This document provides an overview of the new and changed features in Cisco Prime Network Registrar 11.0, and describes how to access information about the known problems.


Note

You can access the most current Cisco Prime Network Registrar documentation, including these release notes, online at:

https://www.cisco.com/c/en/us/support/cloud-systems-management/prime-network-registrar/tsd-products-support-series-home.html



Introduction

Cisco Prime Network Registrar is comprised of these components:

  • An Authoritative Domain Name System (DNS) protocol service

  • A Caching DNS service

  • A Dynamic Host Configuration Protocol (DHCP) service

Cisco offers these components as individually licensed applications or in a mix of suites.

Before You Begin

Before you install Cisco Prime Network Registrar 11.0, review the system requirements and licensing information available in Cisco Prime Network Registrar 11.0 Installation Guide.


Note

If you are migrating to Cisco Prime Network Registrar 11.0 from an earlier version of Cisco Prime Network Registrar, you must review the release notes for the releases that occurred in between, to fully understand all the changes.


Cisco Prime Network Registrar DHCP, Authoritative DNS, and Caching DNS components are licensed and managed from the Cisco Prime Network Registrar regional server. All services in the local clusters are licensed through the regional cluster. Only a regional install requires a license and only the regional server accepts new licenses. Then the regional server can authorize individual local clusters, based on available licenses.


Note

Licenses for Cisco Prime Network Registrar 10.x or earlier are not valid for Cisco Prime Network Registrar 11.x. You should have a new license for Cisco Prime Network Registrar 11.x. If an 11.x regional has 10.x CDNS clusters, the 10.x CDNS licenses must be added on the regional server (10.x CDNS clusters will use 10.x licenses, 11.x CDNS clusters will use 11.x licenses).



Warning

You MUST upgrade the Cisco Prime Network Registrar 10.x local clusters to 10.1.1 or later before upgrading the regional to 11.x. You should not upgrade the local clusters to 11.0 (or later) directly, as you will not be able to register with the regional until it is upgraded to 11.0 (or later).



Note

Smart Licensing is enabled by default in Cisco Prime Network Registrar 11.0. Cisco Prime Network Registrar 11.x regional, working in Smart License mode, does not support pre-11.0 local clusters. For more details, see the "Using Smart Licensing" section in "Cisco Prime Network Registrar 11.0 Installation Guide".


For more details about Licensing, see the "License Files" section in Cisco Prime Network Registrar 11.0 Installation Guide.

The Cisco Prime Network Registrar 11.0 kit contains the following files and directories:

  • Linux—RHEL/CentOS 7.x and 8.x installation kits

  • Docs—Pointer card, Bugs, and Enhancement List


Note

The OVA, QCOW2, and KVM kits, as well as the Jumpstart appliance, traditionally bundle the CentOS operating system. These are not currently available for Cisco Prime Network Registrar 11.0. When they become available, the Cisco Prime Network Registrar 11.0 documents will be updated.


Licensing

Cisco Prime Network Registrar 11.0 supports both Smart Licensing and traditional licensing. However, it does not support a hybrid model; that is, you can use only one of the license types at a time. For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Cisco Prime Network Registrar 11.0 is licensed in two parts: Permanent License and SIA License. The SIA License entitles upgrades to future releases. If you are on SIA from Cisco Prime Network Registrar 10.x, or on unexpired SWSS contract from Cisco Prime Network Registrar 9.x, you can upgrade until either of those entitlements expire. For PAK-based licensing, you must install the PAK onto the Cisco Prime Network Registrar regional server. For Smart Licensing, the licenses are delivered to your Smart Account. Smart Licensing is enabled by default in Cisco Prime Network Registrar 11.0, but can be overridden after installation. For Cisco Prime Network Registrar 11.0, the licensing is done according to the services that you require. For more information, see the "License Files" section in Cisco Prime Network Registrar 11.0 Installation Guide.


Note

You should not delete any of the individual licenses loaded from the file. If required, you may delete older versions of DNS and DHCP licenses after the upgrade. Older versions of CDNS licenses must be retained if the servers are not upgraded.


Interoperability

Cisco Prime Network Registrar 11.0 uses individual component licenses. This allows users to purchase and install DHCP services, Authoritative DNS services, and Caching DNS services individually, or as a suite.

If you need additional DNS caching licenses, you should order them based on server count, because DNS caching is a server-based license.

To install and manage DHCP, DNS, and Caching DNS licenses, you must establish a regional server. The regional server is used to install, count, and manage licensing for these components.

The synchronization between version 11.0 and pre-11.0 local clusters must be done from an 11.0 regional cluster. Cisco Prime Network Registrar 11.0 protocol servers interoperate with versions 8.3 or later.

What's New in Cisco Prime Network Registrar 11.0

The following table lists the new and modified features we documented in the user and installation guides. For information on additional features and fixes that were committed in Cisco Prime Network Registrar 11.0, see Resolved Bugs and Enhancement Features.

Feature

Description

Docker Container Support

Cisco Prime Network Registrar 11.0 can be run as a Docker container that you can install in your own infrastructure. Two Docker images are provided for Cisco Prime Network Registrar 11.0: a regional container and a local container.

DNS over TLS (DoT) Support (Caching DNS and Authoritative DNS)

DNS queries without encryption are vulnerable to spoofing and other attacks that threaten privacy. To address these issues, Cisco Prime Network Registrar 11.0 supports DNS over TLS (DoT) as specified by RFC 7858. DNS over TLS is a security protocol for encrypting and wrapping DNS queries and answers via the Transport Layer Security (TLS) protocol. It improves privacy and security between clients and resolvers. It uses TCP as the basic connection protocol and layers over TLS encryption and authentication. Cisco Prime Network Registrar 11.0 supports TLS in both Authoritative DNS server and Caching DNS server.
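The transport described above, as an added example that is not Cisco code: a minimal DoT client showing the two-octet length framing that DoT shares with DNS over TCP, and a TLS context that requires certificate and name verification. The server address, authentication name, and CA file passed to dot_query are assumptions supplied by the caller; the sample stream is constructed.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # default DoT port in RFC 7858


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: one question, class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(message):
    """DoT reuses DNS-over-TCP framing: a two-octet length, then the message."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message does not fit in one frame")
    return struct.pack("!H", len(message)) + message


def unframe(stream):
    """Return (complete messages, unconsumed tail) from received bytes."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break  # partial frame: wait for more data
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


def parse_header(message):
    """Decode the fixed 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0x000F, "ancount": an}


def strict_context(ca_file=None):
    """TLS settings for an authenticated session: no unverified fallback."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def dot_query(server_ip, auth_name, qname, ca_file=None, timeout=5.0):
    """Send one query over DoT and return the parsed response header.

    auth_name is the name the server certificate must match; all three
    connection parameters are caller-supplied assumptions.
    """
    ctx = strict_context(ca_file)
    query = build_query(qname)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full response")
                buf += chunk
                messages, buf = unframe(buf)
                if messages:
                    reply = parse_header(messages[0])
                    if reply["id"] != parse_header(query)["id"]:
                        raise ValueError("response ID does not match query")
                    return reply


# Constructed sample: two framed responses followed by a partial third frame.
SAMPLE_STREAM = (
    frame(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0))
    + frame(struct.pack("!HHHHHH", 0x1235, 0x8183, 1, 0, 0, 0))
    + b"\x00\x0c\x12"
)
```

A handshake failure raised from wrap_socket means the listener's certificate or name did not verify, which is the condition to investigate before pointing clients at it.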

Alternate Views

In Cisco Prime Network Registrar 11.0, zones can be referenced by multiple views without the need to make copies of the zone. This can be useful in a viewed configuration where a subset of zones are common across multiple views. To make the zones visible to other views, set the alternate-view-ids attribute for the zone and reload the DNS server.

Installation/Upgrade Updates

Cisco Prime Network Registrar 11.0 runs on Red Hat/CentOS 7.x and 8.x. Earlier versions of RHEL/CentOS are not supported.

Starting from Cisco Prime Network Registrar 11.0, you need to use the yum install, rpm -i, or dnf install command to install the product. For complete details on installing and upgrading, see Cisco Prime Network Registrar 11.0 Installation Guide.

The major change introduced with Cisco Prime Network Registrar 11.0 is a better separation of the distributed files (that is, those installed by the RPM) from the data and configuration files specific to your installation. The /opt/nwreg2 area should not include files that are not provided as part of the installation. Everything that is specific to your installation should now be in the /var/nwreg2 area.

Two sets of RPM kits (one set for RHEL/CentOS 7.x and the other set for RHEL/CentOS 8.x) are provided for Cisco Prime Network Registrar 11.0. Each set consists of three RPM kits: One for regional clusters, one for local clusters (DHCP, DNS, and CDNS servers), and one for client-only (this provides the CLI and other tools, no servers).

Smart Licensing

Cisco Prime Network Registrar 11.0 supports both Smart Licensing and traditional licensing.

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get:

  • Easy Activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more PAKs (Product Activation Keys).

  • Unified Management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.

  • License Flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview on Cisco Licensing, go to cisco.com/go/licensingguide.

Certificate Management

Cisco Prime Network Registrar uses SSL/TLS certificates in various parts of the product (web UI, Caching DNS, and Authoritative DNS). Cisco Prime Network Registrar 11.0 allows you to input certificate files and have them stored in the appropriate location based on the Cisco Prime Network Registrar component. It also keeps track of certificate expiration and warns when a certificate is about to expire.

Oracle Berkeley Database Upgrade

In Cisco Prime Network Registrar 11.0, the Oracle Berkeley database used by the product is upgraded from 4.5.20 to 18.1.32.

The required database upgrade steps are handled automatically the first time Cisco Prime Network Registrar is started after installation.

Command Line Interface Enhancements

The following commands are added or attributes modified in the CLI. For more information, see Cisco Prime Network Registrar 11.0 CLI Reference Guide.

New Commands

The following commands are added in the CLI:

  • cdns-forwarder—Controls and configures DNS Forwarders in the DNS Caching server.

  • cdns-exception—Controls and configures DNS Exceptions in the DNS Caching server.

  • certificate—Controls and configures SSL/TLS Certificates.

The following commands are for Smart Licensing and these are designed to be compatible with the Cisco Smart Licensing standards:

  • smart—Views and updates smart license information.

  • call-home—Views and updates call-home configuration.

  • debug—Sets debug level.

  • exit—Exits nrcmd.

  • help—Views textual help information.

  • license—Views and updates license information.

  • no—Unsets specified configuration.

  • show—Views current configuration or status.

Modified Commands

New attributes are added to, or definitions modified for, the following commands:

  • expert—Expert mode commands

    Added the following commands:

    • ccm trimChangeSets delete-age [db-max-record>]—Initiates a trim of the change sets (change log) using the specified arguments.

      Warning: This operation is usually NOT necessary and uses the values specified, which may be different than the periodic trimming done by CCM. This command should be used with extreme caution as it can delete data that should be retained.

    • ccm killConnection id—A superuser admin can use this command to shut down an existing connection to the CCM server. The id should be the same as the one returned by the ccm listConnections full command.

    • object list -class=classname

    • object listbrief -class=classname

    • object listnames -class=classname

      The above object commands can be used to list objects of a particular class; the -class=classname must be specified.

  • admin—Creates administrators and assigns them groups and passwords.

    Added the following commands:

    • admin name suspend—Suspends login access for an administrator.

    • admin name reinstate—Reinstates login access for an administrator.

  • cdns—Configures and controls the DNS Caching server.

    Added the following attributes:

    immediate-response-stats, name-servers, tls, tls-port, tls-service-key, tls-service-pem, and tls-upstream-cert-bundle.

  • cdns-redirect—Controls and configures DNS redirect processing in the DNS Caching server

    Added the rpz-tls and rpz-tls-auth-name attributes.

  • cdns-firewall—Controls and configures DNS firewall processing in the DNS Caching server

    Added the rpz-tls and rpz-tls-auth-name attributes.

  • client-class-policy—Adds DHCP policy information to a client-class.

    Updated the following commands to include -expression:

    • client-class-policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • client-class-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • client-class-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • client-class-policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

    • client-class-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • client-policy—Adds DHCP policy information to a client object.

    Updated the following commands to include -expression:

    • client-policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • client-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • client-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • client-policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

    • client-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

    • client-policy name listV6VendorOptions value [-blob | -expression] [-roundrobin]

  • dhcp-address-block-policy—Edits the DHCP policy embedded in a dhcp-address-block.

    Updated the following commands to include -expression:

    • dhcp-address-block-policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • dhcp-address-block-policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • dhcp-dns-update—Configures a DNS Update object for DHCP.

    Removed the update-dns-first attribute.

  • dns—Configures and controls the DNS server.

    • Added the following attributes:

      acl-blocklist, hybrid-adns-addrs, hybrid-use-adns-addrs, query-types-unwanted, tls, tls-port, tls-service-key, and tls-service-pem.

    • Removed the push-notifications flag from the activity-counter-log-settings and server-log-settings attributes.

    • Removed the push-notifications-in and push-notifications-out flags from the packet-log-settings attribute.

    • Removed the following attributes:

      blackhole-acl, local-port-num, pn-acl, pn-conn-ttl, pn-max-conns, pn-max-conns-per-client, pn-port, pn-tls, and push-notifications.

  • dns-interface—Configures the DNS server's network interfaces.

    Removed the port attribute.

  • ldap—Specifies the LDAP remote server's properties.

    Added the password-encrypt attribute.

  • license—Views and updates license information.

    • Added the following command:

      license showUtilHistory [-start start-time] [-end end-time] [-service cdns|dns|dhcp|...|all]

    • Updated the license showUtilization command to include [-rescan]:

      license showUtilization [-rescan]

  • link-policy—Edits the DHCP policy embedded in a link.

    Updated the following commands to include -expression:

    • link-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • link-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • link-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • link-template-policy—Edits the DHCP policy embedded in a link-template.

    Updated the following commands to include -expression:

    • link-template-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • link-template-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • link-template-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • option—Configures option definitions.

    Added the expression attribute.

  • prefix-policy—Edits the DHCP policy embedded in a prefix.

    Updated the following commands to include -expression:

    • prefix-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • prefix-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • prefix-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • prefix-template-policy—Edits the DHCP policy embedded in a prefix-template.

    Updated the following commands to include -expression:

    • prefix-template-policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • prefix-template-policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • prefix-template-policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • policy—Specifies DHCP policy information.

    Updated the following commands to include -expression:

    • policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • policy name setV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • policy name addV6Option <opt-name | id>[.instance] value [-blob | -expression] [-roundrobin]

    • policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

    • policy name setV6VendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • resource—Configures resource limits and allows for viewing and resetting resources.

    Added the certificate-expiration-critical-level and certificate-expiration-warning-level attributes.

  • scope-policy—Adds DHCP policy information to a scope.

    Updated the following commands to include -expression:

    • scope-policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • scope-policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • scope-template-policy—Edits the DHCP policy embedded in a scope-template.

    Updated the following commands to include -expression:

    • scope-template-policy name setOption <opt-name | id> value [-blob | -expression] [-roundrobin]

    • scope-template-policy name setVendorOption <opt-name | id> opt-set-name value [-blob | -expression]

  • zone—Configures a DNS zone.

    • Added the alternate-view-ids attribute.

    • Removed the push-notifications attribute.

  • zone-dist—Configures zone distributions.

    Removed the push-notifications attribute.

  • zone-template—Configures a zone template.

    • Added the alternate-view-ids attribute.

    • Removed the push-notifications attribute.

SDK Compatibility Considerations

You must use the Cisco Prime Network Registrar 11.0 SDK.

Note

  • While in many cases rebuilding existing applications that use the SDK is not required, Cisco recommends that you do so to ensure that you can rebuild these applications and that the applications remain current with the latest SDK. You must test the applications to ensure that they continue to operate properly, as product changes (that are not necessarily SDK compatibility issues) could require changes.

  • The Cisco Prime Network Registrar 11.0 jar files and libraries are provided in the client-only kit; therefore if the systems on which you run the applications are not a regional or local cluster, you may want to install the client-only kit and make use of the /opt/nwreg2/client/classes and /opt/nwreg2/client/lib directories that contain the jar and library files.


Cisco Prime Network Registrar Bugs

For more information on a specific bug or to search all bugs in a particular Cisco Prime Network Registrar release, see Using the Bug Search Tool.


Resolved Bugs

The following table lists the key issues resolved in the Cisco Prime Network Registrar 11.0 release.

Table 1. Resolved Bugs in Cisco Prime Network Registrar 11.0

| Bug ID | Description |
|---|---|
| CSCvw69983 | Unable to register 10.x locals with 11.0 regional. Warning: It is critical that any Cisco Prime Network Registrar 10.x local clusters that are running a version prior to 10.1.1 are first upgraded to 10.1.1 or later before attempting to upgrade the regional to 11.x. You should not upgrade the local clusters to 11.0 (or later) directly, as you will not be able to register with the regional until it is upgraded to 11.0 (or later). |
| CSCvx07365 | Restoring local cluster data from regional can create some duplicate objects on the local |
| CSCvx54914 | DNS updates stuck when DNS server configured for multiple roles |

For the complete list of bugs for this release, see the cpnr_11_0_buglist.pdf file available at the product download site. See this list especially for information about fixes to customer-reported issues.

Enhancement Features

The following table lists the key enhancement features added in the Cisco Prime Network Registrar 11.0 release.

Table 2. Enhancement Features Added in Cisco Prime Network Registrar 11.0

| Bug ID | Description |
|---|---|
| CSCvr46213 | Implement calculation of query RTT in CDNS server |
| CSCvr82453 | Update Berkeley DB |
| CSCvs00077 | CDNS should have a way of reporting information on forwarders and exceptions |
| CSCvs54938 | License showUtilization enhancement for regional |
| CSCvs62940 | Support expressions for options |
| CSCvs64602 | CDNS: DNS over TLS (DoT) support |
| CSCvt36593 | Align DHCPv6 lease licensing counts with DHCPv4 |
| CSCvu16801 | Change DHCPv4 DNS updates to store details on lease |
| CSCvw34584 | Add command to kill ccm connection |
| CSCvw81729 | Add support for IPv6-Only Preferred option (RFC8925) |
| CSCvw83374 | Add new IANA options (v4: 108, 114, 147, 148; v6: 141, 142) |

For the complete list of enhancement features added in this release, see the cpnr_11_0_enhancements.pdf file available at the product download site.

Using the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in a release.

Procedure


Step 1

Go to http://tools.cisco.com/bugsearch.

Step 2

At the Log In screen, enter your registered Cisco.com username and password; then, click Log In. The Bug Search page opens.

Note 

If you do not have a Cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release, click the Search Bugs tab and specify the following criteria:

  1. In the Search For field, enter Prime Network Registrar 11.0 and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by status, severity, modified date, and so forth.



Note

To export the results to a spreadsheet, click the Export All to Spreadsheet link.


Important Notes

This section contains the important information related to this software release and information in response to recent customer queries.

Windows Support

Cisco Prime Network Registrar 11.0 does not support Windows.

BYOD Support

Starting from 11.0, Cisco Prime Network Registrar does not support the BYOD feature. Cisco Prime Network Registrar 10.1 was the last release to support BYOD.

DNS Push Notification Support

Starting from 11.0, Cisco Prime Network Registrar does not support the DNS Push Notification feature. Cisco Prime Network Registrar 10.1 was the last release to support DNS Push Notification.

DHCPv4 DNS Updates

In Cisco Prime Network Registrar 11.0, the support for updating DNS before sending an acknowledgement to the client is removed (that is, the DNS Update Configuration attribute (update-dns-first) is deprecated and is ignored). However, for backward compatibility, the extension dictionary data item "send-ack-first" is retained, although its value is ignored. DNS updates are performed as soon as possible, but may well occur after the client has been sent an acknowledgement.

DHCPv4 DNS updates no longer make use of the eventstore and therefore, the eventstore related queue size traps will no longer trigger events related to DNS updates. Note that the eventstore is still used for LDAP writes.

DHCP DNS Updates - DNS Servers Cannot Perform in Multiple Roles

Starting from Cisco Prime Network Registrar 11.0, you can no longer configure a DNS server to be used in multiple roles. Before upgrading to Cisco Prime Network Registrar 11.0, you may want to review your DHCP DNS update configurations to confirm that they do not violate the rules. The stricter rules are that each server (based on its address) can only operate as a standalone, HA main, or HA backup; and an HA main or HA backup may only be in a single HA relationship. If you need a DNS server to perform in multiple roles, you must use a separate address for the DNS server for each of those roles.

After upgrading, review the DHCP server logs for any error messages and correct the configurations, if required.
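One way to run the pre-upgrade review described above, as an added example that is not part of the product or its documentation: a check that applies the two stated rules to an inventory of DHCP DNS update configurations. The record layout (name, main, backup) is a hypothetical export format, and the sample records and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical export format, not nrcmd output).
# "backup" is None when the configuration points at a standalone DNS server.
SAMPLE_CONFIGS = [
    {"name": "fwd-a", "main": "192.0.2.10", "backup": "192.0.2.11"},
    {"name": "rev-a", "main": "192.0.2.10", "backup": "192.0.2.11"},  # same pair: allowed
    {"name": "lab",   "main": "192.0.2.11", "backup": None},          # backup reused as standalone
    {"name": "dmz",   "main": "192.0.2.10", "backup": "192.0.2.12"},  # main in a second HA pair
    {"name": "solo",  "main": "192.0.2.20", "backup": None},
]


def check_dns_update_roles(configs):
    """Return rule violations as (address, kind, detail) tuples.

    Rule 1: each address operates as exactly one of standalone, HA main,
            or HA backup.
    Rule 2: an HA main or HA backup belongs to a single HA relationship.
    """
    roles = defaultdict(set)    # address -> roles it is used in
    pairs = defaultdict(set)    # address -> distinct (main, backup) relationships
    used_by = defaultdict(set)  # address -> configuration names, for reporting

    for cfg in configs:
        main, backup = cfg["main"], cfg.get("backup")
        used_by[main].add(cfg["name"])
        if backup is None:
            roles[main].add("standalone")
            continue
        used_by[backup].add(cfg["name"])
        roles[main].add("HA main")
        roles[backup].add("HA backup")
        pairs[main].add((main, backup))
        pairs[backup].add((main, backup))

    findings = []
    for addr in sorted(roles):
        names = ", ".join(sorted(used_by[addr]))
        if len(roles[addr]) > 1:
            detail = "roles %s in configs %s" % (sorted(roles[addr]), names)
            findings.append((addr, "multiple-roles", detail))
        if len(pairs[addr]) > 1:
            detail = "HA pairs %s in configs %s" % (sorted(pairs[addr]), names)
            findings.append((addr, "multiple-ha-relationships", detail))
    return findings


if __name__ == "__main__":
    for addr, kind, detail in check_dns_update_roles(SAMPLE_CONFIGS):
        print("%s: %s (%s)" % (addr, kind, detail))
```

Each finding names the configurations involved, so the remedy the release note gives (a separate address for the DNS server for each role) can be applied per configuration.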

Accessibility Features in Cisco Prime Network Registrar 11.0

All product documents are accessible except for images, graphics, and some charts. If you would like to receive the product documentation in audio format, braille, or large print, contact accessibility@cisco.com.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.


© 2021 Cisco Systems, Inc. All rights reserved.