ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2021-10-19T11:13:42Z

https://gitlab.isc.org/isc-projects/stork/-/issues/582
Retrieve rcodes and qtypes per zone
2021-10-19T11:13:42Z
albsga

It will be interesting to retrieve the data from the JSON, building a struct with [] to gather the data, as it is an array of dicts.
The format of the Prometheus output is important; it would also be interesting to have something similar to:
```
bind_zones_queries_total{type="A",zone="example.com",view="_default"} 91
bind_zones_queries_total{type="CNAME",zone="example.com",view="_default"} 32
bind_zones_queries_total{type="A",zone="example3.com",view="_default"} 3
bind_zones_queries_total{type="CNAME",zone="example3.com",view="_default"} 22
```
Thanks!!
backlog
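As an added example (not Stork code and not from the issue's author), here is how per-zone counters can be pulled out of a JSON document whose zones field is an array of dicts and rendered in the Prometheus text exposition format, with label values escaped the way the format requires. The JSON below is constructed for the example and only modelled on the BIND 9 statistics channel; the key names `qtypes` and `rcodes` and the metric name `bind_zones_responses_total` are assumptions, and zones that carry no counters (zone statistics off) are skipped rather than emitted as zeros.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample input, modelled on the BIND 9 statistics channel JSON
# ("views" -> view name -> "zones" as an array of dicts). The key names
# "qtypes"/"rcodes" are assumptions for this example, not guaranteed BIND output.
SAMPLE_STATS_JSON = """
{
  "views": {
    "_default": {
      "zones": [
        {"name": "example.com", "class": "IN", "type": "primary",
         "qtypes": {"A": 91, "CNAME": 32},
         "rcodes": {"NOERROR": 120, "NXDOMAIN": 3}},
        {"name": "example3.com", "class": "IN", "type": "primary",
         "qtypes": {"A": 3, "CNAME": 22},
         "rcodes": {"NOERROR": 25}},
        {"name": "quiet.example", "class": "IN", "type": "secondary"}
      ]
    }
  }
}
"""


def escape_label_value(value: str) -> str:
    """Escape a label value as the Prometheus text exposition format requires:
    backslash, double quote and newline are the only characters that need it."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def render_sample(metric: str, labels: Iterable[Tuple[str, str]], value: int) -> str:
    """One exposition line: metric{label="value",...} number (label order preserved)."""
    label_str = ",".join(f'{name}="{escape_label_value(val)}"' for name, val in labels)
    return f"{metric}{{{label_str}}} {value}"


def _collect(zones: List[Tuple[str, Dict]], counter_key: str, metric: str,
             label_name: str, help_text: str) -> List[str]:
    """Emit HELP/TYPE once, then one sample per (zone, counter) pair.
    Zones without the counter dict (statistics disabled) contribute nothing."""
    lines = [f"# HELP {metric} {help_text}", f"# TYPE {metric} counter"]
    for view_name, zone in zones:
        counters = zone.get(counter_key)
        if not isinstance(counters, dict):
            continue
        for key, count in counters.items():
            # Counters must be non-negative integers; bool is an int subclass, so exclude it.
            if isinstance(count, bool) or not isinstance(count, int) or count < 0:
                continue
            labels = [(label_name, str(key)), ("zone", zone["name"]), ("view", view_name)]
            lines.append(render_sample(metric, labels, count))
    return lines


def zone_metrics(stats_json: str) -> List[str]:
    """Parse the statistics JSON and return the exposition text as a list of lines."""
    stats = json.loads(stats_json)
    zones: List[Tuple[str, Dict]] = []
    for view_name, view in stats.get("views", {}).items():
        if not isinstance(view, dict):
            continue
        for zone in view.get("zones", []):          # the array of dicts from the issue
            if isinstance(zone, dict) and isinstance(zone.get("name"), str):
                zones.append((view_name, zone))
    out = _collect(zones, "qtypes", "bind_zones_queries_total", "type",
                   "Queries received per zone, view and query type.")
    out += _collect(zones, "rcodes", "bind_zones_responses_total", "rcode",
                    "Responses sent per zone, view and response code.")
    return out


if __name__ == "__main__":
    print("\n".join(zone_metrics(SAMPLE_STATS_JSON)))
```

The escaping matters more than it looks: a zone or view name is operator-controlled text, and an unescaped quote or backslash in a label value breaks the whole scrape, not just one line.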

https://gitlab.isc.org/isc-projects/kea/-/issues/2074
NAK sent to its own offered IP
2021-09-17T12:04:58Z
ALOK KUMAR SINGH

Upgraded Kea 1.5 to version 1.8.2; post-upgrade I have observed that reserved clients don't receive an IP address. When I did a packet capture I could see the DHCP server sending a NAK packet to the reserved IP address it had itself offered.
Please find the packet capture attached and let me know if this is a bug in Kea 1.8.2.
Filter on MAC 10:65:30:FA:76:AC
[hsclab.pcap](/uploads/922e5fae16d79108612088e8348c90d8/hsclab.pcap)
outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/2071
distcheck is missing db backends, sysrepo and gss-tsig and CXX flags for TSAN are not propagated
2023-07-17T13:58:25Z
Razvan Becheriu
kea2.3.0; assigned to Razvan Becheriu

https://gitlab.isc.org/isc-projects/bind9/-/issues/2641
BIND Version checker/reporter
2021-04-28T16:16:24Z
Vicky Risk (vicky@isc.org)

**Background**
ISC needs some general idea of how many instances of BIND are running which software versions. We frequently have to guesstimate this in order to assess the relative impact of a bug or vulnerability on our user base. We do not have any useful information from downloads, because our open source is published on so many sites, including many we do not control. Having this information would enable us to make better decisions about how many installations might be impacted and about what sort of fix is appropriate.
At the same time, we also need some mechanism to alert users who are running software that is EOL or subject to a known, published CVE. We should be able to provide unobtrusive but visible feedback to the operator when that is detected.
Users are wary of any feature that reports software information that could be used to identify and target them, or that carries any potential for side-channel data leakage. We must make it very transparent exactly what information is sent and what information we retain. Some users will wish to disable whatever version checker we implement, and we should make it easy to do so. However, if we do not enable this feature by default, it is unlikely that we will get enough data to be useful.
**Requirements**
1. We need a utility that will periodically (define) contact some system at ISC and report what BIND version it is running and check to see if that is a supported version clear of published CVEs.
1. The message or lookup from the version checker should consume a *very modest* amount of bandwidth. UDP should be adequate; retries and failure messages are not indicated if the lookup fails or is blocked. We want to be careful not to create a DDoS on the server.
1. The version checker does not need to check frequently - a period of daily might be ok and might be easiest to implement, weekly is adequate however.
1. The version checker should be enabled by default.
1. We might have one check that happens on startup and an identifiably different check that happens say, weekly after that. This is to address the issue of test systems, ephemeral dockers biasing the statistics.
1. **TBD.** It might be useful to initiate the 'ongoing' checker only when some level of regular query traffic is reached, to eliminate systems that are unused or 'toy' systems, again to reduce those systems biasing the statistics. The problem is that some of these systems we might regard as 'toy' systems could still be important to their users and we would be denying them the benefit of the alerts that their system is compromised. Also, some systems with a lot of query traffic could simply be, e.g. unmanaged open resolvers that are pounded with abuse traffic.
1. It must be relatively easy to disable the version checker. It should be possible to disable it without rebuilding the image and without restarting the daemon.
1. Some operating system packagers are going to want to disable the version checker, or possibly to 'redirect' it to check some facility of their own. This should not be unnecessarily difficult for them to do.
1. This feature should be added to the development branch of BIND.
1. **It is TBD** whether we should backport it to the most recent stable branch.
**Local logging**
The version checker should insert a log message in the configured default bind logging facility if the running version is EOL or if it is subject to a known published CVE.
1. The log message should state the CVE status (clear, vulnerable, EOL, unrecognized version)
1. **TBD.** If there is adequate room, this message could provide any of the following
- the date of the planned EOL for this version
- a link to get more information
- a link to download a new version
- a link to the vulnerability report
- a link to the CVE matrix
depending on what is feasible and reasonable given the space available.
1. **TBD** whether the log message should be at the Warning level or the Informational level
1. **TBD** whether the version checker should log that it ran, and checked the version and the response is ok. Some users might want this, but since it is not very useful and adds more chaff to the log, if it is logged it should be at a low level, info or debug.
**Version Status Responder**
1. ISC should stand up a system that the version checker can check
1. The responder should be identified by a FQDN. We will have to maintain this facility for a long time, and using a FQDN will make it easier for packagers to substitute their own responder if they choose.
1. The responder should have information on known BIND versions with support status and CVE status.
1. It should be possible for anyone who can publish a BIND CVE or post a BIND release to add or edit the known versions, CVE status and support status so we can easily keep this up to date, given we are releasing multiple new versions monthly.
1. The responder should log the time and version number the checker looks up, but it should not log the IP address the request comes from, or anything else.
1. **TBD.** How can we effectively identify package versions where the BIND version does not map to the ISC releases, such as when a packager backports CVE fixes?
1. **TBD** Should we make the census information public?
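The wire exchange and logging behaviour the requirements above describe, modelled as an added example (not BIND code and not an ISC design; the protocol tag `bindvc/1`, the message layout, the status table, the version numbers and the URLs are all assumptions made for the example). It shows a client datagram that carries nothing but the check kind and the version string, a responder whose census record holds only time, kind and version and never sees the peer address, silence on malformed input so the service cannot be used as a reflector, and the mapping of each status to a log level.

```python
import socket
from datetime import date
from typing import Dict, Optional, Tuple

PROTOCOL = "bindvc/1"          # assumed protocol tag for this example, not an ISC protocol
MAX_DATAGRAM = 512             # one small UDP datagram each way, no retries
CHECK_KINDS = ("startup", "periodic")
STATUSES = ("clear", "vulnerable", "eol", "unrecognized")

# Constructed status table; versions, dates and URLs are illustrative only.
VERSION_STATUS: Dict[str, Dict[str, str]] = {
    "9.16.27": {"status": "clear", "eol": "2024-03-31", "info": "https://example.invalid/bind/9.16"},
    "9.16.1": {"status": "vulnerable", "info": "https://example.invalid/bind/advisories"},
    "9.11.37": {"status": "eol", "eol": "2022-03-31", "info": "https://example.invalid/bind/9.11"},
}


def build_check(version: str, kind: str) -> bytes:
    """Client -> responder. The datagram carries only the tag, the check kind
    (startup vs periodic, so ephemeral test instances can be told apart) and the version."""
    if kind not in CHECK_KINDS:
        raise ValueError(f"unknown check kind {kind!r}")
    if not version or len(version) > 64 or not version.isascii() or any(c.isspace() for c in version):
        raise ValueError("version must be a short, space-free ASCII string")
    return f"{PROTOCOL} {kind} {version}".encode("ascii")


def responder_handle(datagram: bytes, today: str) -> Tuple[Optional[bytes], Optional[Dict[str, str]]]:
    """Responder side: returns (reply, census_record). The record holds the date, kind and
    version only; the peer address is needed by the socket layer to send the reply but is
    never passed in here, so it cannot end up in the census. Malformed input gets no reply."""
    try:
        proto, kind, version = datagram.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None, None
    if proto != PROTOCOL or kind not in CHECK_KINDS or len(version) > 64:
        return None, None
    entry = VERSION_STATUS.get(version, {"status": "unrecognized"})
    record = {"time": today, "kind": kind, "version": version}
    reply = " ".join([PROTOCOL, entry["status"], entry.get("eol", "-"), entry.get("info", "-")])
    return reply.encode("ascii")[:MAX_DATAGRAM], record


def parse_reply(datagram: Optional[bytes]) -> Optional[Dict[str, Optional[str]]]:
    """Client side: a missing or malformed reply is treated the same as a blocked lookup."""
    if datagram is None:
        return None
    try:
        proto, status, eol, info = datagram.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if proto != PROTOCOL or status not in STATUSES:
        return None
    return {"status": status, "eol": None if eol == "-" else eol, "info": None if info == "-" else info}


def log_line(version: str, reply: Optional[Dict[str, Optional[str]]]) -> Tuple[str, str]:
    """Map the answer to (level, message): debug when nothing came back, info when clear or
    unrecognized, warning when the operator has to act (vulnerable or EOL)."""
    if reply is None:
        return "debug", f"version check: no reply for BIND {version}"
    extra = ""
    if reply["eol"]:
        extra += f"; EOL date {reply['eol']}"
    if reply["info"]:
        extra += f"; see {reply['info']}"
    status = reply["status"]
    if status == "clear":
        return "info", f"version check: BIND {version} is supported and clear of published CVEs{extra}"
    if status == "unrecognized":
        return "info", f"version check: BIND {version} is not a known ISC release{extra}"
    if status == "eol":
        return "warning", f"version check: BIND {version} is end-of-life{extra}"
    return "warning", f"version check: BIND {version} is subject to a published CVE{extra}"


if __name__ == "__main__":
    # End-to-end over loopback UDP: one datagram out, one back, a 2 s wait and no retry.
    responder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    responder.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    client.sendto(build_check("9.16.1", "startup"), responder.getsockname())
    data, peer = responder.recvfrom(MAX_DATAGRAM)
    reply, record = responder_handle(data, date.today().isoformat())
    print("census record:", record)            # `peer` is used below, never stored
    if reply is not None:
        responder.sendto(reply, peer)
    try:
        answer, _ = client.recvfrom(MAX_DATAGRAM)
    except socket.timeout:
        answer = None
    print(*log_line("9.16.1", parse_reply(answer)))
```

Two design points carry the privacy requirement: the responder function never receives the peer address, so the census cannot contain it by accident, and the client treats a timeout exactly like a malformed reply, so a blocked checker neither retries nor spams the log.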

https://gitlab.isc.org/isc-projects/stork/-/issues/533
subnets and host reservation are not removed
2021-12-02T13:10:39Z
glomazdov

Subnets and host reservations are not removed from the Stork UI and Postgres when I delete them from the kea-dhcp4.conf configuration. What we see and what is actually configured are different.
This seems like a bug. https://gitlab.isc.org/isc-projects/stork/-/issues/390!
screen [screen_2021-04-19_130122](/uploads/f65aa49d651e1bdded1c91017e6cf318/screen_2021-04-19_130122.png)
1.0; assigned to Marcin Siodelski

https://gitlab.isc.org/isc-projects/bind9/-/issues/2340
Enable logging of rpz re-writes to dnstap.
2024-03-27T13:54:38Z
Peter Davies

### Description
Enable logging of rpz re-writes to dnstap.
The ability to send rpz rewrite information that is generated by category rpz to the dnstap output stream.
[RT #17273](https://support.isc.org/Ticket/Display.html?id=17273)
Not planned; assigned to Evan Hunt

https://gitlab.isc.org/isc-projects/kea/-/issues/1401
mysql/upgrade_6.0_to_7.0.sh script failure on ubuntu18
2020-09-09T19:03:01Z
klausfiend

Failed command:
```
root:~# kea-admin db-upgrade mysql -u kea -p kea -n kea -h kea
Database version reported before upgrade: mysql: [Warning] Using a password on the command line interface can be insecure.
6.0
Verifying upgrade permissions for kea
mysql: [Warning] Using a password on the command line interface can be insecure.
MySQL Version is:
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
Processing /usr/share/kea/scripts/mysql/upgrade_1.0_to_2.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 1.0 to 2.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_2.0_to_3.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 2.0 to 3.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_3.0_to_4.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 3.0 to 4.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_4.0_to_4.1.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 4.0 to 4.1. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_4.1_to_5.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 4.1 to 5.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_5.0_to_5.1.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 5.0 to 5.1. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_5.1_to_5.2.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 5.1 to 5.2. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_5.2_to_6.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 5.2 to 6.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_6.0_to_7.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1060 (42S21) at line 3: Duplicate column name 'user_context'
Processing /usr/share/kea/scripts/mysql/upgrade_7.0_to_8.0.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 7.0 to 8.0. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_8.0_to_8.1.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 8.0 to 8.1. Reported version is 6.0. Skipping upgrade.
Processing /usr/share/kea/scripts/mysql/upgrade_8.1_to_8.2.sh file...
mysql: [Warning] Using a password on the command line interface can be insecure.
This script upgrades 8.1 to 8.2. Reported version is 6.0. Skipping upgrade.
Database version reported after upgrade: mysql: [Warning] Using a password on the command line interface can be insecure.
6.0
```
Versions installed:
```
root:~# /usr/sbin/kea-dhcp4 -V
1.6.3
tarball
linked with:
log4cplus 1.1.2
OpenSSL 1.1.1 11 Sep 2018
database:
MySQL backend 8.2, library 5.7.30
PostgreSQL backend 5.1, library 100012
Memfile backend 2.1
```
SQL server version:
```
Server version: 5.6.38-log MySQL Community Server (GPL)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
```
Operating system:
```
root:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```
The origin of this issue is that I need to upgrade my database schema so I can make the switch from handmade Ubuntu packages (built from 1.3.0 sources using the existing Ubuntu *debhelper* tooling) to the 1.6 packages provided by ISC. I started out with schema 5.0, and the upgrade process did successfully get it from 5.0 -> 6.0, but I can't get past 6.0.
I did a bit of investigating, and initially tried to just fake my way through the problem by removing the offending columns (*user_context* from **lease4** and **lease6**), dropping the offending table (**logs**), but that attempt stalled out when I ran into this error:
```
root:/usr/share/kea/scripts/mysql# sh -x /usr/share/kea/scripts/mysql/upgrade_6.0_to_7.0.sh
+ prefix=/usr
+ [ -e /usr/share/kea/scripts/admin-utils.sh ]
+ . /usr/share/kea/scripts/admin-utils.sh
+ db_host=kea
+ db_user=kea
+ db_name=kea
+ db_password=kea
+ mysql_version --host=kea --user=kea --password=kea kea
+ mysql_execute SELECT CONCAT_WS('.', version, minor) FROM schema_version --host=kea --user=kea --password=kea kea
+ QUERY=SELECT CONCAT_WS('.', version, minor) FROM schema_version
+ shift
+ [ 4 -gt 1 ]
+ mysql -N -B --host=kea --user=kea --password=kea kea -e SELECT CONCAT_WS('.', version, minor) FROM schema_version
mysql: [Warning] Using a password on the command line interface can be insecure.
+ retcode=0
+ return 0
+ return 0
+ VERSION=6.0
+ [ 6.0 != 6.0 ]
+ mysql --host=kea --user=kea --password=kea kea
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 1062 (23000) at line 98: Duplicate entry '4' for key 'PRIMARY'
+ RESULT=1
+ exit 0
```
I couldn't find anything in the list of issues that looked similar to the issue I ran into; apologies if this is a repeat, but as of right now it seems I'm stuck. Any guidance would be most appreciated.
outstanding
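The repeated `[Warning] Using a password on the command line interface can be insecure` lines in the traces above are worth acting on: an argument such as `--password=kea` is visible to every local user through `ps` and can end up in shell history. As an added example (not part of `kea-admin` or its upgrade scripts), the block below builds the same `mysql -N -B ... -e QUERY` invocation the trace shows but hands the credentials over in a `[client]` option file that only the current user can read. The helper names, the `kea-db-` file prefix and the `run_query` wrapper are assumptions made for the example; the value quoting follows the MySQL option-file rules (double quotes with backslash escapes), and the reader function exists to prove the round trip of awkward passwords.

```python
import os
import stat
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

SCHEMA_VERSION_QUERY = "SELECT CONCAT_WS('.', version, minor) FROM schema_version"


def _quote_option_value(value: str) -> str:
    """Double-quote an option-file value and backslash-escape backslashes and quotes,
    so passwords containing '#', ';', spaces or quotes are not truncated or misread."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def write_client_option_file(user: str, password: str, host: str,
                             directory: Optional[str] = None) -> str:
    """Create a [client] option file readable only by the current user and return its path.
    mkstemp already creates the file with mode 0600; the explicit chmod guards against
    wrappers or platforms that relax that."""
    fd, path = tempfile.mkstemp(prefix="kea-db-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write("[client]\n")
        handle.write(f"user={_quote_option_value(user)}\n")
        handle.write(f"password={_quote_option_value(password)}\n")
        handle.write(f"host={_quote_option_value(host)}\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


def option_file_is_private(path: str) -> bool:
    """True when the file is a regular file with no group/other permission bits."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & 0o077) == 0


def read_option_file(path: str) -> Dict[str, str]:
    """Read back the file written above (understands the quoting the writer uses)."""
    values: Dict[str, str] = {}
    with open(path) as handle:
        for line in handle:
            line = line.strip()
            if not line or line[0] in "#;[":
                continue
            key, _, raw = line.partition("=")
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                chars, i = [], 1
                while i < len(raw) - 1:            # walk the body between the quotes
                    if raw[i] == "\\" and i + 1 < len(raw) - 1:
                        chars.append(raw[i + 1])   # escaped quote or backslash
                        i += 2
                    else:
                        chars.append(raw[i])
                        i += 1
                raw = "".join(chars)
            values[key.strip()] = raw
    return values


def mysql_argv(option_file: str, database: str, query: str) -> List[str]:
    """Same invocation as the trace's `mysql -N -B --host=... --user=... --password=... kea -e ...`
    but with no credentials in argv. --defaults-extra-file must precede every other option."""
    return ["mysql", f"--defaults-extra-file={option_file}", "-N", "-B", database, "-e", query]


def run_query(option_file: str, database: str, query: str) -> Tuple[int, str]:
    """Run the query and return (exit status, stdout); callers must check the status
    rather than assume success."""
    proc = subprocess.run(mysql_argv(option_file, database, query),
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    cnf = write_client_option_file("kea", "kea", "kea")
    try:
        print(" ".join(mysql_argv(cnf, "kea", SCHEMA_VERSION_QUERY)))
        print(run_query(cnf, "kea", SCHEMA_VERSION_QUERY))
    finally:
        os.unlink(cnf)
```

Delete the option file as soon as the upgrade run is over, as the `finally` does; a forgotten credentials file in `/tmp` is the same exposure moved to disk.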

https://gitlab.isc.org/isc-projects/bind9/-/issues/1897
max-transfer-time-* and max-transfer-idle-* broken since 9.15.6
2023-04-05T18:20:10Z
Brian Conry

In 53f0b6c34d3f ("convert ns_client and related objects to use netmgr"), the logic for setting a timer to enforce `max-transfer-time-out` and `max-transfer-idle-out` was removed.
In 49d53a4aa95682f9d94da4c6fa68ded66283cce9 ("use netmgr for xfrin"), the `max-transfer-time-in` and `max-transfer-idle-in` options have met a similar destiny.
March 2022 (9.11.37, 9.11.37-S1, 9.16.27, 9.16.27-S1, 9.18.1); assigned to Ondřej Surý

https://gitlab.isc.org/isc-projects/kea/-/issues/1149
Extend Kea HA to permit a single backup server for multiple primary/active servers
2024-01-26T14:35:10Z
Vicky Risk (vicky@isc.org)

As an administrator with many offices, each with a local Kea server, I would prefer to have a single backup server, centrally located, that can serve as backup for many remote Kea servers.
I realize that one option is to run multiple Kea servers on the single machine at HQ, but monitoring and managing that single Kea server would also present scaling issues. This request is to be able to have a single Kea server that has multiple failover relationships.
* The scale would be dozens of remote active nodes to a single passive node.
* In this scenario, the active Kea servers are not likely to be heavily loaded or extremely active.
* It is ok if the central server is limited in the number of relationships in which it can become the primary simultaneously.
kea2.5.5

https://gitlab.isc.org/isc-projects/bind9/-/issues/1644
i need backup forwarders
2021-10-05T11:09:06Z
paul vixie (paul@redbarn.org)

### Description
i plan to run bind9 w/o a config file on 127.0.0.1, on a lot of hosts. sometimes these hosts will have the ability to reach the wider internet, in which case i want no forwarders, just go do the iterations. however, when behind a firewall, my dhcp-assigned recursive name servers may be the only ones i can reach, and i'll want my bind9 instance on 127.0.0.1 to then go into forwarders mode.
### Request
in all cases, my resolv.conf (or windows registry, or whatever) will be set to the static value of 127.0.0.1. the only variability is whether the bind9 recursive server running on 127.0.0.1 will know to use forwarders when it has to, but only when it has to. i realize that learning the dhcp-assigned recursive server names is a non-portable task, but i'm willing to say "go ask your own DHCP request" until that problem has been sorted out.
### Links / references

https://gitlab.isc.org/isc-projects/kea/-/issues/973
IPv6: create static routes for (sub-) delegated prefixes
2021-03-08T11:57:34Z
Ghost User

---
name: Feature request - IPv6: create static routes for (sub-) delegated prefixes
about: Suggest an idea for this project
---
**Some initial questions**
- Are you sure your feature is not already implemented in the latest Kea version? yes
- Are you sure what you would like to do is not possible using some other mechanisms? unsure, maybe with custom hooks
- Have you discussed your idea on kea-users or kea-dev mailing lists? no
**Is your feature request related to a problem? Please describe.**
I use Kea to manage my network environment with several subnets, running on a central router/DHCP/DNS machine and connected to a dual-stack IPv4+v6 Internet uplink. As my ISP provides IA_PD with a delegated /56, I would like to sub-delegate e.g. /62's to other routers in my network. Unfortunately, this is impossible right now because although Kea does hand out prefixes (so that works fine), it does not take care of routing information. So I end up with internal routers that get v6 prefixes delegated but they are unreachable because I have no way of setting up proper routes for those prefixes.
(Statically assigning those prefixes and creating fixed routes kind of defeats the purpose...)
**Describe the solution you'd like**
I would love to see Kea setting up a static route for each prefix it hands out. From there, other mechanisms could take over, e.g. a routing daemon (BIRD, FRR, etc.) that distributes those static routes to a dynamic routing protocol.
**Describe alternatives you've considered**
An alternative would be DHCPv6 snooping by an intermediary L3 network device, but that's tackling it backwards. Unfortunately, my environment is not capable of doing that either.
Regards
Kea1.9-backlog

https://gitlab.isc.org/isc-projects/stork/-/issues/54
Req 5.1 View Zones List
2021-06-01T08:44:42Z
Vicky Risk (vicky@isc.org)

As an administrator I would like to be able to browse a list of DNS zones that I am publishing, along with a bunch of information on the zone.
1. This is likely to be a very large table, with pages of data, so I would like to be able to apply filters to make it more manageable.
1. I want to be able to accommodate up to 2M small zones, 2M RRs zone, 100 views.
1. I would like to be able to sort this by zone name, zone type, time of last update (this might be the default sort), zone size? signing status (signed/unsigned/expired?), #RRs.
1. This zone list should include 'dynamic', 'traditional', catalog, automatic, mirror, root hints, forward, stub, static stub zones.
1. I would like to know the zone type and permit filtering based on zone type.
1. I would like to search based on ... (?cnames?)
1. I would like to know which slaves are publishing that zone
1. I may know a zone name, or partial zone name and will want to know more about that zone.
backlog; assigned to Matthijs Mekking (matthijs@isc.org)

https://gitlab.isc.org/isc-projects/stork/-/issues/44
Req 2.1 - Leases list
2022-09-12T13:42:40Z
Vicky Risk (vicky@isc.org)

As an administrator I want to browse a list of leases sorted by default from most recent to oldest, with sorting by any fields in the lease. (Perhaps we can limit the fields to sort on once we see what fields are available, in order to make the sorting faster with indices.)
I am often going to be looking for information on a particular device or lease, so I want to search based on MAC address or IP address (omnibox search).
1. [ ] I would like to see current leases as well as historical information in the same display, *if possible*. So, for example, if I enter a Mac address, I would want to see the current lease, and prior lease(s).
1. [ ] This will be a long, multi-page list so it would be convenient if I could filter based on some column contents (such as a partial MAC or IP address)
1. [ ] It is not necessary that this be updated in real time. A list of leases that is current as of say, 5 - 15 minutes ago is adequate. It is more important that the lookup is responsive.
1. [ ] It is not necessary that the screen is refreshed automatically while this panel is active on the display, it is ok to require that I push a button to 'refresh' the list. I would prefer that there is some data in the panel when I click on it, rather than having it blank and have to wait for it to populate.
1. [ ] This should not require querying all the dhcp servers - it should come from a central lease db in Stork. I am thinking it is updated by notification from the dhcp servers, after some initialization process where it gets all the current leases.
Details
* If we can also do a reverse DNS lookup on the IP address (this can be a process triggered by the admin, it doesn't have to happen magically) to populate a hostname field, that would be good too.
* The Lease list must also include which *server* owns the lease.
* I may need to save a lot of lease history. It should be possible for me to configure how many hours or days of history I want to preserve, and at some point we should have some kind of log rotation.
* [ ] Total active leases per server
* [ ] Total active leases per service (if there is more than 1 server in the service)
* [ ] # of New leases in the past (configurable period, start with 15 minutes)
* [ ] Leases per second (could be a toggle to display this or the # of new leases in the past period). both metrics could be based on just the most recent period.
* [ ] Historic register of each MAC address seen by the system, with leases assigned, dates, times. This may be exactly the same as the forensic log, so it is fine if we just link to the default location for the forensic log.
* [ ] Ability to browse current lease list. This does not have to be real time, and can/probably should be read-only. This should work for Memfile.
* [ ] Ability to browse current lease list. This does not have to be real time, and can/probably should be read-only. This should work for lease backend.
backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/856
Enable dynamic prefix support
2024-02-07T22:34:55Z
Tiago Gaspar

---
name: Enable dynamic prefix support
about: Allow dynamic prefixes in a interface
---
**Some initial questions**
- Are you sure your feature is not already implemented in the latest Kea version?
From all I've searched all over the internet, this is not a standard Kea or ISC DHCP option.
- Are you sure what you would like to do is not possible using some other mechanisms?
I can't see any other way to do this without a wacky, faulty script.
- Have you discussed your idea on kea-users or kea-dev mailing lists?
No, I'm new to this of contributing and have no idea on how to do that
**Is your feature request related to a problem? Please describe.**
So I have a Linux system, in this case OpenWRT as the main router in my home, and I receive an IPv6 prefix of size /56 from my ISP. OpenWRT receives it and assigns it to each interface with the size I describe, but as the prefix is dynamic I can't configure the prefix in Kea's config files because it is constantly changing.
**Describe the solution you'd like**
My suggestion is that Kea could allow us to set an interface to listen on (as it does) and in the `"subnet":` option it could allow us to set a network like ::/60 (which is the address for the unspecified network).
**Describe alternatives you've considered**
I've considered setting only the listening interface and no subnet option, but that wouldn't work as Kea also works as a stateless DHCPv6 server, so this is the best way I can think of for the server to work as a stateless and stateful DHCPv6 server with or without a dynamic prefix.
**Additional context**
I have an OpenWRT router in my house and my ISP gives me a dynamic IPv6 prefix. Although OpenWRT natively handles IPv6 very well with odhcpd, it doesn't offer many options to give out to clients besides the required ones like DNS and gateway, so I decided to ditch odhcpd and thought of dhcpd, but I saw that Kea was a new, better DHCP server meant to replace dhcpd at some point. As I'm all for the new and better, I installed Kea and got this problem.
**Funding its development**
I'm currently studying so I don't have the money to fund it, but I work in networking every day so I can help you develop this feature as needed and as I can.
**Participating in development**
Yes absolutely! I'm here as needed Just ask, sometimes I can take a bit because of school but I will answer
**Contacting you**
I'd rather you contact me through GitHub or through here; I will enable e-mail notifications and if you really need to talk I'll privately send my phone number.
outstanding

https://gitlab.isc.org/isc-projects/bind9/-/issues/1126
Implement check if the DS record has been published
2021-07-08T08:59:38Z
Matthijs Mekking (matthijs@isc.org)

Implement a way to configure one or more name servers to query to ensure the DS for a given key is published. This is needed to perform automatic key rollover (for keys with the KSK role).
Will need a `check-ds-interval` too, to configure how often such a check needs to be performed.
July 2021 (9.11.34, 9.11.34-S1, 9.16.19, 9.16.19-S1, 9.17.16); assigned to Matthijs Mekking (matthijs@isc.org)
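What such a check has to compute, as an added example (not BIND's implementation; `ds_published`, `parse_ds_rrset` and the sample key are assumptions made here): derive the DS for a DNSKEY per RFC 4034 (canonical owner name in wire form concatenated with the DNSKEY RDATA, SHA-256 for digest type 2, key tag per Appendix B), parse the DS RRset each configured server returned, and report the key as published only when every server carries the matching record. The answers are constructed presentation-format records standing in for real query results, and the public key bytes are a placeholder, not a usable key.

```python
import hashlib
import re
from typing import List, Set, Tuple

SHA256_DIGEST_TYPE = 2                       # DS digest type 2 (RFC 4509)
DsRecord = Tuple[str, int, int, int, str]    # (owner, key tag, algorithm, digest type, digest hex)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> DsRecord:
    """The DS record the parent should publish for this key: SHA-256 over owner wire form + RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return owner.rstrip(".").lower(), key_tag(rdata), algorithm, SHA256_DIGEST_TYPE, digest


DS_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def parse_ds_rrset(answer: str) -> Set[DsRecord]:
    """Parse presentation-format DS records (TTL and class optional) into comparable tuples."""
    records: Set[DsRecord] = set()
    for line in answer.splitlines():
        line = line.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        match = DS_LINE.match(line)
        if not match:
            raise ValueError(f"not a DS record: {line!r}")
        owner, tag, alg, dtype, digest = match.groups()
        records.add((owner.rstrip(".").lower(), int(tag), int(alg), int(dtype),
                     re.sub(r"\s+", "", digest).upper()))
    return records


def ds_published(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
                 answers: List[str]) -> bool:
    """True only when every configured server's answer carries the DS for this key.
    A server answering with an empty RRset or only a stale DS holds the rollover step back."""
    expected = ds_for_dnskey(owner, flags, protocol, algorithm, pubkey)
    return bool(answers) and all(expected in parse_ds_rrset(a) for a in answers)


if __name__ == "__main__":
    # Placeholder KSK (flags 257, protocol 3, algorithm 13); the key bytes are not a real key.
    key = ("Example.COM.", 257, 3, 13, bytes([1, 2, 3, 4]))
    owner, tag, alg, dtype, digest = ds_for_dnskey(*key)
    fresh = f"example.com. 3600 IN DS {tag} {alg} {dtype} {digest}"
    stale = "example.com. 3600 IN DS 12345 13 2 " + "AB" * 32      # constructed stale record
    print("both servers updated:", ds_published(*key, [fresh, fresh]))
    print("one server still stale:", ds_published(*key, [fresh, stale]))
```

Comparing the whole tuple rather than only the key tag is deliberate: tags collide, and a parent that still serves the previous KSK's DS with the same tag must not be mistaken for a completed publication.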

https://gitlab.isc.org/isc-projects/kea/-/issues/687
Add the sender's address to kea-ctrl-agent log messages [ISC-support #14906]
2022-04-25T13:00:37Z
Cathy Almond

As requested in [Support RT #14906](https://support.isc.org/Ticket/Display.html?id=14906)
(And also, this sounds like a really useful idea).
The requestor of this feature says:
For us, the source ip address is an important piece of information.
We would like to see in the kea-ctrl-agent log messages the received command together with the source ip address - something like this:
Jun 20 10:21:52 myserver.example.com kea-ctrl-agent[58456]: 2019-06-20 10:21:52.771 INFO [kea-ctrl-agent.commands/58456] COMMAND_RECEIVED Received command 'config-get' from 192.0.2.25
From my perspective as an operator, it is a great advantage if the log messages contain all information related to the context.
We would like to see the source address without switching to the debug level.
How do you see this request? Is this an improvement that other users also would appreciate?
kea2.1.5; assigned to Tomek Mrugalski

https://gitlab.isc.org/isc-projects/bind9/-/issues/1090
BIND 9.14: unable to set effective uid to 0
2021-01-28T12:50:29Z
Anand Buddhdev

Hi folks,
I brought this issue up on the bind-users mailing list, but none of the developers said anything there, so I'm opening it as an issue.
I've compiled BIND on CentOS 7. I start it from systemd with the following command line:
```
/usr/sbin/named -f -u named
```
In the syslog, I see this error/warning emitted twice `unable to set effective uid to 0`:
```
Jun 14 10:06:21 ns1 named[11687]: starting BIND 9.14.3 (Stable Release) <id:896acdc>
Jun 14 10:06:21 ns1 named[11687]: running on Linux x86_64 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018
Jun 14 10:06:21 ns1 named[11687]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/named' '--disable-static' '--with-pic' '--without-python' '--with-libtool' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Jun 14 10:06:21 ns1 named[11687]: running as: named -f -u named
Jun 14 10:06:22 ns1 named[11687]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-36)
Jun 14 10:06:22 ns1 named[11687]: compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
Jun 14 10:06:22 ns1 named[11687]: linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
Jun 14 10:06:22 ns1 named[11687]: compiled with libxml2 version: 2.9.1
Jun 14 10:06:22 ns1 named[11687]: linked to libxml2 version: 20901
Jun 14 10:06:22 ns1 named[11687]: compiled with libjson-c version: 0.11
Jun 14 10:06:22 ns1 named[11687]: linked to libjson-c version: 0.11
Jun 14 10:06:22 ns1 named[11687]: compiled with zlib version: 1.2.7
Jun 14 10:06:22 ns1 named[11687]: linked to zlib version: 1.2.7
Jun 14 10:06:22 ns1 named[11687]: ----------------------------------------------------
Jun 14 10:06:22 ns1 named[11687]: BIND 9 is maintained by Internet Systems Consortium,
Jun 14 10:06:22 ns1 named[11687]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 14 10:06:22 ns1 named[11687]: corporation. Support and training for BIND 9 are
Jun 14 10:06:22 ns1 named[11687]: available at https://www.isc.org/support
Jun 14 10:06:22 ns1 named[11687]: ----------------------------------------------------
Jun 14 10:06:22 ns1 named[11687]: adjusted limit on open files from 4096 to 1048576
Jun 14 10:06:22 ns1 named[11687]: found 32 CPUs, using 32 worker threads
Jun 14 10:06:22 ns1 named[11687]: using 32 UDP listeners per interface
Jun 14 10:06:22 ns1 named[11687]: using up to 4096 sockets
Jun 14 10:06:22 ns1 named[11687]: loading configuration from '/etc/named/named.conf'
Jun 14 10:06:22 ns1 named[11687]: unable to open '/etc/named/bind.keys'; using built-in keys instead
Jun 14 10:06:22 ns1 named[11687]: using default UDP/IPv4 port range: [32768, 60999]
Jun 14 10:06:22 ns1 named[11687]: using default UDP/IPv6 port range: [32768, 60999]
Jun 14 10:06:22 ns1 named[11687]: listening on IPv6 interfaces, port 53
Jun 14 10:06:22 ns1 named[11687]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 14 10:06:22 ns1 named[11687]: listening on IPv4 interface em1, 193.0.19.191#53
Jun 14 10:06:22 ns1 named[11687]: unable to set effective uid to 0: Operation not permitted
Jun 14 10:06:22 ns1 named[11687]: generating session key for dynamic DNS
Jun 14 10:06:22 ns1 named[11687]: unable to set effective uid to 0: Operation not permitted
Jun 14 10:06:22 ns1 named[11687]: sizing zone task pool based on 1 zones
Jun 14 10:06:22 ns1 named[11687]: none:99: 'max-cache-size 90%' - setting to 57795MB (out of 64217MB)
Jun 14 10:06:22 ns1 named[11687]: using built-in root key for view _default
Jun 14 10:06:22 ns1 named[11687]: set up managed keys zone for view _default, file 'managed-keys.bind'
...
```
It seems named is attempting to regain root privileges, but failing. Is this intentional? And if so, what am I missing to make this work correctly?
May 2020 (9.11.19, 9.11.19-S1, 9.14.12, 9.16.3)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/987
Update Catalog Zones (2023-11-03T09:09:10Z, Vicky Risk <vicky@isc.org>)
Update Catalog zones to align with the latest (04?) draft. (As discussed at All-Hands 2019)
At the same time, implement the filter controls in Gitlab issue #751
BIND 9.19.x
Aram Sargsyan

https://gitlab.isc.org/isc-projects/bind9/-/issues/970
Add support for XPF (2019-11-01T10:54:35Z, Ondřej Surý)
https://tools.ietf.org/html/draft-bellis-dnsop-xpf-04
Needs ACL and processing on the server side?
Do we also want to add client-side support (for forwarders, etc.)?
BIND 9.15.x

https://gitlab.isc.org/isc-projects/bind9/-/issues/960
Add EDNS Client Tag and EDNS Server Tag (2019-05-17T12:56:24Z, Mark Andrews)