We made a total of 13 Kea DHCP releases in 2023: 10 development releases (2.3.x, 2.5.x), one major stable version (2.4.0), and two maintenance releases (2.2.1 and 2.4.1). Our overall release cycle seems to be working well.
In particular, the team is proud of the Kea 2.4.0 release. Packed with new features (multi-threading on by default, three allocation strategies to choose from, bulk leasequery, multiple vendor options, DoH/DoT/DNS-over-… option, template classes, much faster NETCONF, per-pool stats, and much more), Kea 2.4.0 was our biggest release to date. So far, we have needed only one maintenance release on that branch, 2.4.1 in late November.
Our Kea support customer count continues to grow with very few departures; we now have more than 70 customers who rely on us for Kea support and advance security notifications. We are very happy to have so much interest in Kea! Looking at our support requests, in 2023 we saw a number of questions related to logging and statistics, and a few users pointing out documentation errors or omissions. Our GitLab repo saw user requests for ping-before-offer, Docker images, and ISC DHCP log emulation.
Meanwhile, we continue to develop new features for both open source and paid support users, including bulk leasequery, which is gaining popularity; extensions for it have already been requested. The last Kea release in 2023 included the new ping check hook library. The new in-house RADIUS client implementation was completed in 2023, and now we are making it multi-threaded. We are extending our high-availability feature to support a hub-and-spoke model, which we expect will be very popular.
We finally released Docker files and container images, which have been requested for several years, and we recently added ARM packages. We are aware of a few shortcomings, but they are on track to be ready for the upcoming stable version, Kea 2.6. Adding a new system architecture is not something that happens often, but we were happy to add this in response to user requests.
The DHCP QA team made great progress in 2023: we were able to cut our backlog of missing tests. There’s always more to do, but the tests are coming up faster than the development team is able to create new features. With every passing month, we’re increasing our test coverage. Also, 2023 was the first year when the tests were often ready before a new feature was finished.
Our Stork project is also coming along well. Stork’s release schedule is normally every two months: there were six releases in 2023. The long-term plan for Stork was to do a dashboard first, then turn it into a management tool, and eventually grow it into an IP address manager (IPAM). We’re now past the dashboard phase! Stork is able to monitor Kea and to some degree also BIND, but more importantly, it can now manage the two elements of Kea that change most often: subnets and pools. With Stork 1.14.0, administrators can modify existing subnets and pools, including managing them across multiple servers, and soon Stork will also be able to add new subnets and pools.
In 2023, Stork got two major new components: the infrastructure for hooks and the first hook that takes advantage of it. These optional libraries have contributed to making Kea a successful project, and we very much hope to repeat that success with Stork. The first hook we implemented for Stork allows it to interact with LDAP and use it for access control. This is important for a couple of reasons: first, LDAP was a popular contributed feature of ISC DHCP, and at least one Kea support customer requested it, so there is a demonstrated need; second, by making the authentication extensible, we have shown that it should not be hard to integrate with other access-control environments. Finally, if we ever get a request to do something very specific for a single customer, we will be able to confine the customer-specific code to a hook.
Stork support is not technically available as a commercial offering, but we help our Kea support customers if they have issues with Stork. We have a few open source users contributing Stork issues in GitLab and we very much appreciate the feedback.
Since the ISC DHCP project has reached end-of-life, improving access to the Kea Migration Assistant (keama) was our main focus in 2023. We developed a web interface for the Kea Migration utility and did the first standalone release of the tool for use on customer premises. Users now have multiple ways to use this software: the web interface hosted by ISC, deployment on their own premises using Docker, ISC packages, or compiling it from the sources the classic way. We have let ISC DHCP users know that it is no longer supported, and we encourage them to migrate to Kea. We advertised the migration utility, and a related lease migration script, in a lightning talk at NANOG in 2023. The hosted version of the migration tool has been getting over 100 visits, and 50 to 100 configuration migrations, each week since the summer.
Our team grew by one person, to a total of 10 for the DHCP, Stork, and QA projects. Piotrek Zadroga hit the ground running and is making valuable contributions to both Kea and Stork.
Overall, 2023 was a great year for ISC’s DHCP team and our Kea, Stork, and ISC DHCP users, and we look forward to continuing our work in 2024.