# Kea 2.0.0, Sep 29th 2021, Release Notes (DRAFT)

Welcome to Kea 2.0.0, a new stable branch. Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, Kerberos, and Yang/NETCONF support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, run-time configuration monitoring and updates via a REST API, host reservations, client classification, and more.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.

If you are upgrading from the previous stable version, the following major features have been implemented since the 1.8 series:

1. **Multi-threaded High Availability (HA).** Kea 1.8.0 introduced multi-threaded (MT) support that significantly increased packet-processing performance. However, many deployments were unable to take advantage of it because the relatively slow communication between HA partners was a bottleneck. This limitation has now been addressed. When HA+MT is enabled, the DHCPv4 and DHCPv6 daemons are now able to open HTTP sockets on their own and connect directly to each other, bypassing the Control Agent (CA). With its ability to run in a multiple threads/multiple connections regime, Kea 2.0.0 offers a substantial performance improvement in HA scenarios. Before using this feature, please read the new `16.15.15 Multi-threaded Configuration (HA+MT)` section in detail, as there are many configuration knobs to be tweaked that are deployment-specific; the HA+MT feature is disabled by default. This work has been conducted on many tickets [#1315, #1732, #1733, #1734, #1735, #1736, #1748, #1807, #1818, #1876, #1964, #2041, #2043, #2051].

2. **TLS support.** Kea's Control Agent (CA) now supports TLS; three modes of operation are available.
The first is plain HTTP with TLS completely disabled; this was the only mode in earlier releases. The second mode is encryption, where the CA accepts TLS connections. This is the typical mode when securing a website, where clients and servers are not under the control of the same organization. The third mode (and the default when TLS support is enabled) is mutual authentication between connecting clients and the CA server. In this mode, clients are required to identify themselves using TLS certificates: the clients verify the server's certificate and the server verifies the client's. See Section 23.1 of the Kea ARM for details. This work was done on many tickets [#1619, #1661, #1662, #1663, #1664, #1726, #1748, and #1758].

3. **Security Improvements.** There is a new `Kea Security` section in the Kea Administrator Reference Manual (ARM). It covers topics such as which daemons to run, how to run without root access, and how to secure access. Some additional process-related issues are described as well [#1587]. Kea now obscures passwords in debug logs when the whole configuration is printed [#1721]. Authentication information is now logged on a dedicated logger, making it easier to implement security policies, such as logging to dedicated secure storage [#1590]. TLS support is now functional when building with either the Botan library or OpenSSL [#1665].

4. **Cache threshold.** This popular ISC DHCP feature has now been implemented in Kea. Some clients renew their leases earlier than specified, either because they ignore the timer or they are broken. Frequent early renewals put an extra burden on the server, which has to write updated leases even though they may have been renewed only seconds earlier. The ``cache-threshold`` (expressed as a percentage) and ``cache-max-age`` (expressed in seconds) parameters help reduce that extra burden on Kea.
Kea still responds to the client but merely resends the existing lease lifetime, thus eliminating the need to update the lease database [#1418].

5. **New script hook.** Due to popular demand, a new hook that calls an arbitrary external script has been added. This script may initiate an external process, such as updating routing and firewall rules for provisioned devices. The script is called asynchronously, i.e. Kea starts the script, does not wait for its completion, and continues processing the packet. This approach has a performance impact, but may be viable if the traffic load is not substantial or a quick response is needed, without users needing to develop their own hooks [#899].

6. **Client Classes in Configuration Backend (CB).** The Configuration Backend provides the ability to store some configuration elements in a MySQL database; this capability has now been extended with client classes. A number of new commands (`remote-class4-set`, `remote-class4-get`, `remote-class4-get-all`, `remote-class4-del`, `remote-class6-set`, `remote-class6-get`, `remote-class6-get-all`, and `remote-class6-del`) are now available in the `cb_cmds` subscriber hook library [#1928, #1167, #1965, #1972, #1977].

7. **New GSS-TSIG hook (experimental, subscriber hook library).** Kea can update DNS records when devices are having their address assigned, updated, released, or expired. In earlier Kea versions, this update could be protected by a static TSIG key. Starting with this release, Kea is now able to use Kerberos mechanisms to retrieve dynamic keys and perform GSS-TSIG updates. This capability is of particular importance to Windows networks, as this is usually the only method available in an Active Directory environment. Kea supports two Kerberos implementations: MIT and Heimdal. The support is considered experimental; the typical scenario has been proven to work, but some parts of the standard are not implemented yet.
In particular, fallback and error handling are somewhat lacking. Use with caution! The `gss-tsig` hook is available to Kea subscribers only. It is the first hook that can be loaded by the dhcp-ddns (D2) daemon [#1880, #1884, #1885, #1897, #1909, #1935, #1950, #1957, #1960, #1963, #2009, #2011, #2015, #2018, #2019, #2040, #2078, #2096, #2099].

8. **Local access control.** Kea now supports basic HTTP authentication, as defined in RFC 6717. It is now possible to configure a list of credentials (pairs of user identifiers and passwords) that the user or script must provide to use Kea's REST API [#1304].

9. **Performance: lease reclamation fix on MySQL.** Reclamation of leases stored in some older versions of MySQL was inefficient in earlier Kea versions, which caused the periodic lease reclamation process to take an increasing amount of time. The issue is now fixed, which should result in much better long-term performance and reduce reported performance degradation over time [#2030, #2063].

10. **Multiple MAC reservations for the same IP.** Having more than one reservation for the same IP may cause conflicts, so Kea considers it a configuration error and does not allow it. However, in some deployments it makes sense to have more than one reservation for the same IP. For example, if an appliance has two interfaces, but at any given time only one of them will be connected, having multiple reservations helps conserve IP address space. To enable this mode of operation, a new parameter ``ip-reservations-unique`` has been added. The default behavior remains unchanged: multiple reservations are forbidden unless explicitly allowed. Care should be taken to never allow a situation where two or more devices are active with reservations for the same IP, since Kea has no way to meaningfully resolve such a conflict [#1428].

