ISC_DHCP 4.2.8rc2 is ready for download

Thomas Markwalder tmark at
Thu Feb 26 17:39:06 UTC 2015

This is the second release candidate of ISC DHCP 4.2.8, a maintenance
which contains a number of bug fixes.

Due to a minor issue with the mailing lists, the announcements for the
releases, 4.2.8b1 and 4.2.8rc1, were not posted to all of the usual
lists. We
apologize for any inconvenience this may have caused.

Field testing is an important part of our quality process.  We welcome,
and need our user base to beta test our upcoming releases. Please report
bugs to dhcp-bugs at, and report that you have tried the release,
and any general observations, to dhcp-users at  The final
release, 4.2.8, is anticipated to be released on 03/05/2015.

                        ------ EOL NOTICE -------

Version 4.2.8 is the last regular maintenance release on the ISC DHCP
4.2 train.
ISC will cease regular maintenance on this train at the end of March,
2015, as
previously announced. 

This is an exception to our stated policy that we keep every train until two
subsequent feature releases. We need to reduce the number of supported
and decided that keeping the 4.1.x train was important to provide
options for
applications in constrained memory environments.  We have extended support
for 4.1.x until at least December, 2015.

We feel that ISC DHCP 4.3.2 provides a stable platform for most users and we
are declaring it to be our next Extended Support Version. We plan to support
the 4.3.x train through 2017.

ISC Technical support will continue to provide commercial support for
ISC DHCP 4.2.8 through 2015 to provide plenty of time for migration. We will
provide back ported patches to affected customers where practical.  In
we will normally also address critical security issues in recently EOLed
versions.  However, we encourage users to start planning their migration
to 4.3.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:

Knowledge base articles about various features can be found starting from:

Webinars can be found here:

This release, and its OpenPGP-signatures are available now from:

ISC's Release Signing Key can be obtained at:

The following are some of the more intersting changes in this release.
As always you should consult the notes in RELNOTES or at the bottom
of this announcement for the complete list of fixes in this release.

We have made several changes (20558, 21323 and 36233) to try and
handle client hostnames and DNS more in line with the documentation.
use-host-decl-names and prepending domain-search strings should
now work correctly.

A failover server now supports a split value of 256 allowing the
primary to be configured to be responsible for all clients (36664)
instead of only 255/256 of the range.

We fixed a bug in the way we modfied the lists containing leases.
This should fix some odd bugs where the leases were expired in
clumps rather than when their timers elapsed, see 38002.  While
this is not a security issue it does fix some potential weird
behavior and we encouage people to upgrade if possible.

If the configruation is changed such that a lease was in a range
that had a failover peer but no longer has one then the server
will update the lease to be availabe.  Previously the lease could
be stuck in the backup state, this will cause it to move to the
free state.  See 36960.

We corrected an issue, present under Linux with NIC drivers which
perfrom vlan-tag encapsulation, that was causing inbound packets on
a vlan to also be seen on the vlan's hosting interface. This means
that when interfaces are specified on the command line, you must specify
a vlan interface explicitly, such as "eth0:12" rather than "eth0". 
See 37415.

The following is the list of all changes for this release.

            Changes since 4.2.8rc1

- Corrected a compilation error introduced by the fix for ISC-Bugs #37415.
  The error occurs on Linux variants that do not support VLAN tag
  in packet auxiliary data.  The configure script now only enables inclusion
  of the VLAN tag-based logic if it is supported by the underlying OS.
  [ISC-Bugs #38677]

            Changes since 4.2.8b1

- Specifying the option, --disable-debug, on the configure script
command line
  now disables debug features.  Prior to this, specifying --disable-debug
  incorrectly enabled debug features. Thanks to Gustavo Zacarias for
  the issue.
  [ISC-Bugs #37780]

- Unit test execution now uses a path augmented during configuration
  processing of the --with-atf option to locate ATF runtime tools, atf-run
  and atf-report. For most installations of ATF, this should alleviate the
  need to manually include them in the PATH, as was formerly required.
  If the configure script cannot locate the tools it will emit a warning,
  informing the user that the tools must be in the PATH when running unit
  Secondly, please note that "make check" will now exit with a failure
  code (non-zero) if one or more unit tests fail.  This means that invoking
  "make check" from an upper level directory will cause the make process to
  STOP after the first test subdirectory with failed test(s).  To force all
  tests in all subdirectories to run, regardless of individual test outcome,
  use the command "make -k check".
  [ISC-Bugs #38619]

            Changes since 4.2.7

- Corrected parser's right brace matching when a statement contains an
  [ISC-Bugs #36021]

- TSIG-authenticated dynamic DNS updates now support the use of these
  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
  and hmac-sha512
  [ISC-Bugs #36947]

- Added check for invalid failover message type. Thanks to Tobias Stoeckmann
  working with the OpendBSD project who spotted the issue and provided the
  [ISC-Bugs #36653]

- Corrected rate limiting checks for bad packet logging.  Thanks to Tobias
  Stoeckmann working with the OpendBSD project who spotted the issue and
  provided the patch.
  [ISC-Bugs #36897]

- Addressed Coverity issues reported as of 07-31-2014:
  [ISC-Bugs #36712] Corrects Coverity reported "high" impact issues.
  [ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues
  [ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older
  compilers that was introduced by #36712

