Kea DHCP Feature Roadmap

mwierowski

I understand that not all features of ISC DHCP have been implemented into the Kea DHCP GUI interface. Do the developers have a roadmap for when additional features will be released? I have reviewed the 24.03 release notes and do not see much in terms of new features being added to Kea DHCP.

Specifically, I need the option to add additional DHCP options beyond what the Kea DHCP GUI allows me to add. In our environments, we use option 43 to advertise a UniFi controller for all our wireless APs.

We are still using ISC DHCP for the time being, but we need to make sure that the ability to add option 43 is available in Kea DHCP before ISC DHCP is completely removed from pfSense.

Gertjan

@mwierowski said in Kea DHCP Feature Roadmap:

before ISC DHCP is completely removed from pfSense.

Why would Netgate remove it ? It will be kept, for those who want to use it, a bit like when unbound, the resolver replaced dnsmasq, the forwarder. The GUI front end will, evolve so more options can be used.
I guess a real security has to be found in ISC DHCP for Netgate to remove ISC DHCP.

All IMHO of course.

SteveITS

@Gertjan “ISC DHCP has reached end-of-life and will be removed in a future version of Netgate pfSense ”

mwierowski

@Gertjan said in Kea DHCP Feature Roadmap:

Why would Netgate remove it ?

According to the following article: Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

Netgate will transition to Kea DHCP as the default DHCP server in pfSense Plus software once integration is complete, and the deprecated ISC DHCP server will eventually be removed.

What I haven't seen is a planned roadmap or timeline as to when features supported in ISC and Kea DHCP will be made available in the GUI for Kea DHCP. They just stated that when integration is complete. I would like some further detail on this. Does that mean when all features that are currently supported in the ISC DHCP GUI are implemented in the Kea DHCP GUI?

According to ISC, most DHCP options are supported for both ISC and Kea: Standard DHCP Options Defined in ISC DHCP and Kea. I am just interested what the timeline and gameplan is from Netgate to support these options in the GUI for Kea?

imark77

Well I would be partial to ask for a DHCP message dialogue Field but I don't know if that's something Apple non-standard.

Either way one of the many updates I did when I finally got my 3100 back online in a more brutal attempt to switch to the device I bought three years ago... I was greeted upon finishing with a major flashing banner. And the way things are going these days if you don't update your quote "horribly insecure" and they start finding every which way to make the device fully stop functioning until you have to physically buy a new one cough Apple cough Apple. Just upgraded my mom's computer and was working on her old one, bitwarden had an update which then ceased to function because it was no longer compatible but I needed passwords.... And Mac OS X can't be upgraded headache hair pulling but I digress.

Yes this needs a roadmap.
i enable the new DHCP server and a few months later I don't know whether this is related or not I have some devices that are getting IP on the network fine and other devices that are only getting IPV6 and non-routable to the Internet. I first thought it was just windows 11 as my windows 10 system was working and my Mac was working only till later find out my mom's new Mac doesn't but her old one does. What's the common denominator I'm thinking DHCP server?
This upgrade path needs a bit more transparency as whether we should be "looking for bugs" or "expecting bugs" it's a subtle difference.

cmcdonald

Narrowing the gap between dhcpd and kea is on the list for 24.07. In fact, this week I've started writing a plugin for Kea that allows it to talk directly to Unbound over the unbound control socket to insert, update, and remove host entries. It will be fast, require no additional processes to be running and won't require Unbound to be restarted each time an update occurs.

This is coming.

keyser

@cmcdonald said in Kea DHCP Feature Roadmap:

Narrowing the gap between dhcpd and kea is on the list for 24.07. In fact, this week I've started writing a plugin for Kea that allows it to talk directly to Unbound over the unbound control socket to insert, update, and remove host entries. It will be fast, require no additional processes to be running and won't require Unbound to be restarted each time an update occurs.

This is coming.

This is EXCELLENT news! A feature that has been wanted for years and years. Really good news

johnpoz

@cmcdonald that is sweet, and long time in the coming - thanks for the heads up!

hughbiquitous

@cmcdonald I would love to hear that ISC won't go away until something like this ships.

As it stands today (2.7.2-RELEASE), switching to KEA currently represents a significant regression because non-static DHCP clients cannot be resolved through DNS.

If I'm mistaken on that point, being corrected would be welcome good news.

mwierowski

@hughbiquitous said in Kea DHCP Feature Roadmap:

@cmcdonald I would love to hear that ISC won't go away until something like this ships.

As it stands today (2.7.2-RELEASE), switching to KEA currently represents a significant regression because non-static DHCP clients cannot be resolved through DNS.

If I'm mistaken on that point, being corrected would be welcome good news.

