# Kea 3.2.0 Release Notes, June 24, 2026

Welcome to Kea 3.2.0, a new stable release. Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, YANG/NETCONF, and Kerberos GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

**This release contains many backward-incompatible changes. We encourage users to read these release notes carefully, particularly the "Incompatible Changes" section below, before updating.**

The following features and bug fixes have been implemented since the previous stable release, version 3.0.0:

1. **Control Agent (CA) removal**: The CA has been deprecated since late in the Kea 2.7 branch, and it has now been removed. Users who still use CA are advised to migrate their configurations to use native HTTP/HTTPS control sockets in the respective daemons [#3448]. The default configs now have `control-sockets` examples [#4412].

2. **Shared Free Leases Queue (SFLQ)**: The Shared FLQ allocator, a mechanism for sharing the queue of available leases across a common database, is now available. When two or more Kea servers share the same database, earlier versions sometimes tried to allocate the same lease more than once. Kea was able to recover, but handling the conflict made the whole process inefficient.
This is now solved with the SFLQ mechanism, which is particularly well-suited for situations where there are multiple Kea servers running with high pool utilization. This change requires a DB schema update [#4373, #4405, #4417, #4425, #4441, #4447, #4475, #4446, #4336, #4491, #4492]. Documentation was added [#4489]. New API commands were added for Shared FLQ: `sflq-pool4-del`, `sflq-pool4-get-all`, `sflq-pool4-get-by-range`, `sflq-pool4-get-by-subnet`, `sflq-pool4-rebuild`, `sflq-pool6-del`, `sflq-pool6-get-all`, `sflq-pool6-get-by-range`, `sflq-pool6-get-by-subnet`, and `sflq-pool6-rebuild` [#4466].

3. **Socket starvation**: Earlier Kea versions could not handle significant traffic coming in on multiple interfaces; due to some coding logic, the first interface specified in the configuration was favored. If Kea received constant high traffic, the other interfaces could be under-serviced or starved. A new algorithm was implemented to handle multiple interfaces fairly. There are still limits to how much traffic any given Kea deployment can handle, but at least the handled traffic will be distributed more evenly [#4218, #4212, #4454].

4. **Interface and sockets**: We updated the code for handling closed sockets [#4141]. We've improved the handling of external sockets [#4258]. The interface manager, a part of the code that handles interfaces and sockets, is now able to log certain errors. This might be useful for debugging socket and interface problems [#4248, #4259]. The `config-test` and `config-set` API commands now properly use a newly detected interface for testing or applying a new configuration [#3370]. We fixed a problem where the Kea server was binding on other interfaces when retrying to open sockets on configured interfaces [#3062, #3134, #3728, #4349]. We clarified that the DHCPv6 daemon does not bind on global IPv6 addresses by default [#2212]. We fixed a problem with the DHCPv6 daemon incorrectly stating the raw sockets being used [#4199].
Kea DHCP servers now properly handle traffic through VLAN interfaces [#1117, #1738, #3792]. Kea DHCPv6 servers can now receive packets sent to the All_DHCP_Servers (ff05::1:3) site multicast address, as required by the standard [#3574]. Multicast sockets are now properly opened after retrying [#4360].

5. **New interface API**: The `interface-add`, `interface-list` and `interface-redetect` API commands were added, which can be used to add interfaces, list currently detected interfaces, and issue a re-detect procedure which updates the interface configuration, respectively. The re-detect procedure only adds newly discovered interfaces and addresses, without removing any previously detected interfaces or addresses [#3144].

6. **RADIUS over TLS**: RADIUS over TLS (radsec) is now supported. There are several new parameters: `protocol` (accepts `TLS` or `UDP`), and a new `tls` section that includes `trust-anchor`, `cert-file`, `key-file` and more. For details, see the new `RADIUS/TLS Configuration` section in the Kea ARM [#4274]. Support for the Message-Authenticator attribute for legacy RADIUS over UDP is now available. It can be controlled using new `use-message-authenticator` parameters for the RADIUS hook library [#4333]. We implemented a generic TCP/TLS client. This code is now used for RADIUS over TLS [#4283].

7. **RADIUS**: We implemented a status-server mechanism for RADIUS, as defined in RFC5997. This mechanism allows periodic checks ("keep alive") on the server. While it is somewhat useful in the current RADIUS over UDP, its biggest advantage will be its use with the new RADIUS over TLS [#4282]. We removed obsolete support for the `realm` parameter [#3103]. Several packet-drop statistics were implemented in the RADIUS hook: `pkt4-processing-failed`, `pkt4-receive-drop`, `pkt6-processing-failed`, and `pkt6-receive-drop` [#4185]. RADIUS now uses the user context of a lease to store RADIUS-specific information [#3251].
The dictionary in the RADIUS hook library has been extended to support includes, vendor attributes, and integer translations [#3860]. Several RADIUS RFCs are now listed as supported [#4285]. We fixed several TSAN warnings in the RADIUS code [#4317].

8. **Statistics**: New global address counters, packet statistics, and statistic commands (`statistic-global-get-all`) were introduced. A fix for the address miscount was introduced. The new statistics are: `pkt4-service-disabled`, `pkt6-service-disabled`, `assigned-addresses`, `assigned-nas`, and `assigned-pds` [#3213, #3239, #3925, #4096]. New statistics were added to better track the number of packets dropped for various reasons: `pkt4-limit-exceeded` and `pkt6-limit-exceeded` when dropped by the limits hook [#4134]; `pkt4-queue-full` and `pkt6-queue-full` when dropped due to the packet queue being full [#4157]; `pkt4-rfc-violation` and `pkt6-rfc-violation` when an incoming packet did not follow the RFC specifications [#4156]; `pkt4-admin-filtered` and `pkt6-admin-filtered` when the server was administratively configured to reject the packet, e.g. by the `DROP` class [#4127]; and `pkt4-processing-failed` and `pkt6-processing-failed` when the packet was dropped due to unexpected exceptions in the Kea code [#4133]. Complete documentation for all statistics added in this and earlier releases is now in the ARM [#3140]. The API commands provided by the Lease Commands hook library now update in-memory statistics [#4176]. We added `pkt4-duplicate` and `pkt6-duplicate` statistics to count incoming packets that are dropped because they are duplicates of packets currently being processed. Previously, such packets were counted as "queue full" [#4187]. High Availability (HA) now increments drop statistics such as `pkt4-not-for-us` and `pkt6-not-for-us` when inbound packets are deemed to be out-of-scope [#4184].