11. **DDNS improvements.** It is now possible to configure Kea to perform DNS updates when the client renews a lease.
Typically this is redundant, as the DNS update done during initial client configuration is sufficient. However, if there were problems with the DNS (e.g., misconfigured TSIG keys or the server was down), it may be useful to turn on the new ``ddns-update-on-renew`` parameter. This forces all DNS records to be updated for active clients. After some time (roughly equal to the value of the ``renewal-timer``), this parameter ensures that all records for current clients are properly updated [#1385]. The DNS query ID field randomization is improved [#1957]. There is now better control over the qualifying suffix [#1529]. A new parameter, ``ddns-use-conflict-resolution``, was added to kea-dhcp4 and kea-dhcp6, which determines whether conflict resolution rules (see RFC 4703) are followed. The default value is ``true``. Disabling conflict resolution should only be used after careful consideration [#1386].

12. **Lease lifetimes in client classes.** It is now possible to configure preferred and valid lease lifetimes based on the client classification. That feature has been implemented for DHCPv4 [#1635] and DHCPv6 [#1172, #1710] and is supported by the Config Backend.

13. **HA improvements.** The Kea High Availability (HA) library has been expanded by introducing a new communication-recovery state. In this state, the load-balancing servers remain responsive to DHCP queries even when the communication between them is interrupted. The new feature is controlled using the ``delayed-updates-limit`` configuration parameter [#1402]. The ``dhcp-enable``/``dhcp-disable`` command can be independently used to enable or disable the DHCP service by the user, which no longer clashes with the database connection mechanics, or by the HA library. The DHCP service is disabled when any of those originators disable the service, and it is enabled when all those that previously disabled the service enable it.
The ``dhcp-enable`` and ``dhcp-disable`` commands accept an "origin" parameter with valid values of "user," which is the default and indicates a user-generated command, and "ha-partner," which is used internally by the HA library [#1601]. The servers can now recover from situations where both went to ``partner-down`` state and the communication is broken in one direction, but works in the other [#1403]. The synchronization of the standby server is now more robust [#1959].

14. **Database cluster improvements.** A number of database improvements have been made to make Kea work better with various clustering solutions. A hands-on study has been completed with many experiments involving Galera, Percona, NDB, and group replication. We set up clusters and ran unit and system tests, and found a few issues to address; overall, we found that Percona and Galera are the environments that are easiest to work with. A KB article, https://kb.isc.org/docs/experimental-mysql-clusters-for-kea, is now available with the results. Several code improvements were also made as a result of this activity [#1709, #1708, #1703].

15. **Database connection recovery rework.** A new parameter ``on-fail`` now controls Kea's actions on database connection loss. It has three possible values, which govern whether the DHCP service should be disabled and Kea should shut down, or Kea should continue DHCP service after all the configured tries have been exhausted: ``stop-retry-exit``, which indicates that DHCP service should stop, attempt to reconnect, and terminate if unable to reconnect; ``serve-retry-exit``, which instructs Kea to continue serving DHCP traffic, attempt to reconnect, and terminate if unable to reconnect; and ``serve-retry-continue``, which tells Kea to continue serving DHCP traffic, try to reconnect, and continue serving even if reconnection fails. This is particularly useful for forensic logging and configuration backend services [#1621].

16. **Per-device access control.** Kea is now able to drop packets coming from devices that have matching host reservations with class set to DROP (i.e. ``DROP`` class is listed in the ``client-classes`` field in ``reservations``). This effectively allows the operator to selectively drop incoming packets from some devices, such as customers that have overdue payments or other misbehaving clients [#1815].

17. **Forensic logging enhancements.** The forensic logging hook library is now able to log custom expressions. These expressions can include any option (such as relay option 82) or sub-option (such as circuit-id, remote-id, or any other sub-option), packet fields, network interface names, local or remote IP address, and more. It uses the same expressions engine as when defining client classification or flexible identifiers. Evaluating expressions is a relatively "expensive" operation, so more-customized, more complex logs and expressions will have greater performance impact than the default log. The forensic logging hook library also supports flexible rotation intervals (e.g. using seconds or days) and "pre-rotate" and "post-rotate" actions which can be used to call an external script, e.g. to move or compress respective files whenever the rotate action is performed [#1824, #1863, #1680, #1866, #1576].

18. **NETCONF with Sysrepo 1.4.** Kea provides optional support for YANG modules accessible via the NETCONF protocol. Earlier versions used the now-obsolete Sysrepo 0.x for this capability. That external dependency has been updated to Sysrepo 1.4, which is a substantial architectural change. Compilation with Sysrepo has been simplified with the ``--with-sysrepo`` and ``--with-libyang`` switches, available in the configure script. However, due to external dependencies (both Sysrepo and its libyang library must be compiled with C++ bindings enabled), use of NETCONF remains non-trivial [#1077, #1991, #1626, #1844, #1556, #1987].

19. **Performance statistics.** A new statistic, ``packet-queue-size``, has been added that reports packet-queue utilization. It reports an average for the last 10, 100, and 1000 packets. This uses an approach similar to the Unix ``top`` tool, which returns CPU utilization for the last 1, 5, and 15 minutes. This may be useful for fine-tuning Kea performance and its queue length [#1306].

20. **The Cassandra backend is now deprecated.** See the Incompatible Changes section below [#1892].

See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a complete list of all changes from versions 1.9.0-1.9.11 that are included in this release.

If you are upgrading from the latest development version, the following bugfixes and features have been implemented since the Kea 1.9.11 release:

21. **Much better stability when the server is overloaded.** Some users have reported that Kea does not behave well when overloaded with more traffic than it can handle. The performance was acceptable when traffic was below the threshold, but rapidly degraded if only slightly increased over the threshold. This was nicknamed a "cliff" scenario. The problem was investigated and its root cause was determined to be an unbounded packet-parking capability. If Kea was unable to keep up with the traffic, it parked incoming packets faster than its processing allowed. As a result, the parking lot queue grew larger and larger, which caused Kea to respond even more slowly, while also sending responses to older packets. This also caused increased memory consumption. All of those problems are now addressed. The length of the parking lot queue is now configurable; a default value of 256 is used. Lower values tend to provide more responsive service with a higher drop rate when overloaded, while larger values do the opposite [#1307, #2069, #2068, #2066, #2085].

