ISC Open Source Projects issues
Feed: https://gitlab.isc.org/groups/isc-projects/-/issues
Updated: 2022-11-02T15:22:26Z

https://gitlab.isc.org/isc-projects/kea/-/issues/384
Title: Add D2 support to netconf.
Updated: 2022-11-02T15:22:26Z
Author: Francis Dupont

Finish the model and write translators.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/390
Title: doubled log message on debug level during HA sync
Updated: 2022-11-02T15:08:44Z
Author: Wlodzimierz Wencel

During HA sync testing I found a little quirk: the `DHCPSRV_MEMFILE_GET_ADDR6` message is logged twice:
```
2019-01-07 06:44:39.966 DEBUG [kea-dhcp6.dhcpsrv/10887] DHCPSRV_MEMFILE_GET_ADDR6 obtaining IPv6 lease for address 2001:db8:1::b7 and lease type IA_NA
2019-01-07 06:44:39.966 DEBUG [kea-dhcp6.dhcpsrv/10887] DHCPSRV_MEMFILE_ADD_ADDR6 adding IPv6 lease with address 2001:db8:1::b7
2019-01-07 06:44:39.966 DEBUG [kea-dhcp6.dhcpsrv/10887] DHCPSRV_MEMFILE_GET_ADDR6 obtaining IPv6 lease for address 2001:db8:1::b7 and lease type IA_NA
```

Milestone: backlog

https://gitlab.isc.org/isc-projects/kea/-/issues/414
Title: Use new lease user contexts in RADIUS accounting
Updated: 2024-03-21T16:21:16Z
Author: Francis Dupont

Migrated from https://oldkea.isc.org/ticket/5658
Current code has many potential problems and was scheduled to use user contexts from the beginning, but it was postponed because user contexts in leases were implemented later:
- save/load to a CSV file is implemented but never tested.
- eraseCreateTimestamp() is called only when a STOP event is sent, so the timestamp stays in memory without more control
+ obviously using a user-context is the right way: extent following the lease one, save in stable storage, etc.
If the memory leak experiments on RADIUS accounting are not conclusive, this should be tried.

Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/420
Title: Decrease CPU workload for low traffic condition in perfdhcp
Updated: 2022-11-02T15:10:19Z
Author: Tomek Mrugalski

#283 implemented support for optional threaded support in perfdhcp. The code behaves better when generating high volume traffic on multi-core systems. However, it does not handle well situations where there is only one core and little traffic is needed.
During discussions on !135 and related it became apparent that the approach to sleep for 1 us is not the right solution. The code should behave adaptively and calculate time to the next action rather than check it a million times per second.
Related MR: !165

Milestone: backlog

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/31
Title: Please provide an alternative to autoconf
Updated: 2022-12-27T11:10:22Z
Author: Vicky Risk (vicky@isc.org)

Can you provide a configure script? I got the following questions from someone trying to run this on ... Solaris.
Sorry Mark, I have no idea what I am asking for here.
-------
It only comes with configure.ac so you need autoconf. I’ve seen the list of digs that you run, but if I eyeball them then the results are subject to my interpretation. And it’s the interpretation of the EDNS RFC that’s at the base of our current difficulties…..
-------
Do you have a version of ednscomp that I can run on a lab server that isn’t accessible from the internet? I tried downloading the source for genreport but I seem to need autoconf to generate a configure script….

https://gitlab.isc.org/isc-projects/bind9/-/issues/826
Title: EDNS tag for triggering forwarding
Updated: 2024-03-13T13:33:46Z
Author: Vicky Risk (vicky@isc.org)

