ISC_DHCP 4.3.3 is now available for download.
tmark at isc.org
Thu Sep 3 19:25:39 UTC 2015
ISC DHCP 4.3.3 is now available for download.
This is the release of ISC DHCP 4.3.3, a maintenance
release which contains a number of bug fixes.
Field testing is an important part of our quality process.
Please report bugs to dhcp-bugs at isc.org.
A list of the changes in this release has been appended to the end
of this message. For a complete list of changes from any previous
release, please consult the RELNOTES file within the source distribution.
They can also be found at:
Knowledge base articles about various features can be found starting from:
Webinars can be found here:
This release, and its OpenPGP-signatures are available now from:
ISC's Release Signing Key can be obtained at:
If you attempt to build DHCP with clang you may get the following
warning while building the included BIND libraries:
clang: warning: optimization flag '-fno-delete-null-pointer-checks' is
We have addressed this in BIND but the version with the patch was not
yet released when we released DHCP. This is only a warning and should
not affect the running code.
The following are changes that may be more interesting and require
a bit more explanation.
We have removed the dst directory from the 4.3.x distribution.
This library provided some crypto type functions such as hashing
and signing of packets. As of 4.2.0 we include a BIND tarball
and use the dst library from there within the DHCP code. We
continued to ship the previous dst library for those users that
might have included it in their own code, for example in an
OMSHELL like progam. As it has been several years since DHCP
used it we have decided to remove this library from the distribution.
If you do have a program that makes use of the library you should
make a copy from either a previous version of DHCP or from a
current copy of the 4.1-ESV release and include that in your
In 4.3.2 we added a restriction that a prefix pool must be within
the defining subnet. Also when we added the class matching code
we assumed a static prefix in a host declaration would be within
a subnet. After both external and internal discussion we concluded
that these restrictions were inappropraite and we have relaxed them.
In this release we have added a feature that can improve performance
of the DHCPv4 server in some cases. In general there are two areas
that limit performance 1) writing to disk and 2) searching and updating
the lists that track v4 leases. The first item can be somewhat addressed
by features such as delayed-ack or by moving your lease file to
a non-volatile ram disk thus avoiding some of the delay in writing
an entry to the lease file. The second one is addressed by this
new compile time feature "--enable-binary-leases". This switches
the code to do binary instead of linear searches on the lists storing
the leases and for large lease pools it seems to work well. We
have chosen to make this a compile time option and default it to
the old style to avoid disruption due to code changes or bugs.
More information can be found at our knowledge base
For several years we have included LDAP code within the distribution.
While this is included in the main source code due to it being
somewhat scattered within the code it is still considered "contrib"
code. This means that we do not test or verify it and provide minimal
maintenance for it. We do however have several contributors that use
it and have been maintaining it and they have sent us bug fixes and
enhancements. We have collected these and done an update of the LDAP
code, though the code will continue to be considered "contrib" and
users use it at their own risk. We would like to thank the contributors
for their efforts. For more information see the release note below
or visit the knowledge base article at:
We have modified the PARANOIA patch to adjust the file permissions
(owner and group) used for the lease file. In our testing this had
no negative effects. However, given the range of OSes and security
features, we are not able to test all possible combinations.
We have added an option to build the ATF test code from the sources
included in the Bind source tree. To use this feature you would
set the configure option "--with-atf" to "bind", for example
The following is the list of all changes for this release.
Changes since 4.3.3b1
Changes since 4.3.2
- The server now does a better check to see if it can allocate the memory
for large blocks of v4 leases and should provide a slightly better error
message. Note well: the server pre-allocates v4 addresses, if you use
a large range, such as a /8, the server will attempt to use a large
amount of memory and may not start if there either isn't enough memory
or the size exceeds what the code supports.
- The server will now reject unicast Request, Renew, Decline, and Release
messages from a client unless the server would have sent that client the
dhcp6.unicast option. This behavior is in compliance with paragraph 1 in
each of the sections 18.2,1, 18.2.3, 18.2.6, and 18.2.7 of RFC 3315. Prior
to this, the server would simply accept the messages. Now, in order for
the server to accept such a message, the server configuration must include
the dhcp6.unicast option either globally or within the shared network to
which the requested lease belongs. In other words, the server will map
the first IA_XX address found within the client message to a
and look for the presence of the unicast option there and then globally.