9. **New API commands**: `kea-dhcp6` now supports a new `lease6-get-by-hw-address` command that can be used to get IPv6 leases by hardware address [#3826]. The Lease Commands hook now supports `lease{4,6}-get-by-state` commands that allow leases in a specified state to be returned [#4230]. We expanded the `config-get` command to include the location of the lease file in the "csv-lease-file" entry [#2305]. The legacy `service` parameter is no longer silently ignored: if it is a non-empty list, it must have only one element matching the name of the server the command was sent to. It is recommended not to add a `service` parameter, as the Control Agent was removed and the parameter can no longer be used [#4341].

10. **TLS support for Postgres**: Kea now properly supports PostgreSQL database connections over TLS. This requires setting up the `trust-anchor`, `cert-file`, and `ssl-mode` parameters [#3927, #4005].

11. **Adaptive lease-time**: Kea now implements an adaptive lease-time mechanism that was available in ISC DHCP. If configured, Kea detects situations where pool utilization is high and there are not many addresses left. It then decreases the lease lifetimes to recycle the leases faster and thus delay or avoid running out of addresses completely [#226].

12. **Vendor sub-options**: The `kea-dhcp4` server now supports configuring vendor option (code 125) with suboptions [#3861].

13. **Option class tags in host reservations and config backends**: The DHCPv6 daemon now correctly supports option-class tags (i.e. "client-classes") in host and config backends for both MySQL and PostgreSQL. The equivalent DHCPv4 support was added in the previous release [#3770].

14. **Host reservation identifiers in config backend (CB)**: The `host-reservation-identifiers` parameter, previously supported only in the configuration file, is now also supported in the CB [#3944].

15. **Flex-ID hook**: The `flex-id` hook library parameter `identifier-expression` is now optional; previously, it was mandatory [#4011].

16. **Logging**: Debug-level logging has been expanded with additional packet details [#3531].

17. **Ping check**: A debug log message is now printed instead of a misleading error message when the lease-cache threshold is used along with ping check [#4129]. We corrected a potential deadlock situation in ping check [#4140]. We fixed a data race in ping check [#4164].

18. **Leasequery access list**: The leasequery access list can now allow whole subnets, not just single addresses. This might be useful to grant leasequery capabilities to all routers in a given network, instead of needing to enumerate them one by one [#4190].

19. **Address registration improvements**: Kea supports the address registration mechanism defined in RFC9686; however, some administrators may prefer not to use this mechanism in their deployments. The DHCPv6 daemon now supports a global `allow-address-registration` parameter that allows disabling this mechanism. Also, an issue was corrected in which the server was not correctly enforcing a peer address match when ADDR-REG-INFORMs were received via relay [#4161].

20. **Configurable lease-file error handling**: The memfile lease backend now supports the `on-fail` parameter, although the retry part of it is ignored. When set to either `stop-retry-exit` or `serve-retry-exit`, the server will exit on unrecoverable write errors. If set to `serve-retry-continue`, the server will continue to run but write errors will continue until corrective action is taken. These changes apply to both `kea-dhcp4` and `kea-dhcp6` [#4220].

21. **Configuration**: Kea is now more strict when parsing the control-sockets configuration and will reject useless parameters, such as specifying any TLS parameters on non-TLS control sockets.
The intention is to remove the false impression that some features, such as TLS, are enabled when they are not [#3970].

22. **Role-Based Access Control (RBAC)**: A small tweak was implemented in the RBAC subscriber hook: information about authentication being rejected is now logged at the INFO level, making it easier to spot [#4299].

23. **Classification improvements**: The template classes `template-test` expressions can now test for membership in `KNOWN`/`UNKNOWN` [#4256].

24. **Packaging**: The systemd scripts for our RPM and DEB packages were tweaked slightly; the running service now restarts automatically (`Restart=on-failure`). Thanks to Nathan Neulinger for reporting the issue and providing a patch [kea-packaging#60].

25. **Removed JSON check in databases**: Auto-detection of JSON support in MySQL and PostgreSQL databases has been removed. All database versions with active support should now include JSON support [#4342].

26. **Parsers**: Leading zeros in JSON integer and floating point values are not valid JSON syntax and thus are strongly discouraged. Incorrect number values in Kea config files are still accepted for now, but raise warnings. We also fixed a bug which caused a leading plus sign ("+") not always to be rejected [#4438, #4495]. The parsers are now more strict about invalid socket parameters [#3971]. We fixed a problem with parsing some floating-point values [#4493].

27. **GSS-TSIG and Microsoft DNS**: It is now possible to use GSS-TSIG with faulty DNS implementations. We added an "ignore-bad-direction" workaround flag to the GSS-TSIG hook library to accept DNS update responses with the request signature sent by bogus servers [#4326].

28. **NETCONF**: We fixed `kea-netconf` communication over HTTP sockets with the Kea DHCP daemons. The control-socket type is now mandatory for each server in the "managed-servers" configuration map [#4460]. The `kea-netconf` daemon now prints information about the control channel being opened [#331].

29. **Temporary address leftovers**: RFC9915, an updated version of the DHCPv6 protocol specification, was published, so this Kea release introduces support for it. The actual changes are small: support for leftovers from partial temporary addresses (IA_TA) is now removed, as the feature was deprecated. Removal of old IA_TA types required DB schema changes [#4368, #4490].