### Description
Some BIND users, specifically enterprise users, want to forward a subset of their queries to a specialized resolver. The primary purpose is to enable some additional proprietary filtering policy that is enforced on the specialized resolver. This policy may be updated frequently, and therefore it is preferable that the BIND server not cache these responses, but always forward queries that have this tag.
Requests that we have seen include forwarding queries from users in specific departments that may have different security requirements.
Currently, you can configure BIND to either forward globally or you create "forward zones" (which aren't really zones at all but only look that way in the configuration) to forward specific domains - and all subdomains that don't have local configuration overriding the forwarding. What we would like is to add a DNS extension (EDNS additional information) on individual queries to direct the BIND resolver to forward those queries. This would have to work alongside the existing more general forward zones.
### Request
* Design some additional EDNS option (does not need to be standardized)
* Add a configuration option to BIND to set up a list of EDNS options with associated forwarding instructions. (tags A, B & C -> forward to server 23, tags D & E -> forward to server 24)
* When BIND receives a query with this EDNS option, check for the presence of a forwarding rule associated with that option. If there isn't one, ignore the option.
* Ideally, we would like the BIND resolver that gets the query with the EDNS option to forward the query and *not* cache the response.
* Of course, the EDNS option should be backwards compatible, so a BIND server that isn't configured for or doesn't support this option should be unaffected.
### Questions
* As Brian has added below, DNSMASQ already is adding some EDNS options to identify CPE, subnets, or MAC addresses. In an enterprise use case, we can't rely on DNSMASQ to be present, so .... we need to also add the corresponding feature to BIND to ADD this EDNS option on some queries. **We need more user feedback about how to do this markup** - does an individual BIND server just put the same tag on every query it is resolving?
* Assuming it would be a big project to forward without also caching the responses, we need to consider the issues and effort in creating and maintaining such a 'simple forwarder' feature.
### Links / references
Related feature request for using EDNS option for selecting a filtering policy: https://gitlab.isc.org/isc-projects/bind9/issues/825

https://gitlab.isc.org/isc-projects/DNS-Compliance-Testing/-/issues/32
Title: Extend the DNS compliance tester so that it would be useful to TLD operators to do staged warnings.
Updated: 2022-12-27T11:37:16Z
Author: Mark Andrews

Extend the EDNS compliance tester so that it emits a staged warning stream at 120 days, 90 days, 60 days, 30 days, 15 days, 10 days, 5 days, then daily for zones with broken servers.
This also needs to detect firewalls that are systematically blocking specific requests from packet loss. There needs to be a multi-day history of firewall detection before emitting the first warning.
It also needs to detect STD 13 (RFC 1034, RFC 1035) servers and not emit warnings if that is the only reason a server is otherwise flagged for EDNS protocol violations.

https://gitlab.isc.org/isc-projects/bind9/-/issues/844
Title: dnssec-checkds KSK rollover enhancements
Updated: 2023-11-02T16:32:29Z
Author: Tony Finch

This issue is a list of enhancements to `dnssec-checkds` intended to support automatic KSK rollovers.
The context for this is that `dnssec-keymgr` needs to have an interlock in the KSK rollover process to make sure the parent zone is up-to-date before `dnssec-keymgr` proceeds to make any potentially breaking changes. The current manual page sensibly suggests using `dnssec-checkds` for this purpose.
I intend to work on these features; this issue is for sketching out what I plan to work on and for refining the plan.
## CDS / CDNSKEY support
At the moment, `dnssec-checkds` is unaware of CDS and CDNSKEY records.
It should be improved so that (in its normal mode of operation) `dnssec-checkds` will verify that the parent DS records match the child's CDS records. Unlike the current behaviour (which checks that the delegation works, rather than that it is consistent), no differences will be permitted.
The idea is that CDS records are used to communicate the rollover state from `dnssec-keymgr` to `dnssec-checkds`, so `dnssec-checkds` only needs to look at the DNS, not at the keys on disk.
## DS digest algorithm control
At the moment, `dnssec-checkds` expects both SHA-1 and SHA-256 DS digests. This should be amended to SHA-256 only by default.
When `dnssec-checkds` is comparing DS records against CDNSKEY or DNSKEY RRsets, it should be possible for the invoker to specify algorithms that must be present, or must not be present, or no preference.
## Recursive vs authoritative lookups
At the moment, `dnssec-checkds` queries via the default recursive server. There is a risk that it will get a false positive answer if there is a large propagation delay between parental authoritative servers, but the local resolver happens to be talking to a parental server with a low delay.
In authoritative mode, `dnssec-checkds` should get the list of parent servers from the local resolver, then query each of them, and ensure they all give the OK.

