# Kea 3.0.0 Release Notes, June 25th 2025

Welcome to Kea 3.0.0, a new stable version. This is the first Long-Term Support (LTS) version, which is expected to be supported for three years.

Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL/MariaDB and PostgreSQL); optional RADIUS, Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more.

Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

**This release contains many backward-incompatible changes. We encourage users to read these release notes carefully, particularly the "Incompatible Changes" section below before updating.**

The following features and bug fixes have been implemented since the previous stable release, version 2.6.0:

1. **Native HTTP/TLS support**: The DHCPv4, DHCPv6, and DHCP-DDNS daemons now have native support for API sockets over HTTP and TLS (HTTPS), without the need to use the Control Agent (CA). This greatly simplifies the configuration as CA is no longer necessary [#3477, #1764, #3490]. As a result, the CA is now deprecated. It is still available and functional, but is expected to be removed in a future release [#3916]. All three daemons (DHCPv4, DHCPv6, DHCP-DDNS) can now listen for incoming connections on multiple address families (IPv4/IPv6) and protocols (HTTP/HTTPS), although Kea does not support multiple simultaneous API commands.
The connections can be configured in the `control-sockets` list [#3082, #3721]. The subscriber-only Role-Based Access Control (RBAC) hook can now be loaded by the DHCPv4, DHCPv6, and DHCP-DDNS servers [#3483]. We fixed a timing issue in the libHTTP library [#3478]. The UNIX control socket code was updated [#3506].

2. **Open sourcing hooks**: The following hooks, previously available only under commercial licensing, are now open sourced under the Mozilla MPLv2 license: Class Commands, DDNS Tuning, Flexible Identifier, Forensic Logging, GSS-TSIG, Host Cache, Host Commands, Leasequery, Limits, Ping Check, RADIUS, and Subnet Commands [#3333, #3808]. The developer's guides for each of the now open source hooks are part of the Kea Developer's Guide [#3779]. Kea is now able to load hooks from a specified path. Hooks can now be referenced by library name, rather than a full path, making the use of hooks easier [#2101, #3579].

3. **MySQL, PostgreSQL hooks**: Support for MySQL and PostgreSQL was moved to separate hooks; administrators who want to use these backends need to load those hooks. It is now easier to keep the Kea installation footprint small, without needing to install SQL dependencies; SQL support can be easily added with hooks. This architectural change also makes it more viable for third parties to develop and maintain their own hooks to support other databases [#3536]. The documentation regarding those new hooks was updated [#3586]. The parser was relaxed to allow it to accept any lease and host database type [#3585].

4. **Classification: improvements**: The precedence of options specified in a template class and its spawned classes has been reversed. An option specified in a spawned class now takes precedence over the same option if specified in the template class. This change applies to both `kea-dhcp4` and `kea-dhcp6` [#3576]. Regular expressions (regex) are now available in client classification, flex-id, and other purposes that use expressions.
The new token is called `match` [#3170]. Classification and several other features that use expressions now use "lazy evaluation" to govern how expressions are evaluated. In plain terms, sometimes only part of the expression is evaluated if its value is already determined. This change makes a long list of `(expression1) or (expression2) or ...` and `(expression1) and (expression2) and ...` on average faster to evaluate [#3502]. The `only-if-required` and `require-client-classes` parameters were renamed to `only-in-additional-list` and `evaluate-additional-classes` [#3587]. We fixed a bug where Kea did not return the value of vendor-encapsulated-options when redefined in a client class [#3582, #3510]. Classes included in `evaluate-client-classes` that do not have test expressions will now be unconditionally added to the client's list of matching classes; previously, they were ignored [#3588]. Additional classes are now evaluated in the same order as option data, i.e. (pd-)pool, subnet, and shared network. In earlier versions, the order was reversed but this feature was not used [#3590]. It is now possible to define multiple client classes when limiting access to networks, subnets, and pools. The parameter `client-class` (a single class name) in shared networks, subnets, and pools has been replaced with `client-classes` (a list of one or more class names). This applies to both `kea-dhcp4` and `kea-dhcp6`. The older syntax still works, but is now deprecated and will be removed in the future [#3592].

5. **Classification: Class tags**: Option class-tagging allows an option value to be conditionally applied to the response based on the client's class membership. The effect is similar to using an if-block in ISC DHCP to conditionally include options at a given scope. Class-tagging is done by specifying a list of one or more class names in the option's `client-classes` entry. Tagged classes can be used in global, network, subnet, pool, class, and host scopes [#3583].
We have added the ability to choose from multiple occurrences of the same option based on class-tagging. Previously, the last occurrence listed was the only option considered [#3747].

6. **Build system: Meson**: We completed an extensive evaluation of several build systems, including CMake [#3442], Meson [#3443], Bazel [#3464], Ninja [#3444], and autodafe [#3528], and attempted to make autotools simpler [#3441]. We selected Meson. Kea now features a Meson-based build system. Feedback regarding the new build system is more than welcome. Introducing Meson also addressed or made obsolete a number of older Autotools issues [#568, #669, #860, #926, #1001, #1933, #1992, #2695, #2699, #2747, #2999]. The new build system is expected to address most of the problems with the aging autotools system: faster build time, better scalability, cleaner code, greater ease of use, and a generally modern look and feel [#304, #3443, #3729, #3730, #3731]. If you're switching to Meson, this page may prove helpful: https://gitlab.isc.org/isc-projects/kea/-/wikis/Processes/How-To-Meson. The Meson build is now documented properly [#3732]. The Meson build system scripts for installing YANG modules were improved [#3866]. Our CI scripts (on both GitLab and GitHub), as well as fuzzing builds, are now using Meson [#3732]. Hammer is now using Meson [#3812]. We've enabled more strict compilation flags and fixed the many compilation warnings that followed [#3785].

7. **Build system improvements**: Kea now compiles properly with Boost 1.87 [#3695]. The Hammer tool was updated to support Alpine 3.21 and Fedora 41 [#3664]. Kea now generates and installs .pc files for pkg-config [#3680]. Compilation issues were fixed for MySQL 9.x [#3638]. Hammer, Kea's internal build tool, now supports Alpine 3.22, Fedora 42, RHEL 10, and Rocky Linux 10 [#3957]. Hammer now installs `python3-sphinx` and dependencies when told to set up a Kea environment [#3941].
The meson.sh and hammer scripts now install a specific Meson 1.8.1 version [#3867]. We fixed the handling of uncommon installation paths [#3904]. A compilation failure was fixed for the `pgsql_cb` hook that manifested itself with boost 1.85 running on macOS; other systems may also have been affected [#3436]. Hammer was extended to better work on FreeBSD 14 [#3470]. A nice merge conflict-avoidance mechanism was imported from Stork; it allows developers to seamlessly rebase their code, without worrying about changelog conflicts [#3522]. A script was added that detects and flags duplicate and unused messages [#1723]. The upgrade scripts for schema version 23 are now included [#3480]. One of the release scripts (`update-code-for-release.py`) was made more robust [#3600]. A problem was fixed where Kea was unable to find `kea-lfc` if it was installed outside of /usr/local/sbin [#3504]. The `keactrl` script now works better in embedded environments. Thanks to Philip Prindeville for submitting a patch [#3533]. The compilation was fixed for the upcoming clang/libc++ 19. Thanks to Dimitry Andric for submitting a patch [#3432]. A PostgreSQL 15-specific command was added to improve portability [#3630]. We dropped support for Botan without TLS support [#3552]. Obsolete code no longer required by new versions of Boost was removed [#3793]. Old code for coroutines needed for an older version of Boost, present in CentOS 7, was removed. Newer Boost versions include the new code [#3325]. The forensic logging hook code was updated to take advantage of the MySQL or PostgreSQL hooks, if present. However, forensic logging can be loaded without them, removing the dependency on MySQL/PostgreSQL [#3710]. The script that regenerates debug-messages.rst skips generation if the premium code is not present [#3678]. We fixed an incorrect conditional compilation in iface_mgr_unittest.cc [#3742]. The code no longer requires a server-side PostgreSQL dependency [#3711].
The code now makes MariaDB compatible with Botan [#3726]. We fixed an ABI error when using hammer on FreeBSD [#3738].

