Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Kea DHCP6 registers static hosts in DNS incorrectly (pfSense+ 2025.7.1)

    Scheduled Pinned Locked Moved DHCP and DNS
    7 Posts 3 Posters 320 Views 5 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      axellarsson
      last edited by axellarsson

      Hi folks,

      I recently upgraded to pfSense+ to 2025.7.1 from 2024.11 and switched from ISC to Kea DHCP. The migration went smooth except for a couple of issues:

      1. ISC DHCP appears to tolerate trailing spaces in DUID values for reservations, wheras KEA does not (presumbably because it's quoted in the json config file). When migrating I discovered I had a few of these from copy/paste that caused the dhcp6 server to refuse to start. This was easy enough to troubleshoot from the logs, but posting here in case anyone else runs into this.

      2. With DNS registration on, my static entries are being registered multiple times (both in /etc/hosts on the firewall and in /var/unbound/hosts_entries.conf). I use Track Interface with a dynamic ISP-assigned /56 prefix so my static reservations are coded with the suffix only. Kea appears to be registering both the correct IPv6 address as well as the bare-suffix. Both the correct and incorrect entries are returned with dig, but interestingly, I'm finding that clients are not using the bad address although I'd expect them to round-robin.

      Note that I do have "Early DNS registration" turned on because I am finding that with long lease times, I can't wait for a client to renew after the DHCP server is started for the entry to be available in DNS. I want my static reservations to always resolve.

      Here's an example of host entries for one of my internal hosts. Note that it is only defined once as a DHCP reservation for both v4 and v6, and there is no additional overrides for this host in the unbound configuration, but yet the entry is repeated several times for both v4 and v6, with v6 entries for both the bare suffix and the proper IPv6 address (domain and IPv6 prefix redacted):

      local-data-ptr: "10.70.12.30 frigate.redacted.com"
local-data: "frigate.redacted.com. A 10.70.12.30"
local-data-ptr: "2600:bbbb:aaaa:cccc::a:30 frigate.redacted.com"
local-data: "frigate.redacted.com. AAAA 2600:bbbb:aaaa:cccc::a:30"
local-data: "frigate.redacted.com. A 10.70.12.30"
local-data-ptr: "::a:30 frigate.redacted.com"
local-data: "frigate.redacted.com. AAAA ::a:30"
      1. In spite of seeing active dynamic DHCP6 leases from the pool the DHCP6 status page always shows "No leases are in use". The v4 status page shows correct address consumption from each pool.
      M GertjanG 2 Replies Last reply Reply Quote 0
      • M Offline
        manicmoose @axellarsson
        last edited by

        @axellarsson
        Kea seems quite buggy.
        Don't know if this is related to your issues but I found that Kea (unfortunately) does not respect reserved addresses at all.
        Reverting back to ISC solved all problems immediately.

        1 Reply Last reply Reply Quote 0
        • GertjanG Offline
          Gertjan @axellarsson
          last edited by Gertjan

          @axellarsson said in Kea DHCP6 registers static hosts in DNS incorrectly (pfSense+ 2025.7.1):

          frigate.redacted.com

          Do you use DHCPv6 on your LAN(s) using dynmaic tracking ?

          Like :

          99331436-b455-4de8-a760-cc2e42f34c5d-image.png

          When you add "DHCPv6 Static Mappings", you have to add the prefix yourself, like :

          7f70f1a3-4090-4155-8556-81441d2b6c24-image.png

          which is an issue of course, because the day your ISP decides to change your prefix, all your "DHCPv6 Static Mappings" entries are now wrong as the prefix was hard-coded (by yourself).

          If you leave "::cc" as is, then this invalid IPv6 will get added without prepending the current prefix, like the ":🅰30" in your case. And that's not good.

          edit @manicmoose :
          For me (C) kea works just fine, using dozens DHCP4 and HDCP6 static leases.
          I even added 'new' DHCP options myself, works also very well.
          What I want to say : "it is possible" but all depends what you are doing .... what your needs are.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          M A 2 Replies Last reply Reply Quote 0
          • M Offline
            manicmoose @Gertjan
            last edited by

            @Gertjan
            My needs are pretty simple/basic.
            Use reserved IP addresses for specific MAC addresses, and (preferably) allow DNS registration using the DHCP server.
            Kea is reliably unreliable at doing those basic things as already described in the other post.
            ISC works perfectly (albeit unfortunately restarting unbound during the latter).

            GertjanG 1 Reply Last reply Reply Quote 0
            • A Offline
              axellarsson @Gertjan
              last edited by

              @Gertjan

              Yes, this is exactly what I do. Entering the suffix alone into the DHCP static reservation is supposed to be supported and works perfectly with ISC. Track Interface would be relatively useless without it.

              With Kea, this configuration still correctly assigns addresses as the complete IPv6 is expanded when pfsense generates the DHCP configuration. The problem is DNS, which now creates both an entry for the bare suffix as well as the expanded address.

              1 Reply Last reply Reply Quote 0
              • GertjanG Offline
                Gertjan @manicmoose
                last edited by Gertjan

                @manicmoose said in Kea DHCP6 registers static hosts in DNS incorrectly (pfSense+ 2025.7.1):

                Use reserved IP addresses for specific MAC addresses, and (preferably) allow DNS registration using the DHCP server.

                In the case where you only want your static DHCP MAC DHCPv4 lease to be entered in the DNS, likewise before with ISC, it's this :

                2905ecab-808b-4ee6-ab5b-fc6d508c8ae6-image.png

                and for every LAN type interface you select :

                59fe5ef9-e035-4a65-8519-2867064899c5-image.png

                and done.
                On system start, everything will be written also to to the DNS sub system.
                This "early" method will set everything up before 'DHCP' and DNS are running.

                You an see the result in the /etc/hosts file, or dump the unbound (resolver) cache.

                Btw : DHCPv6 lease are done with DUID's, not MAC addresses (right ?!).

                I was test driving kea with the new kea2unbound script where 'dynamic' IPv4 and IPv6 leases where send to unbound so I has the host names available for DNS resolution.
                My networks never have more then 75 devices, and most are known - always there.
                I stopped doing so as I don't care what the host name of my iPhone or iPad are, as these devices don't propose services that need to be accessible for other devices.
                Server type devices like printer, NAS's etc always have a static DHCP setup, IPv6 and IPv4.

                You've seen the trick how to log kea attributes leases ? It's here on this, DHCP forum.

                Afaik, kea is rock solid. And it must be, as ISC wrote it. They couldn't just stop proposing a new DHCP server if it wasn't fully tested : their users (the entire Internet !!) would crucify them. Netgate (pfSense) wouldn't have included it into pfSense.

                So : good news : kea works.
                Just one thing left to do now : why isn't it working for you ?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                M 1 Reply Last reply Reply Quote 0
                • M Offline
                  manicmoose @Gertjan
                  last edited by

                  @Gertjan
                  I did/do what you've described - and I only use IPv4 so don't even have to worry about DUIDs - and it doesn't work.

                  It's rock solid at being buggy/broken, yes. If it were only me....sure, that could be my issue, but I'm not alone here with seeing the same problem.

                  See my linked post - I showed you that the Kea DHCP process is doing the wrong thing via packet capture. There's no discernable reason why it's doing the wrong thing, it just does.
                  Switch back to ISC and instantly all problems resolved.

                  If you can tell me how I can figure out how/why it's broken, I'm listening.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.