Milestone: Not planned

https://gitlab.isc.org/isc-projects/kea/-/issues/435
Title: A design for "backends in hooks"
Updated: 2022-04-21T10:39:03Z
Author: Tomek Mrugalski

We had a discussion about Kea packaging in 1.6 (see meeting notes 2019-01-24). The conclusion was that we want to prepare for Kea packaging better. In particular, the database backends should be moved to hooks that are loaded dynamically, rather than included at compilation time.
The overall intention is to have a directory where hooks could be loaded from. This is similar to Apache modules. They have 2 directories: mods-available and mods-enabled. The first one contains a list of modules (hooks). The second one has symlinks to those modules (hooks) that will be loaded. This approach is super easy to understand and use. Also, very extensible, because you can package backends and other hooks in independent RPM or DEB packages.
It's different than what we do now and several things have to be changed before we get there:
1. When Kea parses configuration, it has to know what lease-database and hosts-database backends are supported. Right now it's hardcoded* (but see below). We'd need to load the hooks first and they would register available backends, then we'd process the rest of the configuration.
2. RADIUS is implemented as a hook and it does provide a hosts backend. Before doing anything, please investigate how it registers the "radius" hosts-backend type. This is not exactly a ready to use solution (because you can't configure the "radius" backend in the config yet), but the underlying implementation of backend type registration is good.
3. We need to develop code that would load all the hooks from a directory.
Things to consider:
1. name the directory properly (people complained that the hooks have incorrect name libdhcp- and also are placed in incorrect directory)
2. perhaps we could have hooks that are loaded always (call them permanent hooks maybe?). Those would be put in the hooks-enabled directory and would be loaded at kea startup and not unloaded during reconfiguration? This would be most useful for parameter-less hooks (such as config backends)
3. apache allows having a separate config file for each module. IMHO this is a bit too much, but maybe it's something to look at after all?
The goal of this ticket is to write a design. It should conclude with a written design and a list of tickets needed to implement it.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/445
Title: add support for mongo db
Updated: 2019-02-07T17:00:17Z
Author: Ghost User

---
name: mongodb
about: add mongodb support to kea dhcp server
---
**Some initial questions**
- could not find this request anywhere in issues or on the web
- sure, other databases are supported; but that's not the point
**Is your feature request related to a problem? Please describe.**
- Reduction of the number of databases on the client's systems
**Describe the solution you'd like**
- allow kea administrators to configure mongodb in kea
**Describe alternatives you've considered**
- Not really.
**Additional context**
- No.
**Funding its development**
- Sure to some very small degree.
**Participating in development**
- design discussions and testing
**Contacting you**
- Private messages to my gitlab.isc.org registered email address are fine.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/449
Title: Create AuditRevision object to carry supplementary information for audit entries
Updated: 2020-09-10T15:49:35Z
Author: Marcin Siodelski

The CB database includes the `dhcp4_audit_revision` table which holds general information about the changes applied in the database. Currently it holds a timestamp and the log message. The timestamp is and will remain generated automatically. The log message is also generated automatically at the moment, but the idea is to be able to specify the log message in the command. Some examples can be found here:
https://gitlab.isc.org/isc-projects/kea/wikis/designs/configuration-in-db-design#configuration-management
In the future we may store more information in the revision table. For example: name of the user who applied a change, IP address from which the command has been sent etc. This information must be encapsulated in a new object, e.g. AuditRevision, and passed via the CB API to the commands that modify the information in the database, i.e. set and del commands.
Even though we could postpone this change to a later Kea release, it may actually be better to add it now to keep the API stable in the next releases.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/450
Title: Populate log messages from the cb_cmds to the database
Updated: 2020-09-10T15:50:03Z
Author: Marcin Siodelski

Assuming that we do #449, we then have to extend the cb_cmds hooks library to actually use the log messages conveyed in the control commands to the database through the AuditRevision objects.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/bind9/-/issues/862
Title: simplify and speed up clean.sh in system tests
Updated: 2019-02-06T05:33:56Z
Author: Evan Hunt

Moved here from a discussion in !1454. @ondrej has suggested we use files in system tests, similar to .gitignore files, to indicate which other files need to be removed during test cleanup.

Assignee: Ondřej Surý

https://gitlab.isc.org/isc-projects/kea/-/issues/455
Title: Provide a way to disable the creation of DHCID records by D2
Updated: 2023-02-23T12:00:08Z
Author: Jason Guy