8. **Address registration in DHCPv6**: Support for a new mechanism defined in RFC9686, address registration, has been implemented. The idea departs from the usual DHCP concept of the server assigning addresses to clients; instead, devices can generate their own IPv6 addresses, using SLAAC or other methods, and then register them in the DHCPv6 server [#3683, #3725, #3802].

9. **High Availability (HA) improvements**: When two HA partners cooperate, it is essential that their clocks remain in sync: if the clock skew is too large, the HA relationship will eventually collapse. The current value of clock skew is now reported in the `status-get` command, allowing a user or automated software to measure and possibly give an advance warning if the clock sync is drifting too much [#3513]. The HA hook now supports lease affinity for released leases: when a lease is released but left in the database for a possible re-allocation, this information is propagated to the partner server. Previously, a released lease was always deleted on the partner, causing the lease and the client to lose their association in the partner's lease database. This change introduces a new "released" lease state, which appears for the released leases in the lease database and in the lease updates exchanged between the HA partners. This is a backward incompatible change for HA partners that have not been upgraded to the latest Kea version; they will reject lease updates for the released leases holding the new state value [#3246]. We fixed a potential problem with HA, where the remote `dhcp-disable` state was not cleared after the `config-reload` or `config-set` commands. Also, the `dhcp-state` is now included in the `status-get` command; it indicates whether the DHCP service is enabled or the reason why it is disabled (user command, HA command, or database connection failure) [#3446].
The HA logic was improved to avoid conflicts in DNS cleanup performed by two servers in the terminated state [#3649].

10. **IPv6-only preferred**: Kea now supports `v6-only-preferred` mode, as described in RFC8925, more precisely. When a dual-stack device visits a v6-only network, it still attempts to obtain an IPv4 configuration using DHCPv4. The RFC8925 mechanism allows the network operator to set up a minimal DHCPv4 server that basically says "there's no IPv4 service here, stop asking." This is what `v6-only-preferred` communicates. Until recently, however, Kea sent back the option and assigned the IPv4 address at the same time; this is now fixed. Kea is now able to send back the option and send 0.0.0.0 to further indicate there's no address being assigned [#3094].

11. **`kea-admin` now handles non-standard ports**: The `kea-admin` tool was extended to properly handle non-standard database ports [#2331, #2882].

12. **Rebalanced debug logging**: Several messages have had their log levels adjusted [#1945]. There is a new section in the Administrator Reference Manual (ARM) listing all messages for each debug level [#3341].

13. **PD-Exclude in host reservations**: The host reservations mechanism now supports the `pd-exclude` mechanism, thus allowing fine tuning of `pd-exclude` on a per-host basis [#1387].

14. **Custom HTTP headers**: Kea servers can now be configured to send arbitrary HTTP headers. This might be useful to better adhere to certain policies, such as HTTP Strict Transport Security [#3609].

15. **Binding variables**: A popular feature of ISC DHCP is now available in Kea: the `lease-cmds` hook library now supports storing custom values, referred to as `binding-variables`, within the lease's `user-context`. This is supported in both `kea-dhcp4` and `kea-dhcp6` [#3463].

16. **Better compatibility**: Earlier Kea versions did not properly handle the receipt of broken options containing an FQDN, and dropped the whole packet.
With `lenient-option-parsing` enabled, it now ignores only the broken option and continues parsing the packet [#3492].

17. **Packaging**: Login information is no longer stored for the `kea` user when installing RPM Kea packages, which previously displayed a `useradd` error when installing Kea packages; this was first observed in Fedora 40 [kea-packaging#26]. Packages no longer attempt to remove the unused directory `/run/lock/kea`, which previously resulted in a warning when removing the Kea packages on Debian-based systems [kea-packaging#27].

18. **Reproducible builds**: Another step was taken towards reproducible builds: the `kea-admin` tool was updated to no longer leak the build directory path [#3007].

19. **Per-pool DNS parameters**: Many DNS behavioral parameters can now be specified on the pool level, in addition to the already-possible global, network, and subnet levels [#3049].

20. **New DNS parameters**: New DNS parameters (`ddns-ttl`, `ddns-ttl-min`, `ddns-ttl-max`) that govern the TTL were implemented and can now be configured using a file [#2819] or the Config Backend (CB) [#3663].

21. **Subnet commands improvements**: The `subnet4-list` and `subnet6-list` API commands now return the shared network name, if present [#3811].

22. **Syslog support for the forensic logging hook**: The forensic logging hook is now able to use syslog as a new alternative to the already-supported methods of logging to a file and logging to a database [#3569].

23. **`lease4-wipe`, `lease6-wipe` commands**: The two commands were previously deprecated and expected to be removed. Due to customer requests, they are no longer deprecated and their deficiencies were fixed. The commands now work for all three backends: memfile, PostgreSQL, and MySQL [#3814].

24. **CCC options**: The DHCPv4 daemon now supports CableLabs Client Configuration option (122) and all its sub-options (except sub-option 3) as defined in RFC3495, RFC3594, and RFC3634 [#3404].

25. **NTP servers options**: We added support for the DHCPv6 `ntp-server` (56) option specified by RFC5908 and its associated suboptions in the `v6-ntp-server-suboptions` space [#3390].

26. **Subnet commands hook**: Three new commands were added: `subnet4-select-test`, `subnet6-select-test`, and `subnet4o6-select-test`. They can be used to check which subnet would be selected for given parameters [#2974].

27. **Ping check hook**: The ping check hook library now routes pings across routers; previously, it only sent pings to directly connected networks [#3827]. The ping check hook no longer tries to send pings when the lease is active or reserved [#3858, #3932].

28. **PerfMon hook**: The performance monitoring hook has been expanded with two new commands: `perfmon-control`, which can be used to enable or disable monitoring and reporting at runtime, and `perfmon-get-all-durations`, which fetches a snapshot of raw performance data and presents it to the user [#3328].

29. **Host commands updates**: The `subnet-id` parameter is now optional when adding a new reservation without an address or when adding a global reservation. Many other cases give more meaningful error messages if the `subnet-id` is omitted [#2878].

30. **Statistics**: A new global statistic, `queue-mgr-queue-full`, has been added to `kea-dhcp-ddns`. It tracks the number of times the queue for DNS update requests (NCRs) has reached maximum capacity [#2611].

31. **Run script hook**: New options are available to be used in the run script hook: v6 relay options 18 (interface-id), 37 (remote-id), and 38 (subscriber-id) [#3035]. The scripts that can be run by `run_scripts` are now restricted to the `[kea-install-dir]/share/kea/scripts/` directory. If needed, this can be overwritten by a `KEA_HOOK_SCRIPTS_PATH` environment variable [#3849].

32. **Security: Default configuration**: Running Kea with access to its API insufficiently secured poses significant risks and is strongly discouraged.
The default configuration for the Kea Control Agent (CA) has been updated to enable basic HTTP authentication, and access to the Kea API thus requires a password. It also contains additional examples of stronger authentication, based on TLS certificates that only allow access to clients presenting valid TLS certificates. These changes address CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 [#3825, #3856].

33. **Security: Hooks files**: To limit the severity of an attack via an insufficiently protected API, `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`, and `kea-ctrl-agent` now only load hook libraries from the default installation directory. Kea will not load the hook library if a path other than the default is specified. For ease of use, the path may be omitted. This change addresses CVE-2025-32801 [#3830].

