PSA: Kea DHCP does not like DNS names ... breaks ISC to Kea migration
-
Running Pfsense+ 23.09-RELEASE (arm) on a 3100.
I switched my DHCP server to kea however new machines are not getting an IP address.
Looks like the issue is that I have 0.north-america.pool.ntp.org configured as my NTP Server (#2).
2023-11-20 04:41:11.482442-05:00 kea-dhcp4 84352 ERROR [kea-dhcp4.dhcp4.0x21c10000] DHCP4_INIT_FAIL failed to initialize Kea server: configuration error using file '/usr/local/etc/kea/kea-dhcp4.conf': option data does not match option definition (space: dhcp4, code: 42): Failed to convert string to address '0.north-america.pool.ntp.org': Invalid argument (/usr/local/etc/kea/kea-dhcp4.conf:176:33)
2023-11-20 04:41:11.479226-05:00 kea-dhcp4 84352 ERROR [kea-dhcp4.dhcp4.0x21c10000] DHCP4_CONFIG_LOAD_FAIL configuration error using file: /usr/local/etc/kea/kea-dhcp4.conf, reason: option data does not match option definition (space: dhcp4, code: 42): Failed to convert string to address '0.north-america.pool.ntp.org': Invalid argument (/usr/local/etc/kea/kea-dhcp4.conf:176:33)
2023-11-20 04:41:11.476663-05:00 kea-dhcp4 84352 ERROR [kea-dhcp4.dhcp4.0x21c10000] DHCP4_PARSER_FAIL failed to create or run parser for configuration element subnet4: option data does not match option definition (space: dhcp4, code: 42): Failed to convert string to address '0.north-america.pool.ntp.org': Invalid argument (/usr/local/etc/kea/kea-dhcp4.conf:176:33)
I removed the pool names and DHCP started to work. Just point the DHCP server back to pfsense, and then configure pfsense with the NTP pools.
-
What about :
Set Services > NTP > Settings to the pool you want. Then, on the DHCP server page, tell all clients to use pfSense.
Keep in mind : open 123 UDP on every LAN interface ^^
Btw : I can't query "0.north-america.pool.ntp.org", so it's understandable that KEA can't either.
A pool name isn't a host name (?)
-
@Gertjan I think you misunderstood the post. I wasn't asking about how to set up an NTP client.
Although you can set up NTP on the netgate itself, you can also have each of the DHCP servers hand out their own NTP servers. That's where the issue lies, not in the configuration of Pfsense's NTP client.
As far as the pool name ... you can find them here: https://www.ntppool.org/en/zone/north-america -- this is specifically the pool name for north-america.
A "pool" is not the same thing as a host, but you should still be able to pass it on to the DHCP client as an override. For example, some of my VLANs do not have access to the internet so they have to use an internal NTP server, and some don't have access to the LAN and need to use an internet NTP server. That's where you would override those settings. When switching from ISC to KEA -- ISC accepts the pool names, where KEA does not. There is no documentation that says the NTP pools are not allowed, hence the PSA to warn others if they're using such settings to check the logs and adjust the settings ... and possibly for Netgate to either warn about or fix the notable change in functionality, since KEA is "supposed to be" a drop-in replacement for ISC.
-
@Gertjan said in PSA: Kea DHCP does not like DNS names ... breaks ISC to Kea migration:
I can't query "0.north-america.pool.ntp.org"
You should be able to:
;; QUESTION SECTION:
;0.north-america.pool.ntp.org.    IN    A

;; ANSWER SECTION:
0.north-america.pool.ntp.org. 3600 IN A 108.61.56.35
0.north-america.pool.ntp.org. 3600 IN A 198.137.202.32
0.north-america.pool.ntp.org. 3600 IN A 108.61.73.244
0.north-america.pool.ntp.org. 3600 IN A 192.99.168.180
But handing a client a "pool" address would be a bad idea, because will the client understand that it is a "pool"?
Really the point of running ntp on pfsense is to point your clients to pfsense for their ntp.. Why would you hand all your clients different IPs.. A pool is a round robin fqdn that will return different IPs pretty much every time it's queried.
-
@johnpoz There are plenty of reasons (see post above for mine), and a client shouldn't care that it's a pool; it'll just grab the first IP returned to connect to.
-
@aram535 said in PSA: Kea DHCP does not like DNS names ... breaks ISC to Kea migration:
client shouldn't care that it's a pool
NTP does - you understand how ntp works right, it syncs to a server.. The servers are all going to be on slightly different time. Not a great setup to be changing the ntp server all the time to different ones..
Depending!! so if 4 IPs are handed out via the fqdn (the pool), does the client add all 4 of them? Pfsense understands that it is a pool and adds all that are returned, and then will use, based on the math it does when talking to all of them, which one is the best to actually sync to. But does the client just end up with 1 IP? If it only adds one, when that one goes down does it have to resolve again, or does it just fail because the 1 server it added is no longer working?
So if client A picks IP address 1, and then client B gets a different IP for the 1st, or picks address 2 if it got the same.. You still could end up with all your clients syncing to different servers. Now in the big picture a few ms here or there for home use is not going to make much difference.. But if you have your clients all syncing to the same source they should in theory all end up being pretty nuts on for time. If you hand them 4 different IPs that are all the same - you would hope all your clients, because they're coming from the same location and talking to the same servers via the algorithm it uses to pick the best one, would all end up picking the same.
I would think how the dhcp works, it would resolve 1 IP from the fqdn its given, and then hand that 1 IP out to dhcp clients. But again that defeats the purpose of a pool adding multiple IPs, so that if one fails the client can just use one of the others.
But you do you - but I wouldn't hand my clients pool fqdn.. If I wanted to hand them multiple ntp servers to use that are not local, I would put in say the specific 4 ntp servers they can use/choose from. Where I know the IPs are not going to have a chance of ending up different on each client..
If I did want to use a pool fqdn for my clients, I would specifically add them as a pool on the client, so for sure the client understands its a pool address and adds multiple ones.
-
@johnpoz Ummm I'm a little confused by this whole thread that you replied to. If you want to start a new one to just discuss NTP I'll be happy to, but this is a thread about an issue between the ISC and KEA DHCP server options.
We can discuss the merits of NTP servers and pools -- where each can be used and belongs. I don't disagree with most of your statement however I think you're being too general and not thinking of the multiple times and areas where different solutions can provide a valid outcome.
-
@aram535 My point is you shouldn't use a pool fqdn in dhcp.. And why that could be problematic.
Now if the dhcpd is supposed to resolve whatever fqdn to an address, and then hand the client that IP.. Cuz it's not going to hand the client the fqdn anyway..
I would never use fqdn in dhcp in the first place.. But again you do you - if you want to use fqdn in your dhcp settings, and expect/hope your dhcpd resolves it before it hands to the client - then ok do that.. But using a pool fqdn is not a good choice, and I went over the reasons why that is..
-
@johnpoz Okay fair enough ... I'll grant you the supposition that a pool address shouldn't be used -- which I believe is a false statement -- but let's assume that's a thing.
The error however is a parsing error, not a "not a valid pool or NTP host" or even a "cannot connect, timeout, etc." error, which means either pfsense or the KEA dhcpd instance is not properly reading the value, or it's ONLY expecting an IP address, or somehow the firewall (which does have port 53 blocked LAN outbound to WAN) is interfering with its own connection.
Second point would be that the "do not use pool addresses" should be documented. Currently it just says NTP Server address.
-
@aram535, time servers have to be provided by ip address, not hostnames. See RFC 2132, Section 3.6, https://datatracker.ietf.org/doc/html/rfc2132#section-3.6.
(In my case, KEA would not start when I used hostnames. I had to switch to ip addresses to get KEA DHCP to start. It is the first time in about 35 years I encountered a problem. KEA is not ready for production).
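Added example, not part of any post in this thread and not Netgate or ISC code: a pre-flight check for the failure the OP logged and the RFC 2132 point above. Kea validates option payloads against the option definitions, so code 42 (ntp-servers) must contain IPv4 literals; a pool.ntp.org name makes kea-dhcp4 refuse to start. This script parses a kea-dhcp4.conf, walks the global and per-subnet option-data, and reports every token in an IPv4-list option that is not an address. The sample config, the RFC 5737 addresses in it, and the three-option subset are constructed for the example; Kea defines many more IPv4-list options.

```python
"""Pre-flight check for an ISC dhcpd -> Kea migration.

Kea checks option data against the option definitions: code 42
(ntp-servers) is a list of IPv4 addresses (RFC 2132 section 3.6), so a
hostname such as 0.north-america.pool.ntp.org makes kea-dhcp4 fail to
start. ISC dhcpd resolved such names while loading its config. This
script lists the entries Kea will reject before the service is restarted.
"""
import ipaddress
import json
import socket

# DHCPv4 options whose payload is a list of IPv4 addresses (RFC 2132).
# Subset chosen for this example; Kea defines many more.
IPV4_LIST_OPTIONS = {"routers": 3, "domain-name-servers": 6, "ntp-servers": 42}
CODE_TO_NAME = {code: name for name, code in IPV4_LIST_OPTIONS.items()}

# Constructed sample modelled on a pfSense-generated kea-dhcp4.conf with the
# OP's NTP server #2 in it. Addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = r'''
{
  "Dhcp4": {
    "option-data": [
      { "name": "domain-name-servers", "data": "192.0.2.1" }
    ],
    "subnet4": [
      {
        "subnet": "192.0.2.0/24",
        "option-data": [
          { "name": "routers", "data": "192.0.2.1" },
          { "code": 42, "data": "192.0.2.1, 0.north-america.pool.ntp.org" }
        ]
      },
      {
        "subnet": "198.51.100.0/24",
        "option-data": [
          { "name": "ntp-servers", "data": "198.51.100.123" }
        ]
      }
    ]
  }
}
'''


def is_ipv4(token):
    """True if token is a literal IPv4 address, which is all Kea accepts here."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def option_identity(opt):
    """Return (name, code); a Kea option-data entry may carry only one of them."""
    name, code = opt.get("name"), opt.get("code")
    if name is None:
        name = CODE_TO_NAME.get(code)
    if code is None:
        code = IPV4_LIST_OPTIONS.get(name)
    return name, code


def find_bad_option_data(config_text):
    """Return (scope, option_name, code, token) for every token in an
    IPv4-list option that is not an IPv4 literal. Empty list: Kea loads it.
    Assumes plain JSON; strip Kea-style comments first if the file has them."""
    dhcp4 = json.loads(config_text).get("Dhcp4", {})
    scopes = [("global", dhcp4.get("option-data", []))]
    for subnet in dhcp4.get("subnet4", []):
        scopes.append((subnet.get("subnet", "?"), subnet.get("option-data", [])))
    findings = []
    for scope, options in scopes:
        for opt in options:
            name, code = option_identity(opt)
            if code not in CODE_TO_NAME:
                continue
            for token in str(opt.get("data", "")).split(","):
                token = token.strip()
                if token and not is_ipv4(token):
                    findings.append((scope, name, code, token))
    return findings


def resolve_like_isc(hostname):
    """Resolve a hostname to IPv4 literals, as ISC dhcpd did at config load.
    Needs DNS; for a pool name this freezes one snapshot of a rotating set."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return sorted(addrs)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for scope, name, code, token in find_bad_option_data(text):
        print(f"{scope}: option {name} (code {code}) has non-IP value {token!r}")
```

Run it with the path to kea-dhcp4.conf, or with no argument to see the constructed sample flagged. Kea's own `kea-dhcp4 -t <file>` is the authoritative check and reproduces the logged error, but stops at the first one; this script names every offending value at once. `resolve_like_isc` shows what the ISC behaviour amounted to: the addresses are fixed at config load, which is the objection raised earlier in the thread about handing clients one snapshot of a pool.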
-
@aram535
You should file a bug issue on redmine so that the input for NTP would only handle valid IP addresses and not hostnames.
-
@noloader I hit the same roadblock. That and the DHCPv6 implementation had me quickly change back. If you give it a /48 block of IP addresses to use, you shouldn't from a security point of view make the allocated IP addresses sequence guessable. Literally, the first one got ::1, the next got ::2 , then ::3....
-
@phil80 There is an open bug already .. https://redmine.pfsense.org/issues/14991
-