30. **Security**: Support for Botan 3 is now available. The older 2.x version that reached its End-Of-Life is no longer supported [#3553]. Kea High Availability (HA) now allows specifying HTTP authentication details in the password file using the `basic-auth-user-file` parameter [#4070]. Kea no longer logs the database password as clear text when `kea-dhcp4` or `kea-dhcp6` initializes the schema [#4086]. The control sockets created on disk are now group-writable by default. This allows other processes that belong to the same group, such as Stork, to communicate over the Kea API [#4260]. We implemented a recursion limit in procedures [#4288]. The build system was updated to install libraries, binaries, and directories with 755 permissions, as opposed to 750. The remaining files are installed with 644 permissions, as opposed to 640 [#3993, #4477, #4171]. We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a unicast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4048]. We corrected an issue where specific DDNS configuration parameters resulted in `kea-dhcp4` exiting unexpectedly when a client sent certain option content [#4142, #4152].

31. **Relaxed security policy**: Fixes for recent security vulnerabilities introduced several strict checks, such as restrictions on file paths or on running the API without sufficient protection, among others. By default Kea prints an error if one of these restrictions is violated, and refuses to start.
However, in some cases, such as running Kea in a lab, this might be considered unnecessarily strict. The recently introduced `-X` option enables a relaxed security policy. If used, Kea still performs its checks, but they produce warning messages instead of fatal errors. Please use this option with care [#3848]!

32. **Documentation**: We corrected a mistake in limit hook messages [#4135]. We fixed incorrect documentation about host reservations and basic access control [#2871]. We fixed broken links mainly pointing to design documents in the ARM and the developer's guide [#4138]. We addressed a small problem in the ping check hook section of the ARM [#4106]. We updated the KB article on using Kea packages to reflect the new hook layout [#3776]. Several new open source hooks developed by the community were added to the "Available Hooks" list in the project wiki [#4210]. We added a section to the Kea ARM that explains how to gather debugging information in the event of a Kea crash [#4147]. We documented the received and sent statistics of the leasequery hook library. We also moved initialization to the server, so the statistics are no longer deleted when the hook library is unloaded [#4186]. A new third-party hook, KEALint, is now listed on the wiki list of community hooks [#4337]. We fixed several grammatical errors in various files. Thanks to lyqfjcs for the patch [#4316]. We removed an outdated note about GSS-TSIG being subscriber-only, as it has been open source for a while [#4322]. We fixed an inaccurate reference to version 2.7.8 in the lease-caching section of the ARM [#4284]. The ARM documentation is now clearly labeled with the `-git` suffix if being built from git sources rather than release tarballs [#3985]. We made minor spelling corrections [#4304]. RFC references have been updated throughout the Kea ARM [#4340]. The NETCONF RFC reference was updated [#4208]. The developer's guide was updated and now covers how to run fuzzing locally [#3636].
An example for the NTP DHCPv6 option was added [#4314]. A mistake was corrected in the Kea ARM regarding an incorrect EFI x86-64 architecture type [#4154]. Changelog formatting was fixed [#4473]. We updated the Kea ARM with a note that the `KEA_DHCP_DATA_DIR` variable also changes the `server-id` file location [#3984].

33. **Bug fixes**: The code no longer adds the qualifying suffix to fully qualified host names specified in host reservations [#3949]. We fixed a bug where reused expired IPv6 leases wouldn't get a hardware address associated with them [#4058]. We improved the locking mechanism to use fchmod instead of umask [#4037]. We fixed an issue in `kea-dhcp-ddns` which was causing GSS-TSIG key exchanges to time out when NCR traffic was intermittent [#4049]. We removed a redundant call to a subnet selection routine [#4047]. Kea now rejects the `config-set` and `config-reload` commands while the lease file cleanup process is running, to avoid file corruption [#3986]. We fixed a race condition where starting two Kea servers could result in deletion of one of the PID files [#4107]. We added unified newline handling of the password-file directive in `kea` and the `auth-password-file` command-line argument in `kea-shell` [#4012]. We fixed a problem in the `flex-id` hook that caused the expression to be effectively always empty [#4181]. We corrected an issue that was causing an HA peer to not restart its dedicated listener after handling a `config-test` command, in both `kea-dhcp4` and `kea-dhcp6` [#4145]. We fixed potential memory corruption in MySQL handling [#4021]. We fixed a problem with `kea-admin` on MySQL 9.4.0 [#4119]. We fixed an unlikely race condition at LFC startup [#4090]. A potential data race in ping check was fixed [#4206]. We corrected an issue in the `ping-check` hook library that could result in the ICMP socket getting stuck in the read-ready state [#4221]. A potential crash during shutdown was fixed in the MySQL hook [#4207].
We fixed a bug which made the LFC attempt to use the wrong PID file when using the reload config-set and reload commands [#4198]. We fixed a small duplication in the extended version (`-V` command-line switch) handling [#4159]. The `exchange-timeout` parameter of the GSS-TSIG hook library configuration is no longer ignored [#4265]. We fixed a problem with handling incorrect prefix lengths [#4295]. The `lease{4,6}-write` commands now delete a file if writing to it fails [#4249]. We fixed a bug in the Limits hook that incorrectly checked the `retry-on-startup=true` and MySQL/PostgreSQL backends [#4242]. We fixed a harmless but annoying "Lease Expires On 01-01-1970" message in the `kea-dhcp-ddns` logs [#4280]. We fixed an issue in `kea-dhcp6` that caused the server to not use a reserved host name or recognize a change to the selected subnet for subnet-level reservations within a shared network, when a lease existed for the reservation but was in either the RELEASED or EXPIRED-RECLAIMED state [#4262]. When reconfiguring Kea daemons after `config-set` while under heavy load, the high availability (HA) listener could fail to shut down properly and cause the new listener to not be fully operational. This is now fixed [#4448]. The DDNS update now properly logs time-to-live (TTL) instead of lease length [#4376]. The code now properly handles the lease allocation if a client-reserved lease is not available because the hook has decided to skip the lease [#4434]. We fixed spurious warnings emitted when attempting to close already closed HTTP sockets [#4344]. A problem reported by fuzzing was fixed [#4367]. We fixed a problem where an interface created while retrying sockets was used unfiltered [#3062]. The extended config checking using the `-T` command-line argument now properly uses the "persist" value from the tested configuration [#4363]. We fixed a problem where Kea would not support small pools of just one address [#4444].
The state model library now uses signed/unsigned types consistently [#4348]. We fixed a minor problem with an excess placeholder in one HA log message [#4459]. An empty `client-classes` list is now accepted in the configuration [#4453]. The `ddns-ttl-max` parameter is now parsed properly [#4445]. Previously, the internal lease manager was not reconstructed after reconfiguration was attempted with an invalid configuration that would make it non-responsive to DHCP requests; this has been fixed [#4389]. A potential race was fixed on the DHCP packet receiver [#4231]. Previously, Kea servers accepted non-DHCP traffic on their DHCP sockets during startup; this has been fixed [#4279]. Previously, the Kea control agent would crash when being configured with a control socket that lacked a socket-name entry; this has been fixed [#4365].

