[Kea-announce] Kea 1.9.7, a new development release of Kea, is now available
mcnally at isc.org
Wed Apr 28 17:09:07 UTC 2021
Internet Systems Consortium is pleased to announce the release of Kea 1.9.7.
Releases in the Kea 1.9.x sequence are part of the Kea 1.9 development branch,
where new features are provided for testing and evaluation before the branch
is designated stable and recommended for production use.
The current stable branch of Kea is Kea 1.8 and its most recent release is 1.8.2
The latest releases from each branch are available via the ISC downloads page:
# Kea 1.9.7, April 28th 2021, Release Notes
Welcome to Kea 1.9.7, the eighth monthly release of the 1.9 development
branch. As with any other development release, use this with caution:
development releases are not recommended for production use.
This release adds new features, improves existing features, clarifies
documentation, and fixes a few bugs. The most notable changes introduced
in this version are:
1. **Experimental Multi-Threaded High Availability (HA+MT)**. Kea 1.8.0
introduced multi-threaded support that significantly increased the
packet processing performance. Sadly, many deployments couldn't take
advantage of it because while the packet processing engine is very
capable, the relatively slow communication between HA partners was a
bottleneck. This problem is being addressed in this release. After
several months of work, the HA component now has experimental
multi-threaded support. This is a substantial architectural change. When
HA+MT is enabled, the DHCPv4 and DHCPv6 daemons are now able to open
HTTP sockets on their own and connect directly to each other, bypassing
the Control Agent (CA). This eliminates the bottlenecks of sequential
UNIX socket connection and the need to translate between HTTP and UNIX
socket connections. The HA+MT itself can create multiple threads with
each thread opening its own connections. Running in multiple threads,
multiple connections improve performance substantially, in some cases by
an order of magnitude. Before using this feature, please read the new
`16.15.15 Mutli-threaded Configuration (HA+MT)` in detail. The feature
is disabled by default. The status of this feature is experimental and
there are known issues. In particular, the shutdown procedure is not
exactly thread-safe, so there may be problems during daemon shutdown.
Use with caution and please report any issues you may discover. Do not
use in production! This work has been conducted in many tickets [#1732,
#1733, #1734, #1735, #1736, #1807].
2. **Comments in API commands**. Kea supports various (#, // and /* */)
comment styles in its configuration files. However, these were not
supported in the API calls. This posed a problem in some deployments,
where users had nicely commented configuration files that couldn't be
used in `config-set` and similar commands. This limitation has been
removed [#1515, #1652].
3. **kea-admin password handling**. Earlier `kea-admin` tool versions
offered only one way to specify the password - using the command line
parameter. This approach was basic and had some security drawbacks. Now
there are three alternative methods available to specify passwords:
explicitly on the command line (`-p secret`), using a prompt that will
not echo the password in the terminal (`-p`), or using environment
variables. This selection should allow administrators to pick the
solution that suits their deployment and their threat models [#1675].
4. **ARM Security Section**. With the recent introduction of TLS
support, we decided to add a section on `23. Kea Security` to the Kea
Administrator Reference Manual. This covers topics such as which daemons
to run, how to run without root access, and how to secure access. Some
additional process-related issues are described as well [#1587].
5. **Build improvements**. An assorted collection of general build
improvements made it into this release. Support for Autoconf 2.70 has
been significantly improved [#1651, #1632]. Hammer, Kea's internal build
tool, has been extended and various problems were addressed. The problem
with pg_hba.conf on RPM-based systems is now fixed [#1814]. Distcheck
failure on CentOS7 was fixed [#1804]. Some improvements have been made
for FreeRadius on Ubuntu 20.10 [#1813] and Fedora 33 [#1808]. Fixes for
unit tests running on Postgres were made [#1811].
## Incompatible Changes
There are no backward-incompatible changes in this release.
## Known Issues
For details on known issues, visit:
And for the list of issues marked as bugs:
## Release Model
The Kea project has a significant production deployment base with users
who are looking for stability, rather than a constant stream of new
"bleeding-edge" features. At the same time, we want to continue
developing the software and add some new powerful, but
difficult-to-implement, features. To meet both of these requirements we
have both Stable and Development branches.