22. **The GSS-TSIG hook (experimental, subscriber-only).** The work on the GSS-TSIG hook completed a major milestone: DNS updates are now functional and can be protected with dynamic GSS-TSIG keys that were previously retrieved by Kea using TKEY exchange. Many smaller improvements contributed to this: the TKEY exchange code was fixed [#2015], the D2 server no longer crashes on exit [#2088], the D2 server now provides statistics [#2040], the GSS-TSIG key manager has been implemented [#2019, #2078], and it is now possible to have keys defined per-server (as opposed to previously possible keys defined per DNS domain) [#2011]. This hook is experimental; use it with caution.

23. **Client classes in Configuration Backend (CB) fixed.** Client classes in the CB had several flaws: in particular, they were not usable if they depended on option definitions stored in the CB. That is now functional. Also, there are no longer any dangling options left over after classes are deleted [#2028, #2077, #2094, #2091].

24. **High Availability (HA) improvements.** The servers can now recover from situations where both went to ``partner-down`` state and the communication is broken in one direction, but works in the other [#1403]. The synchronization of the standby server is now more robust [#1959].

25. **Basic configuration template: home power user.** By popular demand, we have begun to provide configuration examples for typical deployments. We are starting with a home network for a power user or a small office deployment. More deployment templates for wired ISP, wireless service provider, and more will be added. The examples are available as text files and also commented on in a new Kea Administrator Reference Manual (ARM) appendix [#2050].

26. **DNS update flags in DHCPv6 leases with shared networks.** The DHCPv6 server now correctly determines DNS update flags when the allocation engine dynamically changes the selected network subnet [#1622].

27. **Build improvements.** Packages for RHEL/CentOS 7 no longer link with OpenSSL 1.1, as it was clashing with a MySQL library dependency that was always linked with OpenSSL 1.0 [#2081]. Hammer now sets PostgreSQL methods better when setting up an environment for Kea builds [#2064].

28. **Documentation updates.** Many documentation updates made it into this release: GSS-TSIG hook documentation now covers BIND 9 and Kerberos setup [#2096]. The Kea ARM has been proofread and corrected in many places [#2073]. An example showcasing how to use file includes has been added [#2080]. Several links have been fixed [#2067].

## Incompatible Changes

There are several changes that can be considered backward-incompatible.

1. **Global and subnet reservations**. Earlier Kea versions had a single configuration parameter called ``reservation-mode`` that governed whether host reservations were global (out-of-pool) or subnet-level (in pool), and it was not possible to use different reservation types at the same time. However, in some deployments there is a need to use several types at the same time. As a result, the ``reservation-mode`` parameter is now deprecated and replaced by three separate boolean parameters: ``reservations-global``, ``reservations-in-subnet``, and ``reservations-out-of-pool``, each of which can be controlled independently to give users more flexibility in their configuration. Caution is recommended, as enabling more lookups has performance implications. The older parameters still work in this version, with a warning, but they will be removed before Kea 2.2 [#1405, #1550].

2. **Cassandra support is deprecated**. Cassandra support was added in Kea 1.1.0 in 2016, but never gained much traction. After much deliberation, the Kea team decided to initiate the procedure to remove the code.
With more engineering resources available for other backends, we hope to implement features that will be useful to a much broader range of deployments, such as configuration backend support for PostgreSQL. As of Kea 2.0.0, the Cassandra backend is now deprecated, which means the code is functional and still works, but it prints a warning that it will be removed in the future. Kea 2.0 is likely the last stable series that will be able to use Cassandra. Support for it will be removed sometime in the upcoming 2.1 development series and will be gone in the next stable 2.2, which is expected roughly within a year. Any installations still using Cassandra should consider migrating to other backends or reach out to ISC.

3. **Sysrepo 1.4**. Kea 2.0 migrated to Sysrepo 1.4, which is needed to enable YANG/NETCONF support. Due to the substantial internal changes in the Sysrepo project, it is not feasible to maintain backward compatibility with the 0.x release. Also, as there are no C++ bindings available for Sysrepo 2.0, that particular version is not usable by Kea yet. Please see Section 21.1 of the Kea ARM for more YANG, NETCONF, and Sysrepo details.

## License

This version of Kea is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

The premium and subscriber-only hooks libraries are provided under the terms of an End User License Agreement.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at:

https://cloudsmith.io/~isc/repos/

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code signing key, which is available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, plain text, or PDF formats.

ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org//isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea and DHCP software support see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/issues.

