[kea-announce] Kea 2.1.7, a new development release of Kea, is now available
Greg Choules
greg at isc.org
Wed Jun 29 11:56:27 UTC 2022
Internet Systems Consortium is pleased to announce the release of Kea 2.1.7.
Releases in the Kea 2.1.x sequence are part of the Kea 2.1 development branch,
where new features are provided for testing and evaluation before the branch
is designated stable and recommended for production use.
The current stable branch of Kea is Kea 2.0 and its most recent release
is 2.0.2.
Starting with this release, the Kea source tarball will be available from cloudsmith.io:
https://dl.cloudsmith.io/public/isc/kea-2-0/raw/versions/2.0.2/kea-2.0.2.tar.gz
https://dl.cloudsmith.io/public/isc/kea-2-1/raw/versions/2.1.7/kea-2.1.7.tar.gz
And from the ISC download page:
https://www.isc.org/download
# Kea 2.1.7, June 29 2022, Release Notes
Welcome to Kea 2.1.7, the eighth monthly release of the 2.1 development
branch. As with any other development release, use this with caution:
development releases are not recommended for production use.
Kea is a DHCP implementation developed by Internet Systems Consortium
(ISC) that features DHCPv4 and DHCPv6 servers with DNS updating and a
REST API; optional database support (MySQL and PostgreSQL); optional
RADIUS, Kerberos, and YANG/NETCONF support; and much more. Kea provides
extensive management capabilities, including but not limited to: TLS
support, run-time configuration monitoring and updates via a REST API,
host reservations, client classification, and more.
The text below references issue numbers. For more details, visit the Kea
GitLab page at https://gitlab.isc.org/isc-projects/kea/issues.
The following bugfixes and features have been implemented since the
previous release versioned 2.1.6:
1. **TLS support for HA**: It is now possible to establish a connection
between HA partners over TLS. This requires TLS certificates to be
deployed properly [#1706].
2. **New subnet commands**: The `subnet_cmds` hook has been expanded
with several new commands: `subnet4-delta-add`, `subnet4-delta-del`,
`subnet6-delta-add`, and `subnet6-delta-del`. They allow incremental
changes to be applied to existing subnets. This may be useful for a
variety of scenarios, such as adding new or tweaking existing pools in
an existing subnet, adding or removing DHCP options, and much more. The
feature is considered experimental for now, as it has only been lightly
tested so far [#2266].
3. **Packages for new systems**: In preparation for the upcoming 2.2
stable branch, Kea now provides native RPM, DEB, and APK packages for
several recently released OSes: RHEL 9 [#2453], Alpine 3.14 and 3.15,
and Ubuntu 22.04 [#2433]. Tarballs, with their associated ISC
signatures, are now available alongside packages in the Cloudsmith
repository.
4. **Limits**: The limits hook will eventually support multiple
features. The first one - response rate limiting - is functional and
lets users specify an upper limit to the number of responses Kea will
send per unit of time. This capability has gotten several small tweaks
[#2422]. The second ability - lease limiting - is under development. It
will limit the number of leases a targeted group (such as one customer)
can get. This feature is not functional yet, but several code changes to
reach this goal have been implemented: the MySQL schema has been updated
to support lease limits [#2438], and the LeaseMgr interface has been
added for limits checking [#2444].
5. **GSS-TSIG improvements**: The server no longer shuts down when the
GSS-TSIG Kerberos principal is non-existent [#2396]. Documentation and
examples for GSS-TSIG were updated. Client keytab and cache credentials
should generally not be used together [#2247].
6. **User contexts in configuration backends**: Kea has a flexible
mechanism called user context, which allows arbitrary user data to be
attached to most configuration and run-time elements. This capability
has now been brought to both the MySQL and PostgreSQL config backends
[#2430]. The PostgreSQL config backend has also been updated with the
ability to expand client classes with user contexts [#2431]. User
context data is not used by Kea in any way, but Kea makes it available
to hooks for processing.
7. **Build improvements**: Support has been added for the latest OpenSSL
3 cryptographic library [#1614], LibreSSL 3.5.2 [#2411], Red Hat
Enterprise Linux (RHEL) 9 [#2439], and Ubuntu 22.04 [#2433]. The
logger unit tests no longer fail when compiled without logger checks
[#2425]. The GitLab CI is now enabled for premium code. The additional
checks will positively impact quality of the code in the long term
[#2268].
8. **Bugfixes**: Subnet-id limits are now checked properly; earlier
versions silently wrapped oversize (equal to or greater than maxuint32)
subnet-ids to the allowed limits, which caused some unexpected
behaviors. Now Kea refuses a configuration with oversize subnet-id
values [#2086]. The `reservation-get-by-hostname` API command now
provides `subnet-id` in its response, making it consistent with the
other API commands in the `reservation-get` group [#2209]. The
`ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET` message was misleading and suggested
that a subnet was part of a shared network; this is now clarified
[#2395]. A problem with MySQL-cascaded foreign keys not activating
triggers has now been fixed [#2299].
9. **Documentation**: Several example configurations claimed Kea
supported four different backends, which is no longer the case since
Cassandra support was retired; this is now corrected [#2418]. The hooks
list in the ARM has been improved [#2403]. The RBAC documentation has
been corrected slightly [#2435]. Several more user-context examples have
been added to the ARM [#1475].
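
A pre-deployment check for the HA TLS parameters from item 1, added here as an example (not ISC code). It assumes the four parameters named in the changelog sit at the top level of each `high-availability` entry and that the three file parameters are set together; the sample configurations, server name, and file paths are constructed.

```python
import json

TLS_FILE_KEYS = ("trust-anchor", "cert-file", "key-file")

def ha_relationships(config):
    """Yield (daemon, entry) for each `high-availability` entry in a Kea config."""
    for daemon in ("Dhcp4", "Dhcp6"):
        for hook in config.get(daemon, {}).get("hooks-libraries", []):
            for rel in hook.get("parameters", {}).get("high-availability", []):
                yield daemon, rel

def audit_ha_tls(config):
    """Return findings about the TLS parameters that protect HA partner traffic."""
    findings = []
    for daemon, rel in ha_relationships(config):
        where = f"{daemon}/{rel.get('this-server-name', '?')}"
        missing = [k for k in TLS_FILE_KEYS if not rel.get(k)]
        if len(missing) == len(TLS_FILE_KEYS):
            findings.append(f"{where}: no TLS parameters, partner traffic is cleartext")
            continue
        if missing:
            findings.append(f"{where}: incomplete TLS setup, missing {', '.join(missing)}")
        if rel.get("require-client-certs") is False:
            findings.append(f"{where}: require-client-certs is false, "
                            "client certificates are not required")
    return findings

def ha_entry(**tls):
    """Build a constructed Dhcp4 config with one HA entry (peers omitted for brevity)."""
    rel = {"this-server-name": "server1", "mode": "hot-standby", **tls}
    hook = {"library": "libdhcp_ha.so", "parameters": {"high-availability": [rel]}}
    return {"Dhcp4": {"hooks-libraries": [hook]}}

# Constructed sample configurations; the file paths are placeholders (assumptions).
PLAINTEXT = ha_entry()
PARTIAL = ha_entry(**{"cert-file": "/etc/kea/tls/server1.crt",
                      "key-file": "/etc/kea/tls/server1.key",
                      "require-client-certs": False})
HARDENED = ha_entry(**{"trust-anchor": "/etc/kea/tls/ca.crt",
                       "cert-file": "/etc/kea/tls/server1.crt",
                       "key-file": "/etc/kea/tls/server1.key",
                       "require-client-certs": True})

if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT), ("partial", PARTIAL),
                       ("hardened", HARDENED)):
        print(label, json.dumps(audit_ha_tls(cfg), indent=2))
```
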
## Incompatible Changes
* The `reservation-get-by-hostname` API command now returns an
additional field, `subnet-id`. This may affect users who wrote their own
scripts to use this command, if the scripts are not able to handle an
additional field. This new field was added to maintain consistency with
other API commands from the `reservation-get` group.
* The MySQL schema has been updated.
* The PostgreSQL schema has been updated.
## License
This version of Kea is released under the Mozilla Public License,
version 2.0.
https://www.mozilla.org/en-US/MPL/2.0
The premium and subscriber-only hook libraries are provided under the
terms of an End User License Agreement.
## Download
Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:
https://cloudsmith.io/~isc/repos/
The Kea source and PGP signature for this release may be downloaded from:
https://www.isc.org/download, as well as from the Cloudsmith repository.
The signature was generated with the ISC code signing key, which is
available at:
https://www.isc.org/pgpkey
ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at
https://kea.readthedocs.io/en/latest/index.html.
Limitations and known issues with this release can be found at
https://gitlab.isc.org/isc-projects/kea/wikis/known-issues-list.
We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list
(https://lists.isc.org/mailman/listinfo/kea-users). We would also like to
hear whether the documentation is adequate and accurate. Please open
tickets in the Kea GitLab project for bugs, documentation omissions and
errors, and enhancement requests. We want to hear from you even if
everything worked.
## Support
Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea maintenance is funded
with support subscriptions. For more information on ISC's Kea and DHCP
software support see https://www.isc.org/support/.
Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/community/mailing-list.
## Changes
The following summarizes changes and important upgrade notes since the
2.1.6 release for Kea core:
2032. [build] razvan
The library version numbers have been bumped for the Kea 2.1.7
development release.
(Gitlab #2455)
2031. [func] fdupont
Improved compatibility with OpenSSL 3.0.x, in particular
recover system error messages.
(Gitlab #1614)
2030. [doc] fdupont,tomek
GSS-TSIG examples updated. The recommendation to not use
client-keytab and credentials-cache at the same time added.
(Gitlab #2247)
2029. [bug] fdupont
The check of the subnet id in configuration is stricter:
values outside the 0..4294967295 are rejected. Note that
the value 0 means to leave Kea to assign itself the id.
(Gitlab #2086)
2028. [build] orbea, fdupont
Compatibility with LibreSSL 3.5.2 improved.
(Github #121, Gitlab #2411)
2027. [func] fdupont
The TLS is now supported with Multi-Threaded HA (HA+MT) scenario.
Additional parameters (trust-anchor, cert-file, key-file,
require-client-certs) are now supported in the HA configuration.
(Gitlab #1706)
2026. [func] andrei
The MySQL schema has been changed to provide initial support for
the lease limiting feature, part of the limits hook library.
(Gitlab #2438)
2025. [bug] tmark
Added missing support for client-class user-context to
both MySQL and PostgreSQL CB hook libraries.
(Gitlab #2430)
2024. [func] djt
The ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET log message format has been
slightly modified, so that when it is emitted for a subnet that
is not within a shared network, it emits "(none)" for the value
of the shared network. The ARM documentation for this parameter
has been updated to reflect that subnets within shared networks
will in fact display which shared network the subnet belongs to.
The ALLOC_ENGINE_V6_ALLOC_FAIL_SUBNET log message format has
changed to be consistent with the format of
ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET.
(Gitlab #2395)
2023. [bug] tmark
Corrected a MySQL CB issue that caused subnets to be
updated without having audit entries created when the
affiliated shared-network is deleted. This can cause
the subnets to be excluded from subsequent CB refresh
cycles.
(Gitlab #2299)
And for Kea premium:
150. [func] razvan
Added lease4-delta-add, lease4-delta-del, lease6-delta-add,
and lease6-delta-del commands to subnet_cmds hooks library.
Using these commands, the user is able to only apply the
difference between the current subnet configuration and the
user data (either add - if missing - or update when using the
add commands or remove when using the del commands). Most
common case is to add or delete pools or pd-pools to a specific
subnet but it can also be used to update scalars or lists of
scalars or maps.
(Gitlab #2266)
149. [bug] fdupont
Handle exceptions thrown by TSIG exchange initialization
for instance when the server principal does not exist.
Previously the exception made the DDNS server to exit.
(Gitlab #2396)
148. [func] andrei
The limits hook library is now notified of limit changes brought
to client classes and subnets via config backend or subnet
commands. Previously, new limits were ignored and old limits were
used until a reconfiguration was triggered.
(Gitlab #2422)
See https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes for a
complete list of release notes.
Thank you again to everyone who assisted us in making this release
possible.
We look forward to receiving your feedback.