KEA DHCP missing "Register DHCP leases in DNS Resolver..."
-
@ndemarco You replied to me but I am using ISC. I did use Kea for about 2 weeks because ISC had a bad bug in 23.09, and I didn't wait long enough , but the fix was slipstreamed shortly after, and then 23.09.1 was released.
A lot of people here and on Reddit are changing just because of the warning message, without researching that it's in alpha/beta/preview/whatever.
-
Same issue here - i searched nearly 2 days for a solution..... ..... and rolled back to ISC
-
I see there is a warning ISC will be removed in a future release, I looked at the features missing and see I will be affected.
Is there a chance ISC gets removed whilst the this KEA is incomplete, or will there be a stable build of pfSense that has ISC alongside a fully featured KEA to allow for transition?
-
@chrcoluk said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
Is there a chance ISC gets removed whilst the this KEA is incomplete, or will there be a stable build of pfSense that has ISC alongside a fully featured KEA to allow for transition?
You have the answer in front of you
As a picture says it all :
Way back, pfSense had a DNS solution, like most SOHO routers on planet earth : dnsmasq.
A forwarder.
You had to set it up, by pointing it to your ISP DNS servers - or any other DNS server known that day.
1.1.1.1 8.8.8.8 etc were not a thing in the past, you entered your ISP DNS and done. You were online.edit : and that's where things went pretty bad :
These days, "people" still 'have to' enter a DNS when they set up your router/firewall.
Because "it has to be done" like that.
Well, wrong. It's just a burned in old habit, as we were trained by our ISP to do so.
Like using port "25" to drop a mail on the ISP mail server : that was gore, plain wrong, and created later on massive security issues, a big mess.The real thing is : "people" don't know what DNS is, they think they know.
Some financial guys @ Google - an d others - stepped in, an somewhat 'used'/'abused' this situation and is made billions out of this old, burned in habit. And I get it : your DNS request are worth big money.
[ end edit / (actually a rant) ]
But then unbound came along : a real resolver. This was answering the question : why accepting a MITM concept as you can do what real mean do : get your DNS info from the source. This became even more important as DNS was secured with DNSSEC.
The resolver (unbound) became the default DNS solution for pfSense but dnsmasq, the forwarder is still there if needed, as some are obliged to hand over all their DNS request to some company.
So, IMHO, I'm pretty will be able to chose.
KEA will be the default, with ISC to fall back, if old quirks and bugs are essential for your setup.Btw : the same thing goes for : pfSense was using "lighttpd" as the GUI web server, as it was light weight and good enough for the task and one day, they switched over to "nginx" (and we did not have the choice ^^).
Btw : KEA is written by the guys that build ISC, so, we'll be just fine.
-
@Gertjan My question was about the DHCP server not DNS though. The message doesnt say it will be a fallback, it says it will be removed.
-
@chrcoluk I would think it highly unlikely that netgate would remove isc dhcp until such time that kea has parity with isc feature set or greater. Why would they do such a thing?
Here we are removing isc because well they have stop developing it, there is nothing wrong with it, it is mature and stable and works.. There are no known security issues with it.. Or at least none that are of any concern, but hey lets rip it out and force users to use kea, that is missing xyz, boy that will make us look great in the eyes of our users ;)
As @Gertjan pointed out with the forwarder, when they added unbound it was just a package you could install, then they integrated it and made it default, etc.. But that wasn't overnight, and to be honest that was long time ago, I don't recall if they actually stated if forwarder would be removed at future date or not.. But clearly its still here ;)
But it would be insane to think they are going to remove isc dhcp until kea more than ready to take over with all the features that isc currently supports at a min.. Even if they change over kea to be default of of the box, I bet you they leave isc in there for a few versions at least..
-
Yeah, I resumed to ISC DHCP Server, and it is all fine now. Whatever.
I think we all know the pitfall now, so anyone who wish to use local DNS for home devices (instead of just Apple Bonjour) should continue to use ISC DHCP instead. I agree that Netgate won't unplug it anytime soon, but a more meaningful depreciation message is highly desired (I can predict more pfSense fans fall into this email trap as time goes by).
Corporate environment probably won't care as they will have their own DNS administration anyway.
