# Kea 2.1.7, June 29 2022, Release Notes

Welcome to Kea 2.1.7, the eighth monthly release of the 2.1 development branch. As with any other development release, use this with caution: development releases are not recommended for production use.

Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS updating and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, Kerberos, and YANG/NETCONF support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, run-time configuration monitoring and updates via a REST API, host reservations, client classification, and more.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.

The following bugfixes and features have been implemented since the previous release, versioned 2.1.6:

1. **TLS support for HA**: It is now possible to establish a connection between HA partners over TLS. This requires TLS certificates to be deployed properly [#1706].
2. **New subnet commands**: The `subnet_cmds` hook has been expanded with several new commands: `subnet4-delta-add`, `subnet4-delta-del`, `subnet6-delta-add`, and `subnet6-delta-del`. They allow incremental changes to be applied to existing subnets. This may be useful for a variety of scenarios, such as adding new pools or tweaking existing ones in an existing subnet, adding or removing DHCP options, and much more. The feature is considered experimental for now, as it has only been lightly tested so far [#2266].
3. **Packages for new systems**: In preparation for the upcoming 2.2 stable branch, Kea now provides native RPM, DEB, and APK packages for several recently released OSes: RHEL 9 [#2453], Alpine 3.14 and 3.15, and Ubuntu 22.04 [#2433]. Tarballs, with their associated ISC signatures, are now available alongside packages in the Cloudsmith repository.
4. **Limits**: The limits hook will eventually support multiple features. The first, response rate limiting, is functional and lets users specify an upper limit on the number of responses Kea will send per unit of time. This capability has received several small tweaks [#2422]. The second, lease limiting, is under development. It will limit the number of leases a targeted group (such as one customer) can get. This feature is not functional yet, but several code changes toward this goal have been implemented: the MySQL schema has been updated to support lease limits [#2438], and a LeaseMgr interface for limits checking has been added [#2444].
5. **GSS-TSIG improvements**: The server no longer shuts down when the GSS-TSIG Kerberos principal does not exist [#2396]. Documentation and examples for GSS-TSIG were updated. The client keytab and the credentials cache should generally not be used together [#2247].
6. **User contexts in configuration backends**: Kea has a flexible mechanism called user context, which allows arbitrary user data to be attached to most configuration and run-time elements. This capability has now been brought to both the MySQL and PostgreSQL config backends [#2430]. The PostgreSQL config backend has also been updated with the ability to expand client classes with user contexts [#2431]. User context data is not used by Kea in any way, but Kea makes it available to hooks for processing.
7. **Build improvements**: Support has been added for the latest OpenSSL 3 cryptographic library [#1614], LibreSSL 3.5.2 [#2411], Red Hat Enterprise Linux (RHEL) 9 [#2439], and Ubuntu 22.04 [#2433]. The logger unit tests no longer fail when compiled without logger checks [#2425]. The GitLab CI is now enabled for premium code; the additional checks will positively impact the quality of the code in the long term [#2268].
8. **Bugfixes**: Subnet-id limits are now checked properly; earlier versions silently wrapped oversize (equal to or greater than maxuint32) subnet-ids to the allowed limits, which caused some unexpected behaviors. Kea now refuses a configuration with oversize subnet-id values [#2086]. The `reservation-get-by-hostname` API command now provides `subnet-id` in its response, making it consistent with the other API commands in the `reservation-get` group [#2209]. The `ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET` message was misleading and suggested that a subnet was part of a shared network; this is now clarified [#2395]. A problem with MySQL-cascaded foreign keys not activating triggers has been fixed [#2299].
9. **Documentation**: Several example configurations claimed Kea supported four different backends, which is no longer the case since Cassandra support was retired; this is now corrected [#2418]. The hooks list in the ARM has been improved [#2403]. The RBAC documentation has been corrected slightly [#2435]. Several more user-context examples have been added to the ARM [#1475].

## Incompatible Changes

* The `reservation-get-by-hostname` API command now returns an additional field, `subnet-id`. This may affect users who wrote their own scripts to use this command, if the scripts are not able to handle an additional field. This new field was added to maintain consistency with other API commands from the `reservation-get` group.
* The MySQL schema has been updated.
* The PostgreSQL schema has been updated.

## License

This version of Kea is released under the Mozilla Public License, version 2.0: https://www.mozilla.org/en-US/MPL/2.0

The premium and subscriber-only hook libraries are provided under the terms of an End User License Agreement.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

The Kea source and PGP signature for this release may be downloaded from https://www.isc.org/download, as well as from the Cloudsmith repository. The signature was generated with the ISC code signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html. Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea and DHCP software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list.

## Changes

The following summarizes changes and important upgrade notes since the 2.1.6 release for Kea core:

**2032.** [build] razvan: The library version numbers have been bumped for the Kea 2.1.7 development release. (Gitlab #2455)

**2031.** [func] fdupont: Improved compatibility with OpenSSL 3.0.x, in particular to recover system error messages. (Gitlab #1614)

**2030.** [doc] fdupont, tomek: GSS-TSIG examples updated. The recommendation not to use client-keytab and credentials-cache at the same time was added. (Gitlab #2247)

**2029.** [bug] fdupont: The check of the subnet id in the configuration is stricter: values outside the range 0..4294967295 are rejected. Note that the value 0 means that Kea assigns the id itself. (Gitlab #2086)

**2028.** [build] orbea, fdupont: Compatibility with LibreSSL 3.5.2 improved. (Github #121, Gitlab #2411)

**2027.** [func] fdupont: TLS is now supported in the Multi-Threaded HA (HA+MT) scenario. Additional parameters (trust-anchor, cert-file, key-file, require-client-certs) are now supported in the HA configuration. (Gitlab #1706)

**2026.** [func] andrei: The MySQL schema has been changed to provide initial support for the lease limiting feature, part of the limits hook library. (Gitlab #2438)

**2025.** [bug] tmark: Added missing support for client-class user-context to both the MySQL and PostgreSQL CB hook libraries. (Gitlab #2430)

**2024.** [func] djt: The ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET log message format has been slightly modified, so that when it is emitted for a subnet that is not within a shared network, it emits "(none)" for the value of the shared network. The ARM documentation for this parameter has been updated to reflect that subnets within shared networks will in fact display which shared network the subnet belongs to. The ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET log message format has changed to be consistent with the format of ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET. (Gitlab #2395)

**2023.** [bug] tmark: Corrected a MySQL CB issue that caused subnets to be updated without audit entries being created when the affiliated shared-network is deleted. This can cause the subnets to be excluded from subsequent CB refresh cycles. (Gitlab #2299)

And for Kea premium:

**150.** [func] razvan: Added lease4-delta-add, lease4-delta-del, lease6-delta-add, and lease6-delta-del commands to the subnet_cmds hooks library. Using these commands, the user is able to apply only the difference between the current subnet configuration and the user data (either add, if missing, or update when using the add commands, or remove when using the del commands). The most common case is to add or delete pools or pd-pools in a specific subnet, but they can also be used to update scalars, lists of scalars, or maps. (Gitlab #2266)

**149.** [bug] fdupont: Handle exceptions thrown by TSIG exchange initialization, for instance when the server principal does not exist. Previously the exception caused the DDNS server to exit. (Gitlab #2396)

**148.** [func] andrei: The limits hook library is now notified of limit changes brought to client classes and subnets via config backend or subnet commands. Previously, new limits were ignored and old limits were used until a reconfiguration was triggered. (Gitlab #2422)

See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a complete list of release notes.

Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.
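As an added illustration of the HA TLS parameters from change 2027 (trust-anchor, cert-file, key-file, require-client-certs), this is an HA hook configuration written for these notes; it is not taken from the release notes or the Kea ARM. The hook library path, addresses, certificate paths and the surrounding multi-threading settings are placeholders and assumptions, the placement of the TLS parameters at the HA level (rather than per peer) is an assumption, and the `//` comments rely on Kea's configuration parser accepting comments.

```json
{
  "Dhcp4": {
    // subnets, interfaces and the server's own multi-threading
    // settings (required for HA+MT) are omitted here
    "hooks-libraries": [
      {
        // placeholder path; use the HA hook path of your installation
        "library": "/usr/lib/kea/hooks/libdhcp_ha.so",
        "parameters": {
          "high-availability": [
            {
              "this-server-name": "server1",
              "mode": "hot-standby",
              // HA+MT: the hook runs its own HTTPS listener instead of
              // relying on the Control Agent
              "multi-threading": {
                "enable-multi-threading": true,
                "http-dedicated-listener": true,
                "http-listener-threads": 4,
                "http-client-threads": 4
              },
              // TLS parameters from change 2027 (placeholder paths):
              // CA used to verify the partner, and this server's own
              // certificate and private key
              "trust-anchor": "/etc/kea/ha-ca.pem",
              "cert-file": "/etc/kea/server1-cert.pem",
              "key-file": "/etc/kea/server1-key.pem",
              // mutual TLS: the listener rejects a peer that does not
              // present a certificate chaining to the trust anchor
              "require-client-certs": true,
              "peers": [
                {
                  "name": "server1",
                  "url": "https://192.0.2.1:8000/",
                  "role": "primary"
                },
                {
                  "name": "server2",
                  "url": "https://192.0.2.2:8000/",
                  "role": "standby"
                }
              ]
            }
          ]
        }
      }
    ]
  }
}
```

With `require-client-certs` set to true, each partner needs its own certificate issued under the shared trust anchor, and the partner's configuration mirrors this one with its own `this-server-name`, certificate and key.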