ISC_DHCP 4.4.1 is now available for download.

Thomas Markwalder tmark at isc.org
Wed Feb 28 17:23:14 UTC 2018


The release of ISC DHCP 4.4.1 is the first release on the 4.4 branch,
since 4.4.0 was withdrawn. This release contains several new features as
well as a number of bug fixes.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:

    https://kb.isc.org/article/AA-01571/0/DHCP-4.4.1-Release-Notes.html

Knowledge base articles about various features can be found starting from:

    https://kb.isc.org/category/201/0/10/Software-Products/DHCP/Features/

Webinars can be found here:

    http://www.youtube.com/user/ISCdotorg

This release and its OpenPGP signatures are available now from:

    https://www.isc.org/downloads/DHCP/

    http://ftp.isc.org/isc/dhcp/4.4.1/dhcp-4.4.1.tar.gz
    http://ftp.isc.org/isc/dhcp/4.4.1/dhcp-4.4.1.tar.gz.sha512.asc
    http://ftp.isc.org/isc/dhcp/4.4.1/dhcp-4.4.1.tar.gz.sha256.asc
    http://ftp.isc.org/isc/dhcp/4.4.1/dhcp-4.4.1.tar.gz.sha1.asc

ISC's Release Signing Key can be obtained at:

    https://www.isc.org/downloads/software-support-policy/openpgp-key/

The following is an excerpt from the 4.4.1 release notes:

Please note that ISC DHCP is now licensed under the Mozilla Public License,
MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read the MPL 2.0
license terms.

The areas of focus for ISC DHCP 4.4 were:

1. Dynamic DNS additions
2. dhclient improvements
3. Support for dynamic shared libraries

Dynamic DNS Improvements:

- We added three new server configuration parameters which influence DDNS
  conflict resolution:

    1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
    to mitigate issues with non-compliant clients in dual stack environments.

    2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
    requirement of DNS conflict resolution.

    3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior
    to allow unguarded DNS entries to be overwritten in certain cases.

- The server now honors update-static-leases parameter for static DHCPv6
  hosts.

dhclient Improvements:

  - We've added three command line parameters to dhclient:

    1. --prefix-len-hint - directs dhclient to use the given length as
    the prefix length hint when requesting prefixes

    2. --decline-wait-time - instructs the client to wait the given number
    of seconds after declining an IPv4 address before issuing a discover

    3. --address-prefix-len - specifies the prefix length passed by dhclient
    into the client script (via the environment variable ip6_prefixlen) with
    each IPv6 address.  We added this parameter because we have changed the
    default value from 64 to 128 in order to be compliant with RFC3315bis
    draft (-09, page 64) and RFC5942, Section 4, point 1.
    **WARNING**: The new default value of 128 may not be backward compatible
    with your environment. If you are operating without a router, such as
    between VMs on a host, you may find they cannot see each other with a
    prefix length of 128. In such cases, you'll need to either provide
    routing or use the command line parameter to set the value to 64.
    Alternatively you may change the default at compile time by setting
    DHCLIENT_DEFAULT_PREFIX_LEN in includes/site.h.

  - dhclient will now generate a DHCPv6 DECLINE message when the client
    script indicates a DAD failure.

Dynamic shared library support:

  A configure script, configure.ac+lt, which supports libtool, is now provided
  with the source tarball.  This script can be used to configure ISC DHCP
  to build with libtool and thus use dynamic shared libraries.

Other Highlights:

 - The server now supports dhcp-cache-threshold for DHCPv6 operations
 - The server now supports DHCPv6 address allocation based on EUI-64 DUIDs
 - Experimental support for an alternate relay port in both the server
   and relay for IPv4, IPv6 and 4o6 (see: draft-ietf-dhc-relay-port-10.txt)

For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.

ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users at isc.org>.

ISC DHCP is open source software maintained by Internet Systems
Consortium.  This product includes cryptographic software written
by Eric Young (eay at cryptsoft.com).

                Changes since 4.4.0 (New Features)

- none

        Changes since 4.4.0 (Bug Fixes)

- A delayed-ack value of 0 (the default) now correctly disables the delayed-ack
  feature.  A change in 4.4.0 prohibited lease updates marking leases active
  from being written to the lease file when delayed-ack is 0. This in turn
  caused servers to lose active lease assignments upon restart.
  [ISC-Bugs #47141]

! Option reference count was not correctly decremented in error path
  when parsing buffer for options. Reported by Felix Wilhelm, Google
  Security Team.
  [ISC-Bugs #47140]
  CVE: CVE-2018-5733

! Corrected an issue where large sized 'X/x' format options were causing
  option handling logic to overwrite memory when expanding them to human
  readable form. Reported by Felix Wilhelm, Google Security Team.
  [ISC-Bugs #47139]
  CVE: CVE-2018-5732

                Changes since 4.4.0b1 (New Features)

- Duplicate address detection when binding to a new IPv6 address was added
  to the following dhclient scripts: linux, freebsd, netbsd, openbsd, and
  macos.  The scripts will check for DAD errors after binding to a new IPv6
  address for at most --dad-wait-time seconds.  If a DAD error is detected
  the script will exit with a value of 3, instructing dhclient to decline
  the address. If dad-wait-time is zero (the default), DAD error checking
  is not performed.
  [ISC-Bugs 46805]

- Support for sending and receiving additional DHCP4 options has been added
  to both the dhcpd and dhclient.  Specifically: option codes 93, 94, and 97
  (RFC 4578); code 150 (RFC 5859); and codes 209, 219, and 211 (RFC 5071).
  Beyond configuring, sending, requesting, and receiving these options,
  neither server nor client apply any additional logic based on their values.
  Thanks to Peter Lewis for requesting this change.
  [ISC-Bugs 47062]

        Changes since 4.4.0b1 (Bug Fixes)

- Added clarifying text to dhcpd.conf.5 explaining that class match
  expressions cannot rely on the results of executable statements.
  [ISC-Bugs #45451]

- Fixed a bug which caused dhcpd and dhclient to crash on certain
  systems when given relative path names for lease or pid files on
  the command line.  Affected systems are those on which the C library
  function realpath() does not support a second parameter value of
  NULL (see the manpage for realpath(3)).
  [ISC-Bugs #46957]

- Fixed a build issue when building with embedded BIND9 under OpenBSD that
  was causing the BIND9 build to not generate dns/enumclass.h and
  dns/enumtype.h.
  [ISC-Bugs #46971]

- Added <dhcp>/m4/README to the distribution tarball.  Some versions of
  ac_local() treat the absence of the m4 subdirectory as an error rather
  than a warning.  This was causing the call to autoreconf, necessary for
  building with libtool, to fail.
  [ISC-Bugs #47075]

        Changes since 4.4.0a1 (New Features)

- Added experimental support for the relay port feature
  (draft-ietf-dhc-relay-port-10.txt) for DHCPv4, DHCPv6 and
  DHCPv4-over-DHCPv6.  Relay port has to be
  enabled at compile time via --enable-relay-port and is fully backward
  compatible (i.e. works with previous implementations of servers and relays
  using the standard ports).  A new --rp <relay-port> command line option
  specifies to dhcrelay an alternate source port for upstream (i.e. toward
  the server) messages.  Thanks to Naiming Shen and Enke Chen of Cisco
  systems for submitting these patches.
  [ISC-Bugs #44535]

- Added --release-on-roam to the dhcpd server. When enabled and the server
  detects that a DHCPv6 client (IAID+DUID) has roamed to a new network, it
  will release the pre-existing leases on the old network and emit a log
  statement similar to the following:

      "Client: <id> roamed to new network, releasing lease: <address>"

  The server will carry out all of the same steps that would normally occur
  when a client explicitly releases a lease.  When release-on-roam is
  disabled (the default) the server maintains the prior behavior of making
  such leases unavailable until they expire or the server is restarted.
  Clients that need leases in multiple networks must supply a unique IAID in
  each IA.  This parameter may only be specified at the global level.
  Thanks to Fernando Soto from BlueCat Networks for suggesting this change.
  [ISC-Bugs #44576]
  [ISC-Bugs #46849]

- Support for delayed-ack is now compiled in by default. Prior to this
  it had to be enabled at compile time via --enable-delayed-acks. The
  default value for delayed-ack, however, has been changed from 28 to 0
  (i.e. disabled).  This was done to minimize the impact on users not
  currently using the feature.  Please note that the delayed-ack feature
  is not currently compatible with support for DHCPv4-over-DHCPv6, so
  when a 4to6 port command line argument enables this in the server the
  delayed-ack value is reset to 0.
  [ISC-Bugs #42446]

- The server (-6) now honors the parameter update-static-leases for static
  (fixed-address6) DHCPv6 leases.  It is worth noting that because stateful
  data is not retained by the server for static leases, each time a client
  requests or renews a static lease, the server will perform DDNS updates
  for it. This may have significant performance implications for
  environments with many clients that request or renew static leases often.
  Similarly, the DNS entries will not be removed by the server when a
  client issues a RELEASE, nor if the lease is deleted from the
  configuration. In such cases the DNS entries must be removed manually.
  This feature is disabled by default.
  Thanks to both Bill Shirley and dgutier-at-cern-dot-ch for requesting
  this change.
  [ISC-Bugs #34097]
  [ISC-Bugs #41054]
  [ISC-Bugs #41450]

- Added to the server (-6) a new statement, local-address6, which specifies
  the source address of packets sent by the server. An additional flag,
  bind-local-address6, disabled by default, binds the service socket to
  local-address6. Note that bind-local-address6 does not work with direct
  clients: a relay has to forward packets to the server using the
  local-address6 destination.
  [ISC-Bugs #46084]

        Changes since 4.4.0a1 (Bugs)

- The server now recognizes environment variables PATH_DHCPD_DB and
  PATH_DHCPD_PID.  These had been incorrectly compiled out of the code
  unless DHCPv6 support was disabled. Additionally, the server man
  pages were corrected to accurately reflect how the server chooses
  file names (see lease-file-name and pid-file-name statements). Thanks
  to Fernando Soto at Bluecat Networks for bringing this matter to our
  attention.
  [ISC-Bugs #46859]

- Removed an "Impossible condition" error upon exit in the dhcpd server that
  has been shut down via OMAPI. This condition was only apparent under
  Solaris when building with --enable-use-sockets and --enable-ipv4-pktinfo.
  [ISC-Bugs #36118]

- Corrected some minor Coverity issues: CID 1426059, 1426058, and 1426057.
  [ISC-Bugs #46836]

- Added missing text to dhclient.8 and expanded release note coverage
  for --address-prefix-len changes.

        Changes since 4.3.6 (New Features)

- Added --enable-bind-install to install the embedded BIND includes and
  libraries. The default is not to install them (the previous behavior).
  If you'd like to change the includedir and/or libdir installation
  directories to something different than for ISC DHCP, you must pass
  them using the --with-bind-extra-config configuration arguments.
  [ISC-Bugs #39318]

- Added support of dynamic shared libraries with libtool. A new
  --enable-libtool configuration parameter is available but
  should not be used directly: *please* read the build configuration
  section in the README file for the recommended procedure.
  [ISC-Bugs #29402]

- IPv6 operation now supports an EUI-64 based address allocation which will
  calculate addresses for clients with EUI-64 DUIDs based on those DUIDs
  when enabled by setting use-eui-64 true.  The parameter may be defined
  down to the pool scope.  Note this feature must be compiled in by defining
  EUI_64 in includes/site.h. This flag is undefined by default.
  [ISC-Bugs #43927]

- The directory includes/isc-dhcp and its only occupant, dst.h, have
  been removed from the source tree.  They are obsolete for branches
  other than v4_1_esv.
  [ISC-bugs #45541]

- Replaced ISC licensing with Mozilla Public License, MPL 2.0 licensing
  throughout.  Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
  the MPL 2.0 license terms.
  [ISC-Bugs #45541]

- Load balancing for failover peers can now be disabled by setting
  "load balance max secs" to 0. Doing so for both peers means both
  servers will respond to all DHCPDISCOVERs or DHCPREQUESTs as soon as
  they are received.
  [ISC-Bugs #39669]

- Added a new dhclient command line parameter, --prefix-len-hint <length>.
  When used in conjunction with -P, it directs dhclient to use the given
  length as the prefix length hint when requesting prefixes.  Thanks to both
  Indy, of the FireballISO open source project and H. Peter Anvin for
  suggesting this change.
  [ISC-Bugs #43792]
  [ISC-Bugs #35112]
  [ISC-Bugs #32228]
  [ISC-Bugs #29470]

- dhclient will now wait for 10 seconds after declining an IPv4 address
  before issuing a discover.  This is in keeping with RFC 2131, section
  3.1.5.  Prior to this dhclient did not wait at all. The amount of time
  dhclient waits can be specified via a new command line parameter:
  --decline-wait-time <seconds>.  A value of zero equates to no wait at all.
  Thanks to Pavel Kankovsky for bringing this matter to our attention.
  **NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.**
  [ISC-Bugs #45457]

- dhclient will now include the lease address when logging DHCPOFFERs,
  DHCPREQUESTs, DHCPACKs, DHCPRELEASEs, and DHCPDECLINEs.  Additionally,
  DHCPOFFERs will be logged before their corresponding DHCPREQUESTs are
  sent and logged.
  [ISC-Bugs #2729]

- When given the -T command line argument, in addition to reading the
  current lease file, the server will write the leases to a temporary
  lease file.  This can help detect issues in server configuration that
  only surface when leases are written to the file.  The current lease
  file will not be modified and the temporary lease file is removed upon
  completion of the test.
  [ISC-Bugs #22267]

- dhclient will now generate a DHCPv6 DECLINE message containing all IA_NA
  addresses for which the client script indicates a DAD failure. After
  receiving the DECLINE reply, dhclient will restart the solicit process.
  Note, the client script must exit with a value of 3 to signify that the
  address failed DAD.  Thanks to Jiri Popelka of Red Hat for submitting the
  patch that was the foundation for this change.
  **NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.**
  [ISC-Bugs #21237]
  [ISC-Bugs #23357]
  [ISC-Bugs #36966]

- Replaced the compilation option enable-secs-byteorder with a run-time
  server configuration parameter, check-secs-byte-order.  When enabled, the
  server will check for clients that do the byte ordering on the secs field
  incorrectly.  This field should be in network byte order but some clients
  get it wrong.  When this parameter is enabled the server will examine the
  secs field and, if it looks wrong (high byte non-zero and low byte zero),
  swap the bytes.  The default is disabled.  This parameter is only useful
  when doing load balancing within failover.
  [ISC-Bugs #45364]

- The default value for the server (-6) parameter prefix-length-mode has been
  changed from "exact" to "prefer". In "prefer" mode the server will offer
  the first available prefix with the same length as that requested by the
  client. If none are found then it will offer the first available prefix of
  any length.  This is more in line with RFC 8168 and should improve
  the out-of-the-box user experience.
  **NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.**
  [ISC-Bugs #45615]

- Added support for 'dhcp-cache-threshold' to IPv6 operation: If a client
  renews before 'dhcp-cache-threshold' percent of its lease has elapsed
  (default 25%), the server will reuse the allocated lease (provide a
  lease within the currently allocated lease-time) rather than extend or
  renew the lease.  This allows the server to reply without needlessly
  writing leases to disk.  The preferred and valid lease lifetimes
  sent to the client will be reduced by the age of the lease. The option
  may be specified down to the pool level and is supported for all three
  pool types: NA, TA, and PD.
  [ISC-Bugs #45292]
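
  The following is an added example, not ISC DHCP code, that models the
  dhcp-cache-threshold decision described above for a single DHCPv6 lease;
  the struct and function names are hypothetical, and the rule that a
  renewal past the preferred lifetime is not served from cache is an
  assumption rather than something the release notes state.

```c
/* Added example, not ISC DHCP code: models the dhcp-cache-threshold
 * decision for one DHCPv6 lease. Names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

struct v6_lease {
    time_t   start;      /* when the lease was last written to disk */
    uint32_t valid;      /* valid lifetime granted, seconds */
    uint32_t preferred;  /* preferred lifetime granted, seconds */
};

struct reply_times {
    bool     reused;     /* true: answered from the cached lease, no file write */
    uint32_t valid;      /* lifetimes to place in the IA reply */
    uint32_t preferred;
};

/* threshold_pct is dhcp-cache-threshold in percent; 0 disables the feature. */
struct reply_times
renew_v6(const struct v6_lease *l, time_t now, unsigned threshold_pct)
{
    struct reply_times r = { false, l->valid, l->preferred };

    if (threshold_pct == 0 || now < l->start)
        return r;                      /* feature off, or clock went backwards */

    uint64_t age = (uint64_t)(now - l->start);

    /* Reuse only while age < threshold% of the valid lifetime; integer
     * arithmetic keeps a borderline renewal from rounding the wrong way. */
    if (age * 100 >= (uint64_t)l->valid * threshold_pct)
        return r;                      /* past the threshold: extend normally */

    /* Assumption, not from the release notes: once the preferred lifetime
     * is spent, reducing it would hit 0 and deprecate the address, so do
     * a normal renewal instead of serving from cache. */
    if (age >= l->preferred)
        return r;

    r.reused    = true;
    r.valid     = l->valid - (uint32_t)age;     /* remaining, not a fresh grant */
    r.preferred = l->preferred - (uint32_t)age;
    return r;
}

/* Constructed sample: lease written at t=1000, 3600s valid / 1800s preferred. */
static const struct v6_lease sample_lease = { 1000, 3600, 1800 };

int main(void)
{
    struct reply_times early = renew_v6(&sample_lease, 1600, 25); /* age 600s, 16% */
    struct reply_times late  = renew_v6(&sample_lease, 1900, 25); /* age 900s, 25% */
    printf("t=1600: reused=%d valid=%u preferred=%u\n",
           early.reused, (unsigned)early.valid, (unsigned)early.preferred);
    printf("t=1900: reused=%d valid=%u preferred=%u\n",
           late.reused, (unsigned)late.valid, (unsigned)late.preferred);
    return 0;
}
```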

- Added three new server configuration parameters which influence DDNS:

  1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
  to mitigate issues with non-compliant clients in dual stack environments.

  2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
  requirement of DNS conflict resolution.

  3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
  allow unguarded DNS entries to be overwritten in certain cases.
  [ISC-Bugs #42620]
  [ISC-Bugs #42621]
  [ISC-Bugs #44753]

- A "key-algorithm <algorithm>" statement has been added to omshell to
  allow the specification of the key algorithm to use during transaction
  authentication.  Prior to this it was hard-coded to be hmac-md5. It now
  supports all of the same algorithms as the dhcpd server: hmac-md5 (the
  default), hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
  hmac-sha512.
  [ISC-Bugs #46771]

- Added a server configuration parameter, persist-eui-64-leases, which
  determines whether or not EUI-64 based leases are written to the
  leases file.  Default is true.
  [ISC-Bugs #45046]

- Changed the default value of the prefix length passed by dhclient into the
  client script for each IPv6 address from 64 to 128. This was done to
  comply with RFC3315bis draft (-09, page 64) and RFC5942, Section 4,
  point 1.  In addition, dhclient now supports a command line argument,
  --address-prefix-len, which may be used to override the default value.
  **WARNING**: This change may not be backward compatible with your
  environment. If you are operating without a router, such as between VMs on
  a host, you may find they cannot see each other with a prefix length of
  128. In such cases, you'll need to either provide routing or use the
  command line parameter to set the value to 64. Alternatively you may
  change the default at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN
  in includes/site.h.
  [ISC-Bugs #23252]
  [ISC-Bugs #37221]

- Modified dhclient (-6) to bypass sending a confirm (INIT REBOOT) when
  it has only expired address associations.  Thanks to Jiri Popelka at
  Red Hat for raising the issue and submitting the patch.
  [ISC-Bugs #22675]

            Changes since 4.3.6 (Bugs):

- Corrected an issue where the server would return a client's previously
  released prefix lease even when the client provides a prefix length
  hint that does not match the prior lease.  Now the server will only
  return the previous lease if it exactly matches the hint.  If not
  it will attempt to allocate a new prefix based on the hint and the
  prefix-length-mode.  Thanks to Tim DeNike - Lightspeed Communications
  for pointing out the error of our ways.
  [ISC-bugs #45780]
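
  The following is an added example, not ISC DHCP code, that models the
  prefix-length-mode "prefer"/"exact" selection described under New
  Features together with the corrected previous-lease rule from this fix;
  the pool layout, the hint value 0 meaning "no hint", and all names are
  assumptions of the example.

```c
/* Added example, not ISC DHCP code: a model of prefix-length-mode
 * "prefer"/"exact" and the fixed previous-lease rule. Names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum plen_mode { PLM_EXACT, PLM_PREFER };  /* two of the prefix-length-mode values */

struct pd_prefix {
    const char *text;    /* for logging only */
    uint8_t     plen;    /* prefix length in bits */
    bool        in_use;
};

/* Index of the prefix to offer for a hint, or -1 if none qualifies.
 * hint == 0 means the client sent no prefix-length hint (assumption). */
int choose_prefix(const struct pd_prefix *pool, size_t n, uint8_t hint,
                  enum plen_mode mode)
{
    int first_free = -1;
    for (size_t i = 0; i < n; i++) {
        if (pool[i].in_use)
            continue;
        if (pool[i].plen == hint)
            return (int)i;             /* exact length match wins in both modes */
        if (first_free < 0)
            first_free = (int)i;
    }
    if (hint == 0 || mode == PLM_PREFER)
        return first_free;             /* "prefer": fall back to any length */
    return -1;                         /* "exact": nothing of that length */
}

/* prev is the index of the client's previously released prefix, or -1.
 * Per the 4.4.1 fix it is handed back only when its length equals the hint;
 * otherwise allocation proceeds from the hint and prefix-length-mode. */
int allocate_prefix(const struct pd_prefix *pool, size_t n, int prev,
                    uint8_t hint, enum plen_mode mode)
{
    if (prev >= 0 && (size_t)prev < n && !pool[prev].in_use &&
        pool[prev].plen == hint)
        return prev;
    return choose_prefix(pool, n, hint, mode);
}

/* Constructed sample pool. */
static const struct pd_prefix sample_pool[] = {
    { "2001:db8:1::/48", 48, false },
    { "2001:db8:2::/56", 56, false },
    { "2001:db8:3::/56", 56, true  },
};
#define SAMPLE_N (sizeof sample_pool / sizeof sample_pool[0])

int main(void)
{
    int i = allocate_prefix(sample_pool, SAMPLE_N, 1, 48, PLM_PREFER);
    printf("released /56, hint 48: offer %s\n", i < 0 ? "(none)" : sample_pool[i].text);
    i = allocate_prefix(sample_pool, SAMPLE_N, -1, 64, PLM_EXACT);
    printf("hint 64, exact mode: offer %s\n", i < 0 ? "(none)" : sample_pool[i].text);
    return 0;
}
```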

- Added explicit include of BIND9 isc/util.h to adapt to revisions
  in BIND9 (see BIND9 ticket #46311).  Prior to this the build was failing
  with implicit function declarations errors for POST() and INSIST().
  [ISC-bugs #46332]

- Added code to ignore an empty IPv4 host name option (code 12). While
  RFC 2132 states the option cannot be empty, some clients are apparently
  capable of sending it. Prior to this the server was attempting to use it
  and store it in the lease file, causing issues with DDNS and so forth.
  [ISC-bugs #43786]

- Corrected dhclient command line parsing for --dad-wait-time that caused
  even valid values to fail as invalid in some environments.
  [ISC-Bugs #46535]

- Replaced iasubopt::heap_index with separate values for active and inactive
  heaps: iasubopt::active_index and iasubopt::inactive_index.  This was done
  to accommodate a change in behavior in BIND9 isc_heap_delete().
  [ISC-bugs #46719]

! Plugged a socket descriptor leak in OMAPI, that can occur when there is
  data pending to be written to an OMAPI connection, when the connection
  is closed by the reader. Thanks to Pavel Zhukov at RedHat for bringing
  this issue to our attention and whose patch helped guide us in the right
  direction.
  [ISC-Bugs #46767]

- The ability of the server to send back dhcp6.vendor-opts values has been
  restored. A change in 4.3.5 (see #29246) which enabled it to send back the
  FQDN option unfortunately broke its ability to send back dhcp6.vendor-opts.
  Thanks to Sumant Gupta (sumantgupta at gmail dot com) of Landis+Gyr for
  bringing this issue to our attention.
  [ISC-Bugs #46427]