34. **Security: Config files**: To limit the scope of an attack on an insufficiently protected API, the API command `config-write` now only writes to the same directory as the configuration file used when Kea was started (passed as a `-c` argument). This change addresses CVE-2025-32802 [#3830].

35. **Security: Lease files**: To mitigate the severity of an attack on an insufficiently protected API, lease files can now only be loaded from a defined data directory. The default data directory is determined during compilation: `[kea-install-dir]/var/lib/kea`. This path may be overridden at startup by setting the environment variable `KEA_DHCP_DATA_DIR` to the desired path. If a path outside the defined data directory is used in `lease-database.name`, Kea returns an error and refuses to start or, if already running, aborts and exits. For ease of use in specifying a custom file name, simply omit the path component from `name`. This change addresses CVE-2025-32802 [#3831].

36. **Security: Log files**: To mitigate the severity of an attack on an insufficiently protected API, log files can now only be written to a defined output directory.
The default directory is determined during compilation: `[kea-install-dir]/var/log/kea`. This path may be overridden at startup by setting the environment variable `KEA_LOG_FILE_DIR` to the desired path. If a path outside the defined output directory is used in `loggers.output_options.output`, Kea returns an error and refuses to start or, if already running, aborts and exits. For ease of use, simply omit the path component from `output` and specify only the file name. This change addresses CVE-2025-32802 [#3831].

37. **Security: File permissions**: To prevent exposure of potentially confidential data, files created by Kea now have more restrictive file permissions. Write access by group and any access by others is now forbidden. This change addresses CVE-2025-32803 [#3832].

38. **Security: Sockets**: To prevent unauthorized access and potential denial of service, sockets can no longer be created in a world-writable directory, such as `/tmp`. Sockets must now be created in the more restricted `[kea-install-dir]/var/run/kea`. This change addresses CVE-2025-32802 [#3831].

39. **Security: Documentation**: Many sample configuration files have been updated to reflect changes introduced in this release. In the ARM, the Kea Security section has been moved to a more prominent location, and a new section concerning securing the Kea Control Agent has been added. These changes address CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 [#3833].

40. **Security: Other**: The `kea-shell` tool can now read an API password from a file, using `--auth-password-file` [#3940]. Several lesser issues reported by Coverity Scan were addressed [#3413]. Some of the security restrictions can now be bypassed by using the `-X` command-line switch. Instead of reporting an error, Kea prints a warning but continues [#3902].
We fixed an issue in path validation where the opening slash in a root-file path such as "/myfile.log" is discarded, causing the server to prepend the supported path to the file name rather than reject the entry [#3906]. All permissions for other users are now removed from configuration files created by Kea agents and servers [#3050]. Kea now rejects certain default passwords. If you copied your Kea configuration from the examples in our documentation using a sample password, you need to alter your configuration to use a less-obvious password [#3398]. While the Kea software itself had no default credentials, some of the configuration examples did; those have been removed. Kea now also rejects obvious passwords, such as "keatest", except when built for testing [#3398]. It is now easier to enable TLS and it no longer requires a server restart; it is possible to use `config-reload`. However, a different address or port must be specified when switching from HTTP to HTTPS or vice versa [#3694].

41. **Usability**: Kea now prints options with binary data in a human-readable form whenever possible [#2844].

42. **Memory usage**: Kea now uses less memory when reconfiguring: it previously kept up to 10 previous configurations, which needlessly used memory. This inefficiency is now removed [#3652].

43. **Two malfunctioning options removed**: The `control-socket.socket-name` and `control-socket.socket-type` parameters were removed from the CB; they were broken and never functioned properly [#3479].

44. **Bug fixes**: Handling of invalid configurations was improved; Kea no longer shuts down when global host reservations are present, with the global reservation lookup disabled and the early global reservation enabled [#3910, #3911]. The `config-get` command no longer returns the full hook path if short paths were specified [#3937]. We corrected an issue in logging configuration when parsing `syslog:` [#3921].
We corrected the order of parameters for one flex options hook log message [#3875]. A problem with `subnet4-del` and `subnet6-del` commands was fixed. The subnets are now completely deleted even if they belong to a shared network [#3455]. A crash in `kea-netconf` was fixed that was caused by an unlikely scenario: overwriting the config from one module with another in the same edit-config [#3435]. We fixed several instances of undefined behavior code [#3323]. The `reservation-update` command now checks whether all the addresses are in the range of the subnet used [#3452]. Kea Lease File Cleanup (LFC) now correctly inherits the environment values [#3450]. The prefix lease is removed when its reservation is deleted [#3375]. Kea no longer tries to update a lease with a generated FQDN if the address is not available to be leased [#3356]. We corrected an issue with overlapping enum values for the option definition data type stored in the Config Backend (CB). This was causing option definitions of type "record", created via CB commands, to not load properly when fetched from the backend. This change updates DB schemas for both PostgreSQL and MySQL [#3476]. We addressed a CB issue when upgrading from 2.4.0 to 2.6.0 [#3472]. We corrected a bug in storing and fetching encapsulated DHCP options from the CB; these options were sometimes not returned when they were specified at the subnet, shared-network, or client-class level [#3481]. The `remote-class6-get` command now returns the lifetime values properly [#3469]. The encoding of long options in DHCPv4 (RFC3396) was fixed [#2917, #3440]. We fixed a file descriptor leak in the High Availability hook library [#3449]. A problem with the HA hook that caused a validation failure when `-T` (test configuration) was used was fixed [#3542]. We fixed an incorrect value in `option_def_data_type` [#3631]. We fixed a problem in the shutdown procedure of the HTTP connection pool [#3602]. 
We fixed all problems reported by UBSAN (Undefined Behavior Sanitizer) [#3616]. Kea no longer freezes during restart when using host commands and a hosts database [#3619]. We fixed all relevant issues reported by Valgrind [#3351]. We fixed a bug where Kea did not return the value of `vendor-encapsulated-options` when redefined in a client class [#3582, #3510]. We fixed the application of `output_options` when using the `config-set` command. We deprecated `output_options`, which will be removed in future versions. Configurations should be updated by switching to using `output-options` instead [#3594]. The code now prevents clients from declining expired or released leases; only a valid lease assigned to the declining client can now be declined. When a misbehaving client declined a lease it did not own, it could distort statistics for assigned and declined leases [#3565]. We fixed the serialization of the `retry-on-startup` database configuration parameter as a boolean instead of a string [#3578]. A bug was fixed that prevented the server from resuming DHCP traffic handling after receiving the `ha-maintenance-cancel` command [#3655]. Kea now prints a warning if the configured lifetimes in classes are not usable [#2736]. Both Kea DHCPv4 and DHCPv6 servers no longer generate DDNS updates when leases are reused due to lease caching [#3257]. A problem with database reconnection for MySQL and PostgreSQL was fixed. Earlier Kea versions reported that the DB connection was restored, but the DHCP service was never resumed [#3727]. The Control Agent (CA) now closes old HTTP sockets after reconfiguration [#3721]. A bug was fixed in the forensic logging hook; it no longer fails to load if a file with the name "base-name.txt" is present in the configured path [#3708]. A bug was fixed that caused leases stored in the released state to not be read [#3699]. We fixed a crash when compiling Kea with the latest gcc (14.2.1 20250110) on Fedora 41 [#3719]. 
Inaccurate counters in statistics were fixed. This affected many scenarios, including some where allocated addresses incorrectly reported negative numbers [#1336]. We fixed a bug which caused the allocation engine to send a NAK in deployments where two Kea instances shared a database and one of them lost a race [#3648]. Lease reclamation is now skipped and rescheduled while the DHCP service is disabled. This is true for both DHCPv4 and DHCPv6 servers. While the old behavior was not strictly a bug, the new behavior avoids certain complications [#3693]. A potential bug was fixed in handling truncated packets [#3712]. We fixed a problem in handling user context when `store-extended-info` and lease limits in classes were used together [#3702]. A problem was fixed where leases created by earlier Kea versions could not be updated in some rare circumstances, if the MySQL backend was used [#3763]. We corrected an issue which caused `kea-dhcp4` to NAK requests for an offered lease, when a conflicting host reservation existed and `offer-lifetime` was greater than zero. The server now removes the unusable lease, renews the temporary lease, and sends it back in a DHCPACK [#3555].

