ISC DHCP 4.3.2rc1 is now available for download.

Thomas Markwalder tmark at
Thu Feb 19 17:12:22 UTC 2015

ISC DHCP 4.3.2rc1 is now available for download:

This is the first release candidate of ISC DHCP 4.3.2, a maintenance release
which contains a number of bug fixes.

Field testing is an important part of our quality process.  We welcome,
and need our user base to beta test our upcoming releases. Please report
bugs to dhcp-bugs at, and report that you have tried the release,
and any general observations, to dhcp-users at  The final
release, 4.3.2, is anticipated to be released on 02/26/2015.

A list of the changes in this release has been appended to the end
of this message.  For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:

Knowledge base articles about various features can be found starting from:

Webinars can be found here:

This release, and its OpenPGP-signatures are available now from:

ISC's Release Signing Key can be obtained at:

The following are some of the more intersting changes in this release.
As always you should consult the notes in RELNOTES or at the bottom
of this announcement for the complete list of fixes in this release.

We have made several changes (20558, 21323 and 36233) to try and
handle client hostnames and DNS more in line with the documentation.
use-host-decl-names and prepending domain-search strings should
now work correctly.

A failover server now supports a split value of 256 allowing the
primary to be configured to be responsible for all clients (36664)
instead of only 255/256 of the range.

We have modified how the server handles a client providing a
non-zero prefix length when soliciting DHCPv6 prefixes.  See
the description for 36780 & 32228 for more details.

We fixed a bug in the way we modfied the lists containing leases.
This should fix some odd bugs where the leases were expired in
clumps rather than when their timers elapsed, see 38002.  While
this is not a security issue it does fix some potential weird
behavior and we encouage people to upgrade if possible.

If the configruation is changed such that a lease was in a range
that had a failover peer but no longer has one then the server
will update the lease to be availabe.  Previously the lease could
be stuck in the backup state, this will cause it to move to the
free state.  See 36960.

We corrected an issue, present under Linux with NIC drivers which
perfrom vlan-tag encapsulation, that was causing inbound packets on
a vlan to also be seen on the vlan's hosting interface. This means
that when interfaces are specified on the command line, you must specify
a vlan interface explicitly, such as "eth0:12" rather than "eth0". 
See 37415. 

The following is the list of all changes for this release.

            Changes since 4.3.2b1

- Specifying the option, --disable-debug, on the configure script
command line
  now disables debug features.  Prior to this, specifying --disable-debug
  incorrectly enabled debug features. Thanks to Gustavo Zacarias for
  the issue.
  [ISC-Bugs #37780]

- Unit test execution now uses a path augmented during configuration
  processing of the --with-atf option to locate ATF runtime tools, atf-run
  and atf-report. For most installations of ATF, this should alleviate the
  need to manually include them in the PATH, as was formerly required.
  If the configure script cannot locate the tools it will emit a warning,
  informing the user that the tools must be in the PATH when running unit
  Secondly, please note that "make check" will now exit with a failure
  code (non-zero) if one or more unit tests fail.  This means that invoking
  "make check" from an upper level directory will cause the make process to
  STOP after the first test subdirectory with failed test(s).  To force all
  tests in all subdirectories to run, regardless of individual test outcome,
  use the command "make -k check".
  [ISC-Bugs #38619]

            Changes since 4.3.1

- Corrected parser's right brace matching when a statement contains an
  [ISC-Bugs #36021]

- TSIG-authenticated dynamic DNS updates now support the use of these
  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
  and hmac-sha512
  [ISC-Bugs #36947]

- Added check for invalid failover message type. Thanks to Tobias Stoeckmann
  working with the OpendBSD project who spotted the issue and provided the
  [ISC-Bugs #36653]

- Corrected rate limiting checks for bad packet logging.  Thanks to Tobias
  Stoeckmann working with the OpendBSD project who spotted the issue and
  provided the patch.
  [ISC-Bugs #36897]