34. **Build improvements**: We added support for Botan crypto library v3; the old v2 version that reached EOL is no longer supported [#4057, #3553]. Netconf dependencies (libyang, sysrepo) were updated to 3.x versions [#3931]. We added shadowing detection for gcc and clang [#3451]. A missing header `eval/location.hh` is now part of the installation [#4150]. We fixed compilation errors for LLVM libc++ 21 [#4100]. The `meson.sh` build script now uses Meson 1.9.1 [#4139]. The value of the `-j` argument in `hammer.py` is now passed to Meson compile [#4166]. The locale is now restricted to avoid generating an unnecessary epsilon in the grammar [#4082]. We fixed a compilation problem with Boost 1.90 [#4264, #4266]. Hammer, the Kea build tool, now supports Alpine 3.23, Fedora 43, and FreeBSD 15 [#4245]. When compiling from sources, Kea now has optimization enabled by default [#4296]. We fixed a compilation problem on FreeBSD 15 [#4237, #4246]. Support for Meson 1.10 was added [#4263]. We fixed a problem with the hammer build tool to install package dependencies on FreeBSD 15 properly [#4332].
We fixed a compilation warning about unused lambda capture [#4335]. We slightly improved compatibility with OpenSSL when the `OPENSSL_NO_DEPRECATED` macro is defined [#4338]. The release procedure was updated slightly [#4330, #4381]. We removed a build check for an obsolete Boost header [#4410]. The hammer build tool was updated after the CA was removed [#4467]. A problem was fixed with the `kea-msg-compiler` being installed but unusable [#4160]. The build system no longer leaves an `rbac` symlink [#4487]. Cross-compilation was fixed in Meson [#3982]. The build system no longer attempts to download Google Test source, even when tests and fuzzing are disabled [#4488]. The library versions were updated [#4542]. Hammer was updated to allow control of the number of processes running when generating packages [#4528]. We fixed problems with hammer running on Rocky Linux [#4450]. Hammer is now able to prepare a system for Kea based on Fedora 44 [#4480].

35. **Testing**: We fixed an instability in one FLQ unit test [#4163]. Log tests are now marked as part of the shell suite [#4151]. An unstable test for the lease file manager running under thread sanitizer was fixed [#4165]. We fixed several issues with `meson dist` running tests: YANG shell tests are now run, socket paths are unified, and problems with socket paths being too long are fixed [#4144]. Fuzz jobs were tweaked to no longer run automatically in the GitLab CI [#4273]. We fixed a problem with `kea-dhcp{4,6}-tests` failing when the UNIX socket path was too long [#4311]. We fixed a problem with `logger_lock_test` on RHEL8 [#4308]. We fixed integer overflow problems in one CfgIfaceTest [#4351]. We fixed problems with HttpsCtrlChannelDhcpv{4,6}Test.controlChannelShutdown tests running on RHEL8 [#4328]. We implemented better handling of test cases where the socket path was too long [#4432]. The CI pipelines now perform changelog linting.
This small improvement will help maintain a clearer and more readable ChangeLog [#4497]. Running RADIUS unit-tests was fixed on FreeBSD 15 [#4452]. We updated Valgrind running scripts and fixed several problems reported by Valgrind. In the process, the last old Perl script was removed. Kea is now officially Perl-free software [#4483]. The timeout of `dhcp-ha-lib` tests was adjusted [#4465]. A couple of IfaceMgr test timeouts were tweaked [#4464].

## Incompatible Changes

The following incompatible changes were introduced since Kea 3.0.0:

1. **CA removed**: The CA has been deprecated for a year; anyone who is still using it should change their configuration to use native HTTP or HTTPS control sockets. For details, see Section 18.8 of the ARM.

2. **RADIUS**: With the introduction of RADIUS over TLS, when the TLS transport protocol is configured, the `servers` and `idle-timer-interval` parameters are no longer allowed in the `access` and `accounting` scopes. RADIUS over UDP is still supported but by default requires a Message-Authenticator attribute in all received messages. Users are strongly encouraged to consider migration to TLS to mitigate the Blast RADIUS vulnerability.

3. Support for the `realm` parameter in RADIUS was removed; the parameter never worked and no one ever noticed. It is still possible to use the realm concept by specifying an explicit username, e.g. "user@myrealm" [#3103].

4. **JSON check removed**: If a database is used, it must support JSON; Kea no longer checks whether JSON is supported. Since all current PostgreSQL, MySQL, and MariaDB versions support it already, this change should not affect anyone. Users of outdated databases may see an error; in that case, please upgrade to a recent database version.

5. The installed libraries and binaries have updated (relaxed) permissions [#3993]. This should not cause any problems in principle, but please take a close look if you have your own scripts built around Kea.

6. **REST API**: The legacy `service` parameter is no longer silently ignored: if it is a non-empty list, it must have only one element matching the name of the server the command was sent to. It is recommended not to add a `service` parameter, as the Control Agent was removed and the parameter can no longer be used [#4341].

7. The database schema was updated.

## Packaging Changes

The following important packaging changes were made since 3.0.0.