45. **Documentation**: The Meson-related documentation was updated [#3919]. We clarified the applicability of the Kea Configuration Backend in the ARM [#3881]. The documentation for instructing Kea to use a subnet for directly connected clients (the `interface` parameter) has been expanded [#3628]. The `kea-shell` command's documentation was updated [#3551]. We updated the list of elements supporting user-context in the ARM [#3855]. The bulk leasequery options (option codes 151-157) are now added to the list of supported options that are not directly configurable. Those option values are set by Kea automatically [#3922]. The `shared-network-name` parameter in `subnetX-list` is now documented [#3926]. The Kea ARM and examples now use port 786 for 4o6 configuration [#3851].
We fixed a problem with overlapping ports in HA examples and the Kea ARM [#3541]. There is now a stable version of the ARM on the Read the Docs page [#3821]. The spelling of `hold-reclaimed-time` and `nds-servers` was corrected [#3935, #3854]. The build instructions were updated [#3905]. We added missing documentation for the HA message HA_TERMINATED_RESTART_PARTNER [#3894]. We corrected the value of `operation-target` in the `host_cmds` API calls [#3819]. A section in the Kea ARM was expanded to show how the run script hook can be used to get all IPv6 leases, e.g., to configure routing [#2914]. Obsolete notes about bulk leasequery were removed [#3570]. The Developer's Guide now uses SVG instead of PNG images, dramatically reducing the documentation build size [#3566]. We fixed a typo in the `stash-agent-options` documentation [#3529, #3629]. We provided an explanation for why `calculate-tee-times` has a different value in DHCPv4 and DHCPv6 [#3538]. The lease file format is now documented in the Developer's Guide. Users are not expected to interact with the lease files directly; we recommend using the API instead. Nevertheless, it might be useful in some cases to understand the data stored in the lease files [#3414]. The concept of "class guard", a mechanism to restrict access to certain subnets or pools to clients that belong to a certain class, was explained with more examples [#3348]. A clarification was added that, by default, the DHCPv4 server always prefers to use the contents of the FQDN option over the host name option. However, if some other behavior (such as preferring host name over FQDN) is desired, it can be achieved with the DDNS tuning hook. An example of this is now documented [#1989]. Several tests were conducted for the FLQ allocator used in shared database scenarios, and the conclusion is that usage of FLQ with shared databases is not recommended [#3577]. 
We clarified that TLS certificates are not updated during reconfiguration; migrating to new certificates requires a full restart [#3255]. The tuple definition has been updated [#3661]. We fixed some grammar issues in the option class-tagging in the ARM [#3679]. Searching in the ARM now works better and it no longer ignores hyphens and quotes [#3766]. We clarified how classes impact option order precedence [#3748].

46. **Testing**: Unit tests that require root privileges are now run automatically on "meson test" by having privileges elevated via sudo [#3493]. We updated cppcheck calls to use the proper directory and recognize googletest headers [#3930]. We updated pipelines to automatically run a fuzz job on Merge Request (MR) creation [#3917]. Frequent CfgIface unit test failures on Ubuntu 22.04 were fixed [#3366]. The CI now enforces pylint and pycodestyle on all Python scripts in the Kea repository [#3287]. Several tests now behave better when `KEA_LOGGER_DESTINATION` is set to stderr [#3487]. We adapted the database script checking for the CI job to accept minor schema version numbers [#3497]. Much effort was spent on making our fuzzing environment more robust. A crash was investigated in the fuzzing framework and fixed [#3233]. Extra tests for HTTP/HTTPS control sockets were added [#3557]. Unit tests no longer fail when the `kea-admin` tool is installed [#3419]. The hammer tool no longer has occasional problems with starting MariaDB on Alpine [#3559]. The Continuous Integration (CI) pipeline definitions were updated to no longer prevent MRs from being merged if the build-tarball job fails [#3669]. We fixed a failing unit test on macOS 15.0 [#3606]. We fixed the GoogleTest installation on FreeBSD using hammer [#3698]. The GitHub CI workflow was updated to use the latest CodeQL definitions [#3745].

47. **Fuzzing support**: Kea source code has been fuzz-tested for a while; we moved the fuzzing support into the public open source repository [#3605].

48. **Database improvements**: The database upgrade script is now more lenient when checking the schema version [#3789].

49. **No longer experimental**: Netconf, DHCP4overDHCPv6 (4o6), and PerfMon are no longer considered experimental, so their warning labels were removed [#3920]. An obsolete warning about multi-threading being experimental was removed [#3643].

## Incompatible Changes

1. The Control Agent (CA) is now deprecated; while it is still present and operational, it is expected to be removed from future Kea versions. While updating configurations is a one-time annoyance, there are several long-term gains: fewer daemons to run; simpler configuration; the ability to have separate API channels for each daemon, possibly with different access restrictions; the ability to mix IPv4/IPv6, with and without TLS; and more. Please update your configuration to enable control sockets on your DHCPv4, DHCPv6, and DHCP-DDNS daemons directly [#3916].

2. The Kea Control Agent (CA) default configuration has API authentication enabled by default. A password must be stored in the `kea-api-password` file before the CA can start. This password should be either generated or provided by the administrator. When upgrading from older versions, it is strongly recommended not to leave the API channel unprotected. In addition, users are encouraged to consider enabling even stronger mechanisms, based on TLS certificates. An appropriately commented-out section has been added to the default configuration.

3. To mitigate the severity of an attack on an insufficiently protected API, Kea is now much more restrictive in where it allows files to be written. Operations that result in writing files (and potentially overwriting important system files) are no longer liberal in accepting random paths; the paths are restricted to expected locations for configuration, lease, DUID, and log files.
Many of those can be overwritten by environment variables, but those are fixed for the entire lifetime of a process and are no longer modifiable via the API. The new default configurations have this change applied so new installations are secured, but please alter your configuration if upgrading. While not recommended, some of the restrictions can be turned into warnings by using `-X` on the command line.
4. To address potential denial-of-service and spoofing attacks, Kea no longer creates sockets in `/tmp`, which is a world-writable directory on most systems. Instead, it uses the `[kea-installation-dir]/var/run/kea` directory for sockets. The new default configurations have this change applied so new installations are secured, but please alter your configuration if upgrading.
5. The Autotools build system (automake, autoconf, libtool, make) has been replaced with Meson. If you are compiling from source, please ensure that you have Meson, Ninja, and pkg-config installed. Autotools is no longer supported, and the build infrastructure to support building with autotools has been removed [#3734].
6. Several changes were introduced to classification. In particular, the order in which scopes were evaluated has changed; it is now more aligned to ISC DHCP behavior. If you defined options on multiple scopes and relied on their precedence, you might need to update your configuration.
7. The `only-if-required` and `require-client-classes` parameters were renamed to `only-in-additional-list` and `evaluate-additional-classes` [#3587].
8. Kea now rejects certain default passwords. If you copied your Kea configuration from the examples in our documentation and didn't change the password, Kea will now refuse to start. Please simply change your password to a non-default value [#3398].
9. Listening on multiple control sockets requires migrating from the `control-socket` map to a `control-sockets` list.
10. Now that many hooks are re-licensed as open source, the package layout has been updated and the Premium package has been eliminated. The packages have been rearranged in the Cloudsmith.io repositories. Users of the open source code can download packages from the `kea-3-0` repository on Cloudsmith. To access subscriber-only content, entitled users need to enable both the open source `kea-3-0` repository and the `kea-3-0-prv` repository. `kea-3-0-prv` contains the subscriber-only hooks; the open source content is no longer included there. Upgrading via the package manager should seamlessly update both the open source and the code in `kea-3-0-prv`.
11. Classes included in `require-client-classes` that do not have test expressions will now be unconditionally added to the client's list of matching classes; previously they were ignored [#3588].
12. We changed the default value of the HA listener `restrict-commands` configuration flag to `true`, so commands that are not used by the HA hook are rejected. This should not affect anyone except people who were misusing HA ports for sending unrelated commands [#3639].
13. The lease cache mechanism is now enabled by default. Misbehaving clients that attempt multiple renewals in a short period can cause the server to update and write to the database frequently, resulting in a performance impact on the server. The cache parameters instruct the DHCP server to avoid updating leases too frequently. Instead, the server assigns the same lease (i.e. reuses it) with no modifications except for CLTT (Client Last Transmission Time), which does not require disk operations. This mechanism is now enabled by default (as it was in ISC DHCP), but can be disabled on the global, shared network, or subnet levels. See ARM Section 9.2.33 for details [#3659].
14. The High Availability hook in Kea 3.0.0 is not compatible with Kea versions prior to 2.7.0.
Kea installations running versions 2.6.3 or earlier and using HA must update all peers at the same time.
15. The `control-socket.socket-name` and `control-socket.socket-type` parameters were removed from the Config Backend (CB).