Stable releases are what you would expect: stable, released
infrequently, without new features or significant changes, very
well-tested. These can be identified by an even-numbered minor version
number. The current stable release is 1.8.2. The older stable version of
1.6.3 is also available. If we discover important bugs that require
fixing, we may release additional maintenance versions on the 1.8
branch, but that will be determined on a case-by-case basis. The next
major stable version will be 2.0.0.
Development releases can be easily identified by an odd minor version
number: for example, 1.9.0 is a development release. Subsequent releases
on the same minor release branch get numbered with 1.9.1, 1.9.2, and so
Our goal is to make the development release available on the last
Wednesday of each month. There may be exceptions (such as during
holidays), but that's the general plan.
We encourage users to test the development releases and report back
For more details on the plan, see ISC's Software Support Policy at:
## Kea Overview
Kea is a DHCP implementation developed by Internet Systems Consortium,
Inc. that features fully functional DHCPv4 and DHCPv6 servers, a dynamic
DNS update daemon, a Control Agent (CA) that provides a REST API to
control the DHCP and DNS update servers, an example shell client to
connect to the CA, a daemon that is able to retrieve YANG configuration
and updates from Sysrepo, and a DHCP performance-measurement tool. Both
DHCP servers support server discovery, address assignment, renewal,
rebinding, release, decline, information request, DNS updates, client
classification, and host reservations. The DHCPv6 server also supports
prefix delegation. Lease information is stored in a CSV file by default;
it can optionally be stored in a MySQL, PostgreSQL, or Cassandra
database instead. Host reservations can be stored in a configuration
file, or in a MySQL, PostgreSQL, or Cassandra database. They can also be
retrieved from a RADIUS server, although this functionality is somewhat
limited. Kea DHCPv4 and DHCPv6 daemons provide support for YANG models,
which are stored in a Sysrepo datastore and can be configured via the
This text references issue numbers. For more details, visit the Kea
GitLab page at:
This version of Kea is released under the Mozilla Public License,
The premium and subscriber-only hooks libraries are provided in source
code form, under the terms of an End User License Agreement (you will
get the source code that you can modify freely, but you are not
permitted to redistribute it).
Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:
The Kea source and PGP signature for this release may be downloaded from:
The signature was generated with the ISC code-signing key which is
ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual (ARM).
Documentation is included with the installation, at:
* or via https://kb.isc.org/docs/kea-administrator-reference-manual in
HTML, plain text, or PDF formats
ISC maintains a public open source code tree, a wiki, an issue tracking
system, milestone planning, and a roadmap at:
We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list at:
We would also like to hear whether the documentation is adequate and
accurate. Please open tickets in the Kea GitLab project for bugs,
documentation omissions and errors, and enhancement requests. We want to
hear from you even if everything worked.
Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea development and
maintenance are funded with support subscriptions. For more information
on ISC's Kea and DHCP software support see:
Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at:
If you have any comments or questions about working with Kea, please
share them on the Kea Users List:
Bugs and feature requests may be submitted via GitLab at:
The following summarizes changes since the previous release of 1.9.6:
1891. [build] razvan
Library version numbers bumped for Kea 1.9.7 development
1890. [doc] fdupont
Added a new section to the ARM, Kea Security, which describes
various security related topics and how to address them.
1889. [func] fdupont
Accept comments (shell '#', C++ '//' and C '/*...*/') in
JSON commands sent via the control channel or the Control
1888. [func] tmark
Added a new operational mode, HA+MT, to the HA hook library.
HA+MT provides direct, multi-threaded HTTP communication
between peers for the exchange HA protocol commands and
1887. [build] andrei, fdupont
Migrated autoconf macros, which became warningly deprecated
since autoconf 2.70, to supported macros.
(Gitlab #1632, #1651)
1886. [doc] tomek
Added a section in the ARM explaining the relationship between
keactrl and systemd scripts.
1885. [func] andrei
kea-admin is now able to interactively ask for a password if no
parameter follows the -p or the --password parameters. This
requires the user to give it as the last parameter. The entered
password is not echoed back to the terminal in order to prevent
over-the-shoulder snooping or other social engineering
techniques. Alternatively, you can set the password via the
KEA_ADMIN_DB_PASSWORD environment variable.
1884. [doc] fdupont
HTTP_CONNECTION_HANDSHAKE_FAILED log message got a
Thank you again to everyone who assisted us in making this release
We look forward to receiving your feedback.
More information about the Kea-announce