## Changes

The following summarizes changes and important upgrade notes since the 1.8.0 release.

```
Kea 2.0.0 (stable) released on September 29, 2021

1952. [build] razvan
    Library version numbers bumped for Kea 2.0.0 stable version.
    (Gitlab #2104)

1951. [doc] tomek
    A new appendix for configuration templates added to Kea ARM, the first of which is a home power user.
    (Gitlab #2050)

1950. [doc] slawek
    Added a description and an example of the usage of the "include" statement in the Kea configuration file to the ARM.
    (Gitlab #2080)

1949. [bug] tmark
    kea-dhcp6 now correctly determines DNS update flags when the allocation engine dynamically changes the selected network subnet.
    (Gitlab #1622)

1948. [func] tmark
    HTTP library will now emit a warning log when the queue of pending client requests for a given URL exceeds a threshold.
    (Gitlab #2085)

1947. [bug] marcin
    Corrected a bug in the High Availability hooks library that could cause a standby server not to synchronize its lease database after a temporary communication interruption with its partner.
    (Gitlab #1959)

1946. [bug] marcin
    Fixes a bug in MySQL configuration backend schema. DHCP options associated with deleted client classes are now automatically deleted.
    (Gitlab #2094)

1945. [build] andrei
    Reverted qa#261 changes, which forced linking with OpenSSL 1.1 when available. This caused a segfault, when Kea's crypto library used OpenSSL 1.1, but the MySQL library it linked against, used OpenSSL 1.0.
    (Gitlab #2081)

1944. [bug] tmark
    kea-dhcp4 and kea-dhcp6 both now support a global parameter, parked-packet-limit, that can be used to limit the number of client responses the server may park pending completion of hook library callouts.
    (Gitlab #1307)

1943. [bug] marcin
    Fixed a bug in fetching client classes from the Config Backend. The bug resulted in failures during attempts to evaluate the classes for a received packet.
    (Gitlab #2077)

1942. [func] fdupont
    Added basic statistics to the DHCP-DDNS server.
    (Gitlab #2040)

1941. [func] fdupont
    Per DNS server TSIG keys are now supported in the DHCP-DDNS (aka D2) server configuration. A new callout point 'select_key' gives access to the selected TSIG key before sending DNS updates.
    (Gitlab #2011)

Kea 1.9.11 (development) released on Aug 30, 2021

1940. [build] razvan
    Library version numbers bumped for Kea 1.9.11 development version.
    (Gitlab #2053)

1939. [bug] tmark
    Removed all MultiThreadingCriticalSections from lease_cmds hooks library which can cause a dead-lock when running HA+MT. The commands simply try to acquire the resource lock and fail if the resource is unavailable also logging an error message.
    (Gitlab #2051)

1938. [bug] razvan
    Fix dead locks caused by commands with CS on http listener threads and CS on main thread racing with CS on other threads.
    (Gitlab #2041, #2043)

1937. [bug] razvan
    The Config Backend is now capable of reestablishing database connection after a failure.
    (Gitlab #1982)

1936. [build] andrei
    Kea attempts to first link with compatibility library OpenSSL 1.1 (usually found on CentOS 7) before falling back to the system OpenSSL (1.0 on CentOS 7 which is out of support).
    (Gitlab qa#261)

1935. [func] andrei
    The store-extended-info config entry was added to Kea YANG modules at root-level and at subnet-level.
    (Gitlab #1944)

1934. [func] tmark
    Kea-dhcp6 now supports specifying valid-lifetime and preferred-lifetime values in client classes (via both configuration file and Config Backend). Prior to this it could only be specified at the global, shared-network, and subnet scopes.
    (Gitlab #1710)

1933. [doc] fdupont, tomek
    Added a new ARM section about GSS-TSIG. Currently it describes how to build Kea with GSS-API support. It will be expanded in the future.
    (Gitlab #2018)

1932. [func] tmark
    MySQL indexing of leases database has been improved. It now behaves better on older MySQL versions. In particular, the lease reclamation no longer causes full scans to be performed. This fix introduces MySQL schema update to 11.0. This should reduce the periodic performance slowdowns.
    (Gitlab #2030)

1931. [bug] tomek
    Two hook messages HOOKS_CALLOUT_ERROR and HOOKS_CALLOUT_MESSAGES are now printing the hook name and index properly. Thank you to Shawn Routhier for reporting the issue.
    (Gitlab #2020)

1930. [doc] razvan
    Extended documentation section about setting up the timezones in MySQL and PostgreSQL databases.
    (Gitlab #1978)

1929. [build] andrei
    Compatibility with upcoming boost 1.77 has been improved. Thanks to Brad Smith for the patch!
    (Gitlab #1980)

1928. [bug] tmark
    Modified kea-dhcp4 and kea-dhcp6 to only append the ddns-qualifying-suffix if the input name does not already end with that suffix. Prior to this the suffix was always added which could lead to names including the suffix twice.
    (Gitlab #1529)

Kea 1.9.10 (development) released on Jul 30, 2021

1927. [build] razvan
    Library version numbers bumped for Kea 1.9.10 development version.
    (Gitlab #1984)

1926. [func]* marcin
    Server tags in the MySQL database are now represented as strings with a maximum length of 64 characters. Previously, the server tags could be up to 256 characters long, and it could cause database migrations to fail on the systems with UTF-8 encoding configured for MySQL. Shorter server tags avoid hitting the limitation on the maximum length of an indexed table column.
    (Gitlab #1976)

1925. [build] fdupont
    Updated parsers to bison 3.3 or later.
    (Gitlab #453)

1924. [bug] razvan
    The MultiThreadingCriticalSection is now thread-safe and can be called from http client or http listener processing threads.
    (Gitlab #1964)

1923. [func] andrei
    Integrate with Sysrepo v1.x branch. Building with support for Sysrepo now requires the latest v1.x versions: sysrepo v1.4.140 + libyang v1.0.240. Support for legacy Sysrepo versions v0.x has been dropped.
    (Gitlab #1077)

1922. [func] marcin
    Added support for storing client classes in the MySQL config backend.
    (Gitlab #1920, #1928, #1965, #1972, #1977)

1921. [func] fdupont
    The D2 d2_srv_configured hook point used DROP status to notify the D2 server that an error has occurred and the configuration is rejected. The error message is passed to the D2 server through the new 'error' hook parameter.
    (Gitlab #1950)

Kea 1.9.9 (development) released on June 30, 2021

1920. [build] andrei
    Bump library versions for the Kea 1.9.9 development release.
    (Gitlab #1947)

1919. [bug] razvan
    Fix the run script hook library leaving behind defunct processes.
    (Gitlab #1878)

1918. [bug] razvan
    When parsed, PSID was incorrectly ignoring the PSID value when psid-len was 16 instead of ignoring it when the value is 0 as per the RFC.
    (Gitlab #1858)

1917. [func] tomek
    DHCPv4 and DHCPv6 are now more consistent when logging the reasons why a packet was dropped. This information is now available on debuglevel 15. Also added a section in the ARM discussing the debug levels. The subnet selection failed log message now provides more useful information about the subnet.
    (Gitlab #1915, #1916)

