[Kea-announce] Kea 1.9.8, a new development release of Kea, is now available
mcnally at isc.org
Wed May 26 18:42:59 UTC 2021
Internet Systems Consortium is pleased to announce the release of Kea 1.9.8.
Releases in the Kea 1.9.x sequence are part of the Kea 1.9 development branch,
where new features are provided for testing and evaluation before the branch
is designated stable and recommended for production use.
The current stable branch of Kea is Kea 1.8 and its most recent release is 1.8.2.
The latest releases from each branch are available via the ISC downloads page:
# Kea 1.9.8, May 26th 2021, Release Notes
Welcome to Kea 1.9.8, the eighth monthly release of the 1.9 development
branch. As with any other development release, use this with caution:
development releases are not recommended for production use.
This release adds new features, improves existing features, clarifies
documentation, and fixes a few bugs. The most notable changes introduced
in this version are:
1. **Forensic logging enhancements** - The forensic logging hooks
library is now able to log custom expressions. The expressions can
include any option (such as relay option 82) or sub-option (such as
circuit-id, remote-id, or any other sub-option), packet fields, network
interface names, local or remote IP address, and more. It uses the same
expressions engine as when defining client classification or flexible
identifiers. Evaluating expressions is a relatively expensive operation,
so more customized logs will have more performance impact than the
default log. The more complex the expression is, the more impact it may
The forensic logging hooks library also supports flexible rotation
intervals using 'second', 'day', 'month' or 'year' time units and also
'pre-rotate' and 'post-rotate' actions which can be used to move or
compress respective files whenever the rotate action is performed.
This feature included several separate tickets: added (+) plus
operator [#1824, #1863], custom forensic logging format and time units
with pre-rotate and post-rotate actions [#1680], better handling of
parameter-less operation [#1866], and custom logging option 82 contents
(and any other option) on renewals [#1576].
2. **HA+MT stability** - The multi-threaded (MT) support for High
Availability (HA) is now more stable. In particular, the hooks are now
notified when Kea enters or leaves a critical state. This eliminates
previously observed race conditions when shutting down or reconfiguring
Kea with HA+MT enabled [#1876, #1818].
3. **Per-device access control** - Kea is now able to drop packets
coming from devices that have matching host reservations with class set
to DROP (`DROP` class listed in the `client-classes` field in the
`reservations`). This effectively allows the operator to selectively
drop incoming packets from some devices, such as customers that have
overdue payments, and misbehaving or unwanted devices [#1815].
4. **Better vendor options handling in DHCPv6** - Two improvements
related to vendor options are included in this release. First, Kea is
now able to process slightly malformed vendor options that have the
inner length field set to an incorrect, overly large value. With this
improvement, Kea can now be configured (see `lenient-option-parsing` in
`compatibility` scope) to process slightly non-conformant options,
rather than simply ignore them. This should improve compatibility with
devices such as RAD MiNID [#1860]. The second improvement lets Kea
extract the enterprise identifier from the vendor class option in DHCPv6
5. **Security** - Kea now obscures passwords in debug logs when the
whole configuration is printed [#1721]. Authentication information is
now logged on a dedicated logger, making it easier to implement security
policies, such as logging to a dedicated secure storage [#1590]. TLS
support is now functional when building with the Botan library instead
of OpenSSL. While Botan is much less popular than OpenSSL, it may be a
viable alternative in cases where OpenSSL cannot be used [#1665].
6. **Bugfixes** - We fixed a bug in the DHCPv4 subnet selection logic.
The server ignored the Subnet Selection option supplied by a client if
its query contained a Relay Agent Information (RAI) option without a
Link Selection option. After this change, the server respects the Subnet
Selection option when RAI lacks the Link Selection option. If RAI
includes the Link Selection option, it takes precedence over the Subnet
Selection option [#1816]. Assorted smaller issues reported by Coverity
Scan have also been fixed [#1806, #1854, #1855, #1852, #1850, #1853,
7. **Build improvements** - Unit tests on CentOS 7 [#1888] and the
Kea-netconf compilation [#1883] are now fixed; forensic logging unit
tests no longer fail on FreeBSD [#1879]; we have added support for
gcc11, which now makes Kea compilation on Fedora 34 viable [#1834,
#1833, #1871, #1839]; and we fixed two problems when generating Sphinx
documentation, in particular when using Sphinx 3.3.1 or newer [#1877,
8. **Testing** - Perfdhcp is now able to simulate DHCPv6 traffic coming
from multiple subnets. While perfdhcp is not typically used by end-users
(although they certainly can if they want to stress test their
deployment), this tool is used for ISC performance testing. This
extended capability will allow testing of more complex IPv6 scenarios
that more closely replicate actual deployments [#1416].
## Incompatible Changes
1. **Dropping Python 2 support** - Python 2 support was EOLed on 1 Jan
2020. Most current distributions have full native Python 3 support, with
the exception of CentOS 7. On CentOS 7, Python 2 is still the default,
but Python 3 installation is an easy task. Kea version 1.9.8 dropped
support for Python 2 in `kea-shell`.
Kea users on CentOS 7 have several options. The most direct is for
users who want to use `kea-shell` on CentOS 7 to install Python 3
packages. If this is not viable, `kea-shell` still works with Python 2
for now, but TLS is not supported. (This partial backward compatibility
is expected to disappear when Kea 2.0.0 is released.) The third
alternative is to use different tools or environments. `kea-shell`
simply sends JSON commands over HTTPS and prints JSON responses. Such
capabilities are available using various tools (such as `curl`, `socat`,
`postman`) or scripting environments [#1873].
2. **Kea shell in a separate RPM package** - `kea-shell` is now
available in a separate RPM package. The base Kea package no longer
depends on the Python 2 package.
## Known Issues
For details on known issues, visit:
And for the list of issues marked as bugs:
## Release Model
The Kea project has a significant production deployment base with users
who are looking for stability, rather than a constant stream of new
"bleeding-edge" features. At the same time, we want to continue
developing the software and add some new powerful, but
difficult-to-implement, features. To meet both of these requirements we
have both Stable and Development branches.
Stable releases are what you would expect: stable, released
infrequently, without new features or significant changes, very
well-tested. These can be identified by an even-numbered minor version
number. The current stable release is 1.8.2. The older stable version of
1.6.3 is also available. If we discover important bugs that require
fixing, we may release additional maintenance versions on the 1.8
branch, but that will be determined on a case-by-case basis. The next
major stable version will be 2.0.0.
Development releases can be easily identified by an odd minor version
number: for example, 1.9.0 is a development release. Subsequent releases
on the same minor release branch get numbered with 1.9.1, 1.9.2, and so
Our goal is to make the development release available on the last
Wednesday of each month. There may be exceptions (such as during
holidays), but that's the general plan.
We encourage users to test the development releases and report back
For more details on the plan, see ISC's Software Support Policy at:
## Kea Overview
Kea is a DHCP implementation developed by Internet Systems Consortium
that features fully functional DHCPv4 and DHCPv6 servers, a dynamic DNS
update daemon, a Control Agent (CA) that provides a REST API to control
the DHCP and DNS update servers, an example shell client to connect to
the CA, a daemon that is able to retrieve YANG configuration and updates
from Sysrepo, and a DHCP performance-measurement tool. Both DHCP servers
support server discovery, address assignment, renewal, rebinding,
release, decline, information request, DNS updates, client
classification, and host reservations. The DHCPv6 server also supports
prefix delegation. Lease information is stored in a CSV file by default;
it can optionally be stored in a MySQL, PostgreSQL, or Cassandra
database instead. Host reservations can be stored in a configuration
file, or in a MySQL, PostgreSQL, or Cassandra database. They can also be
retrieved from a RADIUS server, although this functionality is somewhat
limited. Kea DHCPv4 and DHCPv6 daemons provide support for YANG models,
which are stored in a Sysrepo datastore and can be configured via the
This text references issue numbers. For more details, visit the Kea
GitLab page at:
This version of Kea is released under the Mozilla Public License,
The premium and subscriber-only hooks libraries are provided in source
code form, under the terms of an End User License Agreement (you will
get the source code that you can modify freely, but you are not
permitted to redistribute it).
Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:
The Kea source and PGP signature for this release may be downloaded from:
The signature was generated with the ISC code-signing key which is
ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual (ARM).
Documentation is included with the installation, at:
* or via https://kb.isc.org/docs/kea-administrator-reference-manual in
HTML, plain text, or PDF formats
ISC maintains a public open source code tree, a wiki, an issue tracking
system, milestone planning, and a roadmap at:
We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list at:
We would also like to hear whether the documentation is adequate and
accurate. Please open tickets in the Kea GitLab project for bugs,
documentation omissions and errors, and enhancement requests. We want to
hear from you even if everything worked.
Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea development and
maintenance are funded with support subscriptions. For more information
on ISC's Kea and DHCP software support see:
Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at:
If you have any comments or questions about working with Kea, please
share them on the Kea Users List:
Bugs and feature requests may be submitted via GitLab at:
The following summarizes changes since the previous release of 1.9.7:
1904. [build] wlodek
Library version numbers bumped for Kea 1.9.8 development
1903. [func] andrei
Kea now recognizes requests sent from vendors that include their
information in DHCPv6 Vendor Class option (code 16) for the
purpose of offering custom options in the response. Previously,
only the Vendor-specific Information option (code 17) was
searched for a vendor ID. For the purpose of classification, both
options are looked into, now, just as before.
1902. [func] andrei, fdupont
All logs that expose configuration, either in full or in snippets,
now have the values of "password" and "secret" entries replaced
with asterisks "*****".
1901. [bug] marcin
Corrected a bug in DHCPv4 subnet selection. The server ignored
the Subnet Selection option supplied by a client if its query
contained a Relay Agent Information (RAI) option without a Link
Selection option. After this change, the server respects the
Subnet Selection option when RAI lacks the Link Selection
option. If RAI includes it, it takes precedence over the Subnet
1900. [bug] tmark
Fixed a sporadic failure caused by a wrong assertion in
unit test, testMtHttpClientTest.workPauseResumeShutdown,
introduced by #1818.
1899. [func] tmark,razvan
In HA+MT mode, the HA hook library now pauses and resumes
its worker threads when Kea core enters and exits critical
sections, respectively. This eliminates race conditions
during core processing such as reconfiguration, shutdown,
and certain RESTful API commands.
1898. [func] fdupont
The DROP class may now depend on the KNOWN or UNKNOWN classes
and may be used after the host reservation lookup.
1897. [func] andrei
Kea has a new configuration section called "compatibility" geared
towards non-compliant clients. The only boolean parameter added
for now called "lenient-option-parsing" changes the way DHCPv6
option 16's vendor-class-data field is parsed. When enabled,
instead of complaining that a length exceeds the rest of the
option's buffer, the value is considered to be the rest of the
buffer. This also applies to custom options defined with the
tuple type for both DHCPv4 and DHCPv6.
1896. [func] wlodek
Perfdhcp extended to send v6 traffic from multiple networks.
1895. [func] razvan
Added additional evaluation tokens to extract and print data:
addrtotext, int8totext, int16totext, int32totext, uint8totext,
1894. [func] fdupont
Implemented 'auth' logger, dedicated to logging access
control information, such as basic HTTP authentication.
1893. [func] fdupont
Botan 2.14 or later can now be used as a crypto library for
the TLS/HTTPS support in Kea.
1892. [func] fdupont
Added + operator as a convenient alias to concat() function
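Changelog entry 1897 above describes how "lenient-option-parsing" handles an over-long length in option 16's vendor-class-data. The sketch below is an added illustration, not Kea's own code: it parses the option body per the RFC 8415 layout (4-byte enterprise number, then tuples of 2-byte length plus data) in strict and lenient modes. The function name, the `clamped` flag and the sample bytes are assumptions constructed for this example.

```python
import struct

class OptionParseError(ValueError):
    """A field runs past the end of the option body."""

def parse_vendor_class(body: bytes, lenient: bool = False):
    """Parse the body of a DHCPv6 Vendor Class option (code 16).

    Layout (RFC 8415): 4-byte enterprise number, then zero or more
    tuples of 2-byte big-endian length + opaque data.
    Returns (enterprise_id, [data, ...], clamped); clamped is True when
    lenient mode had to cut an over-long length down to the bytes left.
    Hypothetical helper written for this example, not a Kea API.
    """
    if len(body) < 4:
        raise OptionParseError("truncated enterprise number")
    (enterprise_id,) = struct.unpack_from("!I", body, 0)
    offset, items, clamped = 4, [], False
    while offset < len(body):
        if len(body) - offset < 2:
            raise OptionParseError("truncated tuple length field")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        remaining = len(body) - offset
        if length > remaining:
            if not lenient:
                raise OptionParseError(
                    f"tuple length {length} exceeds remaining {remaining} bytes")
            # Lenient: the value is taken to be the rest of the buffer.
            length, clamped = remaining, True
        items.append(body[offset:offset + length])
        offset += length
    return enterprise_id, items, clamped

# Constructed samples; 32473 is the enterprise number reserved for documentation.
WELL_FORMED = struct.pack("!IH", 32473, 5) + b"modem"
OVERLONG = struct.pack("!IH", 32473, 64) + b"modem"   # claims 64 bytes, has 5

if __name__ == "__main__":
    print(parse_vendor_class(WELL_FORMED))
    try:
        parse_vendor_class(OVERLONG)
    except OptionParseError as exc:
        print("strict:", exc)
    print("lenient:", parse_vendor_class(OVERLONG, lenient=True))
```

Surfacing the `clamped` flag in logs shows which clients actually depend on the lenient path.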
Thank you again to everyone who assisted us in making this release
We look forward to receiving your feedback.