ISC_DHCP 4.2.8rc2 is ready for download
tmark at isc.org
Thu Feb 26 17:39:06 UTC 2015
This is the second release candidate of ISC DHCP 4.2.8, a maintenance
which contains a number of bug fixes.
Due to a minor issue with the mailing lists, the announcements for the
releases, 4.2.8b1 and 4.2.8rc1, were not posted to all of the usual
apologize for any inconvenience this may have caused.
Field testing is an important part of our quality process. We welcome,
and need our user base to beta test our upcoming releases. Please report
bugs to dhcp-bugs at isc.org, and report that you have tried the release,
and any general observations, to dhcp-users at lists.isc.org. The final
release, 4.2.8, is anticipated to be released on 03/05/2015.
------ EOL NOTICE -------
Version 4.2.8 is the last regular maintenance release on the ISC DHCP
ISC will cease regular maintenance on this train at the end of March,
This is an exception to our stated policy that we keep every train until two
subsequent feature releases. We need to reduce the number of supported
and decided that keeping the 4.1.x train was important to provide
applications in constrained memory environments. We have extended support
for 4.1.x until at least December, 2015.
We feel that ISC DHCP 4.3.2 provides a stable platform for most users and we
are declaring it to be our next Extended Support Version. We plan to support
the 4.3.x train through 2017.
ISC Technical support will continue to provide commercial support for
ISC DHCP 4.2.8 through 2015 to provide plenty of time for migration. We will
provide back ported patches to affected customers where practical. In
we will normally also address critical security issues in recently EOLed
versions. However, we encourage users to start planning their migration
A list of the changes in this release has been appended to the end
of this message. For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:
Knowledge base articles about various features can be found starting from:
Webinars can be found here:
This release, and its OpenPGP-signatures are available now from:
ISC's Release Signing Key can be obtained at:
The following are some of the more intersting changes in this release.
As always you should consult the notes in RELNOTES or at the bottom
of this announcement for the complete list of fixes in this release.
We have made several changes (20558, 21323 and 36233) to try and
handle client hostnames and DNS more in line with the documentation.
use-host-decl-names and prepending domain-search strings should
now work correctly.
A failover server now supports a split value of 256 allowing the
primary to be configured to be responsible for all clients (36664)
instead of only 255/256 of the range.
We fixed a bug in the way we modfied the lists containing leases.
This should fix some odd bugs where the leases were expired in
clumps rather than when their timers elapsed, see 38002. While
this is not a security issue it does fix some potential weird
behavior and we encouage people to upgrade if possible.
If the configruation is changed such that a lease was in a range
that had a failover peer but no longer has one then the server
will update the lease to be availabe. Previously the lease could
be stuck in the backup state, this will cause it to move to the
free state. See 36960.
We corrected an issue, present under Linux with NIC drivers which
perfrom vlan-tag encapsulation, that was causing inbound packets on
a vlan to also be seen on the vlan's hosting interface. This means
that when interfaces are specified on the command line, you must specify
a vlan interface explicitly, such as "eth0:12" rather than "eth0".
The following is the list of all changes for this release.
Changes since 4.2.8rc1
- Corrected a compilation error introduced by the fix for ISC-Bugs #37415.
The error occurs on Linux variants that do not support VLAN tag
in packet auxiliary data. The configure script now only enables inclusion
of the VLAN tag-based logic if it is supported by the underlying OS.
Changes since 4.2.8b1
- Specifying the option, --disable-debug, on the configure script
now disables debug features. Prior to this, specifying --disable-debug
incorrectly enabled debug features. Thanks to Gustavo Zacarias for
- Unit test execution now uses a path augmented during configuration
processing of the --with-atf option to locate ATF runtime tools, atf-run
and atf-report. For most installations of ATF, this should alleviate the
need to manually include them in the PATH, as was formerly required.
If the configure script cannot locate the tools it will emit a warning,
informing the user that the tools must be in the PATH when running unit
Secondly, please note that "make check" will now exit with a failure
code (non-zero) if one or more unit tests fail. This means that invoking
"make check" from an upper level directory will cause the make process to
STOP after the first test subdirectory with failed test(s). To force all
tests in all subdirectories to run, regardless of individual test outcome,
use the command "make -k check".
