# Kea 2.3.6 Release Notes, March 29th 2023

Welcome to Kea 2.3.6, the seventh monthly release of the 2.3 development 
series. As with any other development release, use this with caution: 
development releases are not recommended for production use.

Kea is a DHCP implementation developed by Internet Systems Consortium 
(ISC) that features DHCPv4 and DHCPv6 servers with DNS updating and a 
REST API; optional database support (MySQL and PostgreSQL); optional 
RADIUS, Kerberos, and YANG/NETCONF support; and much more. Kea provides 
extensive management capabilities, including but not limited to: TLS 
support, run-time configuration monitoring and updates via a REST API, 
host reservations, client classification, and more.

The text below references issue numbers. For more details, visit the Kea 
GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.

The following features and bug fixes have been implemented since the 
previous release, version 2.3.5:

1. **Never-send**: With earlier Kea versions, it was difficult to 
configure an option that was supposed to be present everywhere except a 
small number of locations. A new flag `never-send` was introduced. It 
allows users to configure a given option globally and then suppress 
sending it in a particular subnet or shared network [#719].

2. **Multiple Vendor options**: The Kea DHCPv4 server can now handle 
multiple `vivco-suboptions` options with different enterprise IDs [#467].

3. **Usability: Better configuration checks**: New command line 
parameter `-T` allows testing the configuration file with extra checks 
for database connections, hook libraries, etc. [#1671].

4. **DDNS improvements**: Kea-dhcp4 and kea-dhcp6 support a new 
parameter, `ddns-ttl-percent`, which allows setting the DNS TTL as a 
percentage of a lease lifetime [#225].

5. **Accepting all traffic**: Earlier Kea versions followed an RFC2131 
rule that checked whether the `server-identifier` matched Kea's. If not, 
the packet was intended for some other DHCP server and was dropped. 
However, in certain advanced scenarios it is useful to be able to force 
Kea to accept everything. A new parameter, 
`ignore-dhcp-server-identifier` for kea-dhcp4 allows enabling this 
behavior [#2785].

6. **Early allocation**: RFC2131 states that leases are supposed to be 
allocated when the server receives a REQUEST message. However, that 
means that in certain situations, particularly when the server is almost 
out of addresses, the client can get a DISCOVER with an address, but 
when it actually requests the address, it gets doesn't get the address. 
This is a conformant behavior, but it differs from ISC DHCP, which 
assigned a short-lived (120s) lease when receiving DISCOVER. Kea-dhcp4 
now supports the `offer-lifetime` parameter allowing for the temporary 
allocation of leases during DHCPOFFER [#2719].

7. **RFC8572 compatibility:** Added support for Secure Zero Touch 
Provisioning options as per RFC8572. Kea can now handle DHCPv4 Option 
code #143 and DHCPv6 Option code #136 [#939].

8. **Compatibility:** Added a new `exclude-first-last-24` DHCPv4 
compatibility flag, which skips addresses in .0 and .255 in subnets 
larger than /24 [#720].

9. **Free Leases Queue**: Significant progress has been made with the 
implementation of FLQ. FLQ will be an alternative allocation strategy 
that will allow Kea to assign available addresses in pseudo-random 
order. This will be particularly advantageous for shared database 
scenarios as it will minimize the number of collisions between Kea 
instances. Also, it will provide some protection against scanning 
attacks. While the feature is not functional yet, two major milestones 
were achieved. First, the lease manager was instrumented, so it's now 
easy to perform specific additional tasks when the lease changes 
[#2764]. Second, the design for the feature has been written and is 
available on the project wiki [#1126].

10. **Bugfixes**: Fixed a bug that was changing the multi-threading 
settings when running `config-test` command when the settings were 
different from the server's configuration. Hooks now set the DROP flag 
on the dhcp4_srv_configured and dhcp6_srv_configured callouts if the 
configuration is invalid or an error occured [#2799]. The kea-dhcp4 and 
kea-dhcp6 reload function (triggered by SIGHUP) has been enhanced to 
roll back to the previously working configuration if the new 
configuration is invalid [#2722]. Fixed a bug that advertised 
re-assigned released leases with zero lifetimes [#2766]. Compatibility 
flags, e.g. `lenient-option-parsing`, are now saved by `config-get` and 
similar commands [#2790]. Corrected code that allowed `lease6-get-*` 
commands to return IA_NA leases with prefix length values of zero 
[#2660]. Kea-dhcp6 now consistently uses valid and preferred lifetime 
values provided via classes [#2739]. Added missing log messages for host 
commands hooks library [#2783].

11. **Documentation:** The ARM security section now explains how to tune 
the OpenSSL configuration file, so the Kea service can accept commands 
over HTTPS with the desired TLS version [#2784].

## License

This version of Kea is released under the Mozilla Public License, 
version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

The premium and subscriber-only hook libraries are provided under the 
terms of a Kea Hooks Basic Commercial End User License Agreement.

## Download

Pre-built ISC packages for current versions of the most popular Linux 
operating systems are available at:

https://cloudsmith.io/\~isc/repos/

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

as well as from the Cloudsmith repository.

The signature was generated with the ISC code signing key, which is 
available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions 
and usage tutorials, in the Kea Administrator Reference Manual. 
Documentation is included with the installation or at 
https://kea.readthedocs.io/en/latest/index.html.