1. All binaries are now packaged with stricter permissions (750 as opposed to the previous 755), but they are now added to the kea/_kea group [kea-packaging#22]. If you were relying on a custom user to have the permission to run these binaries, you can prepare upfront by making sure the user is added to the kea/_kea group before upgrading the Kea packages.

2. The isc-kea-ctrl-agent package was dropped following the deprecation of the control agent [kea-packaging#63].

3. Systemd services now have the `Restart=on-failure` directive. This can decrease downtime in case of unexpected issues [kea-packaging#60].

4. Services were not restarted on upgrade on Debian-based systems, leaving old versions running [kea-packaging#51]. This change was also backported to 3.0.1.

## License

This version of Kea is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

Pre-built Docker images, as well as Docker files, are available.
For details, see: https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats.

ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them on the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users).
Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes the changes since the previous stable release, version 3.0.0:

Kea 3.2.0 (stable) released on June 24, 2026

2497. [build] andrei
      The library version numbers have been bumped up for the Kea 3.2.0 stable release. (Gitlab #4601)

2496. [doc] andrei
      All the configuration examples from doc/examples are now included in the ARM. (Gitlab #3232)

2495. [bug] fdupont
      Limited recursive unpacking of DHCPv6 options. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4565)

2494. [bug] andrei
      Errors about failed attempts to connect to the database are no longer shadowed by kea-admin trying to initialize the schema. Some log messages were added. (Gitlab #4111, #4500)

2493. [bug] tmark
      kea-dhcp4 and kea-dhcp6 now catch negative values of lease lifetime parameters: min-valid-lifetime, valid-lifetime, max-valid-lifetime, min-preferred-lifetime, preferred-lifetime, max-preferred-lifetime. (Gitlab #4498)

2492. [func] fdupont
      Reconfigure commands that trigger a fatal error that leads to server shutdown now return an error response. Changed socket open failure log messages from INFO to either ERROR or FATAL as appropriate. Applies to kea-dhcp4 and kea-dhcp6. (Gitlab #4507)

2491. [func] fdupont
      Added a new special client class "REJECT" which makes incoming requests in this class skip the resource allocation part in processing and return DHCPNAK on DHCPREQUEST by the DHCPv4 server, or put status code NoAddrsAvail in all IA_NA options by the DHCPv6 server. Proposed by Philip Prindeville. (Gitlab #4110)

2490. [perf] fdupont
      Improved efficiency and correctness of the existence check done before adding a new lease in the memory database. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4551)

2489. [bug] tmark
      Treat allocator initialization failures caused by database connectivity issues as a recoverable condition. Prior to this the server would exit with a fatal error even when configured to retry. Applies to both kea-dhcp4 and kea-dhcp6 when using either the FLQ or SFLQ allocators. (Gitlab #4508)

2488. [bug] fdupont
      Extended DHCPv6 relayed query processing to consider the 'interface-id' option (18) in subnet selection even when no relay sets its link-address to a global unicast address, e.g. is a layer-2 relay. (Gitlab #4358)

2487. [func] fdupont
      Extended lenient parsing of v4 "fqdn" and v6 "client-fqdn" options to fix options with bad flags. (Gitlab #4443)

2486. [func] razvan
      Updated yang modules: added 'ssl-mode' to database connection parameters, added 'adaptive-lease-time-threshold', removed 'consistency', 'serial-consistency', 'request-timeout', 'tcp-keepalive', 'tcp-nodelay' from database connection parameters, added 'allow-address-registration' to the kea-dhcp6 model. (Gitlab #4461)

2485. [doc] sanua356, razvan
      Added documentation about internal type of option 121 (classless-static-route). Thank you sanua356 (GitHub nickname) for reporting this issue and providing a patch. (Gitlab #4149)

2484. [bug] razvan
      Do not allow invalid prefix/prefix-length pair for IPv6 PD leases. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4518)

2483. [bug] razvan
      Fixed a bug which was causing the dhcpv4 server to crash when reusing expired reservations and hook libraries set the SKIP flag to deny address allocation. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4512)

2482. [bug] razvan
      Fixed a bug related to dhcpv6 Lease Query which was causing a crash of the server if the retrieved lease is still present in the lease storage but the associated subnet has been deleted. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4530)

2481. [bug] razvan
      Fixed an undefined behavior when processing empty options in dhcp4over6 packets. Thank you to Qifan Zhang from Palo Alto Networks for reporting the issue. (Gitlab #4576)

2480. [bug] razvan
      Fixed ARM documentation examples related to "hostname-char-set" and "hostname-char-replacement". (Gitlab #4486)

2479. [bug] razvan
      Fixed a crash on server exit when database and interface reconnect mechanism is enabled and neither the database nor the interface can be recovered. Also added DHCP_IFACE_OPEN_SOCKET debug message which logs the interface name, address and port opened. (Gitlab #4527)

2478. [bug] razvan
      Fixed an issue that caused kea-dhcp6 to incorrectly emit a DDNS_TUNING6_PROCESS_ERROR when subnet selection has failed. (Gitlab #4499)

Kea 3.1.9 (development) released on May 27, 2026

2477. [build] andrei
      The library version numbers have been bumped up for the Kea 3.1.9 development release. (Gitlab #4542)

2476. [func] fdupont
      Added the "ignore-bad-direction" workaround flag to the GSS-TSIG hook library to accept DNS update responses with the request signature sent by bogus servers. (Gitlab #4326)

2475. [func]* fdupont
      Disallowed leading zeros in JSON floating point values. Now incorrect number values in Kea config files are still accepted but raise warnings. Also fixed the bug which made leading plus '+' not be always rejected. (Gitlab #4495)

2474. [func] fdupont
      Removed the 'socket-name' vs 'socket-address' exclusivity check when parsing config files. Note that configuring both for the same control socket is still rejected but because 'socket-name' makes sense only for the 'unix' type, and 'socket-address' for the 'http' and 'https' types. (Gitlab #3971)

2473. [func] tmark
      IA_TA lease6 lease type has been removed from the MySQL and PostgreSQL schemas. (Gitlab #4490)

