                Internet Systems Consortium DHCP Distribution
                             Version 4.4.0-pre-alpha
                             29 March 2016

                             Release Notes

                              NEW FEATURES

The major "theme" for ISC DHCP 4.3.x was to update the support for
DHCPv6 to include several of the features that have been available
for DHCPv4.  These include:

- Support the use of classes

- Support for on_commit, on_expiry and on_release statements

- Better logging of address assignments

- Support for using DHCPv6 relay options in expressions

This release also adds support for the standard DDNS as described in the
current RFCs as well as enhancing support for dynamically adding and removing
subclasses via OMAPI.

There are a number of DHCPv6 limitations and features missing in this
release, which will be addressed in the future:

- Only Solaris, Linux, FreeBSD, NetBSD, and OpenBSD are supported.

- DHCPv6 includes human-readable text in status code messages, in
  English.  A method to reconfigure or support other languages would
  be preferable.

- The "host-identifier" option is limited to a simple token.

- The client and server can only operate DHCPv4 or DHCPv6 at a time,
  not both.  To use both protocols simultaneously, two instances of the
  relevant daemon are required, one with the '-6' command line option.

For information on how to install, configure and run this software, as
well as how to find documentation and report bugs, please consult the
README file.

ISC DHCP uses standard GNU configure for installation. Please review the
output of "./configure --help" to see what options are available.

The system has only been tested on Linux, FreeBSD, and Solaris, and may not
work on other platforms. Please report any problems and suggested fixes to
<dhcp-users@isc.org>.

ISC DHCP is open source software maintained by Internet Systems
Consortium.  This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).

			Changes since 4.3.0 (new features)

- Client now calls the script with reason set to FAIL when run with -1 (one try)
  and there are no server responses. Thank you Andrew Pollock for providing
  an initial patch.
  [ISC-bugs #18183]

- Insert the raw data from a fully encapsulated option into the option cache.
  This allows "exists" to check for the option if any sub options exist.  It
  also adds the raw data to the environment variables supplied to the client
  script.
  [ISC-Bugs #39863]

- Pass configure arguments which begin with an upper case letter, e.g.
  CFLAGS, to the embedded bind configure, so it is no longer required
  to use environment variables to get the same effect.
  [ISC-Bugs #35143]

- Added --enable-kqueue, --enable-epoll, --enable-devpoll and a more
  general --with-bind-extra-config to pass extra options to the
  embedded bind configure. Note we had mixed experiences with this
  so it is at the user's risk, i.e., they are NOT SUPPORTED yet.
  [ISC-Bugs #20890]

- Changed the way the embedded bind Makefile is updated by configure.
  The only user visible side effect is that --with-libbind now requires
  either "no" or an (absolute) path, i.e. "yes" is no longer valid.
  [ISC-Bugs #43227]

- Added the support for git repositories in the util/bind.sh script.
  When you build ISC DHCP from a git repo, i.e., without a "bind"
  directory populated as in the release distribution file, you may now
  create the bind directory, change to it and clone the private
  (repo.isc.org/proj/git/prod/bind9.git) or the public
  (https://source.isc.org/git/bind9.git) git repository into
  bind/bind9 and then invoke the util/bind.sh script as usual.
  Note this option is incompatible with "make dist" (and "make distcheck")
  because no bind/bind.tar.gz nor bind/version.tmp files are available.
  [ISC-Bugs #43236]

- Use the embedded bind libraries where they are built (vs where they
  are installed).
  [ISC-Bugs #39319]

- Use the latest version (9.11) of plain embedded bind libraries in place of
  older (9.9) version of export bind libraries.
  [ISC-Bugs #43215]

- Using "make distcheck" now works with external bind libraries (aka
  configure --with-libbind).
  [ISC-Bugs #43285]

- The server now allows the client identifier (option 61) to own leases
  in more than one subnet concurrently. Prior to this the server would
  incorrectly release an existing lease in one subnet prior to assigning
  a lease in another subnet. Note that the prior behavior can still
  be achieved by enabling one-lease-per-client. Thanks to both David Zych at
  the University of Illinois and Norm Proffitt of Infoblox for reporting
  the issue; and Norm for suggesting a solution.
  [ISC-Bugs #41358]

- Added --enable-bind-install to install embedded bind includes and
  libraries. Default is to not install them (it was the previous
  behavior). If you'd like to change the includedir and/or libdir
  installation directories to something different than for ISC DHCP
  you must pass them using the --with-bind-extra-config configuration
  arguments.
  [ISC-Bugs #39318]

- Added support of dynamic shared libraries with libtool. A new
  --enable-libtool configuration parameter is available but
  should not be used directly: *please* read the build configuration
  section in the README file for the recommended procedure.
  [ISC-Bugs #29402]

- IPv6 operation now supports an EUI-64 based address allocation which will
  calculate addresses for clients with EUI-64 DUIDs based on those DUIDs when
  enabled by setting use-eui-64 true.  The parameter may be defined down to the
  pool scope.  Note this feature must be compiled in by defining EUI_64 in
  includes/site.h. This flag is undefined by default.
  [ISC-Bugs #43927]

			Changes since 4.3.0 (bug fixes)

- Tidy up several small tickets.
  Correct parsing of DUID from config file, previously the LL type
  was put in the wrong place in the DUID string.
  [ISC-Bugs #20962]
  Add code to parse "do-forward-updates" as well as "do-forward-update"
  Thanks to Jiri Popelka at Red Hat.
  [ISC-Bugs #31328]
  Remove log_priority as it isn't currently used.
  [ISC-Bugs #33397]
  Increase the size of the buffer used for reading interface information.
  [ISC-Bugs #34858]

- Remove an extra set of the msg_controllen variable.
  [ISC-Bugs #21035]

- Add a more understandable error message if a configuration attempts
  to add multiple keys for a single zone.  Thanks to a patch from Jiri
  Popelka at Red Hat.
  [ISC-Bugs #31892]

- Fix some minor issues in the dst code.
  [ISC-Bugs #34172]

- Properly #ifdef functions so that the code can compile without NSUPDATE.
  [ISC-Bugs #35058]

- Update the partner's stos (start time of state, basically when we last
  heard from this partner) field when updating the state in failover.
  [ISC-Bugs #35549]

- Modify the overload processing to allow space for the remote agent ID.
  [ISC-Bugs #35569]
  Handle the ordering of the SUBNET_MASK option even if it is the last
  option in the list.
  [ISC-Bugs #24580]

- Remove the code that allows a server to follow RFC3315 instead of
  the subsequent errata from August 2010 when determining which IAs
  to include if no addresses will be assigned.
  [ISC-Bugs #28938]

- Remove unused RCSID tags.
  [ISC-Bugs #35846]

- Correct the v6 client timing code.  When doing the timing backoff
  for MRT limit it to MRD.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #21238]

- Add a log entry when killing a client and remove the PID files
  when a server, relay or client are killed.
  [ISC-Bugs #16970]
  [ISC-Bugs #17258]

- Some minor cleanups in the client code.
  In addition to checking for dhcpc check for bootpc in the services list.
  [ISC-Bugs #18933]
  Correct the client code to only try to get a lease once when
  given the "-1" argument.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #26735]
  When asked for the version don't send the output to syslog.
  [ISC-Bugs #29772]
  Add the next server information to the environment variables for
  use by the client script.  In order to avoid changing the client
  lease file the next server information isn't written to it.
  Thanks to Tomas Hozza at Red Hat for the suggestion and a prototype fix.
  [ISC-Bugs #33098]

- Several updates to the dhcp server code.
  When not in quiet mode print out the files being used.
  [ISC-Bugs #17551]
  As accessing some pid files may require privileges move the dropping
  of permission bits due to the paranoia patch to be after the pid code.
  Thanks to Jiri Popelka at Red Hat for the bug report and fix.
  [ISC-Bugs #25806]
  When processing a "--version" request don't output the version information
  to syslog.

- Add the "enable-log-pid" build option to the configure script.  When enabled
  this causes the client, server and relay programs to include the PID
  number in syslog messages.
  Thanks to Marius Tomaschewski for the suggestion and proto-patch.
  [ISC-Bugs #29713]

- Add a #define to specify the prefix length used when a client attempts
  to configure an address.  This can be modified by editing includes/site.h.
  By default it is set to 64.  While 128 might be a better choice it would
  also be a change for currently running systems, so we have left it at 64.
  [ISC-Bugs #DHCP-2]

- Add a run time option to the client "-df" to allow the administrator to
  point to a second lease file the client can search for a DUID.  This can
  be used to allow a v4 and a v6 instance of the client to share a DUID.
  The second file will only be searched if there isn't a DUID in the main
  lease file and the DUID will be written out to the main lease file.
  [ISC-Bugs #34886]

- Have the client fsync the lease file to avoid lease corruption if the
  client hibernates or otherwise shuts down.
  [ISC-Bugs #35894]

- Add a check for L2VLAN in bpf.c to help support VLAN interfaces
  Thanks to Steinar Haug for the suggestion.
  [ISC-Bugs #36033]

- Modify the handling of the resolv.conf file to allow the DHCP
  process to start up even if the resolv.conf file has problems.
  [ISC-Bugs #35989]

- Add threshold logging functionality.  Two new options,
  log-threshold-low and log-threshold-high, indicate to the
  server if and when it should log an error message as addresses
  in a pool are used.
  [ISC-Bugs #34487]

- Add code to properly dereference a pointer in the dhclient code
  on an error condition.
  [ISC-Bugs #36194]

- Add code to help clean up soft leases.
  [ISC-Bugs #36304]

- Disable the gentle shutdown functionality until we can determine
  the best way to present it to remove or reduce the side effects.
  [ISC-Bugs #36066]

- Modify the message displayed when a process hits a fatal error.
  The new message is much shorter and simply points to the README
  and our website for directions on bug submissions.
  [ISC-Bugs #24789]

- Handle an absent resolv.conf file better.
  [ISC-Bugs #35194]

- Tidy up receive packet processing.
  Thanks to Brad Plank of GTA for reporting the issue and suggesting
  a possible patch.
  [ISC-Bugs #34447]

- Corrected parser's right brace matching when a statement contains an error.
  [ISC-Bugs #36021]

- TSIG-authenticated dynamic DNS updates now support the use of these
  additional algorithms: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384,
  and hmac-sha512
  [ISC-Bugs #36947]

- Added check for invalid failover message type. Thanks to Tobias Stoeckmann
  working with the OpenBSD project who spotted the issue and provided the
  patch.
  [ISC-Bugs #36653]

- Corrected rate limiting checks for bad packet logging.  Thanks to Tobias
  Stoeckmann working with the OpenBSD project who spotted the issue and
  provided the patch.
  [ISC-Bugs #36897]

- Log statements depicting what files will be used by the server now occur
  after the configuration file has been processed.
  [ISC-Bugs #36671]

- Addressed Coverity issues reported as of 07-31-2014:
  [ISC-Bugs #36712] Corrects Coverity reported "high" impact issues.
  [ISC-Bugs #36933] Corrects Coverity reported "medium" impact issues
  [ISC-Bugs #37708] Fixes compilation error in dst_api.c seen in older
  compilers that was introduced by #36712

- Server now supports a failover split value of 256.
  [ISC-Bugs #36664]

- Remove unneeded error #defines.  These defines were included in case
  external programs required the older versions of the macro.  They
  have been #ifdeffed for now and will be removed at a future date.
  See site.h for the #define to include them again, but you should
  switch to using the DHCP_R_* versions instead of the ISC_R_* versions.
  Also ISC_R_MULTIPLE has been removed as it is also defined in bind.
  [ISC-Bugs #37128]

- Added checks in range6 and prefix6 statement parsing to ensure addresses
  are within the declared subnet. Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #32453]
  [ISC-Bugs #17766]
  [ISC-Bugs #18510]
  [ISC-Bugs #23698]
  [ISC-Bugs #28883]

- Addressed checksum issues:
  Added checksum readiness check to Linux packet filtering which eliminates
  invalid packet drops due to checksum errors when checksum offloading is
  in use.  Based on dhcp-4.2.2-xen-checksum.patch made to the Fedora project.
  [ISC-Bugs #22806]
  [ISC-Bugs #15902]
  [ISC-Bugs #17739]
  [ISC-Bugs #18010]
  [ISC-Bugs #22556]
  [ISC-Bugs #29769]
  Inbound packets with UDP checksums of 0xffff now validate correctly rather
  than being dropped.
  [ISC-Bugs #24216]
  [ISC-Bugs #25587]
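
Added example (not ISC DHCP code) for the 0xffff case above: RFC 768 has a sender transmit a computed checksum of zero as 0xffff, so a receiver that zeroes the field, recomputes and compares sees 0x0000 against 0xffff and drops a valid packet. The addresses, the packet and the function names, including the hypothetical naive_checksum_ok, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: source then destination IPv4 address (RFC 5737). */
static const uint8_t ADDRS[8] = {192, 0, 2, 1, 192, 0, 2, 50};

/* Add len bytes, taken as big-endian 16-bit words, to a running sum. */
static uint32_t sum_words(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)                        /* odd trailing byte is zero-padded */
        sum += (uint32_t)p[0] << 8;
    return sum;
}

/* One's-complement sum, folded to 16 bits, over the IPv4 pseudo-header and
 * the UDP datagram (len >= 8). With skip_field set, the checksum field
 * (bytes 6-7) is treated as zero. */
static uint16_t udp_sum(const uint8_t *ip, const uint8_t *udp, size_t len,
                        int skip_field)
{
    uint8_t ph[12] = {0};
    uint32_t s;
    memcpy(ph, ip, 8);
    ph[9] = 17;                     /* protocol number for UDP */
    ph[10] = (uint8_t)(len >> 8);
    ph[11] = (uint8_t)len;
    s = sum_words(ph, sizeof ph, 0);
    s = sum_words(udp, 6, s);
    if (!skip_field)
        s = sum_words(udp + 6, 2, s);
    s = sum_words(udp + 8, len - 8, s);
    while (s >> 16)                 /* fold the carries back in */
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Sender (RFC 768): a computed checksum of zero is transmitted as 0xffff,
 * because zero on the wire means "no checksum was computed". */
static void udp_set_checksum(const uint8_t *ip, uint8_t *udp, size_t len)
{
    uint16_t c = (uint16_t)~udp_sum(ip, udp, len, 1);
    if (c == 0)
        c = 0xffff;
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
}

/* Receiver: the sum over everything, checksum field included, must fold to
 * 0xffff. A field of zero means the sender computed no checksum. */
static int udp_checksum_ok(const uint8_t *ip, const uint8_t *udp, size_t len)
{
    if (len < 8)
        return 0;
    if (udp[6] == 0 && udp[7] == 0)
        return 1;
    return udp_sum(ip, udp, len, 0) == 0xffff;
}

/* Hypothetical naive receiver: recompute with the field zeroed and compare.
 * It computes 0x0000 where the wire carries 0xffff, so it drops the packet. */
static int naive_checksum_ok(const uint8_t *ip, const uint8_t *udp, size_t len)
{
    uint16_t wire;
    if (len < 8)
        return 0;
    wire = (uint16_t)((udp[6] << 8) | udp[7]);
    if (wire == 0)
        return 1;
    return (uint16_t)~udp_sum(ip, udp, len, 1) == wire;
}

/* Constructed 10-byte datagram (ports 67 -> 68) whose two payload bytes are
 * chosen so that the computed checksum comes out as zero. */
static void build_sample(uint8_t *pkt)
{
    static const uint8_t hdr[10] = {0, 67, 0, 68, 0, 10, 0, 0, 0, 0};
    uint16_t w;
    memcpy(pkt, hdr, sizeof hdr);
    w = (uint16_t)(0xffff - udp_sum(ADDRS, pkt, 10, 1));
    pkt[8] = (uint8_t)(w >> 8);
    pkt[9] = (uint8_t)w;
    udp_set_checksum(ADDRS, pkt, 10);
}

int main(void)
{
    uint8_t pkt[10];

    build_sample(pkt);
    printf("wire=0x%02x%02x correct=%d naive=%d\n", pkt[6], pkt[7],
           udp_checksum_ok(ADDRS, pkt, sizeof pkt),
           naive_checksum_ok(ADDRS, pkt, sizeof pkt));
    return 0;
}
```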

- Added the echo-client-id configuration parameter to the server configuration.
  The server now supports RFC 6842 compliant behavior by setting a new
  configuration parameter, echo-client-id.  When enabled, the server will
  include the client identifier option (Option code 61) if received, in its
  responses.  The server identifier returned in NAKs (if enabled) will now
  be the globally defined value (if one) if the server cannot attribute the
  inbound request to a known subnet.
  [ISC-Bugs #35958]
  [ISC-Bugs #32545]

- Added support of the configuration parameter, use-host-decl-names, to
  BOOTP request handling.
  [ISC-Bugs #36233]

- Added logic to ignore the signal, SIGPIPE, which ensures write failures
  will be delivered as errors rather than as SIGPIPE signals on all OSs.
  Thanks to Marius Tomaschewski from SUSE who reported the issue and provided
  the patch upon which the fix is based.
  [ISC-Bugs #32222]

- In the failover code, handle the case of communications being interrupted
  when the servers are dealing with POTENTIAL-CONFLICT.  This patch allows
  the primary to accept the secondary moving from POTENTIAL-CONFLICT to
  RESOLUTION-INTERRUPTED as well as handling the bind update process better.
  In addition the code to resend update or update all requests has been
  modified to send requests more often.
  [ISC-Bugs #36810]
  [ISC-Bugs #20352]

- By default, the server will now choose the value to use in the forward DNS
  name from the following in order of preference:

    1. FQDN option if provided by the client
    2. Host name option if provided by the client
    3. Configured option host-name if defined

  As before, this may be overridden by defining ddns-hostname to the desired
  value (or expression).  In addition, the server logic has been extended to
  use the value of the host name declaration if use-host-decl-names is enabled
  and no other value is available.
  [ISC-Bugs #21323]

- DNS updates were being attempted when dhcp-cache-threshold enabled the use of
  the existing lease and the forward DNS name had not changed.  This has been
  corrected.
  [ISC-Bugs #37368]
  [ISC-Bugs #38636]

- Corrected an issue which caused dhclient to incorrectly form the result when
  prepending or appending to the IPv4 domain-search option, received from the
  server, when either of the values being combined contain compressed
  components.
  [ISC-Bugs #20558]

- Added the server-id-check parameter to the server configuration.
  This parameter allows run-time control over whether or not a server,
  participating in failover, verifies the dhcp-server-identifier option in
  DHCP REQUESTs against the server's id before processing the request.
  Formerly, enabling this behavior was done at compilation time through
  the use of the #define, SERVER_ID_CHECK, which has been removed from site.h.
  The functionality is now only available through the new runtime parameter.
  [ISC-Bugs #37551]

- During startup, when the server encounters a lease whose binding state is
  FTS_BACKUP but whose pool has no configured failover peer, it will reset the
  lease's binding state to FTS_FREE.  This allows the leases to be reclaimed
  by the server after a pool's configuration has changed from failover to
  standalone. Prior to this such leases would remain stuck in the backup state
  making them unavailable for assignment.  Note this conversion will occur
  whether or not the server is compiled for failover.
  [ISC-Bugs #36960]

- Fixed a small issue in the treatment of hosts in the inform processing
  that could cause the response to an inform to include information from
  the wrong scope.  The two examples we've heard of are getting subnet
  instead of group information associated with a host entry, or getting
  global information instead of subnet if the host entry was built via
  omapi.  Thanks to Julien Soula at University of Lille for finding the
  bug and supplying a patch.
  [ISC-Bugs #35712]

- Avoid calling pool_timer() recursively from supersede_lease().  This could
  result in leases changing state incorrectly or delaying the running of the
  lease expiration code.
  [ISC-Bugs #38002]

- Move the check for a PID file and process to be before we rewrite the
  lease file.  This avoids the possibility of starting a second instance
  of a server which changes the current lease file confusing the first
  instance.  This check is only included if the admin hasn't disabled PID
  files.
  [ISC-Bugs #38078]
  [ISC-Bugs #38143]

- In the client code change the way preferred_life and max_life are printed
  for environment variables to be unsigned rather than signed.
  Thanks to Jiri Popelka at Red Hat for the bug report and patch.
  [ISC-Bugs #37084]

- Modified Linux packet handling such that packets received via VLAN are now
  seen only by the VLAN interface. Prior to this, such packets were seen by
  both the VLAN interface and its parent (physical) interface, causing the
  server to respond to both.  Note this remains an issue for non-Linux OSs.
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #37415]
  [ISC-Bugs #37133]
  [ISC-Bugs #36668]
  [ISC-Bugs #36652]

- Log content has been changed to more directly suggest that admins should
  check for multiple IPv6 clients attempting to use the same DUID when only
  abandoned addresses are available.  Debug level logging will now emit counts
  of the total number of, in-use, and abandoned addresses in a shared subnet
  when the server finds no addresses available for a given DUID.  Lastly,
  threshold logging is now automatically disabled for shared subnets whose
  total number of possible addresses exceeds (2^64)-1.
  [ISC-Bugs #26376]
  [ISC-Bugs #38131]

- Added a global parameter, prefix-length-mode, which may be used to determine
  how the server uses a non-zero value for prefix-length supplied by clients
  when soliciting DHCPv6 prefixes.  The server supports selection modes of:
  ignore, prefer, exact, minimum and maximum which are described in detail in
  the server man pages.  The prior behavior of the server was to only offer a
  prefix whose length exactly matched the prefix-length value requested. If
  no such prefixes were available, the server returned a status of none
  available.  Note the default mode, "exact", provides this same behavior.
  [ISC-Bugs #36780]
  [ISC-Bugs #32228]

- Corrected inconsistencies in dhcrelay's setting the upper interface hop count
  limit such that it now sets it to 32 when the upstream address is a multicast
  address per RFC 3315 Section 20. Prior to this if the -u argument preceded
  the -l argument on the command line or if the same interface was specified
  for both; the logic to set the hop limit count for the upper interface was
  skipped.  This caused the hop count limit to be set to the default value
  (typically 1) in the outbound upstream packets.
  [ISC-Bugs #37426]

- Modify the linux and openwrt dhclient scripts to process information
  from a stateless request.  Thanks to Jiri Popelka at Red Hat for the
  bug report and patch.
  [ISC-Bugs #36102]

- Remove more unused RCSID tags.  These weren't noticed in 4.3 as
  the code isn't used anymore but we remove them here to keep the
  code consistent across versions.
  [ISC-Bugs #36451]

- The server now does a better check to see if it can allocate the memory
  for large blocks of v4 leases and should provide a slightly better error
  message.  Note well: the server pre-allocates v4 addresses, if you use
  a large range, such as a /8, the server will attempt to use a large
  amount of memory and may not start if there either isn't enough memory
  or the size exceeds what the code supports.
  [ISC-Bugs #38637]

- The server will now reject unicast Request, Renew, Decline, and Release
  messages from a client unless the server would have sent that client the
  dhcp6.unicast option.  This behavior is in compliance with paragraph 1 in
  each of the sections 18.2.1, 18.2.3, 18.2.6, and 18.2.7 of RFC 3315. Prior
  to this, the server would simply accept the messages.  Now, in order for
  the server to accept such a message, the server configuration must include
  the dhcp6.unicast option either globally or within the shared network to
  which the requested lease belongs. In other words, the server will map
  the first IA_XX address found within the client message to a shared-network
  and look for the presence of the unicast option there and then globally.
  Thanks to Jiri Popelka at Red Hat for this issue and his patch which
  inspired the fix.
  [ISC-Bugs #21235]

- The ATF (Automated Testing Framework) tools used for optional unit tests
  can now be built from its embedded sources in bind, solving the
  atf-run / atf-report issue with recent (>= 0.20) versions of ATF.
  The new configuration option is "./configure --with-atf=bind".
  [ISC-Bugs #38754, #39300]

- Corrected a compilation error introduced by the fix for ISC-Bugs #22806.
  On older linuxes that do not include the tpacket_auxdata structure don't
  bother allocating the cmsgbuf as it isn't necessary and we don't have
  a proper length for it.
  [ISC-Bugs #39209]

- Remove the dst directory.  This was replaced in 4.2.0 with the dst
  code from the Bind libraries but we continued to include it for
  backwards compatibility.  As we have now released 4.3.x it seems
  reasonable to remove it.
  [ISC-Bugs #39019]

- Write out the DUID server id on startup in all cases, previously if it
  was read in from server-duid option in the config or lease files for
  DHCPv4 it would not be written to the new lease file.
  [ISC-Bugs #37791]

- When parsing dates for leases convert dates past 2038 to "never".
  This avoids problems with integer overflows in the date and time
  handling code for people that decide to use very large lease times
  or add a lease entry with a date far in the future.
  [ISC-Bugs #33056]
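
Added example (not ISC DHCP code) for the item above: a lease date later than 19 January 2038 does not fit a signed 32-bit time and wraps negative, so the lease looks long expired; clamping to "never" at parse time avoids that. The function names and the LEASE_TIME_NEVER sentinel are assumptions, and the sample dates are constructed in the lease-file form "weekday year/month/day hour:minute:second".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sentinel for "never": the largest value a 32-bit time can hold. */
#define LEASE_TIME_NEVER ((int64_t)INT32_MAX)

/* Days from 1970-01-01 to year/month/day (proleptic Gregorian calendar). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    int64_t era, yoe, doy;

    y -= (m <= 2);                        /* count the year from 1 March */
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse a lease-file date, "W YYYY/MM/DD HH:MM:SS" (UTC) or "never".
 * Returns 0 and stores seconds since the epoch, or -1 on a malformed date.
 * Anything later than a 32-bit time can represent is stored as "never". */
static int parse_lease_date(const char *text, int64_t *out)
{
    int wday, year, mon, day, hour, min, sec;
    int64_t t;

    if (strcmp(text, "never") == 0) {
        *out = LEASE_TIME_NEVER;
        return 0;
    }
    /* Field widths bound the digits read, so no int can overflow here. */
    if (sscanf(text, "%1d %9d/%2d/%2d %2d:%2d:%2d",
               &wday, &year, &mon, &day, &hour, &min, &sec) != 7)
        return -1;
    if (wday < 0 || wday > 6 || year < 1970 || mon < 1 || mon > 12 ||
        day < 1 || day > 31 || hour < 0 || hour > 23 ||
        min < 0 || min > 59 || sec < 0 || sec > 60)
        return -1;
    t = days_from_civil(year, mon, day) * 86400 +
        hour * 3600 + min * 60 + sec;     /* 64-bit arithmetic throughout */
    *out = t > LEASE_TIME_NEVER ? LEASE_TIME_NEVER : t;
    return 0;
}

/* What an instant becomes when stored in a signed 32-bit time without the
 * clamp (conversion is modulo 2^32 on the usual compilers). */
static int32_t as_time32(int64_t t)
{
    return (int32_t)(uint32_t)t;
}

int main(void)
{
    const char *samples[] = {             /* constructed lease-file dates */
        "2 2016/03/29 12:00:00", "0 2040/01/01 00:00:00", "never"
    };
    int64_t t;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (parse_lease_date(samples[i], &t) == 0)
            printf("%-22s -> %lld\n", samples[i], (long long)t);
    printf("2040 stored in 32 bits -> %d\n", (int)as_time32(2208988800LL));
    return 0;
}
```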

- Leave the siaddr field clear when sending a NACK as per RFC 2131
  table 3.
  [ISC-Bugs #38769]

- In the client don't send expired addresses to the script as part of
  the binding process.  Thanks to Sven Trenkel at Google for reporting
  the issue and suggesting the patch.
  [ISC-Bugs #38631]

- While parsing IPv6 addresses treat "add" as part of the address instead
  of as a token.
  [ISC-Bugs #39529]

- Add support for accessing the v4 lease queues (active, free etc) in a
  binary fashion instead of needing to walk through a linear list to
  insert, find or remove an entry from the queues.  In addition add a
  compile time option "--enable-binary-leases" to enable the new code
  or to continue using the old code.  The old code is the default.
  Thanks to Fernando Soto from BlueCat Networks for the patch.
  [ISC-Bugs #39078]

- Delayed-ack now works properly with Failover. Prior to this, bind updates
  post startup were being queued but never delivered. Among other things, this
  was causing leases to not transition from expired or released to free.
  [ISC-Bugs #31474]

- Clean up parsing of v6 lease files a bit to avoid infinite loops if the
  lease file is corrupt in certain ways.
  [ISC-Bugs #39760]

- Corrected a crash in dhclient that occurs during lease renewal if the
  client is performing its own DNS updates.  Thanks to Jiri Popelka at Red Hat
  for the bug report.
  [ISC-Bugs #38639]

- Corrected an issue in v6 lease file parsing. Prior to this, when encountering
  a lease with an address for which no configured pool exists, the server was
  declaring the lease file corrupt and incorrectly skipping over the subsequent
  entry in the file.  The server will now emit a log message indicating that
  no pool was found for the address (or prefix) and correctly resume parsing
  with the next entry in the lease file.  Our thanks to Michal Žejdl for
  reporting the issue.
  [ISC-Bugs #39314]

- Be more liberal in finding a subnet group associated with a static
  prefix.  When we added the class matching code for v6 we also added
  a requirement that the static prefix must be within a subnet the
  client was in, in order to find the proper statements.  We now
  look for a subnet based on the prefix, failing that on the static
  address for the client and failing that on the shared network
  itself.
  [ISC-Bugs #38329]

- Add a new action expression "parse_vendor_options", which can be used
  to parse a vendor-encapsulated-option received by the server based on
  the encoding specified by the vendor-option-space statement.
  [ISC-Bugs #36449]

- Enhance the PARANOIA patch to include fchown() the lease file to
  allow it to be manipulated after the server does a chown().
  Thanks to Jiri Popelka at Red Hat for the patch.
  [ISC-Bugs #36978]

- Relax the requirement that prefix pools must be within the subnet.
  This was added in as part of #32453 in order to avoid configuration
  mistakes but is being removed as prefixes aren't required to be
  within the same subnet and many people configure them in that fashion.
  [ISC-Bugs #40077]

- Fixed a server crash that could occur when the server attempts to remove
  the billing class from the last lease billed to a dynamic class after said
  class has been deleted.  Our thanks to Lasse Pesonen for reporting the
  issue.
  [ISC-Bugs #39978]

- LDAP Patches - Numerous small patches submitted by contributors have
  been applied to the contributed code which supplies LDAP support.
  In addition, two larger submissions have also been included.  The
  first adds support for IPv6 configuration and the second provides
  GSSAPI authentication. We would like to thank the following for their
  contributions (alphabetically):
    Alex Novak at SUSE
    Bill Parker (wp02855 at gmail dot com)
    Jiri Popelka at Red Hat
    Marius Tomaschewski at SUSE
    (william at adelaide.edu.au), The University of Adelaide
  [ISC-Bugs #39056]
  [ISC-Bugs #22742]
  [ISC-Bugs #24449]
  [ISC-Bugs #28545]
  [ISC-Bugs #29873]
  [ISC-Bugs #30183]
  [ISC-Bugs #30402]
  [ISC-Bugs #32217]
  [ISC-Bugs #32240]
  [ISC-Bugs #33176]
  [ISC-Bugs #33178]
  [ISC-Bugs #36409]
  [ISC-Bugs #36774]
  [ISC-Bugs #37876]

- Handle an out of memory condition in the client a bit better.
  Thanks to Frédéric Perrin from Brocade for finding the issue
  and suggesting a patch.
  [ISC-Bugs #39279]

- Corrected a compilation error introduced by the fix for ISC-Bugs #37415.
  The error occurs on Linux variants that do not support VLAN tag information
  in packet auxiliary data.  The configure script now only enables inclusion
  of the VLAN tag-based logic if it is supported by the underlying OS.
  [ISC-Bugs #38677]

- Specifying the option, --disable-debug, on the configure script command line
  now disables debug features.  Prior to this, specifying --disable-debug
  incorrectly enabled debug features. Thanks to Gustavo Zacarias for reporting
  the issue.
  [ISC-Bugs #37780]

- Unit test execution now uses a path augmented during configuration
  processing of the --with-atf option to locate ATF runtime tools, atf-run
  and atf-report. For most installations of ATF, this should alleviate the
  need to manually include them in the PATH, as was formerly required.
  If the configure script cannot locate the tools it will emit a warning,
  informing the user that the tools must be in the PATH when running unit
  tests.
  Secondly, please note that "make check" will now exit with a failure status
  code (non-zero) if one or more unit tests fail.  This means that invoking
  "make check" from an upper level directory will cause the make process to
  STOP after the first test subdirectory with failed test(s).  To force all
  tests in all subdirectories to run, regardless of individual test outcome,
  use the command "make -k check".
  [ISC-Bugs #38619]

- Corrected a static analyzer warning in common/execute.c
  [ISC-Bugs #40374]

- ISC DHCP now follows the common convention to use the base name a
  program is invoked with (aka argv[0], vs. a builtin name) for
  logs. This should help differentiate syslog entries for DHCPv4 and
  DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
  keep the previous behavior.
  [ISC-Bugs #38692]

- The Linux packet filter code now correctly treats only the least significant
  12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
  Prior to this it was using the entire 16 bit value as the VLAN id and
  incorrectly discarding packets.  Thanks to Jiri Popelka at Red Hat for
  reporting this issue and supplying its patch.
  [ISC-Bugs #40591]
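
The 802.1Q TCI split described in the entry above, as an added C example (not ISC DHCP source code). The accept/drop policy for an untagged listener, the function names and the sample TCI values are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IEEE 802.1Q Tag Control Information, 16 bits in host order:
 *   bits 15-13 PCP (priority), bit 12 DEI, bits 11-0 VID (VLAN id). */
#define TCI_VID_MASK 0x0FFFu

struct tci_fields { unsigned pcp, dei, vid; };

static struct tci_fields tci_decode(uint16_t tci)
{
    struct tci_fields f;
    f.pcp = (tci >> 13) & 0x7u;
    f.dei = (tci >> 12) & 0x1u;
    f.vid = tci & TCI_VID_MASK;
    return f;
}

/* Assumed policy: a listener on an untagged interface accepts a frame
 * only when it does not belong to a VLAN (VLAN id 0). */

/* Behaviour before the fix: the whole 16-bit TCI is taken as the VLAN id. */
static int accept_whole_tci(uint16_t tci) { return tci == 0; }

/* Behaviour after the fix: only the low 12 bits are the VLAN id. */
static int accept_vid_only(uint16_t tci) { return tci_decode(tci).vid == 0; }

/* Count frames the 16-bit comparison discards although their VLAN id is 0. */
static int count_wrongly_dropped(const uint16_t *tcis, size_t n)
{
    int dropped = 0;
    for (size_t i = 0; i < n; i++)
        if (accept_vid_only(tcis[i]) && !accept_whole_tci(tcis[i]))
            dropped++;
    return dropped;
}

/* Constructed sample: untagged, priority-tagged (PCP 5), DEI only,
 * VLAN 100, VLAN 100 with PCP 3. */
static const uint16_t sample_tcis[] = { 0x0000, 0xA000, 0x1000, 0x0064, 0x6064 };

int main(void)
{
    size_t n = sizeof sample_tcis / sizeof sample_tcis[0];
    for (size_t i = 0; i < n; i++) {
        struct tci_fields f = tci_decode(sample_tcis[i]);
        printf("tci=0x%04x pcp=%u dei=%u vid=%u old=%s new=%s\n",
               (unsigned)sample_tcis[i], f.pcp, f.dei, f.vid,
               accept_whole_tci(sample_tcis[i]) ? "accept" : "drop",
               accept_vid_only(sample_tcis[i]) ? "accept" : "drop");
    }
    printf("wrongly dropped by 16-bit compare: %d\n",
           count_wrongly_dropped(sample_tcis, n));
    return 0;
}
```

Priority-tagged frames carry VLAN id 0 with a non-zero PCP, so they are the ones a full 16-bit comparison rejects.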

- Fixed several static analysis issues such as potential null
  references and unchecked strdup returns.  Thanks to Bill Parker (wp02855 at
  gmail dot com) who identified these issues and supplied patches to
  address them.
  [ISC-Bugs #40754]
  [ISC-Bugs #40823]

- Corrected compilation errors that prohibited building the server
  and its ATF unit tests when failover is disabled.
  [ISC-Bugs #40372]

- Added the lease address to the end of the debug level log message
  emitted when an existing lease is renewed within the dhcp-cache-threshold.
  Thanks to Nathan Neulinger at Missouri S&T for suggesting the change.
  [ISC-Bugs #40598]

- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
  section of the configure script output.  Additionally, all of the
  features reported on will now always show either a "yes" or "no"
  value.  Prior to this features left to their default setting would
  not show a value.
  [ISC-Bugs #40381]

- Added a parameter, authoring-byte-order, to the lease file. This value
  is automatically added to the top of new lease files by the server and
  indicates the internal byte order (big endian or little endian) of the
  server.  This permits lease files generated on a server with one form of
  byte order to be used on a server with the opposite form. Our thanks to
  Timothe Litt for calling this to our attention and for the suggestions
  he provided.
  [ISC-Bugs #38396]

- Fixed a small memory leak in the DHCPv6 version of the client code.
  This is unlikely to cause significant issues in actual use.
  [ISC-Bugs #40990]

- Corrected a few minor memory leaks in omapi's dereferencing of
  host objects. Thanks to Jiri Popelka at Red Hat for reporting
  the issue and supplying the patches.
  [ISC-Bugs #33990]
  [ISC-Bugs #41325]

- Cleaned up some of the Make infrastructure to make --with-libbind
  work better, though it still only works with an absolute path.
  [ISC-Bugs #39210]

- Made the embedded bind libraries able to be cross compiled
  (please refer to the bind9 documentation to learn how to cross
   compile DHCP and its bind library dependency).
  [ISC-Bugs #38836]

- Update the client code to better support getting IA_NAs and IA_PDs
  in the same packet, see RFC7550 for some discussion.
  [ISC-Bugs #40190]

! Update the bounds checking when receiving a packet.
  Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
  patch.
  [ISC-Bugs #41267]
  CVE: CVE-2015-8605

- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
  print out a specific error message about the first error in addition
  to the usage string.  This may be disabled by editing includes/site.h.
  [ISC-Bugs #40321]
  [ISC-Bugs #41454]

- The configure script will now exit with an error message if it cannot find
  a GNU-style make tool (needed when building BIND libraries) or pkg-config
  (needed to locate ATF used for building unit tests). Prior to this the
  script would exit indicating success causing subsequent attempts to build
  the software to fail.
  [ISC-Bugs #40371]

- Properly terminate strings before passing them to regex and fix
  a boundary error when creating certain new data strings.
  Thanks to Andrey Jr. Melnikov for the bug report.
  [ISC-Bugs #41217]

- Option expressions, such as prepend and append, are now supported when
  running dhclient for IPv6.  Prior to this such statements in the
  client configuration file would be parsed but have no effect.  Thanks
  to Jiri Popelka at Red Hat for reporting the issue.
  [ISC-Bugs #39952]

- A failover primary server will now accept a binding status update from the
  secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
  for instances in which a client declines a lease and only the secondary
  server receives it.  Prior to this the primary server would reject such an
  update as an "invalid state transition".
  [ISC_BUGS #25189]

- Properly allocate memory for a bpf filter.
  Thanks to Bill Parker (wp02855 at gmail dot com) who identified this issue.
  [ISC-Bugs #41485]

- Updated contrib/dhcp-lease-list.pl to handle garbage in the oui file better
  and to print out the hostnames a bit better.
  Thanks to Antoine Beaupré from Debian for the suggested patch.
  [ISC-Bugs #41288]

- The DHCPv6 server now handles long valid and preferred lease times better.
  Values that would cause the internal end time of the lease to wrap are
  modified to work as infinite.
  [ISC-Bugs #40773]
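
The wrap condition named in the entry above, as an added C example (not ISC DHCP source code). The 32-bit width of the clock and end time, the END_TIME_NEVER marker, the function names and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define LIFETIME_INFINITE 0xFFFFFFFFu  /* RFC 3315 "infinity" lifetime value */
#define END_TIME_NEVER    UINT32_MAX   /* assumed in-memory marker: no expiry */

/* Unchecked: the sum silently wraps modulo 2^32. */
static uint32_t end_time_unchecked(uint32_t now, uint32_t lifetime)
{
    return (uint32_t)(now + lifetime);
}

/* Checked: a lifetime that would carry the end time past the top of the
 * range is handled as infinite instead of being added. */
static uint32_t end_time_checked(uint32_t now, uint32_t lifetime)
{
    if (lifetime == LIFETIME_INFINITE || lifetime > UINT32_MAX - now)
        return END_TIME_NEVER;
    return now + lifetime;
}

/* A lease with the "never" marker does not expire. */
static int lease_expired(uint32_t end, uint32_t now)
{
    return end != END_TIME_NEVER && end <= now;
}

int main(void)
{
    uint32_t now = 1459209600u;   /* constructed: 2016-03-29 00:00:00 UTC */
    uint32_t life = 0xF0000000u;  /* constructed: long but not "infinity" */
    uint32_t bad = end_time_unchecked(now, life);
    uint32_t good = end_time_checked(now, life);

    printf("unchecked end=%u expired=%d\n", (unsigned)bad, lease_expired(bad, now));
    printf("checked   end=%u expired=%d\n", (unsigned)good, lease_expired(good, now));
    return 0;
}
```

With the unchecked sum the end time lands in the past, so a lease granted with a very long lifetime looks expired the moment it is written.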

- Updated support for cross compiling by allowing the library archiver
  to be set at configure time via the environment variable 'AR'.
  [ISC-Bugs #41536]

- The server will now match DHCPv6 relayed clients to host declarations
  which include the "hardware" statement, if the relay connected to the
  client supplies the client's hardware address via client-linklayer-address
  option as per RFC 6939.
  [ISC-Bugs #40334]

- Allow a filename to be specified instead of /dev/random during
  configuration.  This is passed to the BIND configuration to allow
  for cross compilation.
  [ISC-Bugs #33835]

- Add more option definitions.
  [ISC-Bugs #40562]

- Correct outputting of long lines in the lease file when writing
  a lease that includes long strings in an execute statement.
  [ISC-Bugs #40994]

- The server will now correctly treat a lease as reserved when the client
  requests an infinite lease time (i.e. 0xFFFFFFFF) and "infinite-is-reserved"
  is enabled.  Prior to this the server would halt.  In addition, corrections
  were made to the server to allow a lease's flags field to be set via omapi.
  Prior to this, the server, depending on the host architecture, would
  incorrectly parse the new flags value from the omapi message.
  [ISC-Bugs #31179]

- ISC DHCP can now be configured and built from a directory other than
  the top level source directory. Note that "make distcheck" uses this
  feature.
  [ISC-Bugs #39262]

- Add support for RFC 3527 to dhcrelay.  A new dhcrelay command line argument,
  "-U <interface>", enables the addition of an RFC 3527 compliant link selection
  suboption to the agent option added for clients directly connected to the
  relay.
  [ISC-Bugs #34875]
  [ISC-Bugs #41708]

- Add a new global DHCPv6 option, dhcpv6-set-tee-times, which when enabled
  instructs the server to calculate T1 and T2 as recommended in RFC 3315,
  Section 22.4.
  [ISC-Bugs #25687]

- Corrected minor Coverity issues.
  [ISC-Bugs #35144]

- Add support for RFC 7341 DHCPv4 over DHCPv6 with a new configuration
  option "--enable-dhcpv4o6". Note this feature requires DHCPv6 support
  and is not compatible with delayed-ack. Both client and server use 2
  processes which communicate over UDP on a pair of sockets. The new
  "-4o6 <port>" command line argument enables DHCPv4 over DHCPv6 support
  and specifies the consecutive ports to use for inter-process communication.
  Please look at doc/DHCPv4-over-DHCPv6 for more details.
  [ISC-Bugs #35711]

- Correct interface name formation when using DLPI under Solaris 11. As of
  Solaris 11, ethernet device files are located in "/dev/net".  The configure
  script has been modified to detect this situation and adjust the directory
  used accordingly. Thanks to Jarkko Torppa for reporting this issue and
  submitting a patch.
  [ISC-Bugs #37954]
  [ISC-Bugs #40752]

- Add a dereference call when handling an error condition while
  decoding a packet.
  [ISC-Bugs #41774]

- Add a new parameter, lease-id-format, to both dhcpd and dhclient. The
  parameter controls the format in which certain values are written to lease
  files.  Formats supported are octal - quoted string containing octal
  escapes, and hex - unquoted, colon separated hex digits.  Thanks to
  Jay Ford, University of Iowa for bringing the issue to our attention.
  [ISC-Bugs #26378]

! Add an option in site.h to limit the number of failover and control
  connections the server will accept.  By default this is 200.
  [ISC-Bugs #41845]
  CVE: CVE-2016-2774

- Fixed util/bindvar.sh error handling.
  [ISC-Bugs #41973]

- Correct error message in relay to use remote id length instead
  of circuit id length.
  [ISC-Bugs #42556]

- Add support for including an encapsulated option in a response
  from the DHCPv6 server.  This allows the v6 FQDN option to be
  returned in responses.
  [ISC-Bugs #29246]

- Add logic to test directory Makefiles to avoid copying Attfile(s)
  when building within the source tree.  This eliminates a noisy but
  otherwise harmless error message when running "make check".
  [ISC-Bugs #41883]

- Leases are now scrubbed of certain prior use information when pool
  re-balancing reassigns them from one FO peer to the other.  This
  corrects an issue where leases that were offered but not used
  by the client retained the client hostname from the original
  client. Thanks to Pavel Polacek, Jan Evangelista Purkyne University
  for reporting the issue.
  [ISC-Bugs #42008]

- In the LDAP code and schema add some missing '6' characters to use
  the v6 instead of the v4 versions.  Thanks to Denis Taranushin for
  reporting this issue and supplying its patch.
  [ISC-Bugs #42666]

- Correct how the pick-first-value expression is written to a lease
  file.  Previously it was written as a concat expression due to
  a cut and paste error.
  [ISC-Bugs #42253]

- Modify the DDNS code to clean up the PTR record even if there
  are issues while cleaning up the A or AAAA records.
  [ISC-Bugs #23954]

- Added global configuration parameter, abandon-lease-time, which determines
  the amount of time a lease remains abandoned.  The default is 84600 seconds.
  Additionally, the server now conducts a ping check (if ping checks are
  enabled) prior to offering an abandoned lease to a client. Our thanks to
  David Zych at University of Illinois for reporting the issue and working
  with us to produce a viable solution.
  [ISC-Bugs #41815]

- Correct handling of interface names during interface discovery. This
  addresses an issue where interface names of 15 characters in length
  could lead to crashes or interface recognition errors during startup
  of dhcpd, dhclient, and dhcrelay.
  [ISC-Bugs #42226]

- Updates to contrib/dhcp-lease-list.pl to make it more friendly.
  The updates are: looking for the lease file in more places and skipping
  the "processing complete" output when creating machine readable
  output.  Thanks to Cameron Paine (cbp at null dot net) for the
  patch.
  [ISC-Bugs #42113]

- When reusing a lease for dhcp-cache-threshold return the hostname
  to the original lease.  Also, if the host pointer, UID or hardware address
  changes, don't allow reuse of the lease.
  Thanks to Michael Vincent for reporting this and helping us
  verify the problem and fix.
  [ISC-Bugs #42849]

- Change dmalloc to use a size_t as the length argument to bring it
  in line with the call it will make to malloc().
  [ISC-Bugs #40843]

- If the failover socket can't be bound, close it.  Otherwise if the
  user configures an incorrect address in the failover stanza the
  server will continue to open new sockets every 90 seconds until
  it runs out.
  [ISC-Bugs #42452]

- Add DHCPv4-mode dhcrelay command line options, "-iu" and "-id", that
  allow interfaces to be upstream or downstream respectively.  Upstream
  interfaces will accept and forward only BOOTP replies, while downstream
  interfaces will accept and forward only BOOTP requests.
  [ISC-Bugs #41547]

- Clean up some memory references in the vendor-class construct.
  [ISC-Bugs #42984]

- Removed an extraneous expression in omapi socket callback function. Prior
  to this change, the logic was technically incorrect but other factors
  ensured the outcome itself was correct.  This change was made primarily
  for code clarity. Thanks to Ganesh Pinjala for bringing the issue to our
  attention.
  [ISC-Bugs #42834]

- Corrected a bug which could cause the server to sporadically crash while
  loading lease files when lease-id-format is set to "hex".  Our thanks
  to Jay Ford, University of Iowa for reporting the issue.
  [ISC-Bugs #43185]

- Eliminated a noisy, but otherwise harmless debug log statement that may
  appear during server startup when building with --enable-binary-leases
  and configuring multiple pools in a shared network.  Thanks to Fernando
  Soto from BlueCat Networks for reporting the issue and supplying a patch.
  [ISC-Bugs #43262]

- The configure script for use with libtool now catches a failure to
  execute autoreconf. Prior to this, autoreconf failures would go undetected
  causing the legacy configure script to loop when run with --enable-libtool.
  [ISC-Bugs #43546]

- When replying to a DHCPINFORM, the server will now include options specified
  at the pool scope, provided the ciaddr field of the DHCPINFORM is populated.
  Prior to this the server only evaluated options down to the subnet scope.
  Thanks to Fernando Soto at BlueCat Networks for reporting the issue.
  [ISC-Bugs #43219]
  [ISC-Bugs #45051]

- When memory allocation fails repeatedly, the process writes
  "Run out of memory." to standard error and exits with status 1.
  [ISC-Bugs #32744]