Kea issues (https://gitlab.isc.org/isc-projects/kea/-/issues), feed updated 2023-07-17T13:58:22Z

https://gitlab.isc.org/isc-projects/kea/-/issues/2784
Document limiting TLS versions
Updated: 2023-07-17T13:58:22Z | Author: Peter Davies

It may be of interest to users to know how to disable insecure TLS versions for use in the Kea implementation.
I suggest a small section in the security section of the ARM.
[RT #21879](https://support.isc.org/Ticket/Display.html?id=21879)
Milestone: kea2.3.6 | Assignee: Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/2773
Update doc for PostgreSQL >= 15
Updated: 2023-07-05T10:39:18Z | Author: Francis Dupont

PostgreSQL >= 15 requires extra commands to grant permissions for things, e.g. tables inside databases. The documentation should be updated so admins can use recent versions of PostgreSQL using only the Kea docs (instead of having to google).
Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/2770
Config report literal is no longer included in binaries
Updated: 2023-03-21T11:42:30Z | Author: Francis Dupont

Since #2702 the `strings path/kea-dhcp-ddns | sed -n 's/;;;; //p'` no longer works. This ticket is for not forgetting to update the doc, either by removing this or by updating it to libkea-process.so (or dylib), which is the only binary where the config report literal can be found in all cases.
Milestone: current-stable-2.4 | Assignee: Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2750
[ISC-support #22101] Class priority is underdocumented in the ARM
Updated: 2023-10-18T12:39:19Z | Author: Andrei Pavel <andrei@isc.org>

The order in which class information is applied, when defined in multiple classes, is documented only for options (presumed to be both option definitions and option data only by looking at a previous section):
> When determining which options to include in the response, the server examines the union of options from all of the assigned classes. If two or more classes include the same option, the value from the first class examined is used; classes are examined in the order they were associated, so ALL is always the first class and matching required classes are last.
It would be nice to extend this to lease lifetimes, v4 fields, and whatever else can be specified as class information.
Also, it would be nice to clarify the relationship of class information relative to global values, shared network values, and subnet values, which is also currently only mentioned for options:
> When options are defined as part of the class definition they override any global options that may be defined, and in turn will be overridden by any options defined for an individual subnet.
Milestone: kea2.5.3 | Assignee: Andrei Pavel <andrei@isc.org>

https://gitlab.isc.org/isc-projects/kea/-/issues/2748
update release process checklist
Updated: 2023-07-17T13:58:22Z | Author: Wlodzimierz Wencel

Mostly reflect changes due to the new signing procedure.
Milestone: kea2.3.6 | Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea/-/issues/2745
two separate reservations for one client leads to one being ignored
Updated: 2023-07-17T13:58:20Z | Author: Wlodzimierz Wencel

1. Kea reservation identifiers:
```
"host-reservation-identifiers": [
"hw-address",
"duid"
],
```
hr in the subnet:
```
"reservations": [
{
"duid": "00:03:00:01:f6:f5:f4:f3:f2:01",
"prefixes": [
"2001:db8:1:0:4000::/110"
]
},
{
"hw-address": "f6:f5:f4:f3:f2:01",
"ip-addresses": [
"3000::3"
]
}
]
```
Both are correct, and both, if you look closely, are for the same client. I would be inclined to call it a misconfiguration, but Kea does not check this.
Kea does not assign a prefix to the client that is using DUID `00:03:00:01:f6:f5:f4:f3:f2:01`, but if the address reservation is removed, the reserved prefix is assigned correctly. Changing the order of reservations in the config file does not have any effect.
Milestone: kea2.4.0 | Assignee: Francis Dupont

https://gitlab.isc.org/isc-projects/kea/-/issues/2743
Document update (hooks for CA)
Updated: 2024-01-22T07:56:32Z | Author: Peter Davies

From: https://kea.readthedocs.io/en/kea-2.3.4/arm/hooks.html#available-hook-libraries
Warning
While the Kea Control Agent includes the "hooks" functionality, (i.e. hook libraries can be loaded by this process), none of ISC's current hook libraries should be loaded by the Control Agent.
This is no longer correct - the RBAC hook libraries are loaded on the CA.
Milestone: kea2.3.6 | Assignee: Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/2711
perfdhcp documentation mismatch regarding -Y/-y
Updated: 2023-02-27T17:56:41Z | Author: Darren Ankney

In the man page for perfdhcp (`man 8 perfdhcp`) it gives the following documentation:
```
-y seconds
Time in seconds after which perfdhcp starts simulating the client waiting longer for server responses. This increases
the secs field in DHCPv4 and sends increased values in the Elapsed Time option in DHCPv6. Must be used with -Y.
-Y seconds
Time in seconds during which perfdhcp simulates the client waiting longer for server responses. This increases the
secs field in DHCPv4 and sends increased values in the Elapsed Time option in DHCPv6. Must be used with -y.
```
While `perfdhcp --help` outputs:
```
-Y<time>: time in seconds after which perfdhcp will start sending
messages with increased elapsed time option.
-y<time>: period of time in seconds in which perfdhcp will be sending
messages with increased elapsed time option.
```
Notice how the case of Y/y is reversed. The content from `perfdhcp --help` is the correct content. I found this issue while doing some testing that required the `SECS` field to increase and I was having trouble getting it to do so. This issue is present in 2.2.0 and 2.3.3. I did not investigate any other versions.
Milestone: kea2.3.6 | Assignee: Darren Ankney

https://gitlab.isc.org/isc-projects/kea/-/issues/2710
Kea ARM database tweaks and recommendations
Updated: 2023-07-17T13:58:23Z | Author: Marcin Godzina

Kea requires changes in the documentation about the recommended database and tweaks to improve performance.
Related issue: isc-projects/kea#2706
Milestone: kea2.3.5 | Assignee: Marcin Godzina

https://gitlab.isc.org/isc-projects/kea/-/issues/2664
Additional use of test statement
Updated: 2023-07-17T13:58:22Z | Author: Peter Davies

A suggestion to improve documentation.
Regarding the "test" statement which may be employed in the definition of client classes: there are no examples in the ARM that document usage where two separate values retrieved from a packet are compared with each other. All examples compare a value retrieved from a packet with a constant value or test for membership of other classes. The following is also possible:
```
"client-classes": [
{ "name": "Infrastructure",
"test": "option[82].option[2].hex == pkt4.mac" },
...
],
```
This is a result of discussions in [RT#21407](https://support.isc.org/Ticket/Display.html?id=21407).
Milestone: kea2.3.5 | Assignee: Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/2659
Update UML diagrams in the Kea ARM
Updated: 2023-07-31T13:34:54Z | Author: Vicky Risk <vicky@isc.org>

The flow diagrams in the appendix to the Kea ARM are very helpful in understanding how addresses are allocated and in identifying more performant configurations. The existing diagrams reflect Kea 1.8.0. It would be good to update these in more recent ARM versions.
Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/2627
Dynamic DNS in options are not in example DHCPv4 configuration file
Updated: 2023-07-31T13:34:54Z | Author: Michael Casadevall

**Describe the bug**
Options relating to DDNS in DHCPv4 are not present in the included examples. To get DDNS working with Kea, I had to manually look up and add options like this
```
"dhcp-ddns": {
"enable-updates": true,
},
"ddns-qualifying-suffix": "ddns.restless.systems",
```
DDNS is mentioned in other places, but none of the actual config stanzas appear to be in the file, nor is there a concise guide showing which flags need to be set, as well as having clients. Furthermore, default behavior is not well documented. For instance, without ddns-qualifying-suffix, my client sent a hostname of "kali", and Kea DHCP attempted to do an UPDATE with that hostname as is.
That could easily lead to unexpected behavior and security concerns, and should be clearly documented.
**Expected behavior**
- Clearer documentation on what must be set in DHCP4 (and 6) for DDNS
- Better documentation on default behaviors
**Environment:**
- Kea version: 2.2.0, compiled from tarball on site
- Ubuntu 22.04.1
**Additional Information**
This was done as part of a livestream learning how to use Kea, documenting this behavior.
**Contacting you**
GitLab is fine, can provide more ways if needed.
Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/2606
create documentation for template-classes
Updated: 2023-07-17T13:58:24Z | Author: Razvan Becheriu
Milestone: kea2.3.3 | Assignee: Razvan Becheriu

https://gitlab.isc.org/isc-projects/kea/-/issues/2569
A couple of minor typos in the ARM
Updated: 2023-07-17T13:58:24Z | Author: Peter Davies

There are a couple of typos in examples in the ARM:
doc/sphinx/arm/dhcp4-srv.rst: "Dhcp4:" {
doc/sphinx/arm/dhcp6-srv.rst: "Dhcp6:" {
doc/sphinx/arm/hooks-ddns-tuning.rst: "ddns-tuning:" {
doc/sphinx/arm/hooks.rst: "ddns-tuning:" {
Milestone: kea2.3.1 | Assignee: Peter Davies

https://gitlab.isc.org/isc-projects/kea/-/issues/2554
ARM: Make parameter names clickable
Updated: 2023-07-17T13:58:21Z | Author: Tomek Mrugalski

Someone (@vicky?) suggested on the Kea call:
> If we want to link the statements in the ARM the way we did for the BIND ARM, I have the MRs that Petr used. The linking was built on top of a couple of other things - including the category tagging we also did in the ARM. I think these are the Sphinx text roles that we changed style for recently. Nice idea. Not trivial, requires some Sphinx python programming.
The overall goal is to reuse a script that BIND developed. It turned statements (e.g. `hosts-database`) into clickable links.
Milestone: kea2.4.0 | Assignee: Andrei Pavel <andrei@isc.org>

https://gitlab.isc.org/isc-projects/kea/-/issues/2547
How is TLS configured for the Control Agent when not in HA?
Updated: 2023-07-31T13:34:54Z | Author: vps-eric

In section [23.1.2 TLS/HTTPS Configuration](https://kea.readthedocs.io/en/latest/arm/security.html#tls-https-configuration) of the Kea ARM version 2.2.0, it is stated that the `trust-anchor` option specifies a path to the certificate authority certificate of the [HA] peer, and that this setting must be specified along with `cert-file` and `key-file` to enable TLS.
Confusingly, the "Security considerations" of the [Kea documentation of 2.1.7-git](https://reports.kea.isc.org/dev_guide/d7/dc0/controlAgent.html#CtrlAgentSecurity) states that you will
> ...not implement the secure layer [TLS] within Kea...
and that
> ...a reverse HTTP proxy can be setup[sic] using one of the third party HTTP server implementations...
These things seem to conflict. Back to the original point, though, is my confusion about how to enable TLS for the control agent when not in HA (and also when in HA with one or more backup servers, when there would be more than one peer). Why is it necessary to configure the peer's certificate authority certificate in the control agent configuration when the system has its own certificate authority certificate store?
Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/2522
Using special characters in expressions is not documented.
Updated: 2023-07-05T10:39:18Z | Author: Marcin Godzina

Using special characters in expressions is not documented.
For example, to use `'` (single quote) as the delimiter for the `split` expression you need to use its ASCII value:
`split(option[39].text, 0x27, 1)`
Milestone: next-stable-2.6

https://gitlab.isc.org/isc-projects/kea/-/issues/2513
Sphinx converts apostrophes to smart quotes
Updated: 2023-07-31T11:34:31Z | Author: Andrei Pavel <andrei@isc.org>

Apostrophes (U+0027) `'` in RST files are converted into left quotes and right quotes in the HTML and PDF created by Sphinx.
| Unicode Codepoint | Visual Representation | Hexadecimal Byte Representation | Name |
| ----------------- | --------------------- | ------------------------------- | --------------------------- |
| U+2018 | ‘ | E2 80 98 | LEFT SINGLE QUOTATION MARK |
| U+2019 | ’ | E2 80 99 | RIGHT SINGLE QUOTATION MARK |
This prevents a user from copying and using any chunks of configuration or pieces of code that use apostrophes.
This issue does not affect preformatted code blocks or spans of code marked by backtick quotes.
Milestone: kea2.3.0

https://gitlab.isc.org/isc-projects/kea/-/issues/2501
update EULA license
Updated: 2022-07-22T16:02:05Z | Author: Tomek Mrugalski

We need to update the license of the premium hooks.
Milestone: kea2.2.0 - a new stable branch | Assignee: Tomek Mrugalski

https://gitlab.isc.org/isc-projects/kea/-/issues/2495
Kea uses predictable filenames for sockets in /tmp
Updated: 2023-07-05T10:39:19Z | Author: Paride Legovini

Debian maintainer of the Kea package here; this is a forward of Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014929 and Ubuntu bug https://bugs.launchpad.net/ubuntu/+source/isc-kea/+bug/1863100.
---
The default Kea configuration files place control sockets under `/tmp`, e.g.:
```
+---
| "control-socket": {
| "socket-type": "unix",
| "socket-name": "/tmp/kea4-ctrl-socket"
| },
+---[ /etc/kea/kea-dhcp4.conf ]
```
This can be a security issue, especially given that the sockets have fixed names, as any user can create a file/socket with that name under `/tmp`. Please move the control sockets to `/run/kea`. Thanks!
Milestone: next-stable-2.6
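Three of the tickets in this feed describe configuration conditions that can be checked mechanically: a control socket in a directory every local user can write to (#2495, directly above), one client reserved under both a DUID and an hw-address in the same subnet (#2745), and DDNS updates enabled with no qualifying suffix so that client-supplied hostnames reach the DNS UPDATE unchanged (#2627). The lint below is an added example written for this page; it is not Kea project code and none of the tickets contain it. It takes a parsed kea-dhcp4/kea-dhcp6 configuration as a plain JSON object (Kea's C-style comments would have to be stripped first). The check names, the `SHARED_DIR_PREFIXES` fallback used when a directory cannot be inspected, and the decision to look only at the global `ddns-qualifying-suffix` are this example's own assumptions.

```python
"""Lint a Kea DHCP server configuration for three problems reported in this feed.

Added example, not Kea code. Findings are (check, detail) tuples:
  control-socket-shared-dir   - socket lives where other users can create entries (#2495)
  duplicate-reservation       - same MAC reserved via hw-address and via DUID-LL/LLT (#2745)
  ddns-unqualified-hostnames  - enable-updates without ddns-qualifying-suffix (#2627)
"""
import json
import os
import stat

# Assumption: well-known world-writable locations, used only when the directory
# cannot be inspected on the host running the lint.
SHARED_DIR_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def socket_dir_is_shared(path):
    """True if other local users can create entries in the socket's directory.

    /tmp normally carries the sticky bit, which only stops users deleting each
    other's files; it does not stop someone pre-creating /tmp/kea4-ctrl-socket,
    so the world-write bit alone decides.
    """
    parent = os.path.dirname(path) or "."
    try:
        mode = os.stat(parent).st_mode
    except FileNotFoundError:
        return path.startswith(SHARED_DIR_PREFIXES)
    return bool(mode & stat.S_IWOTH)


def mac_from_duid(duid):
    """Return the MAC embedded in a DUID-LLT (type 1) or DUID-LL (type 3) with
    hardware type 1 (Ethernet), per RFC 8415 section 11; None for other DUIDs."""
    octets = duid.lower().split(":")
    if len(octets) < 4:
        return None
    duid_type = octets[0] + octets[1]
    hw_type = octets[2] + octets[3]
    if hw_type != "0001":
        return None
    if duid_type == "0003" and len(octets) == 10:   # type(2) hwtype(2) mac(6)
        return ":".join(octets[4:])
    if duid_type == "0001" and len(octets) == 14:   # type(2) hwtype(2) time(4) mac(6)
        return ":".join(octets[8:])
    return None


def _subnets(server):
    """Yield subnet4/subnet6 entries, including those inside shared networks."""
    yield from server.get("subnet4", []) + server.get("subnet6", [])
    for net in server.get("shared-networks", []):
        yield from net.get("subnet4", []) + net.get("subnet6", [])


def lint_kea_config(cfg):
    """Return a list of (check, detail) findings for a parsed kea-dhcp4/6 config."""
    findings = []
    server = cfg.get("Dhcp4") or cfg.get("Dhcp6") or {}

    sock = server.get("control-socket", {})
    name = sock.get("socket-name", "")
    if sock.get("socket-type") == "unix" and name and socket_dir_is_shared(name):
        findings.append(("control-socket-shared-dir", name))

    for subnet in _subnets(server):
        by_mac = {}
        for res in subnet.get("reservations", []):
            if "hw-address" in res:
                by_mac.setdefault(res["hw-address"].lower(), []).append("hw-address")
            mac = mac_from_duid(res["duid"]) if "duid" in res else None
            if mac:
                by_mac.setdefault(mac, []).append("duid")
        for mac, kinds in by_mac.items():
            if len(kinds) > 1:
                findings.append(("duplicate-reservation",
                                 f"{subnet.get('subnet')}: {mac} reserved via {' and '.join(kinds)}"))

    # Simplification: only the global suffix is inspected; Kea also accepts it
    # per shared network and per subnet.
    if server.get("dhcp-ddns", {}).get("enable-updates") and not server.get("ddns-qualifying-suffix"):
        findings.append(("ddns-unqualified-hostnames",
                         "enable-updates is true but ddns-qualifying-suffix is not set"))
    return findings


if __name__ == "__main__":
    # Constructed sample built from the two reservations quoted in #2745.
    sample = json.loads("""{ "Dhcp6": {
        "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea6-ctrl-socket" },
        "dhcp-ddns": { "enable-updates": true },
        "subnet6": [ { "subnet": "2001:db8:1::/64", "reservations": [
            { "duid": "00:03:00:01:f6:f5:f4:f3:f2:01", "prefixes": [ "2001:db8:1:0:4000::/110" ] },
            { "hw-address": "f6:f5:f4:f3:f2:01", "ip-addresses": [ "3000::3" ] } ] } ] } }""")
    for check, detail in lint_kea_config(sample):
        print(f"{check}: {detail}")
```

The duplicate-reservation check decodes DUID-LLT (type 1) and DUID-LL (type 3) over Ethernet as laid out in RFC 8415, which is why the two reservations quoted in #2745 are recognisably the same client even though Kea itself does not cross-check them. The remedy for the socket finding is the one the Debian maintainer asks for: a directory such as `/run/kea`, created for the Kea user with mode 0750, and `"socket-name": "/run/kea/kea4-ctrl-socket"` in place of the `/tmp` path.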
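Ticket #2784 asks for documentation on disabling insecure TLS versions; whatever the configuration ends up being, the check an operator wants afterwards is a handshake attempt per protocol version against the Control Agent's or HA peer's HTTPS listener. The probe below is an added example written for this page, not Kea project code and not something any of the tickets describe. It pins a client context to exactly one TLS version at a time and records the outcome; the result vocabulary (`accepted`, `rejected`, `unreachable`, `unsupported-locally`) and the function names are this example's own assumptions. Host and port are supplied on the command line.

```python
"""Probe which TLS versions an HTTPS listener will negotiate.

Added example for this page, not Kea code. Each version is tried in a fresh
client context whose minimum and maximum version are pinned to that value, so
a listener configured for TLS 1.2+ must answer "rejected" for 1.0 and 1.1.
"""
import socket
import ssl
import warnings

TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
INSECURE_VERSIONS = ("TLSv1.0", "TLSv1.1")


def _context_for(version):
    """Client context pinned to exactly one protocol version.

    Raises ValueError when the local OpenSSL no longer supports that version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing protocol support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Let our side offer legacy suites; a hardened peer must still refuse.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # e.g. LibreSSL: no security levels
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe_tls_versions(host, port, timeout=3.0):
    """Return {version: 'accepted' | 'rejected' | 'unreachable' | 'unsupported-locally'}."""
    results = {}
    for name, version in TLS_VERSIONS.items():
        try:
            ctx = _context_for(version)
        except ValueError:
            results[name] = "unsupported-locally"
            continue
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        try:
            # wrap_socket on an already-connected socket performs the handshake.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[name] = "accepted" if tls.version() else "rejected"
        except (OSError, ValueError):    # ssl.SSLError is an OSError subclass
            results[name] = "rejected"
        finally:
            raw.close()
    return results


def insecure_versions_accepted(results):
    """Versions a hardened listener should never have accepted."""
    return [v for v in INSECURE_VERSIONS if results.get(v) == "accepted"]


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])    # e.g. a Control Agent on :8000
    report = probe_tls_versions(host, port)
    for name in TLS_VERSIONS:
        print(f"{name:8s} {report[name]}")
    sys.exit(1 if insecure_versions_accepted(report) else 0)
```

A non-zero exit means the listener completed a TLS 1.0 or 1.1 handshake. `unsupported-locally` means the probing host's OpenSSL refuses to even offer that version, which proves nothing about the server; run the probe from a system whose OpenSSL still supports the legacy versions if that result appears.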
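Ticket #2773 refers to the "extra commands" PostgreSQL 15 needs without listing them. The change behind it is that PostgreSQL 15 stopped granting CREATE on the `public` schema to every role, so a Kea database role that does not own the database can no longer create the lease and host tables there. The psql session below is an added example, not taken from the Kea documentation or the ticket; `kea_user`, `kea_db` and the password are assumptions.

```sql
-- Added example, not Kea documentation: privileges a non-owner Kea role needs
-- on PostgreSQL 15+ before the Kea schema scripts can create tables.
-- Assumed names: role kea_user, database kea_db.
CREATE ROLE kea_user WITH LOGIN PASSWORD 'change-me';
CREATE DATABASE kea_db;                 -- owned by the superuser running this
\connect kea_db
GRANT ALL PRIVILEGES ON DATABASE kea_db TO kea_user;
-- New in 15: without this, kea_user gets "permission denied for schema public"
-- on the first CREATE TABLE.
GRANT USAGE, CREATE ON SCHEMA public TO kea_user;
-- If the schema was already populated as another role, hand existing objects over too.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO kea_user;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO kea_user;
```

The alternative that needs no schema grant is `ALTER DATABASE kea_db OWNER TO kea_user;`, because on 15+ the `public` schema is owned by the database owner and inherits CREATE from it; which of the two fits depends on whether the site wants the Kea role to own the whole database.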