2472. [bug] fdupont
      Corrected an issue that prevented using pools of only one element (e.g. address or prefix) with either the Random or FLQ allocators. (Gitlab #4444)

2471.
[bug] tmark Corrected an issue in PostgreSQL SFLQ allocation that was generating one too many free leases. SFLQ pool creation automatically rebuilds pools whose delegated length has changed (MySQL and PostgreSQL). These changes required a schema update. (Gitlab #4491) 2470. [func] tmark Added API commands for managing SFLQ Allocator pools to lease-cmds hook library. (Gitlab #4492) 2469. [build] fdupont Kea can now be cross-compiled using Meson. (Gitlab #3982) 2468. [func]* fdupont Added support for the last DHCP RFC 9915 including the deprecation of the unicast option. (Gitlab #4368) 2467. [bug] fdupont The from JSON double value to string no longer produces an incorrect output when there is only an exponent part. (Gitlab #4493) 2466. [doc] tmark Added documentation for the Shared FLQ Allocator to the ARM. (Gitlab #4489) 2465. [func]* fdupont Disallowed leading zeros in JSON integer values as required by the standard to become compatible with some other JSON tools e.g. the go implementation used by Stork. Now incorrect integer values in Kea config files are still accepted but raise warnings. (Gitlab #4438) 2464. [func] fdupont Extended the parser to accepted an empty "client-classes" list in Kea server configuration files. (Gitlab #4453) 2463. [bug] razvan Fixed kea-netconf communication over HTTP sockets with the kea dhcp demons. The control socket type is now mandatory for each server in the "managed-servers" configuration map. (Gitlab #4460) 2462. [func] razvan Added 'interface-add', 'interface-list' and 'interface-redetect' which can be used to add interfaces, list currently detected interfaces and issue a re-detect procedure which updates the interface configuration respectively. The re-detect procedure only adds newly discovered interfaces and addresses, without removing any previously detected interfaces or addresses. (Gitlab #3144) Kea 3.1.8 (development) released on April 29, 2026 2461. 
[bug] fdupont Fixed spurious warnings emitted when attempting to close already closed HTTP sockets. (Gitlab #4344) 2460. [func] fdupont More bad Unix control socket configuration parameters are now rejected, before they were silently ignored. For instance it is now forbidden to configure HTTP or TLS parameters on not HTTP nor HTTPS control sockets. (Gitlab #3970) 2459. [func] tmark Added an experimental allocator type, 'shared-flq'. It implements a free lease queue mechanism for MySQL and Postgresql lease back ends. It is intended for use in configurations that share lease data between multiple servers (i.e. shared lease backends). (Gitlab #4336, #4373, #4405, #4417, #4425, #4441, #4447) 2458. [func]* fdupont The deprecated control agent has been removed. (Gitlab #3448) 2457. [bug] mgodzina Corrected "Lease Length" label in logged DHCPSRV_DHCP_DDNS_NCR_SENT to "TTL". (Gitlab #4376) 2456. [func] tmark Auto detection of JSON support in MySQL and PostgreSQL databases has been removed. All database versions with active support should now include JSON support. (Gitlab #4342) 2455. [build] razvan The library version numbers have been bumped up for the Kea 3.1.8 development release. (Gitlab #4472) 2454. [bug] razvan Properly handle high availability listener shutdown on hook unload under heavy load. (Gitlab #4448) 2453. [bug] razvan Properly handle lease allocation if client reserved lease is not available because the hook has decided to skip the lease. (Gitlab #4434) Kea 3.1.7 (development) released on March 25, 2026 2452. [build] andrei The library version numbers have been bumped up for the Kea 3.1.7 development release. (Gitlab #4419) 2451. [func] razvan The kea servers return a new status ("result" with value 5) for commands which have failed and have partially altered the running configuration. The rollback mechanism was not able to restore the previous configuration. (Gitlab #4389) 2450. 
[bug] fdupont Kea DHCPv6 servers can now receive packets sent to the All_DHCP_Servers (ff05::1:3) site multicast address as required by the standard. (Gitlab #3574) 2449. [sec] razvan Fix a null dereference when configuring the control agent with a control socket that lacks a socket-name entry. (Gitlab #4365) 2448. [func] razvan When using raw sockets, Kea now properly handles VLAN interfaces and VLAN tagged packets. (Gitlab #1117, #1738, #3792) Kea 3.1.6 (development) released on February 25, 2026 2447. [sec]* fdupont Added the 'use-message-authenticator' parameter to the RADIUS hook library. When true (the default when the transport protocol is not TLS) a Message-Authenticator is added to messages sent by Kea, and required in received messages. (Gitlab #4333) 2446. [doc] fdupont Added supported RADIUS standards to the RADIUS hook library documentation in the ARM. (Gitlab #4285) 2445. [func] fdupont Implemented RADIUS/TLS in the RADIUS hook library. (Gitlab #4274) 2444. [bug] tmark Fixed an issue in kea-dhcp6 that caused the server to not use a reserved host name or recognize a change to the selected subnet for subnet-level reservations within a shared-network when a lease exists for the reservation but is in either the RELEASED or EXPIRED-RECLAIMED states. (Gitlab #4262) 2443. [func] razvan Removed "Lease Expires On" information from the kea-dhcp-ddns log messages. (Gitlab #4280) 2442. [func] tmark Template classes template-test expressions may now test for membership in 'KNOWN'/'UNKNOWN'. (Gitlab #4256) 2441. [build] razvan The library version numbers have been bumped up for the Kea 3.1.6 development release. (Gitlab #4354) 2440. [bug] razvan Fixed a bug which was causing kea-dhcp servers to bind on other interfaces while retrying to open sockets on configured interfaces. (Gitlab #3062, #3134) 2439. [bug] razvan The "config-test" and "config-set" commands can now properly use newly detected interfaces for testing or applying a new configuration. 