1916. [func] razvan
    The Kea DHCPv4 server accepts requests using server identifier configured at client class level.
    (Gitlab #1836)

1915. [func] andrei
    DOCSIS options are no longer offered to any vendor other than Cable Labs (vendor-id == 4491). This was not an explicit check previously and the match to the vendor relied on a technicality such that other vendors could have received these options under certain conditions.
    (Gitlab #1894)

1914. [func]* tomek
    The Cassandra (CQL) support is being deprecated, both for leases and host backends. For the time being the features will produce a warning, but will otherwise function normally. However, the functionality will be removed in the future Kea releases.
    (Gitlab #1892)

1913. [doc] tomek
    Kea adopted Developer Certificate of Origin for incoming contributions. Please see the CONTRIBUTING.md file for details.
    (Gitlab #1895)

1912. [doc] fdupont, tomek
    The Kea configuration syntax is now documented in BNF notation. See new appendix in the ARM.
    (Gitlab #504, #745)

1911. [bug] andrei
    Fixed a minor regression where kea-admin and keactrl would output technical errors like "unbound variable" instead of more helpful messages like "missing backend" because of the undefined variable checks introduced in 1.9.4. Added tests to further prevent it.
    (Gitlab #1653)

1910. [func] andrei
    Extended perfdhcp to send v4 DHCPRELEASE messages via -F flag.
    (Gitlab #1119)

1909. [build] fdupont
    Experimental support for Heimdal implementation of GSS-API with Kerberos 5 added.
    (Gitlab #1909)

1908. [func] razvan
    Added export for V4 option 82 (DHO_DHCP_AGENT_OPTIONS) and respective suboptions 1 (RAI_OPTION_AGENT_CIRCUIT_ID) and suboption 2 (RAI_OPTION_REMOTE_ID) in the run script hooks library.
    (Gitlab #1840)

1907. [doc] peterd, andrei, razvan
    Many Kea ARM corrections and updates.
    (Gitlab #1917)

1906. [func] fdupont
    Added support for the TKEY DNS resource record.
    (Gitlab #1880)

1905. [build] fdupont
    Added an optional --with-gssapi switch to the configure script. It checks for the presence and suitability of packages pertinent to GSS-TSIG. This has been added in anticipation of future work and does not add any functionality to Kea.
    (Gitlab #1884)

Kea 1.9.8 (development) released on May 26, 2021

1904. [build] wlodek
    Library version numbers bumped for Kea 1.9.8 development version.
    (Gitlab #1882)

1903. [func] andrei
    Kea now recognizes requests sent from vendors that include their information in DHCPv6 Vendor Class option (code 16) for the purpose of offering custom options in the response. Previously, only the Vendor-specific Information option (code 17) was searched for a vendor ID. For the purpose of classification, both options are looked into, now, just as before.
    (Gitlab #1837)

1902. [func] andrei, fdupont
    All logs that expose configuration, either in full or in snippets now have the values of "password" and "secret" entries replaced with asterisks "*****".
    (Gitlab #1721)

1901. [bug] marcin
    Corrected a bug in DHCPv4 subnet selection. The server ignored the Subnet Selection option supplied by a client if its query contained a Relay Agent Information (RAI) option without a Link Selection option. After this change, the server respects the Subnet Selection option when RAI lacks the Link Selection option. If RAI includes it, it takes precedence over the Subnet Selection option.
    (Gitlab #1816)

1900. [bug] tmark
    Fixed a sporadic failure caused by a wrong assertion in unit test, testMtHttpClientTest.workPauseResumeShutdown, introduced by #1818.
    (Gitlab #1876)

1899. [func] tmark,razvan
    In HA+MT mode, the HA hook library now pauses and resumes its worker threads when Kea core enters and exits critical sections, respectively. This eliminates race conditions during core processing such as reconfiguration, shutdown, and certain RESTful API commands.
    (Gitlab #1818)

1898. [func] fdupont
    The DROP class may now depend on the KNOWN or UNKNOWN classes and may be used after the host reservation lookup.
    (Gitlab #1815)

1897. [func] andrei
    Kea has a new configuration section called "compatibility" geared towards non-compliant clients. The only boolean parameter added for now called "lenient-option-parsing" changes the way DHCPv6 option 16's vendor-class-data field is parsed. When enabled, instead of complaining that a length exceeds the rest of the option's buffer, the value is considered to be the rest of the buffer. This also applies to custom options defined with the tuple type for both DHCPv4 and DHCPv6.
    (Gitlab #1860)

1896. [func] wlodek
    Perfdhcp extended to send v6 traffic from multiple networks.
    (Gitlab #1416)

1895. [func] razvan
    Added additional evaluation tokens to extract and print data: addrtotext, int8totext, int16totext, int32totext, uint8totext, uint16totext, uint32totext.
    (Gitlab #1680)

1894. [func] fdupont
    Implemented 'auth' logger, dedicated to logging access control information, such as basic HTTP authentication.
    (Gitlab #1590)

1893. [func] fdupont
    Botan 2.14 or later can now be used as a crypto library for the TLS/HTTPS support in Kea.
    (Gitlab #1665)

1892. [func] fdupont
    Added + operator as a convenient alias to concat() function in expressions.
    (Gitlab #1824)

Kea 1.9.7 (development) released on Apr 28, 2021

1891. [build] razvan
    Library version numbers bumped for Kea 1.9.7 development version.
    (Gitlab #1820)

1890. [doc] fdupont
    Added a new section to the ARM, Kea Security, which describes various security related topics and how to address them.
    (Gitlab #1587)

1889. [func] fdupont
    Accept comments (shell '#', C++ '//' and C '/*...*/') in JSON commands sent via the control channel or the Control Agent.
    (Gitlab #1652)

1888. [func] tmark
    Added a new operational mode, HA+MT, to the HA hook library. HA+MT provides direct, multi-threaded HTTP communication between peers for the exchange of HA protocol commands and responses.
    (Gitlab #1736)

1887. [build] andrei, fdupont
    Migrated autoconf macros, which became warningly deprecated since autoconf 2.70, to supported macros.
    (Gitlab #1632, #1651)

1886. [doc] tomek
    Added a section in the ARM explaining the relationship between keactrl and systemd scripts.
    (Gitlab #1759)

1885. [func] andrei
    kea-admin is now able to interactively ask for a password if no parameter follows the -p or the --password parameters. This requires the user to give it as the last parameter. The entered password is not echoed back to the terminal in order to prevent over-the-shoulder snooping or other social engineering techniques. Alternatively, you can set the password via the KEA_ADMIN_DB_PASSWORD environment variable.
    (Gitlab #1675)

1884. [doc] fdupont
    HTTP_CONNECTION_HANDSHAKE_FAILED log message got a description.
    (Gitlab #1779)

Kea 1.9.6 (development) released on March 31, 2021

1883. [build] andrei
    Bump library versions for Kea 1.9.6 release.
    (Gitlab #1772)

1882. [func] razvan
    Implemented database connection recovery for forensic logging. To achieve this, the "on-fail" connection parameter has been added to control the action performed on connection loss. The supported values are "stop-retry-exit", "serve-retry-exit" and "serve-retry-continue".