## Packaging

1. **Changes in packaging layout**: Hooks previously available under a commercial licence and packaged separately are now available in the `isc-kea-hooks` package alongside the other open source hooks. Only the GSS-TSIG hook is packaged separately, as `isc-kea-gss-tsig`. Support for the MySQL and PostgreSQL backends is now available in the separate packages `isc-kea-mysql` and `isc-kea-pgsql`.
2. **Native packages**: For convenient installation, Kea is available as native (deb, RPM, and APK) packages for the following systems on Intel/AMD x64 (amd64) and ARM (aarch64) architecture: Alpine 3.19 (amd64, aarch64), 3.20 (amd64, aarch64), 3.21 (amd64, aarch64), 3.22 (amd64, aarch64); RHEL 8 (amd64), 9 (amd64, aarch64), 10 (amd64, aarch64); Debian 11 (amd64, aarch64), 12 (amd64, aarch64); Fedora 41 (amd64), 42 (amd64, aarch64); and Ubuntu 20.04 (amd64), 22.04 (amd64, aarch64), 24.04 (amd64, aarch64). The images are available on Cloudsmith (https://cloudsmith.io/~isc/repos/).
3. **Docker**: Both pre-built Docker images and Docker files are available. Users can install a single container with a specific service, such as `kea-dhcp4`, or use the `kea-compose` script that makes deployment of a cluster of containers (kea-dhcp4, kea-dhcp6, and a PostgreSQL database) much easier. Running a DHCP server in a Docker container is a bit more complicated than a typical service, as a DHCPv4 server needs to be able to receive traffic from clients that do not yet have an IP address assigned; simple port forwarding is not sufficient. Users should read about ipvlans before deploying Docker containers. Please use caution and share your feedback. For details, see the README file in https://gitlab.isc.org/isc-projects/kea-docker/.
The images are available on Cloudsmith (at https://cloudsmith.io/~isc/repos/docker/packages/), and the Docker files are on GitLab.
4. **Sources**: The source code is available as a tarball from Cloudsmith, on the ISC downloads site (https://downloads.isc.org/isc/kea/), or directly from the Kea repository on GitLab (https://gitlab.isc.org/isc-projects/kea).

## License

This version of Kea is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

Pre-built Docker images as well as Docker files are available. For details, see: https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats.

ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users).
We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes changes and important upgrades since the 2.6.0 release.

2375. [build] wlodek The library version numbers have been bumped up for the Kea 3.0.0 stable release. (Gitlab #3968)
2374. [doc] bscott Clarified applicability of Kea Configuration Backend in the ARM. (Gitlab #3881)
2373. [doc] marcin Added example subnet selectors to default DHCP configs. (Gitlab #3628)
2372. [build] andrei Kea now generates and installs a pkg-config .pc file. (Gitlab #3680)
2371. [func] piotrek Added a new argument, '--auth-password-file', which provides a secure method for supplying a password for basic HTTP authentication in kea-shell. (Gitlab #3940)
2370. [build] andrei Unit tests that require root privileges are now run automatically on "meson test" by having privileges elevated via sudo. (Gitlab #3493)
2369. [doc] tmark Updated list of elements supporting user-context in ARM. (Gitlab #3855)
2368. [build] fdupont Added the 'runstatedir' configuration option so by giving '-D runstatedir=run' one can override the 'var/run' default. This variable and its usage are described in GNU Coding Standards or autoconf doc since version 2.70. Note this variable is not in meson built-in options. (Gitlab #3624)
2367. [func]* fdupont Changed the default value of the High Availability listener 'restrict-commands' configuration flag to true so commands which are not used by the High Availability hook are rejected. (Gitlab #3639)
2366. [doc] slawek Described a new shared network name parameter of the subnetX-list commands in ARM. (Gitlab #3926)
2365. [bug] fdupont Removed all references to the build directory from scripts when tests configuration option is not enabled. (Gitlab #3007)
2364. [bug] tmark Ping check hook library was corrected to skip ping checks when the lease is active or reserved. (Gitlab #3858, #3932)
2363. [bug] tmark Corrected an issue which caused config-get to return the full hook library pathname instead of the original configuration value of the `library` parameter. (Gitlab #3937)
2362. [bug] tmark Ping check hook library will now route pings across routers. Prior to this it only sent pings to directly connected networks. (Gitlab #3827)
2361. [bug] tmark Corrected an issue in logging configuration when parsing "syslog:". (Gitlab #3921)
2360. [func]* tmark Lease caching is now enabled by default. The default value for ``cache-threshold`` is 0.25, ``cache-max-age`` is left unspecified. It may be disabled at the desired scope either by setting ``cache-threshold`` to 0.0 or setting ``cache-max-age`` to 0. (Gitlab #3659)
2359. [build] andrei The Autotools build system has been removed and superseded by Meson. (Gitlab #3734)
2358. [bug] tmark Fixed an issue in path validation where the opening slash in a root-file path such as "/myfile.log" is discarded causing the server to prepend the supported path to the file name rather than reject the entry.
(Gitlab #3906)
2357. [func] tmark Security restrictions may now be disabled by adding command line option -X to Kea server invocations. Supported by kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and kea-ctrl-agent. (Gitlab #3902)
2356. [func] razvan Updated YANG modules by adding only-in-additional-list, evaluate-additional-classes, client-classes list, ddns-ttl, ddns-ttl-min, ddns-ttl-max, ddns-generated-prefix, ddns-override-client-update, ddns-override-no-update, ddns-qualifying-suffix, ddns-replace-client-name, ddns-send-updates, ddns-update-on-renew, ddns-conflict-resolution-mode, hostname-char-replacement and hostname-char-set at pool and pd-pool level, added excluded-prefixes at pd-pool level. Added trust-anchor, cert-file, key-file, cert-required authentication and http-headers parameters to control sockets. (Gitlab #3907)
2355. [func] razvan Implemented lease4-wipe and lease6-wipe for database backends. The commands are no longer deprecated. (Gitlab #3814)
2354. [doc] razvan The DHCPv4-over-DHCPv6 implementation, perfmon hook library and sysrepo features are no longer considered experimental. (Gitlab #3920)
2353. [func] razvan Restricted location of configured scripts in loaded hook libraries. (Gitlab #3849)
2352. [bug] razvan Fix error handling when detecting a global reservation for the client and global reservations are explicitly disabled in the configuration. (Gitlab #3911)
2351. [doc] razvan Updated documentation and examples related to 4over6 port. (Gitlab #3851)
2350. [doc] razvan Updated documentation and examples related to HTTP/HTTPS socket ports used by kea-ctrl-agent, kea-dhcp4, kea-dhcp6, kea-dhcp-ddns and High Availability hook library in order to avoid possible conflicts. (Gitlab #3541)
2349. [func] razvan The kea-ctrl-agent has been deprecated and it issues a warning log message on startup. As of Kea 2.7.2 the Kea servers: kea-dhcp4, kea-dhcp6, and kea-dhcp-ddns directly support command API connections over HTTPS/HTTP. (Gitlab #3916)
2348. [bug] razvan, Darwin4053 Fix arguments order in flex option hook library debug messages. (Gitlab #3875)