(Gitlab #3370) 2438. [bug] razvan Removed a log that incorrectly stated that the v6 socket was using raw format. (Gitlab #4199) Kea 3.1.5 (development) released on January 28, 2026 2437. [build] razvan The library version numbers have been bumped up for the Kea 3.1.5 development release. (Gitlab #4306) 2436. [sec] razvan Restrict number of recursive calls when parsing config. CVE:2026-3608 (Gitlab #4288) 2435. [build] fdupont Fixed Kea build with Boost 1.90: BOOST_STATIC_ASSERT was replaced by C++ static_assert, and deadline_timer by system_timer. This change was included in the 3.1.5 release, but its changelog entry was not. (Gitlab #4264, #4266) 2434. [build] andrei Hammer was extended to prepare additional systems: Alpine 3.23, Fedora 43, FreeBSD 15. "-w sanitizers" can now be passed to install LLVM sanitizer libraries. Valgrind is also installed when "-w unittest" is passed. To address version mismatch errors in FreeBSD, package installation is now retried with repo updates enabled if it first fails without repo updates. This change was included in the 3.1.5 release, but its changelog entry was not. (Gitlab #4245) 2433. [build] andrei Fixed errors about missing includes appearing on BSD clang v19 and above when compiling under C++23 standard or higher. This change was included in the 3.1.5 release, but its changelog entry was not. (Gitlab #4246) 2432. [sec] fdupont Added to the RADIUS hooks library and security documentation a warning about the Blast-RADIUS vulnerability which affects the RADIUS protocol. (Gitlab #4254) 2431. [build] fdupont Set debug to true and optimization to 2 by default in meson project default so the same as the 'debugoptimized' buildtype. (Gitlab #4296) 2430. [func] fdupont The RADIUS hook library no longer accepts the 'realm'` config parameter which was never implemented i.e. it was silently ignored. (Gitlab #3103) 2429. 
[func] fdupont Create UNIX sockets as group writable so a tool is allowed to connect to them as soon as it is run by a member of the group (vs. requiring to be run by the owner). Note to disallow this the group execute permission can be removed from the socket parent directory. (Gitlab #4260) 2428. [func] fdupont Added to the RADIUS hooks library a new per service "idle-timer-interval" parameter which makes a "Status-Server" message to be periodically sent. The value 0 (default) disables this. (Gitlab #4283) 2427. [doc] fdupont Added a section in the ARM explaining how to generate core dump files. (Gitlab #4147) 2426. [bug] fdupont The "exchange-timeout" parameter of GSS-TSIG hook library configuration is no longer ignored. (Gitlab #4265) 2425. [bug] fdupont Added check for prefix length in ipv6-prefix option data type. (Gitlab #4295) 2424. [bug] tmark API commands provided by the lease-cmds hook library now update in-memory statistics. (Gitlab #4176) 2423. [func] fdupont Documented received and sent statistics of the lease query hook library. Also moved initialization to the server so they are no longer deleted when the hook library is unloaded. (Gitlab #4186) 2422. [func] fdupont Added 'pkt4-duplicate' and 'pkt6-duplicate' statistics to count incoming packets that are dropped because they are duplicates of packets currently being processed. Previously such packets were counted as queue full. (Gitlab #4187) 2421. [func] fdupont HA now increments drop statistics such as 'pkt4-not-for-us' and 'pkt6-not-for-us' when inbound packets are deemed to be out of scope. (Gitlab #4184) 2420. [func] tmark Memfile lease back end now supports the ``on-fail`` parameter though without retry. When set to either ``stop-retry-exit`` or ``serve-retry-exit`` the server will exit on unrecoverable write errors. If set to ``serve-retry-continue`` the server will continue to run but write errors will continue until corrective action is taken. Applies to both kea-dhcp4 and kea-dhcp6. 
(Gitlab #4220) 2419. [func] fdupont Added 'lease4-get-by-state' and 'lease6-get-by-state' commands to retrieve leases by state and optionally subnet. (Gitlab #4230) Kea 3.1.4 (development) released on November 26, 2025 2418. [bug] fdupont, tmark Fixed a bug which made the lfc running check in config set and reload command to use the wrong file. (Gitlab #4198) 2417. [bug] tmark Corrected an issue in the ping-check hook library that could result in the ICMP socket stuck in the read ready state. (Gitlab #4221) 2416. [func] tmark Added a global parameter, "allow-address-registration", to kea-dhcp6. It enables or disables client address registration (see RFC 9686). It also corrects an issue in which the server was not correctly enforcing a peer address match when ADDR-REG-INFORMs are received via relay. (Gitlab #4161) 2415. [func] tmark The lease query hooks configuration parameter, 'requesters', now also accepts address ranges expressed in CIDR format. Prior to this it was restricted to one or more IP addresses. (Gitlab #4190) 2414. [func] fdupont Added "pkt4-queue-full" and "pkt6-queue-full" statistics which are increased when an incoming packet was dropped because it was queued and the queue is full. Added "pkt4-rfc-violation" and "pkt6-rfc-violation" statistics which are increased when an incoming packet has to be dropped according to protocol specifications. Added "pkt4-admin-filtered" and "pkt6-admin-filtered" statistics which are increased when an incoming packet was dropped because the server was configured to do so, e.g. by classifying the query into the DROP class. Added "pkt4-not-for-us" and "pkt6-not-for-us" statistics which are increased when an incoming packet was dropped because it has to be handled by another server. Added "pkt4-processing-failed" and "pkt6-processing-failed" statistics which are increased when an incoming packet was dropped because an unexpected error occurred during processing. 