Thanks to Jiri Popelka at Red Hat for this issue and his patch which
inspired the fix.
- The ATF (Automated Testing Framework) tools used for optional unit tests
can now be built from its embedded sources in bind, solving the
atf-run / atf-report issue with recent (>= 0.20) versions of ATF.
The new configuration option is "./configure --with-atf=bind".
[ISC-Bugs #38754, #39300]
- Corrected a compilation error introduced by the fix for ISC-Bugs #22806.
On older linuxes that do not include the tpacket_auxdata structure don't
bother allocating the cmsgbuf as it isn't necessary and we don't have
a proper length for it.
- Remove the dst directory. This was replaced in 4.2.0 with the dst
code from the Bind libraries but we continued to include it for
backwards compatibility. As we have now released 4.3.x it seems
reasonable to remove it.
- Write out the DUID server id on startup in all cases, previously if it
was read in from server-duid option in the config or lease files for
DHCPv4 it would not be written to the new lease file.
- When parsing dates for leases convert dates past 2038 to "never".
This avoids problems with integer overflows in the date and time
handling code for people that decide to use very large lease times
or add a lease entry with a date far in the future.
- Leave the siaddr field clear when sending a NACK as per RFC 2131
- In the client don't send expired addresses to the script as part of
the binding process. Thanks to Sven Trenkel at Google for reporting
the issue and suggesting the patch.
- While parsing IPv6 addresses treat "add" as part of the address instead
of as a token.
- Add support for accessing the v4 lease queues (active, free etc) in a
binary fashion instead of needing to walk through a linear list to
insert, find or remove an entry from the queues. In addition add a
compile time option "--enable-binary-leases" to enable the new code
or to continue using the old code. The old code is the default.
Thanks to Fernando Soto from BlueCat Networks for the patch.
- Delayed-ack now works properly with Failover. Prior to this, bind updates
post startup were being queued but never delivered. Among other
was causing leases to not transition from expired or released to free.
- Clean up parsing of v6 lease files a bit to avoid infinite loops if the
lease file is corrupt in certain ways.
- Corrected a crash in dhclient that occurs during lease renewal if the
client is performing its own DNS updates. Thanks to Jiri Popelka at
for the bug report.
- Corrected an issue in v6 lease file parsing. Prior to this, when
a lease with an address for which no configured pool exists, the
declaring the lease file corrupt and incorrectly skipping over the
entry in the file. The server will now emit a log message indicating that
no pool was found for the address (or prefix) and correctly resume parsing
with the next entry in the lease file. Our thanks to Michal Žejdl for
reporting the issue.
- Be more liberal in finding a subnet group associated with a static
prefix. When we added the class matching code for v6 we also added
a requirement that the static prefix must be within a subnet the
client was in, in order to find the proper statements. We now
look for a subnet based on the prefix, failing that on the static
address for the client and failing that on the shared network
- Add a new action expression "parse_vendor_options", which can be used
to parse a vendor-encapsualted-option received by the server based on
the encoding specified by the vendor-option-space statement.
- Enhance the PARANOIA patch to include fchown() the lease file to
allow it to be manipulated after the server does a chown().
Thanks to Jiri Popelka at Red Hat for the patch.
- Relax the requirement that prefix pools must be within the subnet.
This was added in as part of #32453 in order to avoid configuration
mistakes but is being removed as prefixes aren't required to be
within the same subnet and many people configure them in that fashion.
- Fixed a server crash that could occur when the server attempts to remove
the billing class from the last lease billed to a dynamic class after said
class has been deleted.
- LDAP Patches - Numerous small patches submitted by contributors have
been applied to the contributed code which supplies LDAP support.
In addition, two larger submissions have also been included. The
first adds support for IPv6 configuration and the second provides
GSSAPI authentication. We would like to thank the following for their
Alex Novak at SUSE
Bill Parker (wp02855 at gmail dot com)
Jiri Popelka at Red Hat
Marius Tomaschewski at SUSE
(william at adelaide.edu.au), The University of Adelaide
- Handle an out of memory condition in the client a bit better.
Thanks to Frédéric Perrin from Brocade for finding the issue
and suggesting a patch.
More information about the dhcp-workers