Changes since 4.2.7
- Corrected parser's right brace matching when a statement contains an
- TSIG-authenticated dynamic DNS updates now support the use of these
additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
- Added check for invalid failover message type. Thanks to Tobias Stoeckmann
working with the OpendBSD project who spotted the issue and provided the
- Corrected rate limiting checks for bad packet logging. Thanks to Tobias
Stoeckmann working with the OpendBSD project who spotted the issue and
provided the patch.
- Addressed Coverity issues reported as of 07-31-2014:
[ISC-Bugs #36712] Corrects Coverity reported "high" impact issues.
[ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues
[ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older
compilers that was introduced by #36712
- Server now supports a failover split value of 256.
- Remove unneeded error #defines. These defines were included in case
external programs required the older versions of the macro. They
have been #ifdeffed for now and will be removed at a future date.
See site.h for the #define to include them again, but you should
switch to using the DHCP_R_* versions instead of the ISC_R_* versions.
Also ISC_R_MULTIPLE has been removed as it is also deifned in bind.
- Added checks in range6 and prefix6 statement parsing to ensure addresses
are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the
bug report and patch.
- Addressed checksum issues:
Added checksum readiness check to Linux packet filtering which eliminates
invalid packet drops due to checksum errors when checksum offloading is
in use. Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora
Inbound packets with UPD checksums of 0xffff now validate correctly rather
than being dropped.
- Added support of the configuration parameter, use-host-decl-names, to
BOOTP request handling.
- When the server cannot attribute an inbound request to a known subnet
and returning the server identifier in NAKS is enabled; the server
will use value of the configuration parameter server-identifier if it
is defined globally.
- By default, the server will now choose the value to use in the forward DNS
name from the following in order of preference:
1. FQDN option if provided by the client
2. Host name option if provided by the client
3. Configured option host-name if defined
As before, this may be overridden by defining ddns-hostname to the desired
value (or expression). In addition, the server logic has been extended to
use the value of the host name declaration if use-host-decl-names is
and no other value is available.
- Added logic to ignore the signal, SIGPIPE, which ensures write failures
will be delivered as errors rather than as SIGPIPE signals on all OSs.
Thanks to Marius Tomaschewski from SUSE who reported the issue and
the patch upon which the fix is based.
- In the failover code, handle the case of communications being interrupted
when the servers are dealing with POTENTIAL-CONFLICT. This patch allows
the primary to accept the secondary moving from POTENTIAL-CONFLICT to
RESOLUTION-INTERRUPTED as well as handling the bind update process better.
In addition the code to resend update or update all requests has been
modified to send requests more often.
- Corrected an issue which caused dhclient to incorrectly form the
prepending or appending to the IPv4 domain-search option,received from the
server, when either of the values being combined contain compressed
- During startup, when the server encounters a lease whose binding state is
FTS_BACKUP but whose pool has no configured failover peer, it will
lease's binding state to FTS_FREE. This allows the leases to be reclaimed
by the server after a pool's configuration has changed from failover to
standalone. Prior to this such leases would remain stuck in the backup
making them unavailable for assignment. This behavior is off by default.
It is enabled by defining CONVERT_BACKUP_TO_FREE in includes/site.h and
will occur whether or not the server is compiled for failover.
- Avoid calling pool_timer() recursively from supersede_lease(). This could
result in leases changing state incorrectly or delaying the running of the
lease expiration code.
- Move the check for a PID file and process to be before we rewrite the
lease file. This avoids the possibility of starting a second instance
of a server which changes the current lease file confusing the first
instance. This check is only included if the admin hasn't disabled PID
- In the client code change the way preferred_life and max_life are printed
for environment variables to be unsigned rather than signed.
Thanks to Jiri Popelka at Red Hat for the bug report and patch.
- Modified linux packet handling such that packets received via VLAN are now
seen only by the VLAN interface. Prior to this, such packets were seen by
both the VLAN interface and its parent (physical) interface, causing the
server to respond to both. Note this remains an issue for non-Linux OSs.
Thanks to Jiri Popelka at Red Hat for the patch.
- Corrected inconsistencies in dhcrelay's setting the upper interface
limit such that it now sets it to 32 when the upstream address is a
address per RFC 3315 Section 20. Prior to this if the -u argument preceded
the -l argument on the command line or if the same interface was specified
for both; the logic to set the hop limit count for the upper interface was
skipped. This caused the hop count limit to be set to the default value
(typically 1) in the outbound upstream packets.
More information about the dhcp-announce