Kea 2.7.9 (development) released on May 28, 2025

2347. [build] andrei The library version numbers have been bumped up for the Kea 2.7.9 development release. (Gitlab #3892)
2346. [sec]* tmark, fdupont, razvan All files and sockets created by Kea servers have been restricted to default paths determined at compile time which may be overridden by environment variables. This includes lease files, log files, forensic log files, control channel sockets, and the output from commands such as cache-write, lease4-write, and lease6-write. The output of config-write is restricted to the directory from which the configuration file was read. Use of unsupported paths will result in servers emitting errors and refusing to start or rejecting commands. The specifics including the supported paths and environment variable names are in the relevant ARM sections. CVE:2025-32801 (Gitlab #3831)
2345. [sec]* fdupont Change the umask to no group write and no other access at the entry of Kea server/agent binaries. CVE:2025-32803 (Gitlab #3832)
2344. [sec]* tmark kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and kea-ctrl-agent will now only load hook libraries from the default installation directory. If a path other than this is specified Kea will not load the hook library. For ease of use, the path may be omitted. CVE:2025-32801 (Gitlab #3830)

Kea 2.7.8 (development) released on April 30, 2025

2343. [build] wlodek The library version numbers have been bumped up for the Kea 2.7.8 development release. (Gitlab #3863)
2342. [bug] andrei A MySQL error that rarely occurs in unknown circumstances that can prevent Kea from renewing leases that have null or invalid JSON values in the user_context column is now handled in the lease triggers. (Gitlab #3763)
2341. [build] andrei Kea built with Meson is now officially tested. Some bugs related to the Meson build system were fixed.
Documentation about how to build Kea with Meson was added. (Gitlab #3732, #3812)
2340. [func] tmark The subnet commands hook library was modified such that the subnet's shared network name is now included for each subnet returned by the subnet4-list and subnet6-list commands. (Gitlab #3811)
2339. [bug] tmark Corrected an issue which caused kea-dhcp4 to NAK requests for an offered lease when a conflicting host reservation exists and offer-lifetime is greater than zero. The server will now remove the unusable lease, renew the temporary lease, and send it back in a DHCPACK. (Gitlab #3555)
2338. [doc] tmark Clarified how classes impact option order precedence. (Gitlab #3748)
2337. [bug] tmark When generating FQDNs from IP addresses for DDNS, kea-dhcp6 will now append a zero to the end of prefixes that would otherwise end in a hyphen. (Gitlab #3781)
2336. [func] razvan Added support for syslog backend in forensic log hook library. (Gitlab #3569)

Kea 2.7.7 (development) released on March 26, 2025

2335. [func] razvan The following hook libraries are now open source: for the kea-dhcp4 and the kea-dhcp6 servers 'libdhcp_class_cmds', 'libdhcp_ddns_tuning', 'libdhcp_flex_id', 'libdhcp_legal_log', 'libdhcp_host_cache', 'libdhcp_host_cmds', 'libdhcp_lease_query', 'libdhcp_limits', 'libdhcp_ping_check', 'libdhcp_radius', 'libdhcp_subnet_cmds' and for the kea-dhcp-ddns server 'libddns_gss_tsig'. (Gitlab #3333)
2334. [func] fdupont Added experimental support for registering self-generated IPv6 addresses using DHCPv6 (RFC 9686). (Gitlab #3683, #3802)
2333. [build] andrei, fdupont Added meson as a build system. (Gitlab #3443, #3729, #3730, #3731)
2332. [func] tmark Lease reclamation is now skipped and rescheduled while DHCP service is disabled. This applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #3693)
2331. [bug] tmark Added support for choosing from multiple occurrences of the same option based on class-tagging.
Prior to this the last occurrence listed was the only option considered. (Gitlab #3747)
2330. [func] tmark The lease-cmds hook library now supports storing custom values, referred to as ``binding-variables``, within the lease's ``user-context``. Supported in both kea-dhcp4 and kea-dhcp6. (Gitlab #3463)
2329. [bug] andrei An "argument list too long" error message no longer appears when the "kea-admin lease-upload" command tries to upload a large set of leases. The command is also significantly faster now. (Gitlab #3666)
2328. [build] andrei Kea no longer depends on a PostgreSQL server development header. (Gitlab #3711)
2327. [build] mgodzina The library version numbers have been bumped up for the Kea 2.7.7 development release. (Gitlab #3817)
2326. [bug] razvan Fixed a bug which was causing the allocation engine to reject the lease if a data race caused by a different server updating the shared database entries was detected. The entire packet is now dropped in this particular case. This applies to both kea-dhcp4 and kea-dhcp6 servers. (Gitlab #3648)
2325. [bug] razvan Fixed a bug which was causing address allocation counters to be negative when client released leases and the server has lease affinity and lease reclamation enabled. (Gitlab #1336)
2324. [func] razvan It is not necessary to restart the server to apply changes in the TLS configuration. Running the "config-reload" command is sufficient. A different address or port must be specified when switching from HTTP to HTTPS or from HTTPS to HTTP. (Gitlab #3694)

Kea 2.7.6 (development) released on January 29, 2025

2323. [func]* fdupont Kea now refuses secrets and passwords taken from examples, including when not built with unit tests "keatest". (Gitlab #3398)
2322. [bug] marcin Avoid conflicts in DNS cleanup performed by two servers in the terminated state in HA. (Gitlab #3649)
2321. [func] tmark Modified kea-dhcp4 and kea-dhcp6 to support DDNS behavioral parameters at the pool level. (Gitlab #3049)
2320. [bug] fdupont Fixed a bug where the lease in the released state was not read properly. (Gitlab #3699)
2319. [build] fdupont, q66 Kea can now build with Boost 1.87. The minimum supported Boost version has been bumped up from 1.57 to 1.66. Thanks to q66 for the patch. (Gitlab #3696)
2318. [build] razvan The library version numbers have been bumped up for the Kea 2.7.6 development release. (Gitlab #3724)
2317. [bug] razvan Fixed a bug related to database connection recovery which was preventing the server from resuming packet processing because the dhcp state was never re-enabled. (Gitlab #3727)
2316. [func] razvan The kea-dhcp4, kea-dhcp6 and kea-dhcp-ddns servers now support multiple http/https connections. They can be configured in the "control-sockets" list. (Gitlab #3082, #3721)
2315. [func] razvan Kea can now load hook libraries specifying only the binary name. It uses the default hook libraries installation path which is provided in the config report as "Hooks directory". (Gitlab #2101, #3579)
2314. [func] tmark Added three new parameters which may be used to influence DNS TTL to kea-dhcp4 and kea-dhcp6: 'ddns-ttl', 'ddns-ttl-min', and 'ddns-ttl-max'. (Gitlab #2819, #3663)

