare

If you want to continue to use MultiWare with MultiNet, do not install MultiNet V5.4 on your system. MultiWare and all MultiWare-related applications, including management/configuration functionality, have been removed.
MultiWare was desupported by TGV prior to 1997.

__________________________________________________________
1.12 Note Concerning SSH

You must install the DEC C 6.0 backport library on all OpenVMS VAX v5.5-2 and v6.0 systems prior to using SSH. This is the AACRT060.A file. You can find the ECO on the MultiNet CD in the following directory: VAX55_DECC_RTL.DIR.

__________________________________________________________
1.13 Note: Concerning SSH Sessions

Each active SSH session uses two (2) channels. Please adjust the CHANNELCNT parameter to account for this usage.

_______________________________________________________
2 Changes, Fixes, and Enhancements

This chapter describes the changes and enhancements made for MultiNet V5.4.

__________________________________________________________
2.1 MultiNet V5.4 Installation Note

MultiNet V5.4 installations may only be performed from a random-access device (e.g., disk or CD-ROM). If the MultiNet V5.4 installation is attempted from a sequential-access device (e.g., magtape or TKxx cartridge), the installation will fail. If the distribution savesets have been copied to a sequential-access device (for transporting them, for example), they must be copied to a disk for installation.

On VMS V8.4, the following logical definition will prevent VMSINSTAL from attempting to validate the kit and prompting as to whether or not installation should proceed even though the kit is not signed:

    $ define/job VMI$VALIDATE_KIT NO

__________________________________________________________
2.2 Using MultiNet for an OpenVMS Cluster Interconnect

MultiNet V5.4 can be used to provide transport services for an OpenVMS IP cluster on Integrity systems running VMS V8.4. Before using this feature, familiarize yourself with the section on Cluster over IP in the OpenVMS Guidelines for Cluster Configurations manual. Complete directions can be found in Chapter 34 of the MultiNet Installation & Administrator's Guide.
To set up MultiNet to be used with the IP cluster, follow the steps below:

1 Configure TCP/IP Services with the same set of interfaces and default routes as MultiNet will use. Though this is an inconvenience, the OpenVMS cluster configuration command procedure that HP provides requires TCP/IP Services for configuration.

  o SYS$SYSROOT:[SYSEXE]TCPIP$CLUSTER.DAT
  o SYS$SYSTEM:PE$IP_CONFIG.DAT

2 Execute MULTINET:SET_MULTINET_IP_CLUSTER.COM with the parameter INITIAL to enter the MultiNet files in the correct directories for VMS to find at boot time.

3 Use SYSGEN to set the system parameter NISCS_USE_UDP to 1.

4 Reboot the system so that MultiNet will be used for IP Cluster communication. After the reboot is complete, use the standard MultiNet startup procedure to finish starting MultiNet.

_____________________________
2.2.1 Troubleshooting

The following set of commands will verify that the MultiNet configuration and the IP cluster configuration agree. Any differences encountered will be displayed.

    $ MultiNet Configure/Network
    MultiNet Network Configuration Utility T5.4(109)
    [Reading in configuration from MULTINET:NETWORK_DEVICES.CONFIGURATION]
    NET-CONFIG>check

If the MultiNet "KRNNOTFOUND failed to locate MultiNet kernel" message is displayed while attempting to start MultiNet and the BG device exists, then the most likely problem is that TCP/IP Services is being used instead of MultiNet. Use the MULTINET:SET_MULTINET_IP_CLUSTER.COM procedure to make sure that the MultiNet files are in the correct places.

__________________________________________________________
2.3 FTP Updates

o Improved security for FTPS.

__________________________________________________________
2.4 Intrusion Prevention Subsystem (IPS)

o Improved packet filtering for systems with multiple interfaces: the filters for the interface that the packet is destined for are now checked as well as the filters on the interface that the packet is received on. This makes filtering and IPS work as expected when the MultiNet system is functioning as a firewall and both the inside and outside interfaces are reachable from the outside.

A new qualifier, /CLEAR_FILTERS, has been added to the MULTINET SET /IPS command. It can be used standalone or with /START and /RESTART:

    $ multinet set /ips/start/clear_filters
    $ multinet set /ips/restart/clear_filters
    $ multinet set /ips/clear_filters

When /CLEAR_FILTERS is specified, the FILTER_SERVER process will retrieve all filters for all interfaces it knows about, remove all filters with the FLTSVR flag bit set on them from the list of filters, then reset the remaining filters back on the interface.

__________________________________________________________
2.5 Kernel Modifications

o PD interfaces no longer support IPv6, as use of IPv6 on PD interfaces can cause problems with IPv6 duplicate address detection. SE interfaces can support multiple addresses, so there is no loss of functionality.

o Improvements based upon draft-ietf-tcpm-tcpsecure-00.txt to reduce vulnerabilities. [DE 10914]

o Changed the ephemeral port obfuscation algorithm such that a random increment is chosen instead of a random port. This lengthens the time until a port number is chosen again and reduces problems that FTP may have with MPUT and MGET. [DE 10916]

o Improvements to path MTU support when there is an existing path MTU route.

o Reduced contention on the QUEUEAST spinlock for VMS V8 (AXP and ia64).

o Limited how long MultiNet's main loop holds the primary MultiNet spinlock before releasing it, to prevent spinwait timeouts. Also reduced contention for IOLOCK8 on VMS V8. [DE 10928]

o The following MultiNet parameters have been increased to match the values in TCP/IP Services: TCP_SENDSPACE, TCP_RECVSPACE, UDP_SENDSPACE, UDP_RECVSPACE.

o Multiple IPv6 addresses can be configured for SE interfaces by using the /PREFIX and /IP6_SUBNET_MASK qualifiers.

o On VMS V8, the MultiNet kernel variable SPLNET_AFFINITY_MASK will allow a preferred CPU to be specified for MultiNet interrupt processing. The lowest bit set in the mask is the preferred CPU. If the preferred CPU is not present in the active set, then the mask is reset to -1 (the default value).

__________________________________________________________
2.6 Master Server

__________________________________________________________
2.7 Named

o Upgraded to version 9.6.1 of the BIND 9 codebase, the most recent ISC release. [DE 10883]

o BIND 9.6.1 has a number of new features over previous versions, including, but not limited to:

  o Full NSEC3 support
  o Automatic zone re-signing
  o New update-policy methods tcp-self and 6to4-self
  o Improved statistics reporting

o Added support for MULTINET NSUPDATE command line parsing. [DE 10547]

o Added functionality to specify a specific operator class for OPCOM messages. Using the logical MULTINET_NAMED_OPCOM_TARGET, a system administrator can define a value from OPER1 through OPER12. For example, to direct the OPCOM messages to OPER8, use the following command [DE 10409]:

    $ DEFINE/SYSTEM/EXEC MULTINET_NAMED_OPCOM_TARGET "OPER8"

  To then see the OPCOM messages:

    $ REPLY/ENABLE=OPER8

  The default or undefined value is the NETWORK class.

o To run any of the support tools, define symbols, for example:

    $ nsupdate :== $multinet:nsupdate.exe
    $ rndc :== $multinet:rndc.exe
    $ rndcconfgen :== $multinet:rndc-confgen.exe

__________________________________________________________
2.8 NTP Server

o NTPD has been enhanced to update the VMS Time Differential Factor (TDF) cell when the time is updated.
o The logical DTSS$TIMEZONE_DIFFERENTIAL and the file SYS$TIMEZONE.DAT are now updated when set_vms_logicals is included in the configuration.

o The option "tinker step 0" (which forces slewing instead of stepping) now nullifies the daily setting of time of day that set_clock_daily will cause. [DE 11187]

__________________________________________________________
2.9 Advanced Packet Filtering

o Added an interface to the MultiNet Intrusion Prevention System (IPS) to allow it to handle common link interfaces better. This involves two modifications to MULTINET_SET_INTERFACE:

  1 When a SET INTERFACE/UP or SET INTERFACE/COMMON_LINK command is done, a message is sent to the IPS FILTER_SERVER process so that it may adjust its internal databases accordingly.

  2 When performing a SET INTERFACE/[NO]FILTER or SHOW INTERFACE/FILTER command on an interface that's part of a common link set, the filters are set, cleared or displayed for all interfaces in the common link set.

  This change of behavior is due to the concept that all interfaces in a common link set are always treated equally in terms of filters; when a filter is set or cleared on one member of a common link set, it's applied equally to all members of the common link set.

  Note: The behavior instituted in item 2 above may be restored to the previous behavior by defining the logical name MULTINET_OLD_STYLE_FILTERS with the /SYSTEM qualifier.

o The following logical names have been added to help tune the IPS FILTER_SERVER process (these must be defined using the /SYSTEM qualifier):

  o MULTINET_FILTER_SERVER_MBX_MSGS

    This defines the number of event messages that can exist in the FILTER_SERVER mailbox at any time. The default is 400. If the mailbox becomes full, additional messages will simply be lost. Note that if the size of the mailbox is changed, the existing mailbox must first be deleted by running MULTINET:DELMBX.EXE and following the instructions it displays.

   o MULTINET_FILTER_SERVER_QUOTA_CHECK

     If defined (the value is ignored), the FILTER_SERVER process will check for remaining TQELM and ASTLM quotas. If these quotas are within 10% of being exhausted, a warning message will be sent to OPCOM. If these quotas become exhausted, the FILTER_SERVER process will likely enter MUTEX state and hang.

   o MULTINET_FILTER_SERVER_QUOTA_CHECK_TIME

     Defines the frequency, in seconds, between quota checks. The default is 15 minutes (900 seconds).

   o MULTINET_FILTER_SERVER_TQELM

     Defines the size of the TQELM quota with which the FILTER_SERVER process will be created. Default is 500.

   o MULTINET_FILTER_SERVER_ASTLM

     Defines the size of the ASTLM quota with which the FILTER_SERVER process will be created. Default is 500.

   The values for TQELM and ASTLM must be set and adjusted according to anticipated and measured traffic. When choosing values for TQELM, a good rule of thumb is to allocate TQELM as follows:

   o 1 for automated hourly reporting

   o 1 for automated 24-hour maintenance

   o 1 for automated quota checking

   o 1 for each source address per rule per component for which an event has been received. These timers are used to clean up internal address structures after 24 hours of inactivity from the address.

   o 1 for each non-empty event queue per source address per rule per component. These timers are used to delete aged events from the event queue.

   ASTLM tends to be used at a slightly higher rate than TQELM, so plan accordingly.

__________________________________________________________
2.10 Racoon2

o AXP and Integrity system support for RACOON2. Provides the Racoon2 IPSec Key Exchange utility.

__________________________________________________________
2.11 SCP2 Updates

o A new qualifier /RECORD has been added. /RECORD opens the source file in VMS record mode. This is equivalent to using record mode transfers in SFTP2.
The file is transferred as a stream of records with no carriage control added between them. [DE 11121]

__________________________________________________________
2.12 SSH Updates

o In versions of MultiNet prior to V5.4, the return status codes from the SSH clients SSH2, SSH-ADD2, SSH-CMPCLIENT, SSH-CERTTOOL, SSH-CERTVIEW and SSH-KEYGEN2 were based on UNIX-style status codes, causing problems for many VMS users. Beginning with MultiNet V5.4, a logical name may be defined that will cause the SSH clients listed above to use VMS-style return codes. If the logical name isn't defined, the old-style codes will still be used by default. Refer to table 6-1 in the MultiNet for OpenVMS Messages, Logicals and DECnet Applications manual for a description of the new status codes.

  To enable the new status codes instead of using the pre-MultiNet V5.4 codes, the logical name MULTINET_SSH_NEW_STATUS_CODES must be defined system-wide.

o Changed the identification string sent by the client and server to be "Process Software SSH". This change will prevent erroneous alerts from security scanner software when the scanner previously encountered the string "ReflectionForSecureIT" in the identity string.

o Updated the SSH version from 6.1.4.0 to 6.1.5.0.

o New parameters have been added for the SSH service, and can be set using CONFIGURE/SERVER:

   o disable-ipv4 - when set, SSHD MASTER will not listen on an IPV4 socket.

   o disable-ipv6 - when set, SSHD MASTER will not listen on an IPV6 socket.

o RFC 4255, "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints", has been implemented in the SSH2 client. This provides the ability to look up host key fingerprints stored as SSHFP records in a DNS RRSET using DNSSEC. This provides additional protection against man-in-the-middle host key spoofing attacks. The /DNS_DIGEST option has been added to SSH-KEYGEN2 for RFC 4255 support.
This option causes SSH-KEYGEN2 to calculate and print the digest of the local SSH host key in a format that allows it to be added to the local MultiNet hosts file.

o The system-wide logical name MULTINET_SSH_CMD_FILE_DIR may be used to determine where the SSH2 server will create the temporary command procedures it creates to execute remote commands. If this logical is not defined, the default behavior remains to create the command procedures in the user's [.SSH2] directory.

o The SSH2 client now accepts the /IDKEY=(key1, key2, ..., keyn) qualifier. If this qualifier is specified, the contents of the [.SSH2]IDENTIFICATION file are ignored. If the switch is not specified, then [.SSH2]IDENTIFICATION is used. [DE 11146]

o Fix a problem where a CTRL_SSHLEI.DMP file is created when performing a MU NETCONTROL SSH MASTER_RESTART command. [DE 11183]

__________________________________________________________
2.13 Fixed Problems

_____________________________
2.13.1 FTP

o Improve security for FTPS.

o Modify the display of file names in Unix mode so that FireFox can parse it correctly.

o Correct errors in building VAX MULTINET_LIBCRYPTO and MULTINET_LIBSSL images.

o Correctly handle zero length reads for SSL channels so that they close without error. [DE 11062]

o Add ability to handle certificates that contain ASN.1 data to the FTP client certificate verification processing. [DE 11050]

o Correct a potential ACCVIO upon end of data transfer, and some errors in state keeping relative to FTPS. [DE 11050]

o Correct an error in the VAX FTP.EXE and FTP_SERVER.EXE images that can result in an error while transferring files. [DE 10994]

o Correct a problem with the FTP_SERVER properly acting upon a USER command. [DE 10927]

o Correct a problem with a stale status value that can cause a take file to be aborted after a successful connection to a remote node with more than one address.
[DE 10896]

o Correct an error that can lead to file transfers in VMS mode being terminated before they are complete. [DE 10880]

_____________________________
2.13.2 GATED

o Add ET (DEBNA, DEBNT, DEBNK) as a recognized device. [DE 10910]

_____________________________
2.13.3 Intrusion Prevention Subsystem (IPS)

o When an error occurs that causes the FILTER_SERVER process to exit, make sure more meaningful messages are written to both the log file and to OPCOM. [DE 11088]

o Correct a possible channel leak. [DE 10857]

_____________________________
2.13.4 Kernel

o For Alpha and Itanium systems, the following ESP (IPSEC) algorithms have been added: rijndael-cbc, aes-ctr.

o For Alpha and Itanium systems, the following AH (IPSEC) algorithms have been added: hmac-sha2-256, hmac-sha2-384, hmac-sha2-512, hmac-ripemd160, aes-xcbc-mac.

o Racoon2 support: Correct an error in ESP code that is included in the kernel; IPSec support for the STF (6to4) interface; Correct some potential crashes in IPSec code.

o When the only remaining packet filter on an interface is a PERMIT ALL filter, delete the filter to improve performance by not performing unnecessary packet filtering.

o Correct some errors in ICMP redirect processing.

o Correct a problem where port obfuscation can result in the previous port being reused.

o Change how MultiNet waits for its spinlock for telnet output. This change is designed to remove contention by creating a new work list item for processing.

o Correct a potential crash due to insufficient interlocking. [DE 11043]

o Correct a potential crash due to a null pointer. [DE 11042]

o Don't allow port obfuscation to generate port numbers below ephemeral min. [DE 11010]

o Send IP packet identification in correct order for UDP unknown port ICMP message. [DE 11006]

o Correct an error in processing IPv6 connect requests; this allows WEBM to run.
[DE 10999]

o Add the kernel variable USE_PORT_OBFUSCATION which can be set to 0 (zero) to disable the port obfuscation code for ephemeral ports. Some applications have significant problems with ephemeral port obfuscation. [DE 10968]

o Correct a memory leak that occurs when routes created after receiving an ICMP redirect time out while the reference count is non-zero. [DE 10938]

o Correct an error path in failure to allocate memory that can cause a system crash. [DE 10876]

o Correct an error in reporting which kinds of activity are present on channels from select calls. [DE 10869]

o Change how Cluster IP addresses are added to the ARP table so they can be more easily deleted when the system releases the address. [DE 10849]

o Correct a data structure initialization error that can cause a system crash. [DE 10848]

o Correct an error in IPv6 packet processing that can cause a system crash. [DE 10843]

o Improve handling of program keep alive options to more closely match TCP/IP services. [DE 10837]

_____________________________
2.13.5 Master Server

o Correct a patch build problem on Integrity systems, which had an older module for TELNET processing that could cause an ACCVIO when the family was changed to AF_INET.

o Correct a problem with the TFTP server reporting the wrong block number when the block number is greater than 32767. [DE 11078]

o Correct a problem with not applying KEEPALIVE options to services that are running as AF_INET6 services. With this change services that are AF_INET or AF_INET6 will receive the KEEPALIVE option if it is defined for the service. [DE 11060]

o Correct a memory leak in TELNET processing. [DE 10961]

o Correct an error in logging filter server events from Telnet when Telnet is using AF_INET for the socket family that can cause the MultiNet master server to ACCVIO.
[DE 10909]

o On VAX and Integrity systems, the settings for the LOG-ACCEPTS, LOG-REJECTS and LOG-FILE parameters for SSH aren't preserved. [DE 10629]

_____________________________
2.13.6 Named

o Corrects a linker problem with the Itanium NAMED image which caused the image to crash when the Cluster Service functionality was configured. [D/E 11009]

o Corrects problem when using RNDC from a remote host to control a MultiNet NAMED server. [D/E 10983]

o Incorporated BIND 9.6.1-P3 updates, which is a SECURITY PATCH for BIND 9.6.1. It addresses two potential cache poisoning vulnerabilities, both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid. [D/E 10981]

o Addresses performance issues for NAMED server on VAX. [DE 10946]

o When validating with DNSSEC, track whether pending data was from the additional section or not and only return it if it validates as secure (CVE-2009-4022). [D/E 10945]

o Added support for SPF and IPSEC RR data types. [D/E 10931]

o Corrects problem when receiving queries over IPv6 network connections. [DE 10917]

o Corrects intermittent fatal error in supporting socket library. [DE 10902]

o Implemented ISC security fix to protect against DoS attacks with dynamic updates. [DE 10893]

o Added support for MULTINET NSUPDATE command line parsing. [D/E 10547]

_____________________________
2.13.7 NFS_CLIENT

o Crashing while dismounting an NFS device that previously had a logical name assigned has been fixed. [DE 10840, 7731]

o Attempting to mount an export using a uid/gid pair that isn't the same in the server configuration could cause a crash or leave the NFS device stranded in an online state, but unable to be dismounted. [DE 11055]

o Inconsistent fdl file mapping in the nfs client cache could cause the client to corrupt file copies.
Evidence of this bug occurring is noticed when seeing an inconsistent file attributes status upon copying a file. [DE 11054]

_____________________________
2.13.8 NOTDRIVER

o Change to putting the KTB into RWAST while waiting for name resolution. [DE 11081]

o Change a field size to match what is used in CTDRIVER so that buffer size calculations are correct. This problem only existed on VMS V8. [DE 10631]

_____________________________
2.13.9 NTP

o Correct a potential denial of service attack. [DE 10921]

o NTPQ and NTPDC now try each of the answers returned by getaddrinfo until they successfully establish a connection or run out of answers. [DE 10836]

_____________________________
2.13.10 Packet Filtering System

o When parsing a filter file using MULTINET SET /INTERFACE/FILTER, addresses of 0.0.0.0 are not always parsed correctly. Examples of such addresses would be 0.0.0.0/0 and 0.0.0.0/32. [DE 10939]

o Errors in parsing exclude addresses have been corrected. [DE 10903]

o When using common link interfaces, filters were not set properly on all interfaces in the common link set.

o When parsing the FILTER_SEVER_CONFIG.DAT file, the following errors are encountered, then the FILTER_SERVER process exits, if SNMP reporting isn't enabled in the configuration file:

     No enterprise string specified for SNMP logging
     No specific trap ID specified for SNMP logging
     No generic trap ID specified for SNMP logging

  [DE 10887]

o The following message may have been encountered when performing a SET IPS/RESTART command, although the command does complete successfully:

     Error fetching JPI info, %SYSTEM-F-SUSPENDED, process is suspended

  [DE 10888]

o When running in an environment where a large number of events are generated (for example, an email server), the processes that are reporting events may hang in RWMBX state, and the FILTER_SERVER process may enter MUTEX state and hang.
[DE 10892]

_____________________________
2.13.11 PING

o The MULTINET PING and MULTINET PING6 commands have been combined into a single command (MULTINET PING). The qualifier /IPV6 is needed for the trace to take place on IPv6.

_____________________________
2.13.12 PWIPDRIVER

o Restore rate limiting code which is necessary to prevent pool consumption on a slow system when copying a file from a fast system. Correct problem in rate limiting code that caused it to perform erratically. [DE 10868]

  The new PWIPDRIVER image has an adjustable memory-limit setting to be used on machines that exhibit problems. This limit is adjusted via the MultiNet kernel variable PWIP_IO_LIMIT. It is adjusted as follows:

     $ multinet set/kernel pwip_io_limit (new-value)

  The new-value is the number of non-paged pool packets that may be outstanding at any one time to store data that have not yet been written to disk. Using too low a value will artificially constrain all but the slowest systems, and too high a value may result in the reappearance of the original problems. In testing, each packet held an average of about 1400 bytes, but this value can vary substantially. You may use the 1400 bytes per packet as a rough initial guideline. This value remains in place until the next reboot of the system.

  HOW TO CHOOSE A TUNING VALUE:

  The proper value is one that keeps data coming into non-paged pool just fast enough to stay ahead of your disk subsystem, which is a highly variable number in different configurations. In practice, you can arrive at the proper number by making incremental increases until you no longer see a performance improvement (and also see no recurrence of previous problems, or symptoms of impending problems, such as unreasonable non-paged pool expansions). By default, there is no limit (PWIP_IO_LIMIT defaults to zero, which means no limit).
  Should you need to make adjustments due to experiencing undesirable symptoms, Process Software suggests you start with a value of 200, then make minor adjustments as necessary.

  NOTE: Setting PWIP_IO_LIMIT will not survive a reboot. It is recommended that this be done early in the MultiNet startup; MULTINET:LOCAL_ROUTES.COM would be a good location to place the command.

  HOW TO CHECK FOR NON-PAGED POOL EXPANSIONS:

  When OpenVMS boots, non-paged pool is set to an initial size indicated by the SYSGEN parameter NPAGEDYN. If, during the time the system stays up, this initial allocation is reached (even for a short time), the size may be expanded, eventually reaching the size indicated by the SYSGEN parameter NPAGEVIR, the maximum size.

  On the running system, use the command SHOW MEMORY and look for the line marked "Nonpaged Dynamic Memory" under the heading "Total". You may also use the SDA command SHOW POOL/SUMMARY and examine the last line of output. You may wish to do this at various times to learn if and when non-paged pool expands on your system. If the "total" size of non-paged pool increases beyond NPAGEDYN, one or more expansions have occurred.

  To examine NPAGEDYN and NPAGEVIR, use the following SYSGEN commands:

     $ RUN SYS$SYSTEM:SYSGEN     (requires privileges)
     SYSGEN> USE CURRENT
     SYSGEN> SHOW NPAGEDYN
     SYSGEN> SHOW NPAGEVIR
     SYSGEN> EXIT
     $

  Look for the column marked "Current".

o Correct an error that can cause large copies to hang. [DE 10801]

_____________________________
2.13.13 RCP

o Correct an error that can lead to file transfers in VMS mode being terminated before they are complete. [DE 11073]

_____________________________
2.13.14 SCP/SFTP

o Remove hashing data structures from buffer management data structures to reduce memory utilization. (MultiNet SCP2 & SFTP2 do not support file hashing to check to see if a file is different before transferring.)
[DE 10937]

o Can't SCP2 in batch procedures after MultiNet 5.3 upgrade. [DE 10890]

o Correct some file truncation problems. [DE 11079]

o Change SCP2 and SFTP2 to open destination files for write only instead of read/write to provide interoperability with more implementations.

o Restore SFTP2 & SCP2 password prompt to include a space after the colon as it had in previous versions. [DE 11065]

o Correct a possible ACCVIO on SFTP [M]PUT commands. [DE 11048/DE 11066]

o Correct problems with incomplete transfers in SFTP record mode. [DE 11044]

o The SSH_LOG:SSHD.LOG file has an extra character at the end of each line, which could make it difficult to parse programmatically. This has been changed such that if the system-wide logical name MULTINET_SSH2_SERVER_DEBUG_NOCR is defined (the value doesn't matter), the trailing character will not appear on debug log lines. [DE 11103]

o Correct problems with specifying a version number on a source file and getting the file appropriately transferred to the remote system. [DE 9852/10242]

o Errors from attempting to close a file that is already closed are now ignored. Don't make call to set file characteristics when there are no characteristics to be set. [DE 10829]

o Improvements to FXP_REALPATH processing. [DE 10832]

_____________________________
2.13.15 SET_INTERFACE

o When attempting to set filters on an interface, the status SS$_INSFMEM could be returned. This is a serious status, and indicates overly-fragmented non-paged pool, meaning no new filters can be set on the interface. The severity of this was not clear to users, and will now be made more clear.

o When attempting to set filters on an interface, the status SS$_MBFULL could be returned. This is a serious status, and indicates the FILTER_SERVER process for IPS has possibly crashed, leaving the system at least partially unprotected. The severity of this was not clear to users, and will now be made more clear.
_____________________________
2.13.16 SMTP

o Correct a channel leak on VAX. [DE 11022]

o Correct a possible infinite loop. [DE 10855]

o Correct a possible channel leak.

_____________________________
2.13.17 SOCKET LIBRARY

o Correct problem with resolver waiting 2 minutes before retrying sends to resolve a nameserver. [DE 11051]

o Additional checking in routines that read MultiNet kernel memory to prevent possible crashes. Add code to ia64 to check through the loader image descriptors. [DE 11001]

_____________________________
2.13.18 SSH

o Corrected SSHD MASTER access violation after many sessions. [DE 11127]

o Optimized user information lookups on systems with large UAF and RIGHTSLIST files. [DE 11122]

o On Integrity systems only, SSHLEI.EXE has been moved from SYS$LOADABLE_IMAGES to the MULTINET_COMMON_ROOT:[MULTINET] directory. This fixes problems caused by the incorrect version of SSHLEI.EXE existing in SYS$LOADABLE_IMAGES. [DE 11021]

o An assertion in SSHADT in the SSHD2 server could fail, causing the server to abort. [DE 10967]

o SSH OPCOM session accept and session reject messages would sometimes display garbage at the end of the message. [DE 10629]

o Corrected an ACCVIO when public key authentication fails in batch mode. [DE 10675]

o When using the VMS Authentication Module and LDAP for authentication, the LDAP_ALLOW_NULL_PASSSWORD flag isn't honored properly.

o Problems with DCL passing arguments to SSH on Integrity systems when using /PARSE_STYLE=EXTENDED. [DE 11002]

o When connecting to an Integrity management processor, the key guess is incorrect. [DE 10979]

o The number of connection attempts and the timeout for each attempt for the client needs to be configurable. The following configuration keywords in SSH2_DIR:SSH2_CONFIG have been added:

   o ConnectionTimeout (default zero seconds)

   o ConnectionAttempts (default 5)

  [DE 9175]

o DSA host keys can't be generated.
[DE 10972]

o On VAX, $ MULT SSHKEYGEN/SSH2 will produce the error:

     Error: Algorithm or key not supported

  [DE 11015]

o The user group in the UAF isn't used when doing group comparisons (e.g., AllowGroups or DenyGroups). [DE 10958]

o A scenario wherein [.ssh2] directories in user accounts may be created with incorrect protection masks has been corrected. [DE 11156]

_____________________________
2.13.19 Telnet

o Try all addresses returned by getaddrinfo so that an IPv4 connection is established when there is no IPv6 path to a host that has both IPv6 and IPv4 addresses. [DE 10862]

_____________________________
2.13.20 TRACEROUTE

o The MULTINET TRACEROUTE and MULTINET TRACEROUTE6 commands have been combined into a single command (MULTINET TRACEROUTE). The qualifier /IPV6 is needed for the trace to take place on IPv6.

_____________________________
2.13.21 UCXDriver

o Correct a problem with using Java to set up multicast sockets.

o Mark BG0 as mounted to support WEBM. [DE 10999]

_____________________________
2.13.22 UCX Library Emulation

o Correct problems with getaddrinfo honoring AI_V4MAPPED flag. [DE 10936]

o Added the logical MULTINET_SKIP_IPV6_LOOKUP which can be defined to True/Yes/1 to cause getaddrinfo to not attempt to look up the name as an IPv6 (AAAA) name. [DE 10828]

o The logical MULTINET_SOCKET_TRACE may be defined to get debugging output on the status of various operations. The logical is a bit mask with the following values:

     1 - control operations
     2 - read operations
     4 - write operations

o Add timestamps to the trace information provided when the logical MULTINET_SOCKET_TRACE is defined.

o Remove looping for sends greater than 65535 bytes for VMS V8 (Alpha and Integrity) that was introduced in UCX_LIBRARY_EMULATION-040_A052. Support for these large sends is now part of the MultiNet kernel. For MultiNet V5.2 use KERNEL-UPDATE-070_A052.
[DE 10619, 10662]

o Correct errors introduced in UCX_LIBRARY_EMULATION-060_A052 for VMS V8 Alpha and Integrity systems. [DE 10647]

o Correct errors introduced in UCX_LIBRARY_EMULATION-040_A052 for VMS V7 and VMS V8 Alpha and VMS V8 Integrity systems. [DE 10619]

o Modifications to support using send on TCP sockets with a length greater than 65535. [DE 10619]

o Correct errors in the implementation of GETNAMEINFO. [DE 10740]

_____________________________
2.13.23 XDM Server

o Fixes intermittent crash of XDM Server. [DE 10405]

_______________________________________________________
3 Documentation Updates

This chapter contains a summary of changes to the documentation for MultiNet V5.4.

__________________________________________________________
3.1 MultiNet V5.4

o Changed the MultiNet version number to read V5.4.

o Appendix B was added to the Installation & Administrator's Guide to detail the DNSSEC functionality included with the Bind 9 component.

o A chapter was added to the Installation & Administrator's Guide for the new NFSv3 service. Please refer to this chapter for details on how to get the NFSv3 service up and running.

__________________________________________________________
3.2 Corrections to the MultiNet V5.4 documentation

_______________________________________________________
4 Known Bugs/Issues

__________________________________________________________
4.1 NFSv3

The following are known bugs and issues with MultiNet V5.4.

o If NFSv2 makes use of the NFS password file in its configuration, the convert_nfs utility does not convert the NFS password file into the NFSv3 proxy data.

o If NFSv2 makes use of a "-ro" mount restriction, the convert_nfs utility does not convert this into the correct read-only restriction in the NFS export database for the NFSv3 server.

o The NFSv3 server doesn't support the use of rooted logicals in the export database.
If your NFSv2 configuration makes use of a rooted logical as an export, the convert_nfs utility does not translate this logical into a value that is usable in the NFSv3 server.

o Restarting the MultiNet master server from inside of $ multinet configure/server will cause the NFSv3 server to no longer be registered as an RPC program. After restarting the master server in this manner, you must restart NFSv3 to re-register it using

     $ multinet netcontrol nfsv3 restart

o $ multinet show/nfs does not display NFSv3 clients that have an export mounted.

o The NFSv3 server has a couple of performance issues that we are aware of and are working to resolve for the next beta.

__________________________________________________________
4.2 DNSSEC

DNSSEC-KEYGEN on IA64 returns an openssl failure.

     $ dskg :== $multinet:dnssec-keygen
     $ dskg -a RSASHA1 -b 768 -n ZONE child-example
     Generating key pair.
     dnssec-keygen: fatal: failed to generate key child-example/RSASHA1: openssl failure

__________________________________________________________
4.3 R_SERVICES

Starting R_SERVICES will generate the following OPCOMS:

     %%%%%%%%%%% OPCOM 11-FEB-2011 14:45:20.21 %%%%%%%%%%%
     Message from user SYSTEM on XXXXXX
     MultiNet Server: R_SERVICES: still unable to find kernel symbol "$magic" (voo doo!!!)

     %%%%%%%%%%% OPCOM 11-FEB-2011 14:45:20.22 %%%%%%%%%%%
     Message from user SYSTEM on XXXXXX
     MultiNet Server: R_SERVICES: Unable to hand off WSA device to process 43B, vms status = %x134
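
Added example for the RFC 4255 support described in section 2.12 (SSH Updates). This is not MultiNet code: it is an illustrative Python sketch of how an SSHFP fingerprint is derived from a host key blob and how a client can use a DNSSEC-validated SSHFP RRset to catch a spoofed host key. The function names, the three verdict strings and the sample key blobs are constructed for illustration; fingerprint type 2 (SHA-256) comes from the later RFC 6594 and goes beyond what RFC 4255 itself defines.

```python
import hashlib
import hmac
import struct

KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2}            # RFC 4255 algorithm numbers
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}   # 1: RFC 4255, 2: RFC 6594


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (leading zero keeps it positive)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def key_type(blob: bytes) -> str:
    """Return the algorithm name that starts every RFC 4253 public key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + length]
    if len(name) != length:
        raise ValueError("truncated key blob")
    return name.decode("ascii")


def sshfp_rdata(blob: bytes, fp_type: int = 1) -> str:
    """SSHFP RDATA in presentation form: '<algorithm> <fp-type> <hex digest>'."""
    digest = FP_HASHES[fp_type](blob).hexdigest()
    return f"{KEY_ALGS[key_type(blob)]} {fp_type} {digest}"


def parse_sshfp(rdata: str):
    """Split presentation-form RDATA into (algorithm, fp_type, digest bytes)."""
    alg, fp_type, hexdigest = rdata.split(None, 2)
    return int(alg), int(fp_type), bytes.fromhex(hexdigest.replace(" ", ""))


def check_host_key(blob: bytes, records, dnssec_validated: bool) -> str:
    """Compare the key a server offered against the SSHFP RRset for its name.

    'verified'   - a validated record matches the offered key
    'mismatch'   - validated records exist for this key type, none match
    'unverified' - nothing usable; fall back to normal host key checking
    """
    if not dnssec_validated:
        # RFC 4255 section 2.4: unauthenticated SSHFP data must not be trusted.
        return "unverified"
    alg = KEY_ALGS.get(key_type(blob))
    usable = False
    for rdata in records:
        try:
            rec_alg, fp_type, digest = parse_sshfp(rdata)
        except ValueError:
            continue                      # malformed record: ignore it
        if rec_alg != alg or fp_type not in FP_HASHES:
            continue                      # other key type or unknown hash
        usable = True
        if hmac.compare_digest(FP_HASHES[fp_type](blob).digest(), digest):
            return "verified"
    return "mismatch" if usable else "unverified"


# Constructed sample blobs (not usable keys): "ssh-rsa", mpint e, mpint n.
HOST_BLOB = (ssh_string(b"ssh-rsa") + ssh_mpint(65537)
             + ssh_mpint((1 << 1023) | 0x5A5A5A5B))
ROGUE_BLOB = (ssh_string(b"ssh-rsa") + ssh_mpint(65537)
              + ssh_mpint((1 << 1023) | 0x0BADC0DF))

if __name__ == "__main__":
    published = [sshfp_rdata(HOST_BLOB)]
    print("host.example. IN SSHFP", published[0])
    print("genuine key :", check_host_key(HOST_BLOB, published, True))
    print("spoofed key :", check_host_key(ROGUE_BLOB, published, True))
    print("no DNSSEC   :", check_host_key(HOST_BLOB, published, False))
```

The fingerprint is taken over the raw public key blob, so the same blob must be used on the publishing side and on the client side; a "mismatch" verdict is the case the release note refers to as host key spoofing.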