Limitations and known issues with this release can be found at 
https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for 
you and what operating system you tested on. Feel free to share your 
feedback on the Kea Users mailing list 
(https://lists.isc.org/mailman/listinfo/kea-users. We would also like to 
hear whether the documentation is adequate and accurate. Please open 
tickets in the Kea GitLab project for bugs, documentation omissions and 
errors, and enhancement requests. We want to hear from you even if 
everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all 
professional users to consider this option; Kea maintenance is funded 
with support subscriptions. For more information on ISC's Kea and DHCP 
software support see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing 
list. Information on all public email lists is available at 
https://www.isc.org/community/mailing-list.

## Changes

The following summarizes changes and important upgrade notes for core 
Kea since the previous release, version 2.3.5:

2120.	[build]		razvan
	The library version numbers have been bumped up for the Kea 2.3.6
	development release.
	(Gitlab #2807)

2119.	[func]		tmark
	Added a new parameter, ddns-ttl-percent, to kea-dhcp4
	and kea-dhcp6, that may be used to calculate DNS TTL
	as a simple percentage of the lease life time.
	(Gitlab #225)

2118.	[bug]		razvan
	Fixed a bug which was changing the multi-threading settings when
	running config-test command and the settings were different from
	the server's configuration. This also fixes the rollback on the
	multi-threading settings if there is a configuration error
	detected. Also hooks now set DROP flag on the
	dhcp4_srv_configured and dhcp6_srv_configured callouts if the
	configuration is invalid or an error occured. Proper shutdown
	of the HTTP listener is performed now instead of generating a
	server crash if the provided address is not valid.
	(Gitlab #2799)

2117.	[func]		fdupont
	Added a new ignore-dhcp-server-identifier DHCPv4 compatibility
	flag which when set to true (default is false) makes any query
	to be accepted even when the address in the DHCP Server
	Identifier option belongs to another server (standard behavior
	is to drop such queries).
	(Gitlab #2785)

2116.	[func]		piotrek
	Added support of Secure Zero Touch Provisioning options as per
	RFC8572. Kea can now handle DHCPv4 Option code #143 and DHCPv6
	Option code #136.
	(Gitlab #939)

2115.	[func]		tmark
	Added the parameter, offer-lifetime, to kea-dhcp4.  When
	greater than zero, the server temporarily allocates and
	persists leases during DHCPOFFER processing.
	(Gitlab #2719)

2114.	[func]		razvan
	Added the -T command line parameter to kea-dhcp4 and kea-dhcp6
	for testing configuration files, similar to -t, but with extra
	checks like checking database connections, checking hook
	libraries parameters, and others.
	(Gitlab #1671)

2113.	[bug]		razvan
	The reload functionality (by sending SIGHUP) of the kea-dhcp4
	and kea-dhcp6 servers has been enhanced to rollback to
	previously working configuration if the new configuration is
	invalid. There are still cases that can leave the server in an
	unrecoverable state, and such case is indicated by a FATAL
	log message. The same logic applies to the "config-set" command
	available to the server through the control channel.
	(Gitlab #2722)

2112.	[doc]		fdupont
	Added in the ARM security a section explaining how
	to tune the OpenSSL configuration file for Kea service
	accepting commands over HTTPS.
	(Gitlab #2784)

2111.	[bug]		fdupont
	Fixed a bug which advertised re-assigned released leases
	with zero lifetimes.
	(Gitlab #2766)

2110.	[func]		fdupont
	A new boolean configuration flag called "never-send" has been
	added to the option data scope. When enabled, the option is not
	sent in a response to the client, even if the client explicitly
	requests it.
	(Gitlab #719)

2109.	[bug]		fdupont
	Compatibility flags e.g. lenient-option-parsing were not
	saved by config-get and similar commands.
	(Gitlab #2790)

2108.	[func]		fdupont
	Added a new exclude-first-last-24 DHCPv4 compatibility flag
	which when set to true (default is false) skips addresses
	in .0 and .255 in subnets with prefix length less than 24
	in the allocation engine routine picking a free address.
	(Gitlab #720)

2107.	[func]		fdupont
	The Kea DHCPv4 server can now handle multiple vivco-suboptions
	options with different enterprise IDs.
	(Gitlab #467)

2106.	[bug]		tmark
	Corrected code that allowed lease6-get-* commands to return
	IA_NA leases with prefix length values of zero and logic in
	kea-dhcp6 that was incorrectly generating duplicate iaaddr
	options with lifetimes of zero for such leases in REPLYs to
	RENEWs.
	(Gitlab #2660)

2105.	[bug]		tmark
	kea-dhcp6 now consistently uses valid and preferred lifetime
	values provided via classes.  Prior to this it was not
	utilizing class-supplied lifetimes when renewing existing
	leases or when reusing expired leases.
	(Gitlab #2739)

And for Kea premium:

165.	[bug]		razvan
	Hooks now set DROP flag on the dhcp4_srv_configured and
	dhcp6_srv_configured callouts if the configuration is invalid
	or an error occured. Proper shutdown of the HTTP listener is
	performed now instead of generating a server crash if the
	provided address is not valid.
	(Gitlab #2799)

164.	[bug]		razvan
	Added missing log messages for host commands hooks library.
	There are three messages that can be logged when any command is
	issued: one INFO message when the hook starts processing the
	command and one INFO message when it finishes with no error or
	one ERROR message then an error occurs.
	(Gitlab #2783)

See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a 
complete list of release notes.

Thank you again to everyone who assisted us in making this release 
possible.

We look forward to receiving your feedback.