DDNS cleanup conflicts in the HA terminated state
An HA-enabled server can transition to the terminated state when the number of conflicting lease updates exceeds the max-rejected-lease-updates setting. In this case, the servers no longer communicate lease updates to each other. It is possible that the primary server keeps renewing leases but doesn't inform the standby/secondary. From the standby's perspective, the lease is not renewed and may expire. In this case, the standby server would reclaim the lease and trigger DNS cleanup. This produces a conflict in the DNS whereby the standby removes the entry that the primary has inserted.
Servers in the HA terminated state should be careful when doing DDNS cleanup. Perhaps it would be best if the standby could simply not do DDNS cleanup in that case. In the load-balancing mode, the servers could perform DDNS cleanup of only those records that they created. This means that they should apply the load-balancing algorithm to the reclaimed leases and pick only those that belong to them.
Kea has a hook point triggered before the actual lease reclamation, for which we could provide callouts in the HA hook library. Setting the SKIP flag for certain leases would stop DDNS cleanup for them.
There is also the question of what to do with the lease itself. Removing an expired lease from the database could cause conflicts when another client picks up the lease while it is still in use by a client that received it from the primary. Running the servers in the terminated state for a longer period of time can be really harmful. Perhaps, in this state, we should suspend DHCP service on the secondary server completely.
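
The decision proposed above (the standby skips DDNS cleanup in the terminated state; load-balancing servers clean up only the records they own) can be sketched as a stand-alone function. This is an added example, not code from Kea or its HA hook library: every type and function name is hypothetical, and the FNV-1a hash is a placeholder assumption standing in for the library's real load-balancing hash.

```cpp
// Added illustration; not Kea code. All type and function names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Mode  { HotStandby, LoadBalancing };
enum class Role  { Primary, Secondary, Standby };
enum class State { Normal, Terminated };

struct Lease {                        // constructed stand-in for a reclaimed lease
    std::vector<uint8_t> client_key;  // client identifier or hardware address
    bool has_dns_records;             // DNS entries were created for this lease
};

// Placeholder FNV-1a hash. Assumption: stands in for the HA library's real
// load-balancing hash only so that both servers pick an owner deterministically.
static uint32_t placeholderHash(const std::vector<uint8_t>& key) {
    uint32_t h = 2166136261u;
    for (uint8_t b : key) { h ^= b; h *= 16777619u; }
    return h;
}

// 0 = primary owns the lease, 1 = secondary owns it (two active servers).
int ownerIndex(const Lease& lease) {
    return static_cast<int>((placeholderHash(lease.client_key) >> 16) % 2);
}

// True when a pre-reclamation callout would set SKIP for this lease.
bool skipDdnsCleanup(Mode mode, Role role, State state, const Lease& lease) {
    if (!lease.has_dns_records) return false;        // nothing to clean up
    if (state != State::Terminated) return false;    // partners still in sync
    if (mode == Mode::HotStandby)                     // standby never cleans up
        return role == Role::Standby;
    int self = (role == Role::Primary) ? 0 : 1;      // load balancing: only the
    return ownerIndex(lease) != self;                 // owner cleans its records
}

int main() {
    // Constructed sample leases keyed by made-up hardware addresses.
    std::vector<Lease> leases = {
        {{0x00, 0x0c, 0x01, 0x02, 0x03, 0x04}, true},
        {{0x00, 0x0c, 0x01, 0x02, 0x03, 0x05}, true},
        {{0x00, 0x0c, 0x01, 0x02, 0x03, 0x06}, false},
    };
    for (const Lease& l : leases)
        std::printf("owner=%d skip(primary)=%d skip(secondary)=%d\n", ownerIndex(l),
            skipDdnsCleanup(Mode::LoadBalancing, Role::Primary, State::Terminated, l),
            skipDdnsCleanup(Mode::LoadBalancing, Role::Secondary, State::Terminated, l));
    return 0;
}
```

Because both servers compute the same owner for a lease, exactly one of them removes its DNS records in load-balancing mode even though they no longer exchange lease updates.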