Kea 2.7.5 (development) released on December 11, 2024

2313. [doc] marcin Clarified that the FLQ allocator should not be used with shared lease database. (Gitlab #3577)
2312. [doc] fdupont Made clear that when a HTTP control channel is reconfigured with the same address and port the listener socket is reused so any TLS setup change is ignored. (Gitlab #3255)
2311. [doc] piotrek Added a more extensive definition of the tuple DHCP option type in the ARM documentation. (Gitlab #3661)
2310. [bug] andrei Kea servers no longer increase in memory when being reconfigured. (Gitlab #3652)
2309. [build] mgodzina The library version numbers have been bumped up for the Kea 2.7.5 development release. (Gitlab #3695)
2308. [bug] marcin Prevent the servers from returning to HA maintenance states after receiving the ha-maintenance-cancel command while they also respond to the DHCP traffic. (Gitlab #3655)
2307. [func] tmark The parameter "client-class" (a single class name) in shared networks, subnets, and pools has been replaced with "client-classes" (a list of one or more class names). This applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #3592)
2306. [func] fdupont Added a new "http-headers" parameter to the CA and HTTP control socket configuration sections which can be used to specify extra 'name: value' headers to be added to HTTP responses. (Gitlab #3609)
2305. [func] tmark Both kea-dhcp4 and kea-dhcp6 servers will now log a warning message when they detect classes that configure lease life time parameters (e.g. 'valid-lifetime', 'preferred-lifetime') while also setting 'only-in-additional-list' to true. (Gitlab #2736)
2304. [bug] tmark Modified both kea-dhcp4 and kea-dhcp6 to avoid generating DDNS update requests when leases are being reused due to lease caching. (Gitlab #3257)

Kea 2.7.4 (development) released on October 30, 2024

2303. [func] tmark The parameters 'require-client-classes' and 'only-if-required' have been replaced with 'evaluate-additional-classes' and 'only-in-additional-list' respectively and deprecated. This applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #3587)
2302. [func] tmark Options may now be configured with a list of client classes for which they apply. This feature is referred to as "option class-tagging" and is supported by both kea-dhcp4 and kea-dhcp6. (GitLab #3583)
2301. [func] fdupont Added support of DHCPv4 "cablelab-client-conf" (122) option and its associated suboptions specified by RFC 3495, 3594 and 3634 in the "cablelabs-client-conf" space with the exception of the suboption 3. (Gitlab #3404)
2300. [build, func] andrei Standalone fuzz target binaries used in fuzz testing were added to the "fuzz" directory. (Gitlab #3605)
2299. [func]* fdupont Required classes are now evaluated in the same order as for option data, i.e. (pd-)pool, subnet and shared network. Before the order was reversed but this feature was not used. (Gitlab #3590)
2298. [bug] fdupont Fixed a bug where Kea did not return the value of vendor-encapsulated-options when redefined in a client class. (Gitlab #3582)
2297. [build]* fdupont Made the Botan boost TLS support mandatory. Changed the configure argument to --with-botan using the Botan pkg-config library name e.g. "botan-2". (Gitlab #3552)
2296. [func]* fdupont Classes included in 'require-client-classes' that do not have test expressions will now be unconditionally added to the client's list of matching classes. Previously they were ignored. (Gitlab #3388)
2295. [func] fdupont Relaxed the lease, host and config database backend types in the configuration syntax. This change is introduced to better handle optional backends provided in hooks, such as currently available MySQL or PostgreSQL hooks. (Gitlab #3585)
2294. [func] fdupont Added support of DHCPv6 "ntp-server" (56) option specified by RFC 5908 and its associated suboptions in the "v6-ntp-server-suboptions" space. (Gitlab #3390)
2293. [build] razvan The library version numbers have been bumped up for the Kea 2.7.4 development release. (Gitlab #3639)
2292. [doc] tmark Updated the ARM to include an explanation for why the default values for 'calculate-tee-times' are different for kea-dhcp4 and kea-dhcp6. (Gitlab #3538)
2291. [func] fdupont Added three new API commands: subnet4-select-test and subnet4o6-select-test to kea-dhcp4, and subnet6-select-test to kea-dhcp6. These commands can be used to check which subnet the server will select based on given input parameters. (Gitlab #2974)
2290. [bug] razvan Fixed applying 'output_options' when using the 'config-set' command. Deprecated 'output_options' which will be removed in future versions.
Configurations should be updated by switching to using 'output-options' instead. (Gitlab #3594) 2289. [func]* razvan Support for lease, host, and config backends for MySQL and PostgreSQL have been consolidated into a single hook library for each data base: 'libdhcp_mysql.so' and 'libdhcp_pgsql.so' respectively. (Gitlab #3536) 2288. [bug] marcin Prevent the clients from declining expired or released leases. Only a valid lease assigned to the declining client can now be declined. When a misbehaving client declined a lease it did not own it often led to inconsistent statistics of assigned and declined leases. (Gitlab #3565) 2287. [bug] razvan Fixed the serialization of 'retry-on-startup' database configuration parameter as boolean instead of string. (Gitlab #3578) Kea 2.7.3 (development) released on August 25, 2024 2286. [func] fdupont Reorganized UNIX control socket code. (Gitlab #3506) 2285. [build] tomek Changed image type in the Developer's guide from PNG to SVG. This drastically reduced the size of the generated docs (from 2.7GB to 560MB). (Gitlab #3566) 2284. [build] razvan The library version numbers have been bumped up for the Kea 2.7.3 development release. (Gitlab #3597) 2283. [func] tmark The order or precedence of options specified in a template class and its spawned classes has been reversed. An option specified in a spawned class now takes precedence over the same option if specified in the template class. This change applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #3576) 2282. [bug] razvan Fixed a bug caused by starting listeners when checking the configuration using the '-T' command line parameter. This was also causing the check to fail if loading the High Availability hook library. (Gitlab #3542) 2281. [bug] andrei An issue was fixed where kea-admin and kea-lfc were not found by the Kea DHCP servers when installed via a custom defined sbindir. (Gitlab #3504) 2280. 
[func] fdupont IPv6 host reservation syntax now accepts a new entry "excluded-prefixes": a pd-exclude option (RFC6603) can now be added into an iaprefix option carrying a reserved prefix. (Gitlab #1387) 2279. [build] pprindeville Replace the cut and rev utilities with shell variable expansions, improving compatibility with minimal setups on embedded systems. (Gitlab #3533) 2278. [build] dim Replace ``std::basic_string`` with equivalent ``std::vector`` constructs, since the former has been deprecated for a while in libc++, and has been completely removed as of libc++ 19. (Gitlab #3532) Kea 2.7.2 (development) released on August 28, 2024 2277. [build] andrei "libca_rbac.so" is now a symbolic link to "libdhcp_rbac.so". (Gitlab #3550) 2276. [build] razvan The library version numbers have been bumped up for the Kea 2.7.2 development release. (Gitlab #3549) 2275. [func] andrei When running with High-Availability (HA) enabled, the status-get command now includes in its response the system time for each HA node and the clock skew in seconds between active peers. (Gitlab #3513) 2274. [doc, func, build] andrei The events that logged EVAL_RESULT now log a different message for each triggering event. As a result, the message was split into eight messages. The messages that were logged at INFO level are now logged at the same level as their DEBUG counterparts: level 50. Fixed an issue that was causing some messages to not appear under the "Kea Messages Manual" section. A new section called "Kea Debug Messages By Log Level" is added to the ARM. (Gitlab #1945) 2273. [func]* fdupont The RBAC (role-based access control) hook library was extended to support the new HTTP/HTTPS control socket of Kea servers. Note its name changed too from "libca_rbac.so" to "libdhcp_rbac.so". (Gitlab #3483) 2272. [perf] fdupont Implementation of "and", "or" and "ifelse" expressions was changed to evaluate sub-expressions only when needed. (Gitlab #3502) 2271. 
[func] fdupont Extended the control-socket entry taking a map specifying a UNIX/LOCAL control socket for DHCPv4, DHCPv6 and DHCP-DDNS servers to a control-sockets list of maps taking also a HTTP/HTTPS control socket with authentication and TLS parameters from the Control Agent. (Gitlab #3477) 2270. [bug] andrei Fixed flag -P|--port not working in kea-admin on mysql db-init, mysql db-upgrade, pgsql db-upgrade, pgsql lease-dump. pgsql db-upgrade now properly reports an upgrade failure instead of attempting to upgrade to subsequent schema versions. (Gitlab #2882) 2269. [func] tmark Extended kea-dhcp4 and kea-dhcp6 lenient option parsing to drop FQDN options such as v4-lost and v6-access-domain if they contain malformed FQDNs. (Gitlab #3492) Kea 2.7.1 (development) released on July 31, 2024 2268. [build] razvan The library version numbers have been bumped up for the Kea 2.7.1 development release. (Gitlab #3515) 2267. [bug] tmark Corrected an issue in MySQL config back end that causes preferred life time values to be overwritten when updating client classes via remote-set-class6. command. (Gitlab #3469) 2266. [bug] fdupont Improved the code handling multiple instances of the same v4 option according to RFC 3396. (Gitlab #3440) 2265. [bug]* fdupont The 'control-socket' ('control-socket.socket-name' and 'control-socket.socket-type') was removed from the global maps which can be managed by the config backend because in fact if it is possible to change values they are not applied. (Gitlab #3479) 2264. [bug]* tmark Corrected an issue with overlapping enum values for option definition data type. This was causing option definitions of type "record", created via config backend commands, to not load properly when fetched from the back end. (Gitlab #3476) 2263. [func] fdupont RFC 8925 "IPv6-Only Preferred Option for DHCPv4" is now fully implemented: 0.0.0.0 address can be offerred. (Gitlab #3094) 2262. 
[bug] marcin Corrected a bug in storing and fetching the encapsulated DHCP options from the configuration backend. These options were sometimes not returned when they were specified at the subnet, shared network or client class level. (Gitlab #3481)

