KEA DHCP missing "Register DHCP leases in DNS Resolver..."
-
@Gertjan My question was about the DHCP server not DNS though. The message doesnt say it will be a fallback, it says it will be removed.
-
@chrcoluk I would think it highly unlikely that netgate would remove isc dhcp until such time that kea has parity with isc feature set or greater. Why would they do such a thing?
Here we are removing isc because well they have stop developing it, there is nothing wrong with it, it is mature and stable and works.. There are no known security issues with it.. Or at least none that are of any concern, but hey lets rip it out and force users to use kea, that is missing xyz, boy that will make us look great in the eyes of our users ;)
As @Gertjan pointed out with the forwarder, when they added unbound it was just a package you could install, then they integrated it and made it default, etc.. But that wasn't overnight, and to be honest that was long time ago, I don't recall if they actually stated if forwarder would be removed at future date or not.. But clearly its still here ;)
But it would be insane to think they are going to remove isc dhcp until kea more than ready to take over with all the features that isc currently supports at a min.. Even if they change over kea to be default of of the box, I bet you they leave isc in there for a few versions at least..
-
Yeah, I resumed to ISC DHCP Server, and it is all fine now. Whatever.
I think we all know the pitfall now, so anyone who wish to use local DNS for home devices (instead of just Apple Bonjour) should continue to use ISC DHCP instead. I agree that Netgate won't unplug it anytime soon, but a more meaningful depreciation message is highly desired (I can predict more pfSense fans fall into this email trap as time goes by).
Corporate environment probably won't care as they will have their own DNS administration anyway.
The answer would be 2-step,
- when KEA DHCP has something like ddns-update-on-renew option in future;
- when Netgate developers have time to integrate the future KEA DHCP with DNS Forwarder;
There is nothing we can/need to do for now, and time will cure all bugs...
-
I like KEA I have been testing it on and off. You get a lot of info in the logs with KEA too. I have read somewhere that ISC can have VLAN leaks into other subnets if an advanced attacker goes after this weak point. ISC even has some CVEs on it. KEA is suppose to be a more secure DHCP server. Anyone else get it to run correctly? I had some bad issues with my Layer 2 rules but it seemed to clean up this time around. I am not doing the whole KISS mindset here let's face it.
-
@Slowmotion-0 set some static leases for your Bonjour needs. I have one for my MFP device and it is accessible and has no issues with KEA
-
@JonathanLee
I have 2 issues with KEA DHCP. One as mentioned, it breaks get DNS to work on the local LAN. The second, it broke DHCP as well. It took a while to discover it was not running. Starting it did not help The issue was you can't have a FQDN mentioned in the NTP setting.Both these need to be fixed before telling users they should move the DHCP server
-
@pvk1 Do you have Service Watchdog installed and enabled on it?
-
@Qinn No I don't. I just followed this
It cost me a couple of hours as my wifi network went down. -
@pvk1 have you ran pkg update and updated unbound that might fix the restart issues. My system is fine with kea.
-
@JonathanLee
Thx I have ran pkg update, but it did not change it.If you have an fqdn in the DHCP settings and you switch to KEA, it won't start:
After changing it to an IP address it worked. See https://redmine.pfsense.org/issues/14991
But I found that the DNS Resolver does not get the DHCP devices, so it is of no use to me. I will switch over when this is fixed.
It is explained here. That is fine for me, but that banner telling people to move to it would have better be left out
https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#kea-dhcp-server-feature-preview-now-available
-
Mine works that is weird, again I use authentication for my NTP, but that is IP based not a FQDN, what if you just found the IP of the FQDN and used that?
https://forum.netgate.com/topic/162746/authenicated-ntp
-
@pvk1 said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
If you have an fqdn in the DHCP settings and you switch to KEA, it won't start:
0d53a61f-2276-47c2-ae68-cf5215ac0a7c-image.png
After changing it to an IP address it worked. See https://redmine.pfsense.org/issues/14991
But I found that the DNS Resolver does not get the DHCP devices, so it is of no use to me. I will switch over when this is fixed.
In your image, you only show two time servers. You have to use three or more time servers. Or that's how it used to work.
With 2 time servers, the client does not know which is correct. 3 or more allows the client to determine a "bad ticker" from "time keepers."
And keep in mind, that dialog asks for servers and not pools. So be sure to specify individual servers, and not pools.
-
@noloader said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
You have to use three or more time servers. Or that's how it used to work.
that is never how it worked.. It might of defaulted to having 3 different pool addresses in pfsense general setup, not in dhcpd settings. But there is nothing saying you need more than 1. I only have 1, my local time server.
with isc dhcpd it resolves to place the IP into the dhcpd scope.. You can not hand out anything via dhcp other than IP. But the new kea preview does not resolve that fqdn you place in there..
The pool comment is pretty valid, because a pool address will normally return way more than 1 IP.. And dhcp can only hand out 1 IP per entry.. To be honest with a mistake to ever allow putting fqdn in there.. dhcp requires and IP.. Letting users think they could just put in a fqdn was not a good idea.
-
@johnpoz said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
You have to use three or more time servers. Or that's how it used to work.that is never how it worked...
As far as I know, that is how NTP clients have always worked. See https://support.ntp.org/Support/SelectingOffsiteNTPServers#Upstream_Time_Server_Quantity.
But there's no telling what some internet entrepreneur is doing nowadays.
-
@noloader that has nothing to do with the ntp settings in the dhcpd settings... By default there is nothing in there.. Shoot most clients don't ever use those even if you hand them out.
Don't confuse ntp inner working with a completely different thing dhcpd..
-
@noloader You are taking this too far. I just pasted an FQDN in to give an example. Try it out yourself with a NTP server FQDN. It will allow you to enter it, but KEA won't start. The workaround is to put a IP address in there.
-
Yep. The KEA documentation - and for that matter, ISC DHCP states :
NTP name server fields in are 'IP' - not a host name.
The DHCP server KEA and ISC DHCP are not going tot resolve that host name. The DHCP RFC says : NTP servers are 'IP', not a host name.
Here you can see what a DHCP server should hand over to a client : rfc2132 => that's IPv4 addresses.
The pfSense GUI help message is :
and is plain wrong. It's just a IP, no a host name, and even less a pool.
I guess ISC DHCP silently ignored it as a NTP host name was given, KEA just bails out with a log-error message.
Going even further :
I've got several Windows based PCs here, a version 7, a 10 and several 11 : none are using the NTP server IP (192.168.1.1) that came with DHCP ...
My iPhone, Pad etc : same thing.
Androids : let me guess ^^I'm not even sure why I've set this NTP field. Maybe it will work some day.
-
@Gertjan said in KEA DHCP missing "Register DHCP leases in DNS Resolver...":
I'm not even sure why I've set this NTP field. Maybe it will work some day.
You’d think after over 20 years we’d just give up on the idea of anyone ever taking it up. ;)
-
@Gertjan That is all correct, but not the point.
The point is that the banner suggests that you should go to System > Advanced > Networking and switch DHCP backend. It should have pointed to a explanation page with the current limitations, because as it is people waste a lot of time.
Also both the ISC and the KEA page let you enter a FDQN without a warning. KEA brakes on a FDQN, ISC does not.
-
I've made a special script that is called via Kea's hooks and live update unbound on each kea's lease update via unbound-control:
https://github.com/nvandamme/kea-lease-unbound-controlAs i'm not an sh guru, feel free to make any pull requests !
Cheers
