# Kea 2.2.0, July 27th 2022, Release Notes

Welcome to Kea 2.2.0, a new stable branch. Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, client classification, and more.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.

If you are upgrading from the previous stable version, the following major features have been implemented since the 2.0 series:

1. **Native TLS support**. Kea now features full native support for TLS in HA; it is now possible to establish a connection between HA partners over TLS. Naturally, this requires TLS certificates to be deployed properly [#1706]. The MySQL and PostgreSQL backends can now be configured to use SSL/TLS to protect connections between the database and the Kea server [#34]. The kea-admin tool now accepts extra arguments, which are passed to the database command tool with `-x`; e.g. `--ssl` is passed to mysql with `kea-admin ... -x --ssl`. While the primary goal of this capability is to pass TLS-related parameters, it is generic and can be used to tune other parameters as well [#2225].

2. **PostgreSQL configuration backend**. The PostgreSQL-based Config Backend is now fully functional and there is feature parity between MySQL and PostgreSQL. With this addition, it is possible to store major elements of the configuration in a PostgreSQL database: subnets, shared networks, options, option definitions, global parameters, client classes, audit entries, and servers. Those can be managed either using REST API commands or by manipulating the database directly. The recommended way is to use the REST API [#2183, #2244].

3. **Role-Based Access Control (RBAC) hook**. A new hook is dedicated to access control. It is possible to control access to various parts of the REST API based on remote IP address, HTTP authentication username, or several of the TLS certificate fields. Rich ACL capabilities, with roles, default roles, access-list, and reject-list, can be defined. This is the first hook for the Control Agent. The RBAC hook is available only to support subscribers [#1263].

4. **Limits hook**. A new hook limits the rate and number of leases. It supports two major features: the first, response rate limiting, lets users specify an upper limit to the number of responses Kea sends per unit of time; the second, lease limiting, allows the administrator to limit the number of leases a targeted class (such as one customer or one building) can get. The limits hook is available only to support subscribers [#2422, #2438, #2444].

5. **DDNS Tuning hook**. A new DDNS Tuning library adds custom behaviors related to Dynamic DNS updates on a per-client basis. It allows the host name used for DNS to be generated using an expression. Also, it permits DNS updates for certain clients to be selectively disabled [#1548, #2387, #2386, #2354, #2384].

6. **New subnet commands**. The subnet_cmds hook has been expanded with several new commands: `subnet4-delta-add`, `subnet4-delta-del`, `subnet6-delta-add`, and `subnet6-delta-del`. These commands allow incremental changes to be applied to existing subnets, which may be useful in a variety of scenarios, such as adding new or tweaking existing pools in an existing subnet, or adding or removing DHCP options. The feature is considered experimental, as it has only been lightly tested so far [#2266].

7. **Lease/HR lookup order**. In principle, Kea needs to do at least two lookups before assigning an address: lease lookup and host reservation lookup. Depending on specific deployments, doing one or the other first may give a small performance boost. There is no best approach here, and therefore the `reservations-lookup-first` configuration parameter has been added. This parameter has effect only when multi-threading is disabled; when multi-threading is enabled, host reservations lookup is always performed first. The `reservations-lookup-first` parameter defaults to false when multi-threading is disabled [#2036].

8. **Early global host reservation (HR) lookup**. During normal operation, Kea first selects a subnet based on topological information and then conducts an HR lookup for that specific subnet. This meant that the subnet selection could affect HR selection, but the opposite was not possible. In some scenarios, the opposite operation (do a global host reservation lookup first and then use the class defined in the host reservation to select a subnet) makes sense; this is now possible. A new boolean parameter `early-global-reservations-lookup` has been added to allow this behavior. This option is not compatible with RADIUS [#1543, #2249, #2304].

9. **New statistics for failed allocations**. If the class requirements for your address pools are defined too tightly, it is possible that some clients will not get an address. To ease the investigation of this problem, many new statistics were added: `v4-allocation-fail`, `v4-allocation-fail-shared-network`, `v4-allocation-fail-subnet`, `v4-allocation-fail-no-pools`, `v4-allocation-fail-classes`, `subnet[X].v4-allocation-fail`, `subnet[X].v4-allocation-fail-shared-network`, `subnet[X].v4-allocation-fail-subnet`, `subnet[X].v4-allocation-fail-no-pools`, `subnet[X].v4-allocation-fail-classes`, `v6-allocation-fail`, `v6-allocation-fail-shared-network`, `v6-allocation-fail-subnet`, `v6-allocation-fail-no-pools`, `v6-allocation-fail-classes`, `subnet[X].v6-allocation-fail`, `subnet[X].v6-allocation-fail-shared-network`, `subnet[X].v6-allocation-fail-subnet`, `subnet[X].v6-allocation-fail-no-pools`, and `subnet[X].v6-allocation-fail-classes` [#2054].

10. **Retry opening sockets**. Earlier Kea versions produced an error message when socket opening failed, but otherwise attempted to continue normally. That was troublesome in some cases, especially during booting, when the interface had not yet completed initialization. In that case Kea started, printed an error, and then ran without open sockets. This created the illusion that the service was healthy, when in fact it was not usable. Kea can now be instructed to retry opening sockets, with a configurable number of retries. Also, Kea can be told to shut down when sockets still fail to open after multiple retries [#1716].

11. **Credentials in password files**. Support for using separate password files to configure basic HTTP credentials has been added. Instead of configuring a value directly in the main configuration, it can be taken from the content of a separate file. The new parameters are `user-file`, `password-file`, and `basic-auth-password-file` [#2006].

12. **Split operator in expressions**. A new operator to split strings has been added to expressions. For example, to get the foo hostname from the fully qualified foo.example.org, the following expression can be used: `split('foo.example.org', '.', 1)`. A particular use case for this is the new DDNS Tuning hook, which can split fully qualified domain names into separate labels; however, the function is generic and can also be used for other purposes [#2272].

13. **Authoritative mode improvements**. By default, Kea assumes it has full knowledge about the networks it governs. However, it can be told that there are other servers on the network (`"authoritative": "false"`). In such cases, Kea does not send NAK for leases it doesn't know about. This mechanism was implemented, but was buggy in some cases; this has now been corrected [#1584].

14. **Multi-line support in Forensic Logging**. The Forensic Logging hook library can now log on multiple lines using the hex string 0x0a. Each line is prepended by the timestamp. This may be useful for especially long log entries [#2087].

15. **Netconf YANG modules updated**. The YANG modules used in NETCONF have been substantially updated and are now in sync with the regular Kea JSON configuration. `store-extended-info` was fixed; it was an operational node instead of a config node. Many containers and leaves were added: `compatibility`, `lenient-option-parsing`, `multi-threading`, `enable-multi-threading`, `packet-queue-size`, `thread-pool-size`, `valid-lifetime`, `min-valid-lifetime`, `max-valid-lifetime`, `preferred-lifetime`, `min-preferred-lifetime`, `max-preferred-lifetime`, `cache-max-age`, `cache-threshold`, `ddns-generated-prefix`, `ddns-override-client-update`, `ddns-override-no-update`, `ddns-qualifying-suffix`, `ddns-replace-client-name`, `ddns-send-updates`, `ddns-update-on-renew`, `ddns-use-conflict-resolution`, `ip-reservations-unique`, `parked-packet-limit`, `reservations-global`, `reservations-in-subnet`, `reservations-out-of-pool`, `statistic-default-sample-age`, `statistic-default-sample-count`, `store-extended-info`, and `on-fail` [#2136].

16. **RADIUS and subnet selection**. The RADIUS hook is now able to reselect a subnet based on the address reserved by RADIUS. This new functionality will be useful for deployments that use RADIUS and several subnets, with or without shared networks [#2347].

17. **Support for long options in DHCPv4**. IETF RFC 3396 is now partly implemented, allowing the kea-dhcp4 server to send and receive DHCP options longer than 255 bytes [#2227].

18. **GSS-TSIG hook improvements**. The GSS-TSIG hook, which allows Kerberos integration when conducting DNS updates, has received numerous updates and improvements. The hook is now able to report statistics for GSS-TSIG keys (number of created GSS-TSIG keys, when the TKEY exchange was created for each key, last successful use, last timeout, and last error) [#2124, #2089]. General library robustness has been improved. The TKEY exchange can now be cancelled, which is useful for clean reconfiguration or shutdown [#2092]. Building with GSSAPI enabled and without unit tests now works properly [#2114]. The code now handles a situation in which the server returns BADNAME, which can happen if the key identifier is duplicated [#2128]. The ARM section has been expanded with a description of how to configure Microsoft Windows Active Directory to work with Kea's GSS-TSIG library [#2113]. Unit tests are now more robust and no longer fail on CentOS 8 and Fedora 34 [#2082, #2056]. The fallback parameter has been added to make it possible to indicate what to do if a DNS update is supposed to be carried out, but the key for it is not available [#2125]. GSS-TSIG now sets the environment variables correctly [#2109]. Additional safety checks for DNS update and TKEY exchange were implemented [#2121]. It is now possible to control key regeneration (rekey) using new REST API commands (`gss-tsig-rekey-all`, `gss-tsig-purge`) [#2127]. New timers (`rekey-interval`, `retry-interval`) are now configurable [#2138, #2175]. The TKEY exchange is now cleaned up properly during shutdown [#2170]. The Kea ARM section has now been expanded [#2173]. The exchange timeout is now configurable [#2174]. The old GSS-TSIG keys are now removed [#2177]. The Kea ARM now provides better guidance for integration with Microsoft Active Directory [#2179].

19. **Packages**. Native DEB, RPM, and APK packages are now available for many recently released systems: Debian 11 [#2042, #2193], Red Hat Enterprise Linux 8 [#2410] and 9 [#2453, #2439], Alpine 3.14 and 3.15, and Ubuntu 22.04 [#2433].

See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a complete list of all changes from versions 2.1.0-2.1.7 that are included in this release.

If you are upgrading from the latest development version, the following bugfixes and features have been implemented since the Kea 2.1.7 release:

1. **Limits**. The lease-limits feature has been implemented and is now operational [#237]. A bug was fixed that caused a crash if the subnet was deleted from the configuration while packets coming from that subnet were being processed [#2497]. Unit tests for lease limits were added [#2482]. The ARM has been updated with a lease-limits documentation section [#2481]. The client lease limits are now functional [#1290]. The core code has been updated to support lease limits [#244]. The PostgreSQL schema has been updated to be able to store lease-limits information [#2445]. The memfile backend has been updated to be able to store lease-limits information [#2436].

2. **New statistics**. New statistics have been added to kea-dhcp4 to count cases of host reservation conflicts. They are tracked at both the global and subnet level as `v4-reservation-conflicts` and `subnet[id].v4-reservation-conflicts`, respectively [#2419].

3. **New parameters in YANG/NETCONF**. New parameters have been added to YANG/NETCONF, including TLS parameters for database connections: `trust-anchor`, `cert-file`, `key-file`, and `cipher-list`. Parameters have also been added to govern the way the server behaves regarding detection of configured interfaces: `service-sockets-require-all`, `service-sockets-max-retries`, and `service-sockets-retry-wait-time`; and parameters which govern reservations lookup: `early-global-reservations-lookup` and `reservations-lookup-first` [#2224].

4. **Performance improvements for PostgreSQL**. Indexes on the hosts table in the PostgreSQL schema were modified to improve performance on host reservation searches. Thanks to Paul Kutzer for suggesting these changes [#2452].

5. **Socket status operation reported**. The `status-get` command now shows the status of the sockets being opened for receiving DHCP requests, and a list of errors for the sockets that were not created successfully [#2434].

6. **GSS-TSIG improvements**. The actual rekey interval used to be longer than the configured `rekey-interval` [#2404]. The GSS_C_SEQUENCE flag is now optional. This change increases compatibility with the Microsoft Windows Active Directory implementation [#2440].

7. **Logging**. Several log messages have been modified. Kea can pick the right subnet for an incoming packet based on many criteria, which are evaluated in sequence; this is a normal process and not a reason to worry. Previously, several log messages that indicated that one part of the selection process did not result in a selection and the next phase in the sequence should commence used the word "failure," which caused some concern among users. The text has been edited [#2387].

8. **Bug fixes**. Under certain conditions, especially under heavy traffic when both High Availability and Multi-Threading were enabled, a rare race condition could occur that would lead to two threads processing the same structure and cause Kea to crash. This has been fixed [#2473]. Lease queries are no longer affected by the load-balancing mechanism. Previously, Kea running HA in load-balancing mode responded to only 50% of the leasequery traffic [#1781]. The `config-set` command now works properly on the CA when the RBAC hook is loaded [#2475].

9. **Build improvements**. All Doxygen documentation errors were fixed [#2454]. The hammer building tool now has support for Alpine 3.16 [#2491]. An obsolete call to std::unary_function has been replaced [#2432]. Formatting tools have been updated to be more generic and work on code stored in other repositories, not just the base Kea code [#2470]. The `check-hashes.sh` test was updated to no longer fail on systems with OpenSSL 3 [#2461]. The CI now checks for missing files in `src/share/api` [#2379]. The problem with undefined symbols when linking with the mold linker was addressed [#2460].

10. **Documentation**. The style of the ARM has been updated to align with BIND 9 and Stork. The bright red color was replaced with black, increasing contrast [#2437]. The return parameters for `lease4-get-by-*` commands are now properly described [#1391]. Several values of `max-response-delay` and `heartbeat-delay` have been tuned in the ARM [#2083]. A typo has been corrected in the Developer's Guide [#2447].

11. **Paid Hooks End User License Agreement change**. The Kea Hooks Basic Commercial End User License Agreement (EULA) has been substantially updated. Please read it before using the commercial hooks. The core Kea code remains available under the Mozilla Public License, version 2.0, as before.

## Incompatible Changes

There are several changes that can be considered backward-incompatible.

1. **Cassandra, benchmarks support removed**. The Cassandra database has been deprecated for a while now and the code has been removed [#2116]. Cassandra support has been removed from the hammer tool [#2375]. Support for benchmarks, a developer feature that has not been maintained, has been removed [#2372].

2. **The PostgreSQL schema has been updated**. Existing databases need to be upgraded.

3. **The YANG module has been updated**. Existing Sysrepo repositories need to be upgraded.

4. **End User License Agreement for Hooks**. The Kea Hooks Basic Commercial End User License Agreement (EULA) has been substantially updated. Please read it before using the commercial hooks. The core Kea code remains available under the Mozilla Public License, version 2.0, as before.

## License

This version of Kea is released under the Mozilla Public License, version 2.0. https://www.mozilla.org/en-US/MPL/2.0

Some Kea hooks are provided under the MPL 2.0; others are licensed with the Kea Hooks Basic Commercial End User License. The source for each hook includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download

The signature was generated with the ISC code signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, plain text, or PDF formats. ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org//isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea and DHCP software support see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them with the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/issues.

## Changes

The following summarizes changes and important upgrades since the 2.0.0 release.

```text
2045. [build]  tmark
      Bumped library version numbers for the Kea 2.2.0 stable release.
      (Gitlab #2504)

2044. [func]   tmark
      Modified indexes on the hosts table in the postgresql schema to
      improve performance on host reservation searches. Thanks to Paul
      Kutzer for suggesting these changes.
      (Gitlab #2452)

2043. [func]   andrei
      The status-get command now shows the status of the sockets being
      opened to receive DHCP requests, and a list of errors for the
      sockets that were not successfully created.
      (Gitlab #2434)

2042. [func]   razvan
      Added missing parameters to YANG modules, including TLS parameters
      for database connections.
      (Gitlab #2224)

2041. [bug]    tmark
      HA now applies load balancing and scoping only to inbound client
      packet types that apply to client lease fulfillment, e.g.
      DHCPDISCOVER, DHCPREQUEST, DHCPV6_SOLICIT, DHCPV6_REQUEST, etc.
      Previously, HA indiscriminately balanced and scoped all inbound
      packets, including those related to lease query.
      (Gitlab #1781)

2040. [func]   djt
      Added support for Alpine 3.16 in hammer.py.
      (Gitlab #2491)

2039. [doc]    andrei
      Updated the limits hook library ARM documentation to reflect
      support for lease limits.
      (Gitlab #2481)

2038. [func]   djt
      Added a new statistic to kea-dhcp4 that counts host reservation
      conflicts. They are now tracked at both the global and subnet
      levels, as v4-reservation-conflicts and
      subnet[id].v4-reservation-conflicts, respectively.
      (Gitlab #2419)

2037. [bug]    razvan, marcin
      Fixed a crash in the HA+MT scenario caused by a race condition
      which occurred between resetting the CalloutHandle state and
      accessing the hook point parameters, from different threads, when
      unparking packets.
      (Gitlab #2473)

2036. [build]  andrei
      Added a tool that checks whether there are any missing REST
      commands from the API Reference section of the ARM. See
      tools/check-for-missing-api-commands.sh. It has been integrated
      into the Gitlab CI and runs on every push.
      (Gitlab #2379)

2035. [doc]    Daniel Bjors
      The Developer's Guide now correctly uses the Lease4CollectionPtr
      and Lease6CollectionPtr types. Thanks to Daniel Bjors for
      reporting this typo.
      (Gitlab #2447)

2034. [func]   andrei
      The PostgreSQL schema has been changed to provide initial support
      for the lease-limiting feature, part of the limits hook library.
      (Gitlab #2445)

2033. [func]   tmark
      Functionality needed to support the lease-limiting feature of the
      limits hook library has been added to Memfile_LeaseMgr.
      (Gitlab #2436)

2032. [build]  razvan
      The library version numbers have been bumped for the Kea 2.1.7
      development release.
      (Gitlab #2455)

2031. [func]   fdupont
      Improved compatibility with OpenSSL 3.0.x, in particular the
      recovery of system error messages.
      (Gitlab #1614)

2030. [doc]    fdupont, tomek
      GSS-TSIG examples updated. A recommendation not to use
      client-keytab and credentials-cache at the same time was added.
      (Gitlab #2247)

2029. [bug]    fdupont
      The check of the subnet id in configuration is stricter: values
      outside the 0..4294967295 range are rejected. Note that the value
      0 means to leave Kea to assign itself the id.
      (Gitlab #2086)

2028. [build]  orbea, fdupont
      Compatibility with LibreSSL 3.5.2 improved.
      (Github #121, Gitlab #2411)

2027. [func]   fdupont
      TLS is now supported with the Multi-Threaded HA (HA+MT) scenario.
      Additional parameters (trust-anchor, cert-file, key-file,
      require-client-certs) are now supported in the HA configuration.
      (Gitlab #1706)

2026. [func]   andrei
      The MySQL schema has been changed to provide initial support for
      the lease limiting feature, part of the limits hook library.
      (Gitlab #2438)

2025. [bug]    tmark
      Added missing support for client-class user-context to both MySQL
      and PostgreSQL CB hook libraries.
      (Gitlab #2430)

2024. [func]   djt
      The ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET log message format has been
      slightly modified, so that when it is emitted for a subnet that is
      not within a shared network, it emits "(none)" for the value of
      the shared network. The ARM documentation for this parameter has
      been updated to reflect that subnets within shared networks will
      in fact display which shared network the subnet belongs to. The
      ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET log message format has changed
      to be consistent with the format of
      ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET.
      (Gitlab #2395)

2023. [bug]    tmark
      Corrected a MySQL CB issue that caused subnets to be updated
      without having audit entries created when the affiliated
      shared-network is deleted. This can cause the subnets to be
      excluded from subsequent CB refresh cycles.
      (Gitlab #2299)

2022. [func]   andrei, djt
      kea-admin lease-upload now calls the lease file cleanup (LFC)
      process to clean up entries with duplicate addresses in the input
      CSV file, to avoid a conflict error when inserting the leases in
      the database. kea-admin also no longer asks for input on
      non-interactive shells. A new -y|--yes flag has been added that
      enables automatic overwriting of any file that kea-admin writes
      to, when dumping or uploading leases.
      (Gitlab #2293)

2021. [build]  razvan
      The library version numbers have been bumped for the Kea 2.1.6
      development release.
      (Gitlab #2421)

2020. [doc]    andrei
      The rate-limiting feature of the new limits hook library has been
      documented. It can apply a specified limit of a certain number of
      packets per time unit to a given client class or subnet.
      (Gitlab #562, #1650)

2019. [func]   tmark
      A new built-in class, "SKIP_DDNS", was added, which can be used in
      conjunction with the ddns-tuning hook library to skip performing
      DDNS updates for a given client.
      (Gitlab #2354)

2018. [func]   razvan
      The kea-dhcp4 server now supports portions of RFC 3396, allowing
      it to send and receive DHCP options longer than 255 bytes.
      (Gitlab #2227)

2017. [bug]    marcin
      A bug in the allocation engine, which caused it to write an
      allocated lease under the wrong subnet ID within a shared network,
      has been corrected. This was occurring when multiple clients
      matched the same fixed address reservation. The first client is
      now assigned the fixed address, while a subsequent client is then
      given a dynamically allocated address from a different subnet in
      the shared network.
      (Gitlab #2409)

2016. [doc]    fdupont
      Documentation for the role-based access control (RBAC) premium
      hook library was added to the ARM.
      (Gitlab #1263)

2015. [bug]    tmark
      Fixed an issue in kea-dhcp6 that was causing the server not to
      update the FQDN option in outbound responses when the ddns-tuning
      hook lib calculates a new host name.
      (Gitlab #2392)

2014. [bug]    tmark
      Corrected an issue that was causing reconfigure to fail in
      kea-dhcp4 and kea-dhcp6 when using the ddns-tuning hook library.
      (Gitlab #2390)

2013. [build]  razvan
      Library version numbers bumped for Kea 2.1.5 development version.
      (Gitlab #2385)

2012. [doc]    andrei
      Documented whether it's OK or not to have overlapping pools,
      including PD pools in IPv6.
      (Gitlab #1842)

2011. [func]   djt
      Added CTRL_AGENT_COMMAND_RECEIVED log line with command and source
      address to the kea-ctrl-agent for commands which are not forwarded
      on to another daemon. Added client remote-address to
      CTRL_AGENT_COMMAND_FORWARDED log message if it is available.
      (Gitlab #687)

2010. [func]   razvan
      Several extra log messages now detail the subnet selection
      process. The messages are available on debuglevel 40.
      (Gitlab #2352)

2009. [func]   tmark
      Added new hook callout points: ddns4_update to Kea DHCPv4 server
      and ddns6_update to Kea DHCPv6 server. This enables use of the
      ddns-tuning hook library.
      (Gitlab #1548)

2008. [func]*  tomek
      The support for benchmarks has been removed.
      (Gitlab #2372)

2007. [func]   tmark
      Added split() function to classification expression language.
      (GitLab #2272)

2006. [func]   slawek
      Added ``service-sockets-require-all`` parameter to specify that
      successfully binding all needed service sockets is mandatory to
      initialize DHCP services (defaults to false). If any socket is
      unavailable, then the service fails to start. Added
      ``service-sockets-max-retries`` parameter (defaults to 0) to
      specify the number of retries to open unavailable sockets and
      ``service-sockets-retry-wait-time`` parameter to specify a time
      interval to wait between attempts.
      (Gitlab #1716)

2005. [func]*  razvan
      The support for Cassandra database backend has been removed.
      (Gitlab #2116)

2004. [build]  razvan
      Library version numbers bumped for Kea 2.1.4 development version.
      (Gitlab #2363)

2003. [func]   fdupont
      Added the support of sub-options in the flex_option hook library.
      (GitLab #2314)

2002. [bug]    tmark
      Fixed a bug in MySQL config backend that caused it to store
      unspecified, client-class valid and preferred lifetime values as
      zero in the database.
      (Gitlab #2344)

2001. [bug]    razvan
      Fixed a bug which caused client classes with empty test
      expressions to fail class evaluation when those classes are
      retrieved from config backend.
      (Gitlab #2336)

2000. [func]   fdupont
      Added the ``early-global-reservations-lookup`` configuration
      parameter which allows a search for global host reservations to be
      performed, and client classes to be set, before the subnet
      selection. This happens only when it is explicitly configured to
      ``true``; it defaults to ``false`` if not configured.
      (Gitlab #2249)

1999. [func]   tmark, razvan
      The kea-dhcp6 server fully supports using PostgreSQL for config
      backend. This should be considered an experimental feature.
      (Gitlab #2355, #2356)

1998. [func]   tmark, razvan
      With the addition of support for client classes, the kea-dhcp4
      server now fully supports using PostgreSQL for config backend.
      (Gitlab #2322)

1997. [bug]    tmark
      The obsolete log message, DHCP4_NCR_CREATE, has been removed from
      kea-dhcp4.
      (GitLab #2301)

1996. [build]  razvan
      Library version numbers bumped for Kea 2.1.3 development version.
      (Gitlab #2317)

1995. [func]   tmark
      kea-dhcp4 now supports using PostgreSQL for config backend for
      everything except client classes. The new hook library is
      libdhcp_pgsql_cb.so. This should be considered an experimental
      feature.
      (Gitlab #95)

1994. [func]   razvan
      Added support for Server Identifier Override RAI sub-option
      (RFC 5107). The implementation is not complete according to the
      RFC, because the server does not store the RAI, but the
      functionality handles expected use cases.
      (Gitlab #1695)

1993. [func]   razvan
      Added global and per subnet counters for allocation failures:
      ``v4-allocation-fail``, ``v4-allocation-fail-shared-network``,
      ``v4-allocation-fail-subnet``, ``v4-allocation-fail-no-pools``,
      ``v4-allocation-fail-classes``, ``subnet[X].v4-allocation-fail``,
      ``subnet[X].v4-allocation-fail-shared-network``,
      ``subnet[X].v4-allocation-fail-subnet``,
      ``subnet[X].v4-allocation-fail-no-pools``,
      ``subnet[X].v4-allocation-fail-classes``, ``v6-allocation-fail``,
      ``v6-allocation-fail-shared-network``,
      ``v6-allocation-fail-subnet``, ``v6-allocation-fail-no-pools``,
      ``v6-allocation-fail-classes``, ``subnet[X].v6-allocation-fail``,
      ``subnet[X].v6-allocation-fail-shared-network``,
      ``subnet[X].v6-allocation-fail-subnet``,
      ``subnet[X].v6-allocation-fail-no-pools``,
      ``subnet[X].v6-allocation-fail-classes``. There is a warning log
      message emitted in the logs each time one of the allocation
      failure counters is incremented.
      (Gitlab #2054)

1992. [bug]    razvan
      The ``maxver`` and ``maxsize`` logger parameters are excluded from
      ``config-get`` command response if the logger output is
      ``stdout``, ``stderr`` or ``syslog``.
      (Gitlab #2288)

1991. [bug]    jinmei, razvan
      Fixed keactrl exit code when netconf is not built.
      (Gitlab #2262)

1990. [func]   razvan
      Added the ``reservations-lookup-first`` configuration parameter
      which controls whether host reservations lookup should be
      performed before lease lookup. This parameter has effect only
      when multi-threading is disabled. When multi-threading is enabled,
      host reservations lookup is always performed first. The
      ``reservations-lookup-first`` parameter defaults to ``false`` when
      multi-threading is disabled.
      (Gitlab #2036)

1989. [build]  razvan
      Library version numbers bumped for Kea 2.1.2 development version.
      (Gitlab #2281)

1988. [bug]    tmark
      Kea core logic now ensures options belonging to client classes are
      properly created when classes are read from configuration
      backends.
      (Gitlab #2246)

1987. [bug]    tmark
      Fixed an issue in PostgreSQL support code that caused asserts when
      compiled with: -Wp,-D_GLIBCXX_ASSERTIONS.
      (Gitlab #2284)

1986. [func]   fdupont
      The kea-admin command now accepts extra arguments which are passed
      to the database command tool, e.g. '--ssl' to 'mysql' with
      'kea-admin ... -x --ssl'. Quotes are not preserved but multiple
      arguments can be given.
      (Gitlab #2225)

1985. [func]   fdupont
      Added support for using files to configure basic HTTP credentials.
      Instead of configuring a value, it is taken from the content of a
      file. The new parameters of the Control Agent configuration are:
       - 'user-file' pointing to a file vs 'user'
       - 'password-file' pointing to a file vs 'password'
       - 'password-file' pointing to a file with the secret (which is
         <user>:<password>) vs 'user' and 'password'.
      For the High Availability hook library the new parameter is
      'basic-auth-password-file' which can be used as an alternative to
      'basic-auth-password'.
      (Gitlab #2006)

1984. [func]   andrei
      Introduced the lease-upload command to kea-admin which can upload
      leases from a memfile CSV file to a database backend.
      (Gitlab #2039)

1983. [bug]    fdupont
      Minimum and maximum values of lifetimes are no longer skipped when
      the configuration is retrieved, even when they are the same as the
      default value.
      (Gitlab #2222)

1982. [bug]    andrei
      The config for an HA peer now accepts an IPv6 address as a valid
      value for the "url" entry.
      (Gitlab #2264)

1981. [func]   tomek
      The default-url DHCPv4 option has been replaced with
      v4-captive-portal, as defined in RFC 8910.
      (Gitlab #1684)

1980. [func]*  andrei
      The kea-admin lease-dump command now outputs a CSV file that is
      compatible with the memfile backend. This is useful when migrating
      from database to memfile. The generated output is backwards
      incompatible. Any tools that depend on it would need to adapt.
      (Gitlab #2038)

1979. [bug]    fdupont
      Update and delete operations on leases no longer raise an error
      with infinite valid lifetime (used by BOOTP) and MySQL or
      PostgreSQL backends where timestamps can be limited to 32 bits.
      (Gitlab #897)

1978. [doc]    tomek
      The Kea Administrator Reference Manual now correctly states that
      the DHCPv6 authentication option has code 11, not 10.
      (Gitlab #2207)

1977. [bug]    razvan
      Use only MAX_HWADDR_LEN (20) bytes from remote-id when extracting
      the MAC from relay options.
      (Gitlab #2201)

1976. [func]   andrei
      Added hwtype and hwaddr_source columns to v6 memfile.
      (Gitlab #2236)

1975. [func]   tmark
      Additional changes and corrections relating to Config Backend were
      made to the PostgreSQL database schema. In addition, the upgrade
      scripts were renamed to ensure proper file name ordering. Note
      that PostgreSQL CB is not yet functional.
      (Gitlab #2183, #2244, #2245)

1974. [func]   fdupont
      The global parameter lookup has been refactored to provide better
      performance. The proper return error code (CONTROL_RESULT_ERROR)
      has been fixed in some cases when trying to apply the new
      configuration. Old code was using the wrong hardcoded '2' value
      (CONTROL_RESULT_COMMAND_UNSUPPORTED).
      (Gitlab #1082)

1973. [func]   fdupont
      MySQL backends now can be configured to use the SSL/TLS support to
      protect connections to the server. New database parameters are
      "cert-file", "key-file", "trust-anchor" and "cipher-list". The
      negotiated cipher name is logged so the MySQL service
      configuration can be checked. PostgreSQL accepts the same
      parameters but they only trigger the call to the OpenSSL generic
      initialization in the Pq C-API.
      (Gitlab #34)

1972. [func]   andrei
      Kea servers now can accept trailing commas in file configurations.
      While parsing, a warning is printed with the location of the comma
      to give the user the ability to correct a mistake.
      (Gitlab #2084)

1971. [func]   tmark, jad
      Added support for embedded DHCPv6 DUIDs within DHCPv4 Client
      Identifier options per RFC 4361. This allows Kea to support DDNS
      in dual stack environments per RFC 4703 (Sec 5.2). Thanks to John
      Dickinson for contributing the patch!
      (Gitlab #1934)

1970. [build]  razvan
      Library version numbers bumped for Kea 2.1.1 development version.
      (Gitlab #2195)

1969. [build]  andrei
      Fixed "make check -j N" running tests in parallel in src/lib/log.
      (Gitlab #2172)

1968. [build]  andrei
      Fixed make check failing when googletest support was disabled.
      (Gitlab #2167)

1967. [bug]    andrei
      Fixed a bug where keactrl did not color the active status code for
      kea-dhcp-ddns as it did for the other servers.
      (Gitlab #2117)

1966. [func]   djt
      Allow Kea to pack opaque data tuples within options with zero
      length to accommodate some DHCP clients that have been observed to
      send DHCPv4 option 124 with zero length tuples.
      (Gitlab #2021)

1965. [func]   andrei
      Increase the value that "maxsize" can take from 2GB to 2PB.
      (Gitlab #2130)

1964. [func]   wlodek
      Added support for Debian 11 in hammer.py.
      (Gitlab #2042, #2193)

1963. [func]   andrei
      hammer.py has had several improvements. NETCONF and PostgreSQL
      will be properly configured when running prepare-system on Fedora
      and FreeBSD. vagrant will be automatically upgraded if it is too
      outdated. Error messages are more clear when running on
      unsupported systems. hammer.py is now able to detect Arch Linux
      distributions and offers limited support for it, being able to
      prepare-system with freeradius and netconf support.
      (Gitlab #2111, #2112)

1962. [func]   andrei
      kea-netconf updates: fixed store-extended-info, it was an
      operational node instead of a config node.
```
Added several containers and leaves: compatibility, lenient-option-parsing, multi-threading, enable-multi-threading, packet-queue-size, thread-pool-size, valid-lifetime, min-valid-lifetime, max-valid-lifetime, preferred-lifetime, min-preferred-lifetime, max-preferred-lifetime, cache-max-age, cache-threshold, ddns-generated-prefix, ddns-override-client-update, ddns-override-no-update, ddns-qualifying-suffix, ddns-replace-client-name, ddns-send-updates, ddns-update-on-renew, ddns-use-conflict-resolution, ip-reservations-unique, parked-packet-limit, reservations-global, reservations-in-subnet, reservations-out-of-pool, statistic-default-sample-age, statistic-default-sample-count, store-extended-info, on-fail. (Gitlab #2136) 1961. [func] tomek, tmark The initial, stubbed version of the PostgreSQL CB hook library has been created. The library is not yet functional and does not installed. (Gitlab #1848) 1960. [build] andrei Froze sphinx dependency versions used to build documentation. Added the update-python-dependencies Makefile rule to bump the versions. (Gitlab #2161) 1959. [doc] djt Move documentation for acceptable format strings into the Kea ARM. The relevant section of the ARM was previously referring to a dead link in the Log4cpp documentation. (Gitlab #2134) 1958. [func] tomek, tmark PostgreSQL database schema has been extended with tables for Config Backend (CB). This is the first step towards PostgreSQL CB. However, as there is no code yet to use those new tables, they're not not functional yet. (Gitlab #90, #2166) 1957. [build] razvan Library version numbers bumped for Kea 2.1.0 development version. (Gitlab #2141) 1956. [bug] tmark Modified stat_cmds hook library to omit statistics for non-existent subnets from results returned by stat-lease4-get and stat-lease6-get commands. (Gitlab #2033) 1955. [bug] tmark kea-dhcp4 no longer sends DHCPNAKs in response to DHCPREQUESTs for addresses for which it has no knowledge. (Gitlab #1584) 1954. 
[doc] fdupont Updated the Developer's Guide to explain what to do when GSS-TSIG hook unit tests fail from a system Kerberos incompatible configuration. (Gitlab #2056) 1953. [build] fdupont Changed the name of the GSS-TSIG hook library object to libddns_gss_tsig.so. (Gitlab #2115) The following summarizes changes in the premium hooks since the 2.0.0 release: 154. [doc] rob2yall, vicky, tomek The Kea Hooks Basic Commercial End User License Agreement (EULA) has been updated to version 2.0. (Gitlab #2501) 153. [func] fdupont GSS sequence and anti-replay services can now be disabled using the new "gss-sequence-flag" and "gss-replay-flag" boolean parameters, at the global or DNS server levels, in the GSS-TSIG hooks library configuration. The default is anti-replay only. (Gitlab #2406) 152. [bug] jinmei Fixed rekey-interval calculation for the GSS-TSIG hooks library. (Gitlab #2404) 151. [func] andrei Add lease-limit checking functionality to the limits hook library. (Gitlab #2448) 150. [func] razvan Added lease4-delta-add, lease4-delta-del, lease6-delta-add, and lease6-delta-del commands to subnet_cmds hooks library. Using these commands, the user is able to only apply the difference between the current subnet configuration and the user data (either add - if missing - or update when using the add commands or remove when using the del commands). Most common case is to add or delete pools or pd-pools to a specific subnet but it can also be used to update scalars or lists of scalars or maps. (Gitlab #2266) 149. [bug] fdupont Handle exceptions thrown by TSIG exchange initialization for instance when the server principal does not exist. Previously the exception made the DDNS server to exit. (Gitlab #2396) 148. [func] andrei The limits hook library is now notified of limit changes brought to client classes and subnets via config backend or subnet commands. Previously, new limits were ignored and old limits were used until a reconfiguration was triggered. (Gitlab #2422) 147. 
[func] andrei The limits hook library and its rate-limiting feature were added. It can apply a specified limit of a certain number of packets per time unit to a given client class or subnet. (Gitlab #562, #1650) 146. [func] tmark The ddns-tuning hook library now supports the use of a new built-in class, "SKIP_DDNS", to skip performing DDNS updates for a given client. (Gitlab #2354) 145. [func] fdupont The RBAC (role-based access control) hook library for the control agent has been added. (Gitlab #1263) 144. [func] tmark Upon reconfiguration or modification of subnets via the config backend, the ddns-tuning hook library now reparses the hostname expressions for all configured subnets. This allows any invalid expressions to be detected up front. Previously, the expressions were parsed on demand (i.e. lazy init). (Gitlab #2384) 143. [doc] tmark Added stub ddns_tuning.dox (Gitlab #2387) 142. [func] tmark Added ddns-tuning hook library. (Gitlab #1548) 141. [func]* razvan The support for Cassandra database backend has been removed. (Gitlab #2116) 140. [bug] andrei The RADIUS hook library now reselects the assigned subnet to another subnet containing the reserved address, if such a subnet is configured, if it is different than the one initially selected and if "reselect-subnet-address" is true. Prior to this, the subnet reselection based on the reserved address was stricter and in some cases returned SUBNET_ID_UNUSED resulting in NAK or NoAddrsAvail. (Gitlab #2347) 139. [func] fdupont Added a configuration error for the RADIUS hook library when the early-global-reservations-lookup global flag is set to true. (Gitlab #2304) 138. [func] razvan Added support for multiple IA_NA with multiple OPTION_IAADDR sub-options and multiple IA_PD with multiple OPTION_IAPREFIX sub-options to be logged by the forensic log hook by matching each allocated or released lease with the packet options. (Gitlab #2181) 137. 
[func] tirsek, razvan Added new parameter "timestamp-format" in forensic log hook library to be able to configure the timestamp format for log file. Also adds the '%Q' extra format which adds the microseconds subunits. (Gitlab #2208) 136. [bug] razvan Fixed race condition on initialization of flex_id_expr member when using multi-threading in flex id hook library. (Gitlab #2251) 135. [func] fdupont Added SSL/TLS support to the MySQL backend for the forensic logs. New parameters are "cert-file", "key-file", "trust-anchor" and "cipher-list". The negotiated cipher name is logged. (Gitlab #34) 134. [func] razvan Added exchange-timeout, rekey-interval, retry-interval configuration entries to GSS-TSIG. (Gitlab #2138, #2174) 133. [func] fdupont Added the gss-tsig-rekey and the gss-tsig-rekey-all API commands to create new GSS-TSIG keys. (Gitlab #2127) 132. [func] razvan The forensic logging hook library can now log on multiple lines using the hex string 0x0a. Each line is prepended by the timestamp. (Gitlab #2087) 131. [func] fdupont Implemented a configure flag which governs the behavior when GSS-TSIG is enabled but no key is available. The default (and previous) behavior is to skip this DNS server, the flag allows instead to fallback to the disabled GSS-TSIG one. (Gitlab #2125) 130. [func] fdupont Added statistics to the GSS-TSIG hook library to follow the GSS-TSIG key and TKEY activity. (Gitlab #2124) 129. [bug] fdupont The GSS-TSIG hook library now sets and restores environment variables when configured. (Gitlab #2109) 128. [build, bug] fdupont The nsupdate test tool of the GSS-TSIG hook library is correctly built even without Google Test. (Gitlab #2114) 127. [build] fdupont Changed the name of the GSS-TSIG hook library object to libddns_gss_tsig.so. (Gitlab #2115) Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.
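As an added upgrade check tying together the credential-file parameters (entry 1985) and the MySQL/PostgreSQL TLS parameters (entries 1973 and 135) above, the following example, which is not part of the release notes or of ISC's code, scans a Kea configuration for Control Agent basic-auth clients that still embed a password inline and for SQL lease/host backends configured without any of the TLS parameters. The parameter and section names are the Kea ones named in the notes; the sample configuration, which merges the Control-agent and Dhcp4 sections into one document for brevity, is constructed.

```python
import json

# Database TLS parameters introduced by Gitlab #34 (names taken from the release notes).
TLS_KEYS = ("cert-file", "key-file", "trust-anchor", "cipher-list")
# Backend sections of the DHCP servers that may point at a MySQL/PostgreSQL database.
DB_SECTIONS = ("lease-database", "hosts-database", "hosts-databases")
SQL_BACKENDS = ("mysql", "postgresql")


def audit_kea_config(config: dict) -> list:
    """Return findings for settings that the Kea 2.2 file-based credentials and DB TLS can replace."""
    findings = []
    # Control Agent basic-auth clients: an inline 'password' can now be replaced by
    # 'password-file' (entry 1985); flag clients that still embed the secret in the config.
    clients = config.get("Control-agent", {}).get("authentication", {}).get("clients", [])
    for idx, client in enumerate(clients):
        if "password" in client and "password-file" not in client:
            findings.append(f"Control-agent client #{idx} ({client.get('user', '?')}): "
                            "inline password; consider password-file")
    # DHCP servers: MySQL/PostgreSQL connections without any TLS parameter (entry 1973).
    for server in ("Dhcp4", "Dhcp6"):
        section = config.get(server, {})
        for db_key in DB_SECTIONS:
            entries = section.get(db_key, [])
            # 'hosts-databases' is a list; the other two are single maps.
            for db in entries if isinstance(entries, list) else [entries]:
                if db.get("type") in SQL_BACKENDS and not any(k in db for k in TLS_KEYS):
                    findings.append(f"{server}.{db_key} ({db['type']}): no TLS parameters "
                                    f"({', '.join(TLS_KEYS)})")
    return findings


# Constructed sample: one client with an inline password, one with a password file,
# a MySQL lease database without TLS and a PostgreSQL hosts database with a trust anchor.
SAMPLE_CONFIG = json.loads("""
{ "Control-agent": { "authentication": { "type": "basic",
      "clients": [ { "user": "ha-peer", "password": "example-secret" },
                   { "user": "ops", "password-file": "/etc/kea/ops.pw" } ] } },
  "Dhcp4": { "lease-database": { "type": "mysql", "name": "kea", "host": "db.example" },
             "hosts-database": { "type": "postgresql", "name": "kea",
                                 "trust-anchor": "/etc/kea/ca.pem" } } }
""")

if __name__ == "__main__":
    for finding in audit_kea_config(SAMPLE_CONFIG):
        print(finding)
```

Point the function at the parsed output of `config-get` or at the on-disk JSON files; a clean configuration returns an empty list.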