They indicate if the server should disable the service on connection loss ("stop-retry-exit") or if on recovery failure the server should shut down ("stop-retry-exit" and "serve-retry-exit") or continue ("serve-retry-continue"). The default value used (if not configured) is "stop-retry-exit" for lease, host and config backends, and "serve-retry-continue" for forensic log. (Gitlab #1621) 1881. [func] fdupont Moved errors about URLs using names (vs addresses) or https (vs http) scheme in High Availability hook configuration from connection opening time to configuration time. (Gitlab #1758) 1880. [build] fdupont TLS support is now reported by configure in the cryptographic backend section. (Gitlab #1774) 1879. [func] fdupont The Control Agent now supports TLS/HTTPS. This works with OpenSSL and there are known problems with Botan, which will be addressed in the future. (Gitlab #1662) 1878. [bug] razvan Request enabling DHCP service when the HA hooks library is unloaded. It may remain disabled if it had been disabled outside of the HA hooks library. Prior to this change, if the HA hooks library disabled the DHCP service it would always remain disabled after the hooks library was unloaded. (Gitlab #1697) 1877. [func] fdupont kea-shell supports TLS/HTTPS. This is limited to the python 3 version i.e. if kea-shell is configured with python 2 it still works in 1.9.6 but raises an error if a new TLS/HTTPS argument is specified. (Gitlab #1663) 1876. [doc] fdupont Added documentation for TLS/HTTPS support. (Gitlab #1664) 1875. [func] fdupont TLS/HTTPS support was added to asiolink and http libraries. (Gitlab #1661) 1874. [doc] marcin Added notes in the ARM highlighting that the address and delegated prefix pools must be split when HA load-balancing mode is used. (Gitlab #1726) 1873. [func] andrei kea-admin now accepts the -P|--port parameter with a custom port used to connect to the database. (Gitlab #1674) Kea 1.9.5 (development) released on Feb 24, 2021 1872. 
[build] razvan Library version numbers bumped for Kea 1.9.5 development version. (Gitlab #1713) 1871. [bug] andrei The cache threshold feature introduced in 1.9.4 modified previously versioned schema 9.5. This caused problems for people who had already upgraded to 9.5 which in Kea versions means 1.9.2 and 1.9.3. In this change, the upgrade commands were moved to schema 9.6 and are only applied if the database does not contain the required columns. Affected Kea installments can now be upgraded to 1.9.5 and above seamlessly. (Gitlab #1698) 1870. [bug] razvan Fixed a crash when using the Kea Legal Log Hooks Library with multi-threading. This bug was affecting only database backends. The log file backend was not affected by this bug. (Gitlab #1711) 1869. [func] tmark Kea-dhcp4 now supports specifying valid-lifetime in client classes. Prior to this it could only be specified at the global, shared-network, and subnet scopes. (Gitlab #1635) 1868. [func] andrei The forensic log hook library has gained an auto-increment primary key column in it's logs table. It is now able to function in a MySQL Percona cluster which requires a primary key for all it's tables when configured with pxc_strict_mode = ENFORCING which is also the default value. (Gitlab #1709) 1867. [bug] andrei MySQL connection unit tests have been modified to work with Percona cluster. This change doesn't fix all problems, but it improves the situation sufficiently to be able to run unit tests with positive results on a Percona cluster. (Gitlab #1708) 1866. [func] marcin Added new log messages issued when a dynamic lease allocation fails. The new messages provide comprehensive information about the circumstances in which the failure occurred. In particular, they state whether the client is connected to a shared network or not. If it is, the shared network name is provided. Otherwise, the client's subnet id is logged. 
The new messages also inform from how many subnets the server attempted to allocate a lease and how many subnets could not be used because of non-matching client classes. (Gitlab #1701) 1865. [func] razvan Implemented the Run Script hooks library which can be used to run external scripts for specific packet processing hook points. There are several exported environment variables available for the script. Currently the implementation is nonblocking and Kea will not wait for the script to finish execution before continuing to the next step. For this reason, the next step provided by the script is ignored. (Gitlab #899) 1864. [func] fdupont New parameters to handle TLS support added in Control Agent config: "trust-anchor", "cert-file", "key-file" and "cert-required". They can be configured, but their values are not yet used. (Gitlab #1662) 1863. [func] andrei The perfdhcp tool now supports the -x l option that exports the assigned leases to stdout in CSV format. This new capability is very useful for the ongoing DB cluster experiments, where we need to correlate leases between multiple Kea instances sharing the same cluster. (Gitlab #1703) 1862. [build] andrei Added execution permissions to the upgrade scripts in Kea's installation. Previously kea-admin db-upgrade would fail with a permission denied error. It started manifesting in 1.9.3 and affected 1.9.4 as well. Additionally, now, when running make in the source repository to recreate scripts e.g. kea-admin, after a change to the .in files e.g. kea-admin.in, they maintain the execution permissions granted in the initial build. This makes development more seamless. (Gitlab #1681) 1861. [bug]* tmark kea-dhcp4 now uses the value for each fixed field (e.g. next-server, server-hostname, boot-file-name) from the first class in query's list of classes that specifies the field. Prior to this it used the value from the last class which specified the field. 
It may be necessary to revise existing configurations to get the desired values. (Gitlab #1672) Kea 1.9.4 (development) released on Jan 27, 2021 1860. [build] razvan Library version numbers bumped for Kea 1.9.4 development version. (Gitlab #1666) 1859. [doc] wlodek Added example files with configured Vendor Specific Information option (code 43) and Vendor-Identifying Vendor-specific Information option (code 125) with several suboptions each. (Gitlab #1546) 1858. [bug] razvan The DHCP service can be independently enabled or disabled by the user command, by the database connection mechanics or by the HA library. The DHCP service is disabled when any of those originators disables the service, and it is enabled when all those who previously disabled the service enable it. The 'dhcp-enable' and 'dhcp-disable' commands accept 'origin' parameter with valid values of 'user' (which is the default) indicating a user generated command and 'ha-partner' which is used internally by the HA library. (Gitlab #1601) 1857. [build] andrei Code format styles meant to be as close as possible to the recommended coding guidelines are now included with the Kea source repository in the form of .clang-format and .uncrustify.cfg. The clang-format.sh and uncrustify.sh scripts in the tools directory can be used to apply these styles to chosen files. See coding guidelines in CONTRIBUTING.md for more details. (Gitlab #1455) 1856. [bug] razvan When using the config backend, the server converts the old 'reservation-mode' global parameter internally to new reservation flags. The new flags are listed when issuing the config-get command. (Gitlab #1598) 1855. [func] marcin Improved failover procedure in Kea High Availability library by introducing new communication-recovery state. In this state the load balancing servers remain responsive to DHCP queries when the communication between them is interrupted. The new feature is controlled using the delayed-updates-limit configuration parameter. 