- Log statements depicting what files will be used by the server now occur
  after the configuration file has been processed.
  [ISC-Bugs #36671]

- Addressed Coverity issues reported as of 07-31-2014:
  [ISC-Bugs #36712] Corrects Coverity reported "high" impact issues.
  [ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues
  [ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older
  compilers that was introduced by #36712

- Server now supports a failover split value of 256.
  [ISC-Bugs] #36664]

- Remove unneeded error #defines.  These defines were included in case
  external programs required the older versions of the macro.  They
  have been #ifdeffed for now and will be removed at a future date.
  See site.h for the #define to include them again, but you should
  switch to using the DHCP_R_* versions instead of the ISC_R_* versions.
  Also ISC_R_MULTIPLE has been removed as it is also deifned in bind.
  [ISC-Bugs #37128]

- Added checks in range6 and prefix6 statement parsing to ensure addresses
  are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #32453]
  [ISC-Bugs #17766]
  [ISC-Bugs #18510]
  [ISC-Bugs #23698]
  [ISC-Bugs #28883]

- Addressed checksum issues:
  Added checksum readiness check to Linux packet filtering which eliminates
  invalid packet drops due to checksum errors when checksum offloading is
  in use.  Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora
  [ISC-Bugs #22806]
  [ISC-Bugs #15902]
  [ISC-Bugs #17739]
  [ISC-Bugs #18010]
  [ISC-Bugs #22556]
  [ISC-Bugs #29769]
  Inbound packets with UPD checksums of 0xffff now validate correctly rather
  than being dropped.
  [ISC-Bugs #24216]
  [ISC-Bugs #25587]

- Added the echo-client-id configuration parameter to the server
  The server now supports RFC 6842 compliant behavior by setting a new
  configuration parameter, echo-client-id.  When enabled, the server will
  include the client identifier option (Option code 61) if received, in its
  responses.  The server identifier returned in NAKs (if enabled) will now
  be the globally defined value (if one) if the server cannot attribute the
  inbound request to a known subnet.
  [ISC-Bugs #35958]
  [ISC-Bugs #32545]

- Added support of the configuration parameter, use-host-decl-names, to
  BOOTP request handling.
  [ISC-Bugs #36233]

- Added logic to ignore the signal, SIGPIPE, which ensures write failures
  will be delivered as errors rather than as SIGPIPE signals on all OSs.
  Thanks to Marius Tomaschewski from SUSE who reported the issue and
  the patch upon which the fix is based.
  [ISC-Bugs #32222]

- In the failover code, handle the case of communications being interrupted
  when the servers are dealing with POTENTIAL-CONFLICT.  This patch allows
  the primary to accept the secondary moving from POTENTIAL-CONFLICT to
  RESOLUTION-INTERRUPTED as well as handling the bind update process better.
  In addition the code to resend update or update all requests has been
  modified to send requests more often.
  [ISC-Bugs #36810]
  [ISC-Bugs #20352]

- By default, the server will now choose the value to use in the forward DNS
  name from the following in order of preference:

    1. FQDN option if provided by the client
    2. Host name option if provided by the client
    3. Configured option host-name if defined

  As before, this may be overridden by defining ddns-hostname to the desired
  value (or expression).  In addition, the server logic has been extended to
  use the value of the host name declaration if use-host-decl-names is
  and no other value is available.
  [ISC-Bugs #21323]

- DNS updates were being attempted when dhcp-cache-threshold enabled the
use of
  the existing lease and the forward DNS name had not changed.  This has
  [ISC-Bugs #37368]
  [ISC-Bugs #38686]

- Corrected an issue which caused dhclient to incorrectly form the
result when
  prepending or appending to the IPv4 domain-search option,received from the
  server, when either of the values being combined contain compressed
  [ISC-Bugs #20558]

