Netgate Discussion Forum

KEA DHCP missing "Register DHCP leases in DNS Resolver..."

DHCP and DNS
115 Posts 37 Posters 43.1k Views
  • K
    kscrib
    last edited by Jan 17, 2024, 5:22 PM

    I read the release notes and was aware that the change to KEA would no longer register local DHCP leases in DNS.

    My question is will KEA ever register DHCP leases in the local DNS in future releases, or is that a functionality that will never be available? In other words, is the functionality being worked on in development? I changed to KEA and also am using the development branch of pfsense. As of 24.03.a.20240117.0600, the functionality does not exist.

    S G 2 Replies Last reply Jan 17, 2024, 5:25 PM Reply Quote 3
    • S
      SteveITS Galactic Empire @kscrib
      last edited by Jan 17, 2024, 5:25 PM

      @kscrib I would think so; phrasing like "After Kea integration is complete" and "Basic functionality is present, but not all features are supported at this time," indicate future development.

      Until then there's not a reason to move off the default server, IMO.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      N 1 Reply Last reply Jan 29, 2024, 6:26 AM Reply Quote 2
      • N
        NickyDoes @SteveITS
        last edited by Jan 29, 2024, 6:26 AM

        I was just bitten by this one. I had read the release notes when upgrading, I had forgotten about that later when presented with multiple, reasonably strongly worded warnings that I was using a deprecated package.

        Balance the warning message a bit more. "...most-requested features" is a bit strong.

        Screenshot 2024-01-29 012004.png
        Screenshot 2024-01-29 012040.png

        1 Reply Last reply Reply Quote 2
        • G
          Gertjan @kscrib
          last edited by Jan 29, 2024, 8:00 AM

          @kscrib said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":

          My question is will KEA ever register DHCP leases in the local DNS in future releases, or is that a functionality that will never be available? In other words, is the functionality being worked on in development?

          As we all know, ISC phased out the classic DHCP server. They've been making a whole new DHCP server from the ground up.

          KEA already supports what consider to be API's, callbacks etc.
          So : yes, and it has been said on the forum already : one of the reasons why KEA is used now :
          No choice, "ISC-DHCP" is a dead end. So it's the best choice ;)
          And yes : the whole idea behind all this is that KEA will transmit new host names, coming from new DHCP leases, into the resolver's internal cache.
          The old mechanism, writing host names and IPs to a file, and then restart unbound to make it aware of the new device in the network, will, finally, be abandoned.

          See here : KEA DHCP - lacking features

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 2
          • S
            Slowmotion 0
            last edited by Feb 14, 2024, 10:16 AM

            As of this moment (Feb-2024), besides the static IP mapping approach, is there any other trick we can do to inject the KEA DHCP leases into DNS Resolver?

            Even script based solution is welcomed.

            I got a bunch of PC / Mac at home, and it is pretty painful to set every single computer into static IP mapping (not to mention many of them got Ethernet AND Wifi MAC address to resolve).

            I am switching back to tried-and-true ISC DHCP for the moment.

            S C 2 Replies Last reply Feb 14, 2024, 1:02 PM Reply Quote 0
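For readers wondering what the "write host names and IPs to a file" approach described above involves, here is an added example (not code from any poster, pfSense or Netgate). It turns a Kea memfile lease CSV into Unbound `local-data` lines and treats the client-supplied hostname as untrusted input. The function name, the `home.arpa` domain and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import time

import re

# One RFC 1123 host label: letters, digits, hyphen; no leading/trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample in the Kea memfile (CSV) lease layout. The file is an
# append-only journal: a later row for the same address supersedes earlier ones.
SAMPLE_LEASES = """\
address,hwaddr,client_id,valid_lifetime,expire,subnet_id,fqdn_fwd,fqdn_rev,hostname,state,user_context,pool_id
192.168.1.50,aa:bb:cc:00:00:01,,7200,2000000000,1,0,0,macbook,0,,0
192.168.1.51,aa:bb:cc:00:00:02,,7200,2000003600,1,0,0,macbook,0,,0
192.168.1.60,aa:bb:cc:00:00:03,,7200,1000000000,1,0,0,oldphone,0,,0
192.168.1.61,aa:bb:cc:00:00:04,,7200,2000000000,1,0,0,lab"pc,0,,0
192.168.1.62,aa:bb:cc:00:00:05,,7200,2000000000,1,0,0,printer.home.arpa.,0,,0
192.168.1.63,aa:bb:cc:00:00:06,,7200,2000000000,1,0,0,tablet,1,,0
192.168.1.64,aa:bb:cc:00:00:07,,7200,2000000000,1,0,0,nas,0,,0
192.168.1.64,aa:bb:cc:00:00:07,,0,2000000000,1,0,0,nas,0,,0
"""


def leases_to_local_data(lease_csv, domain, now):
    """Return Unbound local-data / local-data-ptr lines for active leases."""
    latest = {}  # address -> most recent journal row
    for row in csv.DictReader(io.StringIO(lease_csv), quoting=csv.QUOTE_NONE):
        latest[row["address"]] = row

    by_name = {}  # label -> (expire, address)
    for addr, row in latest.items():
        expire = int(row["expire"])
        # Skip declined/reclaimed leases (state != 0), deleted ones
        # (valid_lifetime 0) and anything already expired.
        if row["state"] != "0" or int(row["valid_lifetime"]) == 0 or expire <= now:
            continue
        # The hostname comes from the client: keep only the first label and
        # reject anything that is not a plain DNS label (quotes, spaces, ...).
        label = row["hostname"].rstrip(".").split(".")[0].lower()
        if not LABEL.fullmatch(label):
            continue
        # Same name on two leases (e.g. Ethernet and Wi-Fi): newest expiry wins.
        if label not in by_name or expire > by_name[label][0]:
            by_name[label] = (expire, addr)

    lines = []
    for label, (_, addr) in sorted(by_name.items()):
        fqdn = f"{label}.{domain}"
        lines.append(f'local-data: "{fqdn}. IN A {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return lines


if __name__ == "__main__":
    print("\n".join(leases_to_local_data(SAMPLE_LEASES, "home.arpa", int(time.time()))))
```

How the generated lines are included in the resolver configuration and reloaded on a given install is outside this sketch.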
            • S
              SteveITS Galactic Empire @Slowmotion 0
              last edited by Feb 14, 2024, 1:02 PM

              @Slowmotion-0 Have not seen any of that in the last 5 months. I would just use ISC until 24.03 or whenever Kea is fully integrated.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              N 1 Reply Last reply Feb 14, 2024, 4:01 PM Reply Quote 2
              • N
                NickyDoes @SteveITS
                last edited by Feb 14, 2024, 4:01 PM

                @SteveITS I'm waiting until KEA is supported more fully. What's prompting you to make the move?
                You can turn off the reminder message, if that's causing distraction.

                S M 2 Replies Last reply Feb 14, 2024, 4:05 PM Reply Quote 2
                • S
                  SteveITS Galactic Empire @NickyDoes
                  last edited by Feb 14, 2024, 4:05 PM

                  @ndemarco You replied to me but I am using ISC. I did use Kea for about 2 weeks because ISC had a bad bug in 23.09, and I didn't wait long enough 🤕 , but the fix was slipstreamed shortly after, and then 23.09.1 was released.

                  A lot of people here and on Reddit are changing just because of the warning message, without researching that it's in alpha/beta/preview/whatever.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                  1 Reply Last reply Reply Quote 1
                  • C
                    c91es_3uf-z50_ej0k9qrli72ggtcdbr
                    last edited by c91es_3uf-z50_ej0k9qrli72ggtcdbr Feb 14, 2024, 7:52 PM Feb 14, 2024, 7:52 PM

                    Same issue here - I searched nearly 2 days for a solution..... and rolled back to ISC

                    1 Reply Last reply Reply Quote 1
                    • C
                      chrcoluk
                      last edited by Feb 23, 2024, 12:57 AM

                      I see there is a warning ISC will be removed in a future release, I looked at the features missing and see I will be affected.

                      Is there a chance ISC gets removed whilst this KEA is incomplete, or will there be a stable build of pfSense that has ISC alongside a fully featured KEA to allow for transition?

                      pfSense CE 2.7.2

                      G 1 Reply Last reply Feb 23, 2024, 8:16 AM Reply Quote 1
                      • G
                        Gertjan @chrcoluk
                        last edited by Gertjan Feb 23, 2024, 8:25 AM Feb 23, 2024, 8:16 AM

                        @chrcoluk said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":

                        Is there a chance ISC gets removed whilst this KEA is incomplete, or will there be a stable build of pfSense that has ISC alongside a fully featured KEA to allow for transition?

                        You have the answer in front of you 😊

                        As a picture says it all :

                        8f1872df-58b1-47a4-9c9a-d85f6c3af664-image.png

                        Way back, pfSense had a DNS solution, like most SOHO routers on planet earth : dnsmasq.
                        A forwarder.
                        You had to set it up, by pointing it to your ISP DNS servers - or any other DNS server known that day.
                        1.1.1.1 8.8.8.8 etc were not a thing in the past, you entered your ISP DNS and done. You were online.

                        edit : and that's where things went pretty bad :
                        These days, "people" still 'have to' enter a DNS when they set up your router/firewall.
                        Because "it has to be done" like that.
                        Well, wrong. It's just a burned in old habit, as we were trained by our ISP to do so.
                        Like using port "25" to drop a mail on the ISP mail server : that was gore, plain wrong, and created later on massive security issues, a big mess.

                        The real thing is : "people" don't know what DNS is, they think they know.

                        Some financial guys @ Google - and others - stepped in, and somewhat 'used'/'abused' this situation and made billions out of this old, burned in habit. And I get it : your DNS requests are worth big money.

                        [ end edit / (actually a rant) ]

                        But then unbound came along : a real resolver. This was answering the question : why accepting a MITM concept as you can do what real men do : get your DNS info from the source. This became even more important as DNS was secured with DNSSEC.

                        The resolver (unbound) became the default DNS solution for pfSense but dnsmasq, the forwarder is still there if needed, as some are obliged to hand over all their DNS requests to some company.

                        So, IMHO, I'm pretty sure we will be able to choose.
                        KEA will be the default, with ISC to fall back, if old quirks and bugs are essential for your setup.

                        Btw : the same thing goes for : pfSense was using "lighttpd" as the GUI web server, as it was light weight and good enough for the task and one day, they switched over to "nginx" (and we did not have the choice ^^).

                        Btw : KEA is written by the guys that build ISC, so, we'll be just fine.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        C 1 Reply Last reply Feb 26, 2024, 6:38 PM Reply Quote 1
                        • C
                          chrcoluk @Gertjan
                          last edited by chrcoluk Feb 26, 2024, 6:40 PM Feb 26, 2024, 6:38 PM

                          @Gertjan My question was about the DHCP server not DNS though. The message doesn't say it will be a fallback, it says it will be removed.

                          pfSense CE 2.7.2

                          johnpozJ 1 Reply Last reply Feb 26, 2024, 6:48 PM Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @chrcoluk
                            last edited by johnpoz Feb 26, 2024, 6:49 PM Feb 26, 2024, 6:48 PM

                            @chrcoluk I would think it highly unlikely that netgate would remove isc dhcp until such time that kea has parity with isc feature set or greater. Why would they do such a thing?

                            Here we are removing isc because well they have stopped developing it, there is nothing wrong with it, it is mature and stable and works.. There are no known security issues with it.. Or at least none that are of any concern, but hey lets rip it out and force users to use kea, that is missing xyz, boy that will make us look great in the eyes of our users ;)

                            As @Gertjan pointed out with the forwarder, when they added unbound it was just a package you could install, then they integrated it and made it default, etc.. But that wasn't overnight, and to be honest that was long time ago, I don't recall if they actually stated if forwarder would be removed at future date or not.. But clearly it's still here ;)

                            But it would be insane to think they are going to remove isc dhcp until kea more than ready to take over with all the features that isc currently supports at a min.. Even if they change over kea to be default out of the box, I bet you they leave isc in there for a few versions at least..

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 3
                            • S
                              Slowmotion 0
                              last edited by Feb 26, 2024, 9:31 PM

                              Yeah, I resumed to ISC DHCP Server, and it is all fine now. Whatever.

                              I think we all know the pitfall now, so anyone who wishes to use local DNS for home devices (instead of just Apple Bonjour) should continue to use ISC DHCP instead. I agree that Netgate won't unplug it anytime soon, but a more meaningful deprecation message is highly desired (I can predict more pfSense fans fall into this email trap as time goes by).

                              Corporate environment probably won't care as they will have their own DNS administration anyway.

                              The answer would be 2-step,

                              1. when KEA DHCP has something like ddns-update-on-renew option in future;
                              2. when Netgate developers have time to integrate the future KEA DHCP with DNS Forwarder;

                              There is nothing we can/need to do for now, and time will cure all bugs... 😃

                              JonathanLeeJ 1 Reply Last reply Feb 28, 2024, 5:29 AM Reply Quote 0
                              • JonathanLeeJ
                                JonathanLee
                                last edited by Feb 28, 2024, 5:28 AM

                                I like KEA I have been testing it on and off. You get a lot of info in the logs with KEA too. I have read somewhere that ISC can have VLAN leaks into other subnets if an advanced attacker goes after this weak point. ISC even has some CVEs on it. KEA is supposed to be a more secure DHCP server. Anyone else get it to run correctly? I had some bad issues with my Layer 2 rules but it seemed to clean up this time around. I am not doing the whole KISS mindset here let's face it.

                                Make sure to upvote

                                1 Reply Last reply Reply Quote 0
                                • JonathanLeeJ
                                  JonathanLee @Slowmotion 0
                                  last edited by Feb 28, 2024, 5:29 AM

                                  @Slowmotion-0 set some static leases for your Bonjour needs. I have one for my MFP device and it is accessible and has no issues with KEA

                                  Make sure to upvote

                                  P 1 Reply Last reply Mar 30, 2024, 7:43 PM Reply Quote 0
                                  • P
                                    pvk1 @JonathanLee
                                    last edited by Mar 30, 2024, 7:43 PM

                                    @JonathanLee
                                    I have 2 issues with KEA DHCP. One as mentioned, it breaks get DNS to work on the local LAN. The second, it broke DHCP as well. It took a while to discover it was not running. Starting it did not help. The issue was you can't have a FQDN mentioned in the NTP setting.

                                    Both these need to be fixed before telling users they should move the DHCP server

                                    QinnQ 1 Reply Last reply Mar 31, 2024, 9:33 AM Reply Quote 1
                                    • QinnQ
                                      Qinn @pvk1
                                      last edited by Mar 31, 2024, 9:33 AM

                                      @pvk1 Do you have Service Watchdog installed and enabled on it?

                                      Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                      Firmware: Latest-stable-pfSense CE (amd64)
                                      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                      P 1 Reply Last reply Mar 31, 2024, 10:57 AM Reply Quote 0
                                      • P
                                        pvk1 @Qinn
                                        last edited by pvk1 Mar 31, 2024, 10:59 AM Mar 31, 2024, 10:57 AM

                                        @Qinn No I don't. I just followed this
                                        f9497667-8536-4a6f-9561-ca8adb9c5f41-image.png
                                        It cost me a couple of hours as my wifi network went down.

                                        JonathanLeeJ 1 Reply Last reply Mar 31, 2024, 3:19 PM Reply Quote 0
                                        • JonathanLeeJ
                                          JonathanLee @pvk1
                                          last edited by Mar 31, 2024, 3:19 PM

                                          @pvk1 have you run pkg update and updated unbound? That might fix the restart issues. My system is fine with kea.

                                          Make sure to upvote

                                          P 1 Reply Last reply Mar 31, 2024, 4:21 PM Reply Quote 0
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.