This is correct as documented by Netgate here: Netgate Adds Kea DHCP to pfSense Plus Software Version 23.09

Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features:

• Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients
• Remote DNS server registration
• DHCPv6 Prefix Delegation
• High Availability Failover
• Lease statistics/graphs
• Custom DHCP options

Antibiotic

@keyser What kind of benefits from this?

johnpoz

@Antibiotic said in Kea DHCP Feature Roadmap:

What kind of benefits from this?

Of what KEA over ISC - well for starters, they have pretty much stated that they will no longer be developing on the isc dhcpd.. So kind of have to move. Do you have to move today, or even tmrw or shoot next year? No prob not - but at some point yeah going to have to move away from a product that is no longer developed or supported.

Do you still run windows 95?

Currently this is no point to switching to be honest, unless you want to be an early adopter with lots of features not yet implemented in pfsense.. I would wait... I turned it on to see - yup hands out IPs.. Ok back to isc for now, because it does not have same features as of yet that isc does.

But if all you do is hand out IPs, you could prob switch now.

Antibiotic

@johnpoz I mean what benefits from this for home users?
Narrowing the gap between dhcpd and kea is on the list for 24.07. In fact, this week I've started writing a plugin for Kea that allows it to talk directly to Unbound over the unbound control socket to insert, update, and remove host entries. It will be fast, require no additional processes to be running and won't require Unbound to be restarted each time an update occurs.

This is coming.

Antibiotic

@johnpoz said in Kea DHCP Feature Roadmap:

Currently this is no point to switching to be honest

I'm already here)))

johnpoz

@Antibiotic I have no idea what your asking to be honest? Doesn't matter if home user or enterprise user - there are benefits to moving to kea.. But there is little point to do so currently unless your not using any of the features currently not implemented.

If you are just handing out ips with no options and no need for any of the other integrations.. Have at it - I wouldn't spend any time writing anything.. Unless your going to submit to pfsense to be included because whatever you work up now, may or may not be viable as the integration into pfsense changes.

Antibiotic

@johnpoz Foggy, but OK))) will wait

imark77

@johnpoz wait what's wrong with windows 95 that's what I'm replying to from! Partially kidding but I do have a windows 98 virtual machine and a few of them.

Yes going to have to update at some point and looks like we're gonna get some new features too.
Although the flashing banner with no information Link really is a freak out like sky falling nuclear disaster global financial reset Global civil war conspiracy freak out.

--
In case anybody's wondering I disabled it, went back and now ALL systems are getting DHCP. So I don't know if I have a weird edge case. But I'm also noticing domain name resolution ( AP1.MyNet ) isn't working either now. But I can't necessarily confirm that with the new hardware as it was working with the old hardware and I can only think? that it was working with the new hardware but can't confirm my memory on that.

aligator638

@mwierowski I agree with you that netgate should tell us what is to be expected. For example I have AD dsn servers and non windows clients, since ISC DHCP was not GSS-TSIG, I had to implement some scripts to manually register these clients in DNS.

Now with kea this is possible as the plugin exists out of the box:
https://kea.readthedocs.io/en/latest/arm/integrations.html#gss-tsig

The use case is simple, you have pfsense giving out addresses, to windows and linux clients and a separate dns server running on your AD , with ISC you are left off to have clients register themselves, which is not ideal.

With Kea and the plugin DHCP will register the IPs in AD DNS, and life will be better ;-)

Now when will this implemented ?

Eric

thermo

@aligator638 GSS-TSIG is part of ISC's premium "enterprise" subscription, and not something Netgate can implement and hand out to everyone.

cmcdonald

Progress update:

Unbound registration can be enabled/disabled for DHCP and DHCPv6 independently (yes this new integration supports v6). Updates occur asynchronously and never restart Unbound. In fact, enabling/disabling registration doesn't even restart Unbound. Instead, we work out what records need to be added/removed, make those changes via unbound-control and then write out a snippet of Unbound configuration that is used to "seed" Unbound with a set of lease records if Unbound is restarted for whatever reason.

We try several options for determining the domain name. In order of precedence:

1. domain-name option set in the response packet? (only applicable to v4)
2. first search domain set in the response packet? (the first option for v6)
3. finally, the system domain as a last resort

The record ttl is one-third the lifetime of the lease. So if the lease has a lifetime of 7200 seconds, the record ttl is 2400 seconds.

So if you have multiple address pools with different options, those leases could potentially have different domains used in the registration.

Note: These final UI details are subject to change

Here is the DHCPv4 global setting:

Per-subnet overrides:

• Use server default tracks the server policy
• Enable unconditionally enables registration, regardless of default policy
• Disable ... does the obvious thing.