(Gitlab #1402) 1854. [func, perf] fdupont Implemented "lease caching", a feature similar to ISC DHCP's dhcp-cache-threshold. Lease caching is configured through two new parameters: cache-max-age and cache-threshold, and is supported by both kea-dhcp4 and kea-dhcp6. When enabled, lease-caching allows the server to skip updating lease storage, when a client is requesting it's own pre-existing lease whose age falls under the cache threshold and for which there are no substantive changes to lease values such as the hostname. (Gitlab #1418) 1853. [func] fdupont Populated the space field of option definitions. This solved reported bugs where a specific standard option processing was applied to an option from another space but sharing the same code. In particular, this fixes the problem reported with vendor suboption 125. (Gitlab #1585) 1852. [bug] razvan Corrected the value of unacked-clients-left returned in response to the status-get command and the corresponding log messages. The previously returned value was too low by 1. (Gitlab #1578) 1851. [func] fdupont Removed methods fetching leases by both client identifier and hardware addresses from the API. (Gitlab #1540) 1850. [build] andrei Add two scripts to help with code aesthetics, insight on how Kea is built or minor build optimizations: * ./tools/check-for-duplicate-includes.sh: warns you if there is a source file that includes the same header twice. While this wouldn't normally result in any errors, it is an unusual practice. If you feel that a header should be included twice in a file, add the file under "# Exceptions:" in the script. * ./tools/print-generated-files.sh: prints all the files that are generated which may or may not be part of the repository. These consist of messages, parser files, and "built sources" (as called in Makefile.am files). (Gitlab #1602) 1849. [doc] tomek Two known DHCPv4 RFC violations are now documented in the ARM. 
They are both cases where Kea deliberately deviates from the RFC to accommodate some common broken-client behaviors. (Gitlab #1608, #1615) 1848. [bug] razvan The cql upgrade script from schema v3.0 to v4.0 was broken in Kea-1.9.3 and has been fixed also enabling the unittest. (Gitlab #1616) Kea 1.9.3 (development) released on Dec 16, 2020 1847. [bug] andrei Harden shell scripts and fix some of the resulted test failures. * #!/bin/sh for all scripts * set -eu in all scripts * shellcheck all scripts, and fix all shellcheck warnings * and more... (Gitlab #1574) 1846. [build] razvan Library version numbers bumped for Kea 1.9.3 development version. (Gitlab #1605) 1845. [func] marcin Kea configuration now allows for using database passwords which include whitespace. (Gitlab #692) 1844. [bug] marcin Corrected a bug in Kea Control Agent error responses when a malformed command was sent. In some cases a map with an error response was returned instead of a list. (Gitlab #432) 1843. [func] andrei Allow perfdhcp to request options via option 55 PRL. perfdhcp adds option 55 with a few requested options by default so in order to allow `perfdhcp -o 55,abcd` special logic to merge all the buffers of option 55 was implemented. Works with multiple `-o` arguments. (Gitlab #1508) 1842. [func] razvan Fixed the db connection reconnect implementation to honor each connection backend configuration. The most important improvement is that only the affected manager will be recreated when a connection is lost. Previously, even managers which were not affected had to be recreated on any connection loss. Also fixed an issue with recovery when multi-threading is enabled. (Gitlab #1375) 1841. [bug] marcin Corrected issues with inheritance of the DHCPv6 interface-id parameter. When interface-id is set at shared network level but not at the subnet level this setting is properly propagated to the config backend and reported when responding to the config-get command. 
Prior to this change, if the interface-id was set for a shared network, it was always returned for the subnets belonging to this shared network, even when subnet specific value was not specified. (Gitlab #652) 1840. [bug] fdupont Fixed the inheritance of the triple min-valid-lifetime, valid-lifetime and max-valid-lifetime parameters from the global scope, and fixed it for preferred-lifetime too. Added a sanity check refusing incorrect settings, e.g. the lifetime not being between min and max values. (Gitlab #1456) 1839. [bug] tmark kea-dhcp4 and kea-dhcp6 now calculate the DDNS TTL value based on RFC 4702, Section 5 which suggests that the TTL value be 1/3 of the lease's valid life time with a minimum value of 10 minutes. Prior to this the servers set the TTL to equal to the lease's valid life time. (Gitlab #936) 1838. [bug] fdupont The DHCPv6 sent multiple instances of an option or a sub-option when it seems to be requested more than once directly by the client or using the always-send flag. (Gitlab #1449) 1837. [doc] cstrotm Several Kea ARM corrections. (Gitlab #1514) Kea 1.9.2 (development) released on Nov 25, 2020 1836. [build] razvan Library version numbers bumped for Kea 1.9.2 development version. (Gitlab #1555) 1835. [doc] peterd Several Kea ARM corrections. (Gitlab #1536) 1834. [func] fdupont Added two new callouts (hook points) in the control agent. The "auth" callout is executed after the basic authentication (if configured) and the command processing. The "response" callout is executed after the command processing and before the HTTP response is returned. (Gitlab #1421) 1833. [doc] sgoldlust Many documentation corrections. (Gitlab #1539) 1832. [func] tomek, wlodek Perfdhcp extended with functionality to gradually increase elapsed time in solicit and secs field in offer. (Gitlab #1332) 1831. [bug] razvan Fixed the DHCPv6 server implementation of the reservations-out-of-pool flag to match the DHCPv4 one. 