- Added the server-id-check parameter to the server configuration.
  This parameter allows run-time control over whether or not a server,
  participating in failover, verifies the dhcp-server-identifier option in
  DHCP REQUESTs against the server’s id before processing the request.
  Formerly, enabling this behavior was done at compilation time through
  the use of the #define, SERVER_ID_CHECK, which has been removed from
  The functionality is now only available through the new runtime paramater.
  [ISC-Bugs #37551]

- During startup, when the server encounters a lease whose binding state is
  FTS_BACKUP but whose pool has no configured failover peer, it will
reset the
  lease's binding state to FTS_FREE.  This allows the leases to be reclaimed
  by the server after a pool's configuration has changed from failover to
  standalone. Prior to this such leases would remain stuck in the backup
  making them unavailable for assignment.  Note this conversion will occur
  whether or not the server is compiled for failover.
  [ISC-Bugs #36960]

- Fixed a small issue in the treatment of hosts in the inform processing
  that could cause the response to an inform to include information from
  the wrong scope.  The two examples we've heard of are getting subnet
  instead of group information associated with a host entry, or getting
  global information instead of subnet if the host entry was built via
  omapi.  Thanks to Julien Soula at University of Lille for finding the
  bug and supplying a patch.
  [ISC-Bugs #35712]

- Avoid calling pool_timer() recursively from supersede_lease().  This could
  result in leases changing state incorrectly or delaying the running of the
  leae expiration code.
  [ISC-Bugs #38002]

- Move the check for a PID file and process to be before we rewrite the
  lease file.  This avoids the possibility of starting a second instance
  of a server which changes the current lease file confusing the first
  instance.  This check is only included if the admin hasn't disabled PID
  [ISC-Bugs #38078]
  [ISC-Bugs #38143]

- In the client code change the way preferred_life and max_life are printed
  for environment variables to be unsigned rather than signed.
  Thanks to Jiri Popelka at Red Hat for the bug report and patch.
  [ISC-Bugs #37084]

- Modified linux packet handling such that packets received via VLAN are now
  seen only by the VLAN interface. Prior to this, such packets were seen by
  both the VLAN interface and its parent (physical) interface, causing the
  server to respond to both.  Note this remains an issue for non-Linux OSs.
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #37415]
  [ISC-Bugs #37133]
  [ISC-Bugs #36668]
  [ISC-Bugs #36652]

- Log content has been changed to more directly suggest that admins should
  check for multiple IPv6 clients attempting to use the same DUID when only
  abandoned addresses are available.  Debug level logging will now emit
  of the total number of, in-use, and abandoned addresses in a shared subnet
  when the server finds no addresses available for a given DUID.  Lastly,
  threshold logging is now automatically disabled for shared subnets whose
  total number of possible addresses exceeds (2^64)-1.
  [ISC-Bugs #26376]
  [ISC-Bugs #38131]

- Added a global parameter, prefix-length-mode, which may be used to
  how the server uses a non-zero value for prefix-length supplied by clients
  when soliciting DHCPv6 prefixes.  The server supports selection modes of:
  ignore, prefer, exact, minimum and maximum which are described in
detail in
  the server man pages.  The prior behavior of the server was to only
offer a
  prefix whose length exactly matched the prefix-length value requested. If
  no such prefixes were available, the server returned a status of none
  available.  Note the default mode, "exact", provides this same behavior.
  [ISC-Bugs #36780]
  [ISC-Bugs #32228]

- Corrected inconsistencies in dhcrelay's setting the upper interface
hop count
  limit such that it now sets it to 32 when the upstream address is a
  address per RFC 3315 Section 20. Prior to this if the -u argument preceded
  the -l argument on the command line or if the same interface was specified
  for both; the logic to set the hop limit count for the upper interface was
  skipped.  This caused the hop count limit to be set to the default value
  (typically 1) in the outbound upstream packets.
  [ISC-Bugs #37426]

More information about the dhcp-workers mailing list