# Kea 1.9.8, May 26th 2021, Release Notes

Welcome to Kea 1.9.8, the eighth monthly release of the 1.9 development branch. As with any other development release, use this with caution: development releases are not recommended for production use. This release adds new features, improves existing features, clarifies documentation, and fixes a few bugs.

The most notable changes introduced in this version are:

1. **Forensic logging enhancements** - The forensic logging hooks library is now able to log custom expressions. The expressions can include any option (such as relay option 82) or sub-option (such as circuit-id, remote-id, or any other sub-option), packet fields, network interface names, local or remote IP address, and more. It uses the same expressions engine as client classification and flexible identifiers. Evaluating expressions is a relatively expensive operation, so customized logs have more performance impact than the default log; the more complex the expression, the greater the impact. The forensic logging hooks library also supports flexible rotation intervals using 'second', 'day', 'month' or 'year' time units, as well as 'pre-rotate' and 'post-rotate' actions which can be used to move or compress the respective files whenever the rotate action is performed. This feature covered several separate tickets: the (+) plus operator [#1824, #1863]; custom forensic logging format and time units with pre-rotate and post-rotate actions [#1680]; better handling of parameter-less operation [#1866]; and custom logging of option 82 contents (and any other option) on renewals [#1576].

2. **HA+MT stability** - The multi-threaded (MT) support for High Availability (HA) is now more stable. In particular, the hooks are now notified when Kea enters or leaves a critical state. This eliminates previously observed race conditions when shutting down or reconfiguring Kea with HA+MT enabled [#1876, #1818].

3. **Per-device access control** - Kea is now able to drop packets coming from devices that have matching host reservations with the class set to DROP (the `DROP` class listed in the `client-classes` field of a `reservations` entry). This effectively allows the operator to selectively drop incoming packets from some devices, such as customers with overdue payments, or misbehaving or unwanted devices [#1815].

4. **Better vendor options handling in DHCPv6** - Two improvements related to vendor options are included in this release. First, Kea is now able to process slightly malformed vendor options that have the inner length field set to an incorrect, overly large value. With this improvement, Kea can now be configured (see `lenient-option-parsing` in the `compatibility` scope) to process slightly non-conformant options rather than simply ignoring them. This should improve compatibility with devices such as RAD MiNID [#1860]. The second improvement lets Kea extract the enterprise identifier from the vendor class option in DHCPv6 [#1837].

5. **Security** - Kea now obscures passwords in debug logs when the whole configuration is printed [#1721]. Authentication information is now logged on a dedicated logger, making it easier to implement security policies, such as logging to dedicated secure storage [#1590]. TLS support is now functional when building with the Botan library instead of OpenSSL. While Botan is much less popular than OpenSSL, it may be a viable alternative in cases where OpenSSL cannot be used [#1665].

6. **Bugfixes** - We fixed a bug in the DHCPv4 subnet selection logic. The server ignored the Subnet Selection option supplied by a client if its query contained a Relay Agent Information (RAI) option without a Link Selection option. After this change, the server respects the Subnet Selection option when RAI lacks the Link Selection option. If RAI includes the Link Selection option, it takes precedence over the Subnet Selection option [#1816].
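The subnet-selection precedence from item 6 above, as an added Python example that is not Kea's own code: it walks a DHCPv4 option area, and `legacy=True` reproduces the pre-1.9.8 behaviour the notes describe (option codes are the RFC values; the sample option areas are constructed).

```python
"""Added illustration (not Kea code) of the DHCPv4 subnet-selection precedence in item 6:
Link Selection (RAI option 82 sub-option 5, RFC 3527) beats Subnet Selection (option 118,
RFC 3011); legacy=True reproduces the 1.9.7 behaviour of ignoring option 118 whenever
RAI is present without Link Selection."""
import ipaddress
from typing import Dict, Optional

OPT_RAI = 82
OPT_SUBNET_SELECTION = 118
RAI_LINK_SELECTION = 5

def parse_tlvs(buf: bytes) -> Dict[int, bytes]:
    """Parse code/len/value triples (options or RAI sub-options); stops at END (255)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if code == 255:  # END
            break
        if code == 0:  # PAD
            i += 1
            continue
        if i + 1 >= len(buf):  # truncated length byte
            break
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def selection_address(options: bytes, legacy: bool = False) -> Optional[str]:
    """Address to select the subnet by, or None if neither option applies."""
    opts = parse_tlvs(options)
    rai = opts.get(OPT_RAI)
    if rai is not None:
        link = parse_tlvs(rai).get(RAI_LINK_SELECTION)
        if link is not None and len(link) == 4:
            return str(ipaddress.IPv4Address(link))  # Link Selection takes precedence
        if legacy:
            return None  # pre-fix: Subnet Selection ignored once RAI is present
    subnet = opts.get(OPT_SUBNET_SELECTION)
    if subnet is not None and len(subnet) == 4:
        return str(ipaddress.IPv4Address(subnet))
    return None

# Constructed sample options (not captured traffic); concatenate and terminate with END.
SUBNET_SEL = bytes([OPT_SUBNET_SELECTION, 4, 10, 1, 2, 0])  # 10.1.2.0
RAI_CIRCUIT_ONLY = bytes([OPT_RAI, 5, 1, 3]) + b"eth"  # only a circuit-id sub-option
RAI_WITH_LINK = bytes([OPT_RAI, 6, RAI_LINK_SELECTION, 4, 192, 168, 5, 0])  # 192.168.5.0
END = b"\xff"
```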
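The vendor-class handling from item 4 above (enterprise-id extraction and lenient length handling), as an added example that is not Kea's code; the option layout follows RFC 8415 and the sample bytes, including the enterprise-number, are constructed.

```python
"""Added illustration (not Kea code) of item 4: parsing DHCPv6 OPTION_VENDOR_CLASS (16,
RFC 8415) option-data, a 4-byte enterprise-number followed by (2-byte length, data)
tuples. lenient=True mirrors what the notes say lenient-option-parsing does: a tuple
length exceeding the remaining buffer is clamped to the rest of the buffer."""
import struct
from typing import List, Tuple

def parse_vendor_class(data: bytes, lenient: bool = False) -> Tuple[int, List[bytes]]:
    """Return (enterprise_number, vendor-class-data tuples); raises ValueError when strict."""
    if len(data) < 4:
        raise ValueError("option shorter than the enterprise-number field")
    enterprise = struct.unpack("!I", data[:4])[0]
    tuples: List[bytes] = []
    i = 4
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated tuple length field")
        (length,) = struct.unpack("!H", data[i:i + 2])
        i += 2
        remaining = len(data) - i
        if length > remaining:
            if not lenient:
                raise ValueError(f"tuple length {length} exceeds remaining {remaining} bytes")
            length = remaining  # lenient: the value is whatever is left in the buffer
        tuples.append(data[i:i + length])
        i += length
    return enterprise, tuples

def is_conformant(data: bytes) -> bool:
    """True if the option parses under the strict (default) rules."""
    try:
        parse_vendor_class(data)
    except ValueError:
        return False
    return True

# Constructed samples; 43981 is an arbitrary enterprise-number, not any real vendor's.
ENTERPRISE = 43981
GOOD_OPTION = struct.pack("!IH", ENTERPRISE, 5) + b"RAD01"
BAD_OPTION = struct.pack("!IH", ENTERPRISE, 12) + b"RAD01"  # claims 12 bytes, only 5 follow
```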
Assorted smaller issues reported by Coverity Scan have also been fixed [#1806, #1854, #1855, #1852, #1850, #1853, #1851, #1805].

7. **Build improvements** - Unit tests on CentOS 7 [#1888] and the Kea-netconf compilation [#1883] are now fixed; forensic logging unit tests no longer fail on FreeBSD [#1879]; we have added support for gcc11, which now makes Kea compilation on Fedora 34 viable [#1834, #1833, #1871, #1839]; and we fixed two problems when generating Sphinx documentation, in particular when using Sphinx 3.3.1 or newer [#1877, #1560].

8. **Testing** - Perfdhcp is now able to simulate DHCPv6 traffic coming from multiple subnets. While perfdhcp is not typically used by end users (although they certainly can use it to stress-test their deployments), this tool is used for ISC performance testing. This extended capability will allow testing of more complex IPv6 scenarios that more closely replicate actual deployments [#1416].

## Incompatible Changes

1. **Dropping Python 2 support** - Python 2 support was EOLed on 1 Jan 2020. Most current distributions have full native Python 3 support, with the exception of CentOS 7. On CentOS 7, Python 2 is still the default, but Python 3 installation is an easy task. Kea version 1.9.8 dropped support for Python 2 in `kea-shell`. Kea users on CentOS 7 have several options. The most direct, for users who want to use `kea-shell` on CentOS 7, is to install the Python 3 packages. If this is not viable, `kea-shell` still works with Python 2 for now, but TLS is not supported. (This partial backward compatibility is expected to disappear when Kea 2.0.0 is released.) The third alternative is to use different tools or environments. `kea-shell` simply sends JSON commands over HTTPS and prints JSON responses. Such capabilities are available using various tools (such as `curl`, `socat`, `postman`) or scripting environments [#1873].

2. **Kea shell in a separate RPM package** - `kea-shell` is now available in a separate RPM package. The base Kea package no longer depends on the Python 2 package.

## Known Issues

For details on known issues, visit:

https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list

And for the list of issues marked as bugs:

https://gitlab.isc.org/isc-projects/kea/issues?label_name%5B%5D=bug

## Release Model

The Kea project has a significant production deployment base with users who are looking for stability, rather than a constant stream of new "bleeding-edge" features. At the same time, we want to continue developing the software and add some new powerful, but difficult-to-implement, features. To meet both of these requirements we have both Stable and Development branches.

Stable releases are what you would expect: stable, released infrequently, without new features or significant changes, very well-tested. These can be identified by an even-numbered minor version number. The current stable release is 1.8.2. The older stable version 1.6.3 is also available. If we discover important bugs that require fixing, we may release additional maintenance versions on the 1.8 branch, but that will be determined on a case-by-case basis. The next major stable version will be 2.0.0.

Development releases can be easily identified by an odd minor version number: for example, 1.9.0 is a development release. Subsequent releases on the same minor release branch are numbered 1.9.1, 1.9.2, and so on. Our goal is to make the development release available on the last Wednesday of each month. There may be exceptions (such as during holidays), but that's the general plan. We encourage users to test the development releases and report back their findings.

For more details on the plan, see ISC's Software Support Policy at:

https://kb.isc.org/docs/aa-00896

## Kea Overview

Kea is a DHCP implementation developed by Internet Systems Consortium that features fully functional DHCPv4 and DHCPv6 servers, a dynamic DNS update daemon, a Control Agent (CA) that provides a REST API to control the DHCP and DNS update servers, an example shell client to connect to the CA, a daemon that is able to retrieve YANG configuration and updates from Sysrepo, and a DHCP performance-measurement tool.

Both DHCP servers support server discovery, address assignment, renewal, rebinding, release, decline, information request, DNS updates, client classification, and host reservations. The DHCPv6 server also supports prefix delegation. Lease information is stored in a CSV file by default; it can optionally be stored in a MySQL, PostgreSQL, or Cassandra database instead. Host reservations can be stored in a configuration file, or in a MySQL, PostgreSQL, or Cassandra database. They can also be retrieved from a RADIUS server, although this functionality is somewhat limited.

Kea DHCPv4 and DHCPv6 daemons provide support for YANG models, which are stored in a Sysrepo datastore and can be configured via the NETCONF protocol.

This text references issue numbers. For more details, visit the Kea GitLab page at:

https://gitlab.isc.org/isc-projects/kea/-/issues

## License

This version of Kea is released under the Mozilla Public License, version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

The premium and subscriber-only hooks libraries are provided in source code form, under the terms of an End User License Agreement (you will get the source code that you can modify freely, but you are not permitted to redistribute it).

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at:

https://cloudsmith.io/~isc/repos/

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code-signing key which is available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual (ARM). Documentation is included with the installation, at:

* https://kea.readthedocs.io/en/latest/
* or via https://kb.isc.org/docs/kea-administrator-reference-manual in HTML, plain text, or PDF formats

ISC maintains a public open source code tree, a wiki, an issue tracking system, milestone planning, and a roadmap at:

https://gitlab.isc.org/isc-projects/kea

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list at:

https://lists.isc.org/mailman/listinfo/kea-users

We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea development and maintenance are funded with support subscriptions. For more information on ISC's Kea and DHCP software support see:

https://www.isc.org/support/

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at:

https://www.isc.org/community/mailing-List

If you have any comments or questions about working with Kea, please share them on the Kea Users List:

https://lists.isc.org/mailman/listinfo/kea-users

Bugs and feature requests may be submitted via GitLab at:

https://gitlab.isc.org/isc-projects/kea/-/issues

## Changes

The following summarizes changes since the previous release of 1.9.7:

```
1904.   [build]     wlodek
        Library version numbers bumped for Kea 1.9.8 development
        version.
        (Gitlab #1882)

1903.   [func]      andrei
        Kea now recognizes requests sent from vendors that include their
        information in DHCPv6 Vendor Class option (code 16) for the
        purpose of offering custom options in the response. Previously,
        only the Vendor-specific Information option (code 17) was
        searched for a vendor ID. For the purpose of classification,
        both options are looked into, now, just as before.
        (Gitlab #1837)

1902.   [func]      andrei, fdupont
        All logs that expose configuration, either in full or in
        snippets, now have the values of "password" and "secret"
        entries replaced with asterisks "*****".
        (Gitlab #1721)

1901.   [bug]       marcin
        Corrected a bug in DHCPv4 subnet selection. The server ignored
        the Subnet Selection option supplied by a client if its query
        contained a Relay Agent Information (RAI) option without a Link
        Selection option. After this change, the server respects the
        Subnet Selection option when RAI lacks the Link Selection
        option. If RAI includes it, it takes precedence over the Subnet
        Selection option.
        (Gitlab #1816)

1900.   [bug]       tmark
        Fixed a sporadic failure caused by a wrong assertion in the unit
        test testMtHttpClientTest.workPauseResumeShutdown, introduced
        by #1818.
        (Gitlab #1876)

1899.   [func]      tmark, razvan
        In HA+MT mode, the HA hook library now pauses and resumes its
        worker threads when Kea core enters and exits critical sections,
        respectively. This eliminates race conditions during core
        processing such as reconfiguration, shutdown, and certain
        RESTful API commands.
        (Gitlab #1818)

1898.   [func]      fdupont
        The DROP class may now depend on the KNOWN or UNKNOWN classes
        and may be used after the host reservation lookup.
        (Gitlab #1815)

1897.   [func]      andrei
        Kea has a new configuration section called "compatibility"
        geared towards non-compliant clients. The only boolean parameter
        added for now, called "lenient-option-parsing", changes the way
        DHCPv6 option 16's vendor-class-data field is parsed. When
        enabled, instead of complaining that a length exceeds the rest
        of the option's buffer, the value is considered to be the rest
        of the buffer. This also applies to custom options defined with
        the tuple type for both DHCPv4 and DHCPv6.
        (Gitlab #1860)

1896.   [func]      wlodek
        Perfdhcp extended to send v6 traffic from multiple networks.
        (Gitlab #1416)

1895.   [func]      razvan
        Added additional evaluation tokens to extract and print data:
        addrtotext, int8totext, int16totext, int32totext, uint8totext,
        uint16totext, uint32totext.
        (Gitlab #1680)

1894.   [func]      fdupont
        Implemented 'auth' logger, dedicated to logging access control
        information, such as basic HTTP authentication.
        (Gitlab #1590)

1893.   [func]      fdupont
        Botan 2.14 or later can now be used as a crypto library for the
        TLS/HTTPS support in Kea.
        (Gitlab #1665)

1892.   [func]      fdupont
        Added + operator as a convenient alias to concat() function in
        expressions.
        (Gitlab #1824)
```

Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.