When the flag is true: * the server assumes that all reserved address do not belong to the dynamic pool. * the server will not assign reserved addresses that are inside the dynamic pool to the respective clients. * addresses matching the respective reservations from inside the dynamic pools (if any) can be dynamically assigned to any client. (Gitlab #1550) 1830. [func] fdupont, razvan Added new configuration options reservations-global, reservations-in-subnet and reservations-out-of-pool to replace the old reservation-mode parameter. The new flags can be configured independently, adding support for new configuration scenarios when global and in subnet reservations are both active. (Gitlab #1405) 1829. [bug] fdupont, razvan Fixed a bug in the hasAddressReservation function which was causing the search for reservations to end as soon as no global reservation was found when configuring a subnet or shared network with global reservations enabled. (Gitlab #1405) 1828. [bug] andrei, razvan Fix trivial logic error in handling the "lease4-update" command manifesting itself on v4 if multi-threading is enabled. Notable affected environment is a HA with the "send-lease-updates" configuration setting explicitly set to true. Prior to this fix, lease updates would not go through to other HA nodes, even though some log lines would say they would. A simple workaround prior to this fix is to disable multi-threading. (Gitlab #1542) 1827. [build] andrei Add `tools/add-config-h.sh` script that can add `#include ` lines to non-generated source files that are missing it. (Gitlab #1453) Kea 1.9.1 (development) released on Oct 28, 2020 1826. [build] razvan Library version numbers bumped for Kea 1.9.1 development version. (Gitlab #1481) 1825. [doc] andrei Examples for option definitions, option data, standardized option spaces other than "dhcp[46]", custom option spaces, option embedding under doc/examples/kea[46]/all-options.json. (Gitlab #1298) 1824. 
[func] tmark Added a new parameter, ddns-use-conflict-resolution, to kea-dhcp4 and kea-dhcp6. This parameter is passed per request to kea-dhcp-ddns which uses it to determine whether or not conflict resolution rules (see RFC 4703) are followed for that request. The default value is true. Disabling conflict resolution should only be used after careful consideration. (Gitlab #1386) 1823. [doc] tomek Updated options documentation for DHCPv4 and DHCPv6. (Gitlab #1436, #1460) 1822. [func] fdupont When multi-threading is enabled the status-get command displays the average length of the multi-threading packet queue for last 10, 100 and 1000 packets. (Gitlab #1306) 1821. [func] anonymous, fdupont The forensic log hook library now logs release and decline events. (Gitlab #1445) 1820. [bug] razvan Fixed lease update when using HA and lease_cmds hooks with database backend. Previously, HA updates were rejected because the database backend rejects operations on the lease if the old expiration time is different than what it is already stored, to act as a protection mechanism for parallel updates from several threads or processes. (Gitlab #1434) 1819. [func] fdupont Improved error messages for bad escapes in JSON strings. (Gitlab #151) 1818. [doc] andrei Add to the reservation documentation: * instructions on how to choose "reservation-mode" * priority of "reservation-mode" specified at all levels * priority of file reservations vs database reservations (Gitlab #1299) 1817. [func] fdupont Redact control agent logs to hide basic HTTP authentication passwords from the configuration files. Note that when HTTP headers are logged credentials are present in clear text. (Gitlab #1459) 1816. [func] fdupont The message logged when basic HTTP authentication succeed is now informative (was DEBUG, is INFO now). (Gitlab #1450) 1815. [bug] marcin Fixed libdhcpsrv build failures when building without database backends. (Gitlab #1468) 1814. 
[func] marcin Added ip-reservations-unique global parameter which controls whether or not it is allowed to create multiple host reservations for the same IP address or delegated prefix. By default, it is not allowed to create multiple reservations for the same lease within the same subnet. This change facilitates the use case in which a single host can communicate with the DHCP server over multiple network interfaces but should be assigned the same reserved lease regardless of which interface is used. (Gitlab #1428) 1813. [func] tmark A new parameter, ddns-update-on-renew, has been added to kea-dhcp4 and kea-dhcp6 configuration. When true, the server will always update DNS when a lease is renewed even if the DNS information for the lease has not changed. The prior, and now default, behavior is for the server to only update DNS for a renewing lease if its DNS information has changed. (Gitlab #1385) 1812. [doc] andrei Document how MAC addresses can be formatted for use as attributes in RADIUS authentication (Gitlab #1441) 1811. [func] fdupont Two new parameters were added: cache-threshold and cache-max-age to the DHCPv4 and DHCPv6 global scopes. They will govern the upcoming cache threshold feature. The parameters can be set and retrieved, but they're not used yet. (Gitlab #1418) Kea 1.9.0 (development) released on Sep 30, 2020 1810. [build] fdupont, razvan Bump up libs version for Kea 1.9.0 release. (Gitlab #1400) 1809. [func] razvan Added csv-format option to flex_option hook to be able to insert option data in csv format. The implicit value is false, maintaining compatibility with the previous default raw format. (Gitlab #1373) 1808. [func] razvan Support for new IPv6-only-preferred option for DHCPv4 has been added. It lets Kea to signal to compatible devices that the IPv6 connectivity is available and they can disable their IPv4 stack. This implements support for draft-ietf-dhc-v6only-08, which is expected to be soon published by IETF as an RFC. 
(Gitlab #1351) 1807. [doc] tomek Added separate table with DHCPv4 options that are governed by Kea itself, rather than configured by administrator. (Gitlab #1323, #1398) 1806. [bug] tmark The DNS update code behaving better when there is a shared network and the code initially selected one subnet, but then later determined that a different subnet will be used. There is still a corner-case in DHCPv6 if the client requests multiple addresses or multiple prefixes and some of them is serviced from one subnet and some from another. (Gitlab #1389) 1805. [doc] tomek API documentation for lease4-get-* and lease6-get-* commands has been updated. (Gitlab #1392) 1804. [func] fdupont Added a new reservation-get-by-id command to retrieve all host reservations with an identifier value and type. Made the subnet-id optional in the reservation-get-page command. (Gitlab #1163) 1803. [doc] fdupont Corrected Kea ARM sections describing how to send DHCPv6 Vendor-specific Information Option (code 17) with sub-options. (Gitlab #1025) 1802. [bug] fdupont Removed the bug which allowed for repeating the same configuration parameter multiple times in the same scope. The second occurrence of the parameter overwrote the first occurrence causing server misconfiguration. Starting from this change an error is raised when the same parameter occurs multiple times in a given scope the location of the first value. (Gitlab #1102) 1801. [doc] fdupont Moved JSON files describing commands to the share directory and adding a new access entry taking read or write values. (Gitlab #1240) 1800. [func] fdupont Added support of basic HTTP authentication in HTTP library, control agent, kea shell and high availability hook. (Gitlab #1304) 1799. [bug] fdupont Checked execution of queries to get schema versions of MySQL and PostgreSQL database in kea-admin. (Gitlab #828) 1798. [bug] tmark kea-dhcp4 now correctly updates DNS when a client returns for lease after the lease has expired. 
Prior to this, the server would remove the entries but then fail to add them unless the hostname (or FQDN) changed. This change also eliminates redundant DNS removes when expired leases are reclaimed and given to different clients. (Gitlab #1409) ``` Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.