The answer would be 2-step,
- when KEA DHCP has something like ddns-update-on-renew option in future;
- when Netgate developers have time to integrate the future KEA DHCP with DNS Forwarder;
There is nothing we can/need to do for now, and time will cure all bugs...
-
I like KEA I have been testing it on and off. You get a lot of info in the logs with KEA too. I have read somewhere that ISC can have VLAN leaks into other subnets if an advanced attacker goes after this weak point. ISC even has some CVEs on it. KEA is suppose to be a more secure DHCP server. Anyone else get it to run correctly? I had some bad issues with my Layer 2 rules but it seemed to clean up this time around. I am not doing the whole KISS mindset here let's face it.
-
@Slowmotion-0 set some static leases for your Bonjour needs. I have one for my MFP device and it is accessible and has no issues with KEA
-
@JonathanLee
I have 2 issues with KEA DHCP. One as mentioned, it breaks get DNS to work on the local LAN. The second, it broke DHCP as well. It took a while to discover it was not running. Starting it did not help The issue was you can't have a FQDN mentioned in the NTP setting.Both these need to be fixed before telling users they should move the DHCP server
-
@pvk1 Do you have Service Watchdog installed and enabled on it?
-
@Qinn No I don't. I just followed this
It cost me a couple of hours as my wifi network went down. -
@pvk1 have you ran pkg update and updated unbound that might fix the restart issues. My system is fine with kea.
-
@JonathanLee
Thx I have ran pkg update, but it did not change it.If you have an fqdn in the DHCP settings and you switch to KEA, it won't start:
After changing it to an IP address it worked. See https://redmine.pfsense.org/issues/14991
But I found that the DNS Resolver does not get the DHCP devices, so it is of no use to me. I will switch over when this is fixed.
It is explained here. That is fine for me, but that banner telling people to move to it would have better be left out
https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#kea-dhcp-server-feature-preview-now-available
-
Mine works that is weird, again I use authentication for my NTP, but that is IP based not a FQDN, what if you just found the IP of the FQDN and used that?
https://forum.netgate.com/topic/162746/authenicated-ntp
-
@pvk1 said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
If you have an fqdn in the DHCP settings and you switch to KEA, it won't start:
0d53a61f-2276-47c2-ae68-cf5215ac0a7c-image.png
After changing it to an IP address it worked. See https://redmine.pfsense.org/issues/14991
But I found that the DNS Resolver does not get the DHCP devices, so it is of no use to me. I will switch over when this is fixed.
In your image, you only show two time servers. You have to use three or more time servers. Or that's how it used to work.
With 2 time servers, the client does not know which is correct. 3 or more allows the client to determine a "bad ticker" from "time keepers."
And keep in mind, that dialog asks for servers and not pools. So be sure to specify individual servers, and not pools.
-
@noloader said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
You have to use three or more time servers. Or that's how it used to work.
that is never how it worked.. It might of defaulted to having 3 different pool addresses in pfsense general setup, not in dhcpd settings. But there is nothing saying you need more than 1. I only have 1, my local time server.
with isc dhcpd it resolves to place the IP into the dhcpd scope.. You can not hand out anything via dhcp other than IP. But the new kea preview does not resolve that fqdn you place in there..
The pool comment is pretty valid, because a pool address will normally return way more than 1 IP.. And dhcp can only hand out 1 IP per entry.. To be honest with a mistake to ever allow putting fqdn in there.. dhcp requires and IP.. Letting users think they could just put in a fqdn was not a good idea.
-
@johnpoz said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
You have to use three or more time servers. Or that's how it used to work.
that is never how it worked...
As far as I know, that is how NTP clients have always worked. See https://support.ntp.org/Support/SelectingOffsiteNTPServers#Upstream_Time_Server_Quantity.
But there's no telling what some internet entrepreneur is doing nowadays.
-
@noloader that has nothing to do with the ntp settings in the dhcpd settings... By default there is nothing in there.. Shoot most clients don't ever use those even if you hand them out.
Don't confuse ntp inner working with a completely different thing dhcpd..
-
@noloader You are taking this too far. I just pasted an FQDN in to give an example. Try it out yourself with a NTP server FQDN. It will allow you to enter it, but KEA won't start. The workaround is to put a IP address in there.