# Kea 2.2.0, July 27th 2022, Release Notes

Welcome to Kea 2.2.0, a new stable branch. Kea is a DHCP implementation 
developed by Internet Systems Consortium (ISC) that features DHCPv4 and 
DHCPv6 servers with DNS update and a REST API; optional database support 
(MySQL and PostgreSQL); optional RADIUS, Kerberos, YANG/NETCONF, and 
GSS-TSIG support; and much more. Kea provides extensive management 
capabilities, including but not limited to: TLS support, Role-Based 
Access Control, run-time configuration monitoring and updates via a REST 
API, host reservations, client classification, and more.

The text below references issue numbers. For more details, visit the Kea 
GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.

If you are upgrading from the previous stable version, the following 
major features have been implemented since the 2.0 series:

1. **Native TLS support**. Kea now features full native support for TLS 
in HA; it is now possible to establish a connection between HA partners 
over TLS. Naturally, this requires TLS certificates to be deployed 
properly [#1706]. MySQL and PostgreSQL backends now can be configured to 
use SSL/TLS support to protect connections between the database and the 
Kea server [#34]. The kea-admin tool now accepts extra arguments which 
are passed to the database command tool with `-x`, e.g. `--ssl` to `mysql` 
with `kea-admin ... -x --ssl`. While the primary goal of this capability 
is to pass TLS-related parameters, it is generic and can be used to tune 
other parameters as well [#2225].

2. **PostgreSQL configuration backend**. The PostgreSQL-based Config 
Backend is now fully functional and there is feature parity between 
MySQL and PostgreSQL. With this addition, it is possible to store major 
elements of the configuration in a PostgreSQL database: subnets, shared 
networks, options, option definitions, global parameters, client 
classes, audit entries, and servers. Those can be managed either using 
REST API commands or by manipulating the database directly. The 
recommended way is to use the REST API. [#2183, #2244].

3. **Role-Based Access Control (RBAC) hook**. A new hook is dedicated to 
access control. It is possible to control access to various parts of the 
REST API based on remote IP address, HTTP authentication username, or 
several of the TLS certificate fields. Rich ACL capabilities, with 
roles, default roles, access-list, and reject-list, can be defined. This 
is the first hook for the Control Agent. The RBAC hook is available only 
to support subscribers [#1263].

4. **Limits hook**. A new hook limits the rate and number of leases. It 
supports two major features: the first one - response rate limiting - 
lets users specify an upper limit to the number of responses Kea sends 
per unit of time, while the second - lease limiting - allows the 
administrator to limit the number of leases a targeted class (such as 
one customer or one building) can get. The limits hook is available only 
to support subscribers [#2422, #2438, #2444].

5. **DDNS Tuning hook**. A new DDNS Tuning library adds custom behaviors 
related to Dynamic DNS updates on a per-client basis. It allows the host 
name used for DNS to be generated using an expression. Also, it permits 
DNS updates for certain clients to be selectively disabled. [#1548, 
#2387, #2386, #2354, #2384].

6. **New subnet commands**. The subnet_cmds hook has been expanded with 
several new commands: `subnet4-delta-add`, `subnet4-delta-del`, 
`subnet6-delta-add`, and `subnet6-delta-del`. These commands allow 
incremental changes to be applied to existing subnets, which may be 
useful in a variety of scenarios, such as adding new or tweaking 
existing pools in an existing subnet or adding or removing DHCP options. 
The feature is considered experimental, as it has only been lightly 
tested so far [#2266].

7. **Lease/HR lookup order**. In principle, Kea needs to do at least two 
lookups before assigning an address: lease lookup and host reservation 
lookup. Depending on specific deployments, doing one or the other first 
may give a small performance boost. There is no best approach here and 
therefore the `reservations-lookup-first` configuration parameter has 
been added. This parameter has effect only when multi-threading is 
disabled; when multi-threading is enabled, host reservations lookup is 
always performed first. The `reservations-lookup-first` parameter 
defaults to false when multi-threading is disabled [#2036].

8. **Early global host reservation (HR) lookup**. During normal 
operation, Kea first selects a subnet based on topological information 
and then conducts an HR lookup for that specific subnet. This meant that 
the subnet selection could affect HR selection, but the opposite was not 
possible. In some scenarios, the opposite operation (do a global host 
reservation lookup first and then use the class defined in the host 
reservation to select a subnet) makes sense; this is now possible. A new 
boolean parameter `early-global-reservations-lookup` has been added to 
allow this behavior. This option is not compatible with RADIUS [#1543, 
#2249, #2304].

9. **New statistics for failed allocations**. If the class requirements 
for your address pools are defined too tightly, it is possible that some 
clients will not get an address. To ease the investigation of this 
problem, many new statistics were added:
`v4-allocation-fail`, `v4-allocation-fail-shared-network`, 
`v4-allocation-fail-subnet`, `v4-allocation-fail-no-pools`, 
`v4-allocation-fail-classes`, `subnet[X].v4-allocation-fail`, 
`subnet[X].v4-allocation-fail-shared-network`, 
`subnet[X].v4-allocation-fail-subnet`, 
`subnet[X].v4-allocation-fail-no-pools`, 
`subnet[X].v4-allocation-fail-classes`,
`v6-allocation-fail`, `v6-allocation-fail-shared-network`, 
`v6-allocation-fail-subnet`, `v6-allocation-fail-no-pools`, 
`v6-allocation-fail-classes`, `subnet[X].v6-allocation-fail`, 
`subnet[X].v6-allocation-fail-shared-network`, 
`subnet[X].v6-allocation-fail-subnet`, 
`subnet[X].v6-allocation-fail-no-pools`, and 
`subnet[X].v6-allocation-fail-classes` [#2054].

10. **Retry opening sockets**. Earlier Kea versions produced an error 
message when socket opening failed, but otherwise attempted to continue 
normally. That was troublesome in some cases, especially during booting, 
when the interface had not yet completed initialization. In that case 
Kea started, printed an error, and then ran without open sockets. This 
created the illusion that the service was healthy, when in fact it was 
not usable. Kea can now be instructed to retry opening sockets, with a 
configurable number of retries. Also, Kea can be told to shut down when 
sockets fail to open completely after multiple retries [#1716].

11. **Credentials in password files**. Support for using separate 
password files to configure basic HTTP credentials has been added. 
Instead of configuring a value directly in the main configuration, it 
can be taken from the content of a separate file. The new parameters are 
`user-file`, `password-file`, and `basic-auth-password-file` [#2006].

12. **Split operator in expressions**. A new operator to split strings 
has been added to expressions. For example, to get the foo hostname from 
the fully qualified foo.example.org, the following expression can be 
used: `split('foo.example.org', '.', 1)`. A particular use case for this 
is the new DDNS Tuning hook that can split fully qualified domain names 
into separate labels; however, the function is generic and can also be 
used for other purposes [#2272].

13. **Authoritative mode improvements**. By default, Kea assumes it has 
full knowledge about the networks it governs. However, it can be told 
that there are other servers on the network (`"authoritative": 
"false"`). In such cases, Kea does not send NAK for leases it doesn't 
know about. This mechanism was implemented properly, but was buggy in 
some cases; this has now been corrected [#1584].

14. **Multi-line support in Forensic Logging**. The Forensic Logging 
hook library can now log on multiple lines using the hex string 0x0a. 
Each line is prepended by the timestamp. This may be useful for 
especially long log entries [#2087].

15. **Netconf YANG modules updated**. The YANG modules used in NETCONF 
have been substantially updated and are now in sync with the regular Kea 
JSON configuration. `store-extended-info` was fixed; it was an 
operational node instead of a config node. Many containers and leaves 
were added: `compatibility`, `lenient-option-parsing`, 
`multi-threading`, `enable-multi-threading`, `packet-queue-size`, 
`thread-pool-size`, `valid-lifetime`, `min-valid-lifetime`, 
`max-valid-lifetime`, `preferred-lifetime`, `min-preferred-lifetime`, 
`max-preferred-lifetime`, `cache-max-age`, `cache-threshold`, 
`ddns-generated-prefix`, `ddns-override-client-update`, 
`ddns-override-no-update`, `ddns-qualifying-suffix`, 
`ddns-replace-client-name`, `ddns-send-updates`, `ddns-update-on-renew`, 
`ddns-use-conflict-resolution`, `ip-reservations-unique`, 
`parked-packet-limit`, `reservations-global`, `reservations-in-subnet`, 
`reservations-out-of-pool`, `statistic-default-sample-age`, 
`statistic-default-sample-count`, `store-extended-info`, and `on-fail` 
[#2136].

16. **RADIUS and subnet selection**. The RADIUS hook is now able to 
reselect a subnet based on the address reserved by RADIUS. This new 
functionality will be useful for deployments that use RADIUS and several 
subnets, with or without shared networks [#2347].

17. **Support for long options in DHCPv4**. IETF RFC 3396 is now partly 
implemented, allowing the kea-dhcp4 server to send and receive DHCP 
options longer than 255 bytes [#2227].

18. **GSS-TSIG hook improvements**. The GSS-TSIG hook, which allows 
Kerberos integration when conducting DNS updates, has received numerous 
updates and improvements. The hook is now able to report statistics for 
GSS-TSIG keys (number of created GSS-TSIG keys, when TKEY exchange was 
created for each key, last successful use, last timeout, and last error) 
[#2124, #2089]. General library robustness has been improved. The TKEY 
exchange can now be cancelled, which is useful for clean reconfiguration 
or shutdown [#2092]. Building with GSSAPI enabled and without unit tests 
now works properly [#2114]. The code now handles a situation in which 
the server returns BADNAME, which can happen if the key identifier is 
duplicated [#2128]. The ARM section has been expanded with a description 
of how to configure Microsoft Windows Active Directory to work with 
Kea's GSS-TSIG library [#2113]. Unit-tests are now more robust and no 
longer fail on CentOS 8 and Fedora 34 [#2082, #2056]. The fallback 
parameter has been added to make it possible to indicate what to do if a 
DNS update is supposed to be carried out, but the key for it is not 
available [#2125]. GSS-TSIG now sets the environment variables correctly 
[#2109].  Additional safety checks for DNS update and TKEY exchange were 
implemented [#2121]. It is now possible to control key regeneration 
(rekey) using new REST API commands (`gss-tsig-rekey-all`, 
`gss-tsig-purge`) [#2127]. New timers (`rekey-interval`, 
`retry-interval`) are now configurable [#2138, #2175]. The TKEY exchange 
is now cleaned up properly during shutdown [#2170]. The Kea ARM section 
has now been expanded [#2173]. The exchange timeout is now configurable 
[#2174]. The old GSS-TSIG keys are now removed [#2177]. The Kea ARM now 
provides better guidance for integration with Microsoft Active Directory 
[#2179].

19. **Packages**. Native DEB, RPM, and APK packages are now available 
for many recently released systems: Debian 11 [#2042, #2193], Red Hat 
Enterprise Linux 8 [#2410] and 9 [#2453, #2439], Alpine 3.14 and 3.15, 
and Ubuntu 22.04 [#2433].
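
An added example (not ISC code) relating to items 1 and 11 above: a small Python audit that flags passwords still stored inline in a Control Agent or HA peer configuration, HA peers that carry basic-auth credentials over a non-HTTPS URL, and credential files accessible beyond their owner. The sample configurations are constructed, the function names are this example's own, and it assumes comment-free JSON with the `authentication`/`clients` and `high-availability`/`peers` layout shown in the samples.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Constructed sample: Control Agent with one inline and two file-based clients.
SAMPLE_CTRL_AGENT = """
{ "Control-agent": {
    "http-host": "192.0.2.10", "http-port": 8000,
    "authentication": {
      "type": "basic",
      "clients": [
        { "user": "admin", "password": "example-only" },
        { "user-file": "ops-user", "password-file": "ops-pass" },
        { "password-file": "monitor-secret" }
      ] } } }
"""

# Constructed sample: DHCPv4 server with the HA hook and two peers.
SAMPLE_DHCP4_HA = """
{ "Dhcp4": { "hooks-libraries": [ {
    "library": "/usr/lib/kea/hooks/libdhcp_ha.so",
    "parameters": { "high-availability": [ {
      "this-server-name": "server1", "mode": "hot-standby",
      "peers": [
        { "name": "server1", "url": "http://192.0.2.1:8001/", "role": "primary",
          "basic-auth-user": "ha", "basic-auth-password": "example-only" },
        { "name": "server2", "url": "https://192.0.2.2:8001/", "role": "standby",
          "basic-auth-user": "ha", "basic-auth-password-file": "ha-secret" }
      ] } ] } } ] } }
"""


def audit_ctrl_agent(cfg):
    """Flag Control Agent clients whose password sits in the main config."""
    findings = []
    auth = cfg.get("Control-agent", {}).get("authentication", {})
    for i, client in enumerate(auth.get("clients", [])):
        if "password" in client:
            findings.append((f"Control-agent clients[{i}]", "inline-password"))
    return findings


def audit_ha_peers(cfg):
    """Flag HA peers with inline passwords or credentials on a non-HTTPS URL."""
    findings = []
    for server in ("Dhcp4", "Dhcp6"):
        for hook in cfg.get(server, {}).get("hooks-libraries", []):
            for ha in hook.get("parameters", {}).get("high-availability", []):
                for peer in ha.get("peers", []):
                    where = f"{server} peer {peer.get('name', '?')}"
                    inline = "basic-auth-password" in peer
                    from_file = "basic-auth-password-file" in peer
                    if inline:
                        findings.append((where, "inline-password"))
                    scheme = urlparse(peer.get("url", "")).scheme
                    # Heuristic of this example: basic auth without TLS
                    # exposes the credential on the wire.
                    if (inline or from_file) and scheme != "https":
                        findings.append((where, "credentials-over-http"))
    return findings


def audit_secret_file(path):
    """Flag a credential file that group or other can read, write or execute."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [(path, f"mode-{mode:04o}")]
    return []


def audit_config(text):
    """Parse one configuration document and run the config-level checks."""
    cfg = json.loads(text)
    return audit_ctrl_agent(cfg) + audit_ha_peers(cfg)


if __name__ == "__main__":
    for sample in (SAMPLE_CTRL_AGENT, SAMPLE_DHCP4_HA):
        for where, issue in audit_config(sample):
            print(f"{where}: {issue}")
```
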

See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a 
complete list of all changes from versions 2.1.0-2.1.7 that are included 
in this release.

If you are upgrading from the latest development version, the following 
bugfixes and features have been implemented since the Kea 2.1.7 release:

1. **Limits**: The lease-limits feature has been implemented and is now 
operational [#237]. A bug was fixed that caused a crash if the subnet 
was deleted from the configuration while packets coming from that subnet 
were processed [#2497]. Unit tests for lease limits were added [#2482]. 
The ARM has been updated with a lease-limits documentation section 
[#2481]. The client lease limits are now functional [#1290]. The core 
code has been updated to support lease limits [#244]. The PostgreSQL 
schema has been updated to be able to store lease-limits information 
[#2445]. The memfile backend has been updated to be able to store 
lease-limits information [#2436].

2. **New statistics**: New statistics have been added to kea-dhcp4 
to count cases of host reservation conflicts. They are tracked at both 
the global and subnet level as `v4-reservation-conflicts` and 
`subnet[id].v4-reservation-conflicts`, respectively [#2419].

3. **New parameters in YANG/NETCONF**: New parameters have been added to 
YANG/NETCONF, including TLS parameters for database connections: 
`trust-anchor`, `cert-file`, `key-file`, and `cipher-list`. Parameters 
have also been added to govern the way the server behaves regarding 
detection of configured interfaces: `service-sockets-require-all`, 
`service-sockets-max-retries`, `service-sockets-retry-wait-time`; and 
parameters which govern reservations lookup: 
`early-global-reservations-lookup`, and `reservations-lookup-first` 
[#2224].

4. **Performance improvements for PostgreSQL**. Indexes on the hosts 
table in the postgresql schema were modified to improve performance on 
host reservation searches. Thanks to Paul Kutzer for suggesting these 
changes [#2452].

5. **Socket status operation reported**. The `status-get` command now 
shows the status of the sockets being opened for receiving DHCP 
requests, and a list of errors for the sockets that were not created 
successfully [#2434].

6. **GSS-TSIG improvements**: The rekey interval used to be longer than 
the rekey-interval [#2404]. The GSS_C_SEQUENCE flag is now optional. 
This change increases compatibility with Microsoft Windows Active 
Directory implementation [#2440].

7. **Logging**: Several log messages have been modified. Kea can pick 
the right subnet for an incoming packet based on many criteria, which 
are evaluated in sequence; this is a normal process and not a reason to 
worry. Previously, several log messages that indicated that one part of 
the selection process did not result in a selection and the next phase 
in the sequence should commence used the word "failure," which caused 
some concern among users. The text has been edited [#2387].

8. **Bug fixes**: Under certain conditions, especially under heavy 
traffic when both High Availability and Multi-Threading were enabled, a 
rare race condition could occur that would lead to two threads 
processing the same structure, and caused Kea to crash. This has been 
fixed [#2473]. Lease queries are no longer affected by the 
load-balancing mechanism. Previously, Kea running HA in load-balancing 
mode responded to only 50% of the leasequery traffic [#1781]. The 
`config-set` command now works properly on CA when the RBAC hook is 
loaded [#2475].

9. **Build improvements**: All Doxygen documentation errors were fixed 
[#2454]. The hammer building tool now has support for Alpine 3.16 
[#2491]. An obsolete call to std::unary_function has been replaced 
[#2432]. Formatting tools have been updated to be more generic and work 
on code stored in other repositories, not just the base Kea code 
[#2470]. The `check-hashes.sh` test was updated to no longer fail on 
systems with OpenSSL 3 [#2461]. The CI now checks for missing files in 
`src/share/api` [#2379]. The problem with undefined symbols when linking 
with mold linker was addressed [#2460].

10. **Documentation**: The style of the ARM has been updated to align 
with BIND 9 and Stork. The bright red color was replaced with black, 
increasing contrast [#2437]. The return parameters for `lease4-get-by-*` 
commands are now properly described [#1391]. Several values of 
`max-response-delay` and `heartbeat-delay` have been tuned in the ARM 
[#2083]. A typo has been corrected in the Developer's Guide [#2447].

11. **Paid Hooks End User License Agreement change**. The Kea Hooks 
Basic Commercial End User License Agreement (EULA) has been 
substantially updated. Please read it before using the commercial hooks. 
The core Kea code remains available under the Mozilla Public License, 
version 2.0, as before.

## Incompatible Changes

There are several changes that can be considered backward-incompatible.

1. **Cassandra, benchmarks support removed**. The Cassandra database has 
been deprecated for a while now and the code has been removed [#2116]. 
Cassandra support has been removed from the hammer tool [#2375]. Support 
for benchmarks, a developer feature that has not been maintained, has 
been removed [#2372].

2. **The PostgreSQL schema has been updated**. Existing databases need 
to be upgraded.

3. **The YANG module has been updated**. Existing Sysrepo repositories 
need to be upgraded.

4. **End User License Agreement for Hooks**. The Kea Hooks Basic 
Commercial End User License Agreement (EULA) has been substantially 
updated. Please read it before using the commercial hooks. The core Kea 
code remains available under the Mozilla Public License, version 2.0, as 
before.

## License
This version of Kea is released under the Mozilla Public License, 
version 2.0.

   https://www.mozilla.org/en-US/MPL/2.0

Some Kea hooks are provided under the MPL 2.0; others are licensed with 
the Kea Hooks Basic Commercial End User License. The source for each 
hook includes the applicable license. 

## Download

Pre-built ISC packages for current versions of the most popular Linux 
operating systems are available at:

   https://cloudsmith.io/~isc/repos/

The Kea source and PGP signature for this release may be downloaded from:

   https://www.isc.org/download

The signature was generated with the ISC code signing key, which is 
available at:

   https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions 
and usage tutorials, in the Kea Administrator Reference Manual. 
Documentation is included with the installation or at 
https://kea.readthedocs.io/en/latest/index.html in HTML, plain text, or 
PDF formats. ISC maintains a public open source code tree, wiki, issue 
tracking system, milestone planner, and roadmap at 
https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at 
https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for 
you and what operating system you tested on. Feel free to share your 
feedback on the Kea Users mailing list 
(https://lists.isc.org/mailman/listinfo/kea-users). We would also like 
to hear whether the documentation is adequate and accurate. Please open 
tickets in the Kea GitLab project for bugs, documentation omissions and 
errors, and enhancement requests. We want to hear from you even if 
everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all 
professional users to consider this option; Kea maintenance is funded 
with support subscriptions. For more information on ISC's Kea and DHCP 
software support see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing 
list. Information on all public email lists is available at 
https://www.isc.org/community/mailing-list. If you have any comments or 
questions about working with Kea, please share them with the Kea Users 
list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and 
feature requests may be submitted via GitLab at 
https://gitlab.isc.org/isc-projects/kea/issues.

## Changes

The following summarizes changes and important upgrades since the 2.0.0 
release.

2045.	[build]		tmark
	Bumped library version numbers for the Kea 2.2.0 stable release.
	(Gitlab #2504)

2044.	[func]		tmark
	Modified indexes on the hosts table in the postgresql
	schema to improve performance on host reservation searches.
	Thanks to Paul Kutzer for suggesting these changes.
	(Gitlab #2452)

2043.	[func]		andrei
	The status-get command now shows the status of the sockets being
	opened to receive DHCP requests, and a list of errors for the
	sockets that were not successfully created.
	(Gitlab #2434)

2042.	[func]		razvan
	Added missing parameters to YANG modules, including TLS
	parameters for database connections.
	(Gitlab #2224)

2041.	[bug]		tmark
	HA now applies load balancing and scoping only to inbound
	client packet types that apply to client lease fulfillment,
	e.g. DHCPDISCOVER, DHCPREQUEST, DHCPV6_SOLICIT, DHCPV6_REQUEST,
	etc. Previously, HA indiscriminately balanced and
	scoped all inbound packets, including those related to lease
	query.
	(Gitlab #1781)

2040.	[func]		djt
	Added support for Alpine 3.16 in hammer.py.
	(Gitlab #2491)

2039.	[doc]		andrei
	Updated the limits hook library ARM documentation to reflect
	support for lease limits.
	(Gitlab #2481)

2038.	[func]		djt
	Added a new statistic to kea-dhcp4 that counts host
	reservation conflicts. They are now tracked at both
	the global and subnet levels, as v4-reservation-conflicts
	and subnet[id].v4-reservation-conflicts, respectively.
	(Gitlab #2419)

2037.	[bug]		razvan, marcin
	Fixed a crash in the HA+MT scenario caused by a race condition
	which occurred between resetting the CalloutHandle state and
	accessing the hook point parameters, from different threads,
	when unparking packets.
	(Gitlab #2473)

2036.	[build]		andrei
	Added a tool that checks whether there are any missing REST
	commands from the API Reference section of the ARM.
	See tools/check-for-missing-api-commands.sh.
	It has been integrated into the Gitlab CI and runs on every
	push.
	(Gitlab #2379)

2035.	[doc]		Daniel Bjors
	The Developer's Guide now correctly uses the Lease4CollectionPtr
	and Lease6CollectionPtr types. Thanks to Daniel Bjors for
	reporting this typo.
	(Gitlab #2447)

2034.	[func]		andrei
	The PostgreSQL schema has been changed to provide initial support
	for the lease-limiting feature, part of the limits hook library.
	(Gitlab #2445)

2033.	[func]		tmark
	Functionality needed to support the lease-limiting feature of
	the limits hook library has been added to Memfile_LeaseMgr.
	(Gitlab #2436)

2032.	[build]         razvan
	The library version numbers have been bumped for the Kea 2.1.7
	development release.
	(Gitlab #2455)

2031.	[func]		fdupont
	Improved compatibility with OpenSSL 3.0.x, in particular
	recover system error messages.
	(Gitlab #1614)

2030.	[doc]		fdupont, tomek
	GSS-TSIG examples updated. The recommendation to not use
	client-keytab and credentials-cache at the same time added.
	(Gitlab #2247)

2029.	[bug]		fdupont
	The check of the subnet id in configuration is stricter:
	values outside the 0..4294967295 are rejected. Note that
	the value 0 means to leave Kea to assign itself the id.
	(Gitlab #2086)

2028.	[build]		orbea, fdupont
	Compatibility with LibreSSL 3.5.2 improved.
	(Github #121, Gitlab #2411)

2027.	[func]		fdupont
	The TLS is now supported with Multi-Threaded HA (HA+MT) scenario.
	Additional parameters (trust-anchor, cert-file, key-file,
	require-client-certs) are now supported in the HA configuration.
	(Gitlab #1706)

2026.	[func]		andrei
	The MySQL schema has been changed to provide initial support for
	the lease limiting feature, part of the limits hook library.
	(Gitlab #2438)

2025.	[bug]		tmark
	Added missing support for client-class user-context to
	both MySQL and PostgreSQL CB hook libraries.
	(Gitlab #2430)

2024.	[func]		djt
	The ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET log message format has been
	slightly modified, so that when it is emitted for a subnet that
	is not within a shared network, it emits "(none)" for the value
	of the shared network. The ARM documentation for this parameter
	has been updated to reflect that subnets within shared networks
	will in fact display which shared network the subnet belongs to.
	The ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET log message format has
	changed to be consistent with the format of
	ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET.
	(Gitlab #2395)

2023.	[bug]		tmark
	Corrected a MySQL CB issue that caused subnets to be
	updated without having audit entries created when the
	affiliated shared-network is deleted.  This can cause
	the subnets to be excluded from subsequent CB refresh
	cycles.
	(Gitlab #2299)

2022.	[func]		andrei, djt
	kea-admin lease-upload now calls the lease file cleanup (LFC)
	process to clean up entries with duplicate addresses in the input
	CSV file, to avoid a conflict error when inserting the leases in
	the database. kea-admin also no longer asks for input on
	non-interactive shells. A new -y|--yes flag has been added that
	enables automatic overwriting of any file that kea-admin writes
	to, when dumping or uploading leases.
	(Gitlab #2293)

2021.	[build]		razvan
	The library version numbers have been bumped for the Kea 2.1.6
	development release.
	(Gitlab #2421)

2020.	[doc]		andrei
	The rate-limiting feature of the new limits hook library has been
	documented. It can apply a specified limit of a certain number of
	packets per time unit to a given client class or subnet.
	(Gitlab #562, #1650)

2019.	[func]		tmark
	A new built-in class, "SKIP_DDNS", was added, which can be used
	in conjunction with the ddns-tuning hook library to skip
	performing DDNS updates for a given client.
	(Gitlab #2354)

2018.	[func]		razvan
	The kea-dhcp4 server now supports portions of RFC 3396, allowing
	it to send and receive DHCP options longer than 255 bytes.
	(Gitlab #2227)

2017.	[bug]		marcin
	A bug in the allocation engine, which caused it to write an
	allocated lease under the wrong subnet ID within a shared
	network, has been corrected. This was occurring when multiple
	clients matched the same fixed address reservation. The first
	client is now assigned the fixed address, while a subsequent
	client is then given a dynamically allocated address from a
	different subnet in the shared network.
	(Gitlab #2409)

2016.	[doc]		fdupont
	Documentation for the role-based access control (RBAC)
	premium hook library was added to the ARM.
	(Gitlab #1263)

2015.	[bug]		tmark
	Fixed an issue in kea-dhcp6 that was causing the server
	not to update the FQDN option in outbound responses when
	the ddns-tuning hook lib calculates a new host name.
	(Gitlab #2392)

2014.	[bug]		tmark
	Correct an issue that was causing reconfigure to fail
	in kea-dhcp4 and kea-dhcp6 when using ddns-tuning hook
	library.
	(Gitlab #2390)

2013.	[build]		razvan
	Library version numbers bumped for Kea 2.1.5 development
	version.
	(Gitlab #2385)

2012.	[doc]		andrei
	Documented whether it's OK or not to have overlapping pools,
	including PD pools in IPv6.
	(Gitlab #1842)

2011.	[func]		djt
	Added CTRL_AGENT_COMMAND_RECEIVED log line with command and
	source address to the kea-ctrl-agent for commands which
	are not forwarded on to another daemon. Added client
	remote-address to CTRL_AGENT_COMMAND_FORWARDED log message if
	it is available.
	(Gitlab #687)

2010.	[func]		razvan
	Several extra log messages now detail the subnet selection
	process. The messages are available on debuglevel 40.
	(Gitlab #2352)

2009.	[func]		tmark
	Added new hook callout points: ddns4_update to Kea DHCPv4
	server and ddns6_update to Kea DHCPv6 server. This enables
	use of the ddns-tuning hook library.
	(Gitlab #1548)

2008.	[func]*		tomek
	The support for benchmarks has been removed.
	(Gitlab #2372)

2007.	[func]		tmark
	Added split() function to classification expression
	language.
	(GitLab #2272)

2006.	[func]		slawek
	Added ``service-sockets-require-all`` parameter to specify
	mandatory successfully binding all needed service sockets to
	initialize DHCP services (defaults to false). If any socket is
	unavailable, then the service fails to start. Added
	``service-sockets-max-retries`` parameter (defaults to 0) to
	specify the number of retries to open unavailable sockets and
	``service-sockets-retry-wait-time`` parameter to specify a time
	interval to wait between attempts.
	(Gitlab #1716)

2005.	[func]*		razvan
	The support for Cassandra database backend has been removed.
	(Gitlab #2116)

2004.	[build]		razvan
	Library version numbers bumped for Kea 2.1.4 development
	version.
	(Gitlab #2363)

2003.	[func]		fdupont
	Added the support of sub-options in the flex_option
	hook library.
	(GitLab #2314)

2002.	[bug]		tmark
	Fixed a bug in MySql config backend that caused it to
	store unspecified, client-class valid and preferred life
	time values as zero in the database.
	(Gitlab #2344)

2001.	[bug]		razvan
	Fixed a bug which causes client classes with empty test
	expressions to fail class evaluation when those classes are
	retrieved from config backend.
	(Gitlab #2336)

2000.	[func]		fdupont
	Added the ``early-global-reservations-lookup`` configuration
	parameter which allows to perform a search for global host
	reservations and set client classes before the subnet
	selection. This is achieved when explicitly configured to
	``true`` and it defaults to ``false`` if not configured.
	(Gitlab #2249)

1999.	[func]		tmark, razvan
	The kea-dhcp6 server fully supports using PostgreSQL for config
	backend. This should be considered an experimental feature.
	(Gitlab #2355, #2356)

1998.	[func]		tmark, razvan
	With the addition of support for client classes, the kea-dhcp4
	server now fully supports using PostgreSQL for config backend.
	(Gitlab #2322)

1997.	[bug]		tmark
	The obsolete log message, DHCP4_NCR_CREATE, has been
	removed from kea-dhcp4.
	(GitLab #2301)

1996.	[build]		razvan
	Library version numbers bumped for Kea 2.1.3 development
	version.
	(Gitlab #2317)

1995.	[func]		tmark
	kea-dhcp4 now supports using PostgreSQL for config
	backend for everything except client classes. The
	new hook library is libdhcp_pgsql_cb.so. This should
	be considered an experimental feature.
	(Gitlab #95)

1994.	[func]		razvan
	Added support for Server Identifier Override RAI sub-option
	(RFC 5107). The implementation is not complete according to the
	RFC, because the server does not store the RAI, but the
	functionality handles expected use cases.
	(Gitlab #1695)

1993.	[func]		razvan
	Added global and per subnet counters for allocation failures:
	``v4-allocation-fail``, ``v4-allocation-fail-shared-network``,
	``v4-allocation-fail-subnet``, ``v4-allocation-fail-no-pools``,
	``v4-allocation-fail-classes``, ``subnet[X].v4-allocation-fail``,
	``subnet[X].v4-allocation-fail-shared-network``,
	``subnet[X].v4-allocation-fail-subnet``,
	``subnet[X].v4-allocation-fail-no-pools``,
	``subnet[X].v4-allocation-fail-classes``,
	``v6-allocation-fail``, ``v6-allocation-fail-shared-network``,
	``v6-allocation-fail-subnet``, ``v6-allocation-fail-no-pools``,
	``v6-allocation-fail-classes``, ``subnet[X].v6-allocation-fail``,
	``subnet[X].v6-allocation-fail-shared-network``,
	``subnet[X].v6-allocation-fail-subnet``,
	``subnet[X].v6-allocation-fail-no-pools``,
	``subnet[X].v6-allocation-fail-classes``.
	There is a warning log message emitted in the logs each time one
	of the allocation failure counters is incremented.
	(Gitlab #2054)

1992.	[bug]		razvan
	The ``maxver`` and ``maxsize`` logger parameters are excluded
	from ``config-get`` command response if the logger output is
	``stdout``, ``stderr`` or ``syslog``.
	(Gitlab #2288)

1991.	[bug]		jinmei, razvan
	Fixed keactrl exit code when netconf is not built.
	(Gitlab #2262)

1990.	[func]		razvan
	Added the ``reservations-lookup-first`` configuration parameter
	which controls whether host reservations lookup should be
	performed before lease lookup. This parameter has effect only
	when multi-threading is disabled. When multi-threading is
	enabled, host reservations lookup is always performed first. The
	``reservations-lookup-first`` parameter defaults to ``false``
	when multi-threading is disabled.
	(Gitlab #2036)

1989.	[build]		razvan
	Library version numbers bumped for Kea 2.1.2 development
	version.
	(Gitlab #2281)

1988.	[bug]		tmark
	Kea core logic now ensures options belonging
	to client classes are properly created when
	classes are read from configuration backends.
	(Gitlab #2246)

1987.	[bug]		tmark
	Fixed an issue in PostgreSQL support code that caused
	asserts when compiled with: -Wp,-D_GLIBCXX_ASSERTIONS.
	(Gitlab #2284)

1986.	[func]		fdupont
	The kea-admin command now accepts extra arguments which
	are passed to the database command tool, e.g. '--ssl' to
	'mysql' with 'kea-admin ... -x --ssl'. Quotes are not
	preserved but multiple arguments can be given.
	(Gitlab #2225)

1985.	[func]		fdupont
	Added support for using files to configure basic HTTP
	credentials. Instead of configuring a value, it is taken from
	the content of a file. The new parameters of the Control Agent
	configuration are:
	- 'user-file' pointing to a file vs 'user'
	- 'password-file' pointing to a file vs 'password'
	- 'password-file' pointing to a file with the secret
	(which is <user>:<password>) vs 'user' and 'password'.
	For the High Availability hook library the new parameter
	is 'basic-auth-password-file' which can be used as an
	alternative to 'basic-auth-password'.
	(Gitlab #2006)

1984.	[func]		andrei
	Introduced the lease-upload command to kea-admin which can upload
	leases from a memfile CSV file to a database backend.
	(Gitlab #2039)

1983.	[bug]		fdupont
	Minimum and maximum values of lifetimes are no longer
	skipped when the configuration is retrieved even when
	they are the same as the default value.
	(Gitlab #2222)

1982.	[bug]		andrei
	The config for an HA peer now accepts an IPv6 address as a valid
	value for the "url" entry.
	(Gitlab #2264)

1981.	[func]		tomek
	The default-url DHCPv4 option has been replaced with
	v4-captive-portal, as defined in RFC 8910.
	(Gitlab #1684)

1980.	[func]*		andrei
	The kea-admin lease-dump command now outputs a CSV file that is
	compatible with the memfile backend. This is useful when
	migrating from database to memfile. The generated output is
	backwards incompatible. Any tools that depend on it would need
	to adapt.
	(Gitlab #2038)

1979.	[bug]		fdupont
	Update and delete operations on leases no longer raise
	an error with infinite valid lifetime (used by BOOTP)
	and MySQL or PostgreSQL backends where timestamps can
	be limited to 32 bits.
	(Gitlab #897)

1978.	[doc]		tomek
	The Kea Administrator Reference Manual now correctly states that
	DHCPv6 authentication option has code 11, not 10.
	(Gitlab #2207)

1977.	[bug]		razvan
	Use only MAX_HWADDR_LEN (20) bytes from remote-id when extracting
	the MAC from relay options.
	(Gitlab #2201)

1976.	[func]		andrei
	Added hwtype and hwaddr_source columns to v6 memfile.
	(Gitlab #2236)

1975.	[func]		tmark
	Additional changes and corrections relating to Config Backend
	were made to the PostgreSQL database schema.  In addition, the
	upgrade scripts were renamed to ensure proper file name ordering.
	Note that PostgreSQL CB is not yet functional.
	(Gitlab #2183, #2244, #2245)

1974.	[func]		fdupont
	The global parameter lookup has been refactored to provide better
	performance. Proper return error code (CONTROL_RESULT_ERROR) has
	been fixed in some cases when trying to apply the new
	configuration. Old code was using wrong hardcoded '2' value
	(CONTROL_RESULT_COMMAND_UNSUPPORTED).
	(Gitlab #1082)

1973.	[func]		fdupont
	MySQL backends now can be configured to use the SSL/TLS
	support to protect connections to the server. New
	database parameters are "cert-file", "key-file",
	"trust-anchor" and "cipher-list". The negotiated cipher
	name is logged so the MySQL service configuration can
	be checked. PostgreSQL accepts the same parameters
	but they only trigger the call to the OpenSSL generic
	initialization in the Pq C-API.
	(Gitlab #34)

1972.	[func]		andrei
	Kea servers now can accept trailing commas in file
	configurations. While parsing, a warning is printed with the
	location of the comma to give the user the ability to correct
	a mistake.
	(Gitlab #2084)

1971.	[func]		tmark, jad
	Added support for embedded DHCPv6 DUIDs within DHCPv4
	Client Identifier options per RFC 4361.  This allows
	Kea to support DDNS in dual stack environments per
	RFC 4703 (Sec 5.2). Thanks to John Dickinson for
	contributing the patch!
	(Gitlab #1934)

1970.	[build]		razvan
	Library version numbers bumped for Kea 2.1.1 development
	version.
	(Gitlab #2195)

1969.	[build]		andrei
	Fixed "make check -j N" running tests in parallel in src/lib/log.
	(Gitlab #2172)

1968.	[build]		andrei
	Fixed make check failing when googletest support was disabled.
	(Gitlab #2167)

1967.	[bug]		andrei
	Fixed a bug where keactrl did not color the active status code
	for kea-dhcp-ddns as it did for the other servers.
	(Gitlab #2117)

1966.	[func]		djt
	Allow Kea to pack opaque data tuples within options with zero
	length to accommodate some DHCP clients who have been observed
	to send DHCPv4 option 124 with zero length tuples.
	(Gitlab #2021)

1965.	[func]		andrei
	Increase the value that "maxsize" can take from 2GB to 2PB.
	(Gitlab #2130)

1964.	[func]		wlodek
	Added support for Debian 11 in hammer.py.
	(Gitlab #2042, #2193)

1963.	[func]		andrei
	hammer.py has had several improvements.
	NETCONF and PostgreSQL will be properly configured when running
	prepare-system on Fedora and FreeBSD.
	vagrant will be automatically upgraded if it is too outdated.
	Error messages are more clear when running on unsupported
	systems.
	hammer.py is now able to detect Arch Linux distributions and
	offers limited support for it, being able to prepare-system with
	freeradius and netconf support.
	(Gitlab #2111, #2112)

1962.	[func]		andrei
	kea-netconf updates: fixed store-extended-info, it was an
	operational node instead of a config node. Added several
	containers and leaves: compatibility, lenient-option-parsing,
	multi-threading, enable-multi-threading, packet-queue-size,
	thread-pool-size, valid-lifetime, min-valid-lifetime,
	max-valid-lifetime, preferred-lifetime, min-preferred-lifetime,
	max-preferred-lifetime, cache-max-age, cache-threshold,
	ddns-generated-prefix, ddns-override-client-update,
	ddns-override-no-update, ddns-qualifying-suffix,
	ddns-replace-client-name, ddns-send-updates,
	ddns-update-on-renew, ddns-use-conflict-resolution,
	ip-reservations-unique, parked-packet-limit, reservations-global,
	reservations-in-subnet, reservations-out-of-pool,
	statistic-default-sample-age, statistic-default-sample-count,
	store-extended-info, on-fail.
	(Gitlab #2136)

1961.	[func]		tomek, tmark
	The initial, stubbed version of the PostgreSQL CB hook
	library has been created.  The library is not yet functional
	and is not installed.
	(Gitlab #1848)

1960.	[build]		andrei
	Froze sphinx dependency versions used to build documentation.
	Added the update-python-dependencies Makefile rule to bump the
	versions.
	(Gitlab #2161)

1959.	[doc]		djt
	Move documentation for acceptable format strings into the Kea
	ARM. The relevant section of the ARM was previously referring
	to a dead link in the Log4cpp documentation.
	(Gitlab #2134)

1958.	[func]		tomek, tmark
	PostgreSQL database schema has been extended with tables for
	Config Backend (CB). This is the first step towards PostgreSQL
	CB. However, as there is no code yet to use those new tables,
	they're not functional yet.
	(Gitlab #90, #2166)

1957.	[build]		razvan
	Library version numbers bumped for Kea 2.1.0 development
	version.
	(Gitlab #2141)

1956.	[bug]		tmark
	Modified stat_cmds hook library to omit statistics
	for non-existent subnets from results returned by
	stat-lease4-get and stat-lease6-get commands.
	(Gitlab #2033)

1955.	[bug]		tmark
	kea-dhcp4 no longer sends DHCPNAKs in response to
	DHCPREQUESTs for addresses for which it has no knowledge.
	(Gitlab #1584)

1954.	[doc]		fdupont
	Updated the Developer's Guide to explain what to do when
	GSS-TSIG hook unit tests fail from a system Kerberos
	incompatible configuration.
	(Gitlab #2056)

1953.	[build]		fdupont
	Changed the name of the GSS-TSIG hook library object to
	libddns_gss_tsig.so.
	(Gitlab #2115)

The following summarizes changes in the premium hooks since the 2.0.0 
release:

154.	[doc]		rob2yall, vicky, tomek
	The Kea Hooks Basic Commercial End User License Agreement (EULA)
	has been updated to version 2.0.
	(Gitlab #2501)

153.	[func]		fdupont
	GSS sequence and anti-replay services can now be disabled using
	the new "gss-sequence-flag" and "gss-replay-flag" boolean
	parameters, at the global or DNS server levels, in the GSS-TSIG
	hooks library configuration. The default is anti-replay only.
	(Gitlab #2406)

152.	[bug]		jinmei
	Fixed rekey-interval calculation for the GSS-TSIG hooks library.
	(Gitlab #2404)

151.	[func]		andrei
	Add lease-limit checking functionality to the limits hook
	library.
	(Gitlab #2448)

150.	[func]		razvan
	Added lease4-delta-add, lease4-delta-del, lease6-delta-add,
	and lease6-delta-del commands to subnet_cmds hooks library.
	Using these commands, the user is able to only apply the
	difference between the current subnet configuration and the
	user data (either add - if missing - or update when using the
	add commands or remove when using the del commands). Most
	common case is to add or delete pools or pd-pools to a specific
	subnet but it can also be used to update scalars or lists of
	scalars or maps.
	(Gitlab #2266)

149.	[bug]		fdupont
	Handle exceptions thrown by TSIG exchange initialization
	for instance when the server principal does not exist.
	Previously the exception made the DDNS server exit.
	(Gitlab #2396)

148.	[func]		andrei
	The limits hook library is now notified of limit changes brought
	to client classes and subnets via config backend or subnet
	commands. Previously, new limits were ignored and old limits were
	used until a reconfiguration was triggered.
	(Gitlab #2422)

147.	[func]		andrei
	The limits hook library and its rate-limiting feature were added.
	It can apply a specified limit of a certain number of packets per
	time unit to a given client class or subnet.
	(Gitlab #562, #1650)

146.	[func]		tmark
	The ddns-tuning hook library now supports the use of a new
	built-in class, "SKIP_DDNS", to skip performing DDNS updates for
	a given client.
	(Gitlab #2354)

145.	[func]		fdupont
	The RBAC (role-based access control) hook library for the control
	agent has been added.
	(Gitlab #1263)

144.	[func]		tmark
	Upon reconfiguration or modification of subnets via the config
	backend, the ddns-tuning hook library now reparses the
	hostname expressions for all configured subnets. This allows
	any invalid expressions to be detected up front. Previously,
	the expressions were parsed on demand (i.e. lazy init).
	(Gitlab #2384)

143.	[doc]		tmark
	Added stub ddns_tuning.dox
	(Gitlab #2387)

142.	[func]		tmark
	Added ddns-tuning hook library.
	(Gitlab #1548)

141.	[func]*		razvan
	The support for Cassandra database backend has been removed.
	(Gitlab #2116)

140.	[bug]		andrei
	The RADIUS hook library now reselects the assigned subnet to
	another subnet containing the reserved address, if such a subnet
	is configured, if it is different than the one initially
	selected and if "reselect-subnet-address" is true. Prior to
	this, the subnet reselection based on the reserved address was
	stricter and in some cases returned SUBNET_ID_UNUSED resulting
	in NAK or NoAddrsAvail.
	(Gitlab #2347)

139.	[func]		fdupont
	Added a configuration error for the RADIUS hook library
	when the early-global-reservations-lookup global flag is
	set to true.
	(Gitlab #2304)

138.	[func]		razvan
	Added support for multiple IA_NA with multiple OPTION_IAADDR
	sub-options and multiple IA_PD with multiple OPTION_IAPREFIX
	sub-options to be logged by the forensic log hook by matching
	each allocated or released lease with the packet options.
	(Gitlab #2181)

137.	[func]		tirsek, razvan
	Added new parameter "timestamp-format" in forensic log hook
	library to be able to configure the timestamp format for log
	file. Also adds the '%Q' extra format which adds the
	microseconds subunits.
	(Gitlab #2208)

136.	[bug]		razvan
	Fixed race condition on initialization of flex_id_expr member
	when using multi-threading in flex id hook library.
	(Gitlab #2251)

135.	[func]		fdupont
	Added SSL/TLS support to the MySQL backend for
	the forensic logs. New parameters are "cert-file",
	"key-file", "trust-anchor" and "cipher-list".
	The negotiated cipher name is logged.
	(Gitlab #34)

134.	[func]		razvan
	Added exchange-timeout, rekey-interval, retry-interval
	configuration entries to GSS-TSIG.
	(Gitlab #2138, #2174)

133.	[func]		fdupont
	Added the gss-tsig-rekey and the gss-tsig-rekey-all API commands
	to create new GSS-TSIG keys.
	(Gitlab #2127)

132.	[func]		razvan
	The forensic logging hook library can now log on multiple lines
	using the hex string 0x0a. Each line is prepended by the
	timestamp.
	(Gitlab #2087)

131.	[func]		fdupont
	Implemented a configure flag which governs the behavior
	when GSS-TSIG is enabled but no key is available.
	The default (and previous) behavior is to skip this
	DNS server, the flag allows instead to fall back to
	the disabled GSS-TSIG one.
	(Gitlab #2125)

130.	[func]		fdupont
	Added statistics to the GSS-TSIG hook library to follow the
	GSS-TSIG key and TKEY activity.
	(Gitlab #2124)

129.	[bug]		fdupont
	The GSS-TSIG hook library now sets and restores environment
	variables when configured.
	(Gitlab #2109)

128.	[build, bug]	fdupont
	The nsupdate test tool of the GSS-TSIG hook library is
	correctly built even without Google Test.
	(Gitlab #2114)

127.	[build]		fdupont
	Changed the name of the GSS-TSIG hook library object to
	libddns_gss_tsig.so.
	(Gitlab #2115)

Thank you again to everyone who assisted us in making this release 
possible.

We look forward to receiving your feedback.