- Server now supports a failover split value of 256.
  [ISC-Bugs] #36664]

- Remove unneeded error #defines.  These defines were included in case
  external programs required the older versions of the macro.  They
  have been #ifdeffed for now and will be removed at a future date.
  See site.h for the #define to include them again, but you should
  switch to using the DHCP_R_* versions instead of the ISC_R_* versions.
  Also ISC_R_MULTIPLE has been removed as it is also deifned in bind.
  [ISC-Bugs #37128]

- Added checks in range6 and prefix6 statement parsing to ensure addresses
  are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #32453]
  [ISC-Bugs #17766]
  [ISC-Bugs #18510]
  [ISC-Bugs #23698]
  [ISC-Bugs #28883]

- Addressed checksum issues:
  Added checksum readiness check to Linux packet filtering which eliminates
  invalid packet drops due to checksum errors when checksum offloading is
  in use.  Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora
  [ISC-Bugs #22806]
  [ISC-Bugs #15902]
  [ISC-Bugs #17739]
  [ISC-Bugs #18010]
  [ISC-Bugs #22556]
  [ISC-Bugs #29769]
  Inbound packets with UPD checksums of 0xffff now validate correctly rather
  than being dropped.
  [ISC-Bus #24216]
  [ISC-Bus #25587]

- Added support of the configuration parameter, use-host-decl-names, to
  BOOTP request handling.
  [ISC-Bugs #36233]

- When the server cannot attribute an inbound request to a known subnet
  and returning the server identifier in NAKS is enabled; the server
  will use value of the configuration parameter server-identifier if it
  is defined globally.
  [ISC-Bugs #32545]

- By default, the server will now choose the value to use in the forward DNS
  name from the following in order of preference:

    1. FQDN option if provided by the client
    2. Host name option if provided by the client
    3. Configured option host-name if defined

  As before, this may be overridden by defining ddns-hostname to the desired
  value (or expression).  In addition, the server logic has been extended to
  use the value of the host name declaration if use-host-decl-names is
  and no other value is available.
  [ISC-Bugs #21323]

- Added logic to ignore the signal, SIGPIPE, which ensures write failures
  will be delivered as errors rather than as SIGPIPE signals on all OSs.
  Thanks to Marius Tomaschewski from SUSE who reported the issue and
  the patch upon which the fix is based.
  [ISC-Bugs #32222]

- In the failover code, handle the case of communications being interrupted
  when the servers are dealing with POTENTIAL-CONFLICT.  This patch allows
  the primary to accept the secondary moving from POTENTIAL-CONFLICT to
  RESOLUTION-INTERRUPTED as well as handling the bind update process better.
  In addition the code to resend update or update all requests has been
  modified to send requests more often.
  [ISC-Bugs #36810]
  [ISC-Bugs #20352]

- Corrected an issue which caused dhclient to incorrectly form the
result when
  prepending or appending to the IPv4 domain-search option,received from the
  server, when either of the values being combined contain compressed
  [ISC-Bugs #20558]

- During startup, when the server encounters a lease whose binding state is
  FTS_BACKUP but whose pool has no configured failover peer, it will
reset the
  lease's binding state to FTS_FREE.  This allows the leases to be reclaimed
  by the server after a pool's configuration has changed from failover to
  standalone. Prior to this such leases would remain stuck in the backup
  making them unavailable for assignment.  This behavior is off by default.
  It is enabled by defining CONVERT_BACKUP_TO_FREE in includes/site.h and
  will occur whether or not the server is compiled for failover.
  [ISC-Bugs #36960]

- Avoid calling pool_timer() recursively from supersede_lease().  This could
  result in leases changing state incorrectly or delaying the running of the
  lease expiration code.
  [ISC-Bugs #38002]

- Move the check for a PID file and process to be before we rewrite the
  lease file.  This avoids the possibility of starting a second instance
  of a server which changes the current lease file confusing the first
  instance.  This check is only included if the admin hasn't disabled PID
  [ISC-Bugs #38078]
  [ISC-Bugs #38143]

- In the client code change the way preferred_life and max_life are printed
  for environment variables to be unsigned rather than signed.
  Thanks to Jiri Popelka at Red Hat for the bug report and patch.
  [ISC-Bugs #37084]

- Modified linux packet handling such that packets received via VLAN are now
  seen only by the VLAN interface. Prior to this, such packets were seen by
  both the VLAN interface and its parent (physical) interface, causing the
  server to respond to both.  Note this remains an issue for non-Linux OSs.
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #37415]
  [ISC-Bugs #37133]
  [ISC-Bugs #36668]
  [ISC-Bugs #36652]

- Corrected inconsistencies in dhcrelay's setting the upper interface
hop count
  limit such that it now sets it to 32 when the upstream address is a
  address per RFC 3315 Section 20. Prior to this if the -u argument preceded
  the -l argument on the command line or if the same interface was specified
  for both; the logic to set the hop limit count for the upper interface was
  skipped.  This caused the hop count limit to be set to the default value
  (typically 1) in the outbound upstream packets.
  [ISC-Bugs #37426]

More information about the dhcp-users mailing list