Added "pkt4-limit-exceeded" and "pkt6-limit-exceeded" statistics which are increased when an incoming packet was dropped by the limits hook library. (Gitlab #3140, #4157, #4146, #4127, #4126, #4133, #4134) 2413. [sec]* andrei Restrict the path of the UNIX socket to which kea-netconf connects the same way the path is restricted for other servers on creation of UNIX sockets. (Gitlab #3969) Kea 3.1.3 (development) released on October 29, 2025 2412. [build] andrei The library version numbers have been bumped up for the Kea 3.1.3 development release. (Gitlab #4175) 2411. [sec] tmark When a hostname or FQDN received from a client is reduced to an empty string by hostname sanitizing, kea-dhcp4 and kea-dhcp6 will now drop the option. CVE:2025-11232 (Gitlab #4142) 2410. [build] andrei -Wshadow was added to the compiler flags and its warnings addressed. (Gitlab #3451) 2409. [build] andrei Kea now builds with Clang 21. Thanks to Khem Raj for reporting the problem and suggesting a fix. (Gitlab #4100) 2408. [bug] andrei Fixed a bug introduced in flex-id in 3.1.2 which caused the expression to always be empty even when a value was configured under "identifier-expression". (Gitlab #4181) 2407. [bug] tmark Corrected an issue that was causing an HA peer to not restart its dedicated listener after handling a config-test command. Applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #4145) 2406. [bug] razvan Removed logging an error in ping check hook library if using lease cache threshold. (Gitlab #4129) 2405. [bug] razvan, liyunqing_kylin Fixed a data race in ping-check hooks library. Thanks to liyunqing_kylin for reporting and testing the fix for this issue. (Gitlab #4164) 2404. [bug] razvan, liyunqing_kylin Fixed deadlock in ping-check hooks library. Thanks to liyunqing_kylin for reporting and providing a patch. (Gitlab #4140) Kea 3.1.2 (development) released on September 24, 2025 2403. 
[func] fdupont Added "pkt4-service-disabled" and "pkt6-service-disabled" statistics which are increased when an incoming packet was dropped because the DHCP service is disabled. (Gitlab #4096) 2402. [func] fdupont When Kea is configured to use the memfile lease backend, the "status-get" command returns the location of the CVS backup file in the "csv-lease-file" entry. (Gitlab #2305) 2401. [sec] tmark Removed logging of database password as clear text when kea-dhcp4 or kea-dhcp6 initializes the schema. (Gitlab #4086) 2400. [bug] fdupont Fixed a race condition in pid file handling (used by servers, agents and lease file cleanup). (Gitlab #4107) 2399. [func] fdupont Added support of RADIUS dictionary includes, vendor attributes and integer translations to the RADIUS hook library for compatibility with previous versions using the FreeRADIUS client library. (Gitlab #3860) 2398. [sec] fdupont Added the "basic-auth-user-file" parameter to the HA hook library. This allows the basic HTTP auth user ID to be read from a file rather than specified as clear text in the configuration. (Gitlab #4070) 2397. [func] tmark Additional packet details are now emitted in debug level logs by kea-dhcp4 for both inbound and outbound packets. (Gitlab #3531) 2396. [func] tmark The flex-id hook library parameter, ``identifier-expression``, is now optional. Prior to this, it was mandatory. (Gitlab #4011) 2395. [build] razvan The library version numbers have been bumped up for the Kea 3.1.2 development release. (Gitlab #4120) 2394. [func] razvan Added new 'statistic-global-get-all' command for kea-dhcp4 and kea-dhcp6 servers, which returns all statistics except subnet counters. (Gitlab #3213) 2393. [func] razvan Added global counters for 'assigned-addresses', 'assigned-nas' and 'assigned-pds'. The 'stat-lease4-get' and 'stat-lease6-get' now properly return 'assigned-addresses' and 'assigned-nas' containing also the 'declined-addresses' address count. (Gitlab #3239, #3925) 2392. 
[func] razvan Reject 'config-set' and 'config-reload' commands when lease file cleanup process is running. (Gitlab #3986) Kea 3.1.1 (development) released on August 27, 2025 2391. [bug] fdupont When reusing an expired lease, kea-dhcp6 now correctly saves the client hardware address in the lease. (Gitlab #4058) 2390. [func] fdupont Added the new "adaptive-lease-time-threshold" parameter for the FLQ (Free Lease Queue) allocator which reduces the lifetime of leases when pools of a subnet have an occupancy rate above a configured threshold (new feature from ISC DHCP). (Gitlab #226) 2389. [bug] tmark Corrected an issue in kea-dhcp4 which caused broadcasted client queries to fail to match subnets restricted to classes assigned during early global host lookups. (Gitlab #4047) 2388. [bug] tmark Fixed an issue in kea-dhcp-ddns which was causing GSS-TSIG key exchanges to timeout when NCR traffic is intermittent. (Gitlab #4049) 2387. [func]* andrei, razvan Updated kea-netconf to libyang and sysrepo version 3. (Gitlab #3931) 2386. [sec] tmark Corrected an issue in kea-dhcp4 that caused the server to abort if a client sent a unicast request with a particular options, and Kea failed to find an appropriate subnet for that client. CVE:2025-40779 (Gitlab #4048) 2385. [bug] tmark Avoid adding the qualifying-suffix to fully qualified host names specified in host reservations. (Gitlab #3949) 2384. [bug] tmark kea-dhcp6 now correctly supports option class-tags (i.e."client-classes") in host and config back ends for both MySQL and PosgreSQL. (Gitlab #4014) 2383. [func] razvan The kea-dhcp4 server now supports configuring vivso options with suboptions. (Gitlab #3861) 2382. [func] razvan Implemented the 'lease6-get-by-hw-address' command used to query IPv6 leases by HW Address. (Gitlab #3826) Kea 3.1.0 (development) released on July 30, 2025 2381. [build] razvan The library version numbers have been bumped up for the Kea 3.1.0 development release. (Gitlab #4030) 2380. 
[build]* fdupont Moved Botan crypto backend support to version 3. (Gitlab #3553) 2379. [bug] tmark kea-dhcp4 now correctly supports option class-tags (i.e."client-classes") in host and config back ends for both MySQL and PosgreSQL. (Gitlab #3770) 2378. [func] razvan Added SSL/TLS support for PostgreSQL database connection in the Kea configuration. Available parameters are: "trust-anchor", "cert-file", "key-file", and "ssl-mode". (Gitlab #3927) 2377. [sec]* tmark Additional runtime security checks were added to kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and kea-ctrl-agent (Gitlab #3848) 2376. [func] razvan Added support for global list parameters (containing only scalar elements) in CB. The "host-reservation-identifiers" is now supported in CB. (Gitlab #3944) Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.