---
name: Feature request
about: Suggest an idea for this project
---
**Some initial questions**
- Are you sure your feature is not already implemented in the latest Kea version? Nope
- Are you sure what you would like to do is not possible using some other mechanisms? Yeah
- Have you discussed your idea on kea-users or kea-dev mailing lists? Yep
**Is your feature request related to a problem? Please describe.**
In an environment with multiple subnets, you may have static host reservations and the common dynamic 'user' reservations. For the static reservations, perhaps in a lab environment, the creation of the DHCID causes problems if something changes and the DNS record is not purged.
For the dynamic 'user' reservation subnets, it is desired to keep the conflict resolution strategy prescribed by RFC 4703 enabled.
**Describe the solution you'd like**
It would be helpful to **disable** the DHCP DDNS creation of DHCID records:
1) for reservations created from the static host table
2) for a specific subnet
**Describe alternatives you've considered**
I suppose purging the DNS database of all DHCID records is the only easy workaround.
**Additional context**
We use the static hosts for our lab equipment. In some cases, like where we make a change to the host database entry, moving the address to a different host, the new host cannot update the DNS record with new information, because the old DHCID locks the A and PTR records from being updated.
**Funding its development**
Kea is run by ISC, which is a small non-profit organization without any government funding or any permanent sponsorship organizations. Are you able and willing to participate financially in the development costs? Not at this time
**Participating in development**
Are you willing to participate in the feature development? ISC team always tries to make a feature as generic as possible, so it can be used in a wide variety of situations. That means the proposed solution may be a bit different than you initially thought. Are you willing to take part in the design discussions? Are you willing to test an unreleased engineering code? Yes
**Contacting you**
How can ISC reach you to discuss this matter further? If you do not specify any means such as e-mail, jabber id or a telephone, we may send you a message on github with questions when we have them. My email is in the kea-users list.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/bind9/-/issues/875
Title: Support for a global digrc file (proposed patch included)
Updated: 2023-11-02T16:32:30Z
Author: Ghost User

### Description
Support for a global configuration file for dig.
### Request
As with many tools in Linux, it would be nice to have a global configuration file for dig in, for example, `/etc/digrc`, while users could still overwrite system options by using the already supported `$HOME/.digrc`
### Links / references
See proposed patch attached (I couldn't figure out how to send a merge request due to lack of experience with Gitlab).
Thanks to Paul Zirnik from SUSE.
[support-for-global-digrc.patch](/uploads/a06eb8731aadeddc07735ace80cb41db/support-for-global-digrc.patch)

Milestone: Not planned

https://gitlab.isc.org/isc-projects/kea/-/issues/472
Title: Documentation about congestion recovery
Updated: 2020-09-10T15:52:00Z
Author: Francis Dupont

Two points:
- make clearer that the congestion recovery is not congestion avoidance (or any variant in terms which can suggest it) in the documentation
- findings about the impact on performance of the congestion recovery.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/475
Title: extend kea-admin with option to install/update yang models
Updated: 2021-06-18T09:35:04Z
Author: Wlodzimierz Wencel

kea-admin is capable of handling mysql/pgsql/cql when it comes to leases and HR. And right now work on the config backend will extend it for configuration storage. We should also extend it to handle yang models.

Milestone: outstanding

https://gitlab.isc.org/isc-projects/kea/-/issues/479
Title: HA peer should drop leases not present on the partner during sync
Updated: 2022-11-02T15:10:19Z
Author: Marcin Siodelski

Let's suppose there are two HA peers A and B. The peer B dies. While the peer B is offline, the admin sends the `lease4-del` command to A. The peer B starts up and synchronizes its lease database with A. It correctly adds new leases and updates existing leases based on the list received from A. However, it doesn't remove the lease deleted on A while it was offline. The server admin would need to send the `lease4-del` command to B to remove the lease.
In order to address this problem we have to fetch all leases from B's backend and iterate over them to see if they are also present on A. In order to do so, we will have to keep a local copy of the leases received from A. For Memfile, MySQL and Postgres we could do it more efficiently by comparing ranges of leases as they are ordered by IP addresses. After comparing a range of leases we could simply drop the local copy of the lease ranges. However, this won't work for Cassandra which returns leases out of order. In the Cassandra case we will have to collect all leases returned by the peer.

Milestone: backlog
Assignee: Marcin Siodelski

https://gitlab.isc.org/isc-projects/kea/-/issues/482
Title: perfdhcp avalanche: more research needed for selecting proper periods for checking resending packets
Updated: 2022-11-02T15:10:19Z
Author: Michal Nowikowski

Currently this is 200ms. It was chosen based on experiments.
The whole scenario times were more or less the lowest between 50ms and 200ms.
This issue reflects review comment: https://gitlab.isc.org/isc-projects/kea/merge_requests/237#note_45247
This time is located in avalanche_scen.cc file, in run() method.

Milestone: backlog

https://gitlab.isc.org/isc-projects/bind9/-/issues/896
Title: Create KB article on QNAME minimization
Updated: 2019-02-21T14:07:25Z
Author: Stephen Morris

(Action from internal BIND Outreach meeting.)