2261. [bug] razvan Reset the local and remote disabled state when applying configuration. The dhcp-state is now included in the 'status-get' command. It indicates if the dhcp service is enabled or the reason why it is disabled (user command, HA command or database connection failure). (Gitlab #3446)

2260. [bug] razvan Fixed a file descriptor leak in the High Availability hook library. (Gitlab #3449)

2259. [func] fdupont All permissions for other users are now removed from files created by Kea agents and servers. (Gitlab #3050)

Kea 2.7.0 (development) released on June 26, 2024

2258. [build] razvan The library version numbers have been bumped up for the Kea 2.7.0 development release. (Gitlab #3459)

2257. [func] andrei Exceptions thrown from Sysrepo while processing a NETCONF config change or while sending notifications are now caught and logged. The configuration is not applied in that case, but at least kea-netconf recovers instead of crashing. These scenarios are corner cases that are likely not found in production and that trigger bugs in upstream code. (Gitlab #3435)

2256. [func] marcin High Availability hook now supports lease affinity for the released leases. When a lease is released but left in the database for a possible re-allocation this information is propagated to the partner server. Previously, a released lease was always deleted in the partner, causing a loss of the association between the lease and the client in the partner's lease database. This change introduces a new "released" lease state which appears for the released leases in the lease database and in the lease updates exchanged between the HA partners.
It is a backward incompatible change for the HA partners that haven't been upgraded to the latest Kea version. They will reject the lease updates for the released leases holding the new state value. (Gitlab #3246)

2255. [bug] razvan The environment is now inherited by kea-lfc when started by the Kea DHCP server. (Gitlab #3450)

2254. [func] tmark Added two API commands to Perfmon hook library: "perfmon-control" which can be used to enable or disable monitoring and reporting at runtime; and "perfmon-get-all-durations" which fetches a snapshot of raw performance data. (Gitlab #3328)

2253. [func] fdupont Added the predicate token "match" which evaluates regular expression matching to classification expression. (Gitlab #3170)

2252. [bug] fdupont Corrected an issue in kea-dhcp6 which caused reserved prefixes to not be removed when their host reservation was deleted by ip address. (Gitlab #3375)

2251. [func] tmark A new global statistic, "queue-mgr-queue-full", has been added to kea-dhcp-ddns. It tracks the number of times the receive queue for DNS update requests (NCRs) has reached maximum capacity. (Gitlab #2611)

2250. [func] razvan Kea now pretty prints options with binary data whenever possible. (Gitlab #2844)

2249. [func] razvan Made v6 relay options 18 (interface-id), 37 (remote-id) and 38 (subscriber-id) available to the run script hook library. (Gitlab #3035)

2248. [bug] tmark Fixed a corner-case issue in kea-dhcp6 that was causing it to attempt to update a lease for an address with a generated FQDN even though the address was not available to be leased. (Gitlab #3356)

And for Kea premium:

211. [build] andrei The Autotools build system has been removed and superseded by Meson. (Gitlab #3734)

Kea-premium hooks package 2.7.9 (development) released on May 28, 2025

Kea-premium hooks package 2.7.8 (development) released on April 30, 2025

Kea-premium hooks package 2.7.7 (development) released on March 26, 2025

210.
[func] razvan The following hook libraries are now open source: for the kea-dhcp4 and the kea-dhcp6 servers 'libdhcp_class_cmds', 'libdhcp_ddns_tuning', 'libdhcp_flex_id', 'libdhcp_legal_log', 'libdhcp_host_cache', 'libdhcp_host_cmds', 'libdhcp_lease_query', 'libdhcp_limits', 'libdhcp_ping_check', 'libdhcp_radius', 'libdhcp_subnet_cmds' and for the kea-dhcp-ddns server 'libddns_gss_tsig'. (Gitlab #3333)

209. [bug] andrei An issue was fixed where limits set at the client class level would not have any effect if store-extended-info was enabled. (Gitlab #3702)

Kea-premium hooks package 2.7.6 (development) released on January 29, 2025

208. [func]* fdupont Kea now refuses secrets and passwords taken from examples, including when not built with unit tests "keatest". GSS TSIG and RADIUS are currently excluded from this change. (Gitlab #3398)

207. [bug] razvan Fixed a bug which was causing the Forensic Log Hooks Library to not load if a file with the name 'base-name.txt' was present in the configured path. (Gitlab #3708)

Kea-premium hooks package 2.7.5 (development) released on December 11, 2024

Kea-premium hooks package 2.7.4 (development) released on October 30, 2024

Kea-premium hooks package 2.7.3 (development) released on August 25, 2024

206. [bug] razvan Fixed a bug caused by starting listeners when checking the configuration using the '-T' command line parameter. This was also causing the check to fail if loading the High Availability hook library. (Gitlab #3542)

Kea-premium hooks package 2.7.2 (development) released on August 28, 2024

205. [build] andrei "libca_rbac.so" is now a symbolic link to "libdhcp_rbac.so". (Gitlab #3550)

204. [func]* fdupont The RBAC (role-based access control) hook library was extended to support the new HTTP/HTTPS control socket of Kea servers. Note its name changed too from "libca_rbac.so" to "libdhcp_rbac.so". (Gitlab #3483)

203. [bug]* tmark Corrected subnet4-del and subnet6-del commands.
The commands were deleting subnets but not removing them from their shared networks. (Gitlab #3455)

Kea-premium hooks package 2.7.1 (development) released on July 31, 2024

202. [bug]* fdupont The control-socket was removed from the global maps which can be managed by the config backend because in fact if it is possible to change values they are not applied. (Gitlab #3479)

Kea-premium hooks package 2.7.0 (development) released on June 26, 2024

201. [bug] fdupont Reserved addresses in "reservation-update" command are now required to be in the range of the subnet prefix. (Gitlab #3452)

200. [func] fdupont Commands of the host_cmds hook library which require a "subnet-id" parameter now add a hint to the error message when called without this parameter. For "reservation-add" of an empty (i.e. no reserved address or prefix) host reservation, the global (subnet-id 0) is assumed if the "subnet-id" parameter is not specified. (Gitlab #2878)

Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.