# Kea 3.1.0 Release Notes, July 30th, 2025

Welcome to Kea 3.1.0, a monthly release of the 3.1 development series.
As with any other development release, use this with caution:
development releases are not recommended for production use.

Kea is a DHCP implementation developed by Internet Systems Consortium
(ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST
API; optional database support (MySQL and PostgreSQL); optional RADIUS,
Kerberos, YANG/NETCONF, and GSS-TSIG support; and much more. Kea
provides extensive management capabilities, including but not limited
to: TLS support, Role-Based Access Control, run-time configuration
monitoring and updates via a REST API, host reservations, and client
classification.

The text below references issue numbers. For more details, visit the Kea
GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For
details about Docker issues, visit the page at
https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details
about packaging, visit the page at
https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following bug fixes and features have been implemented since the
previous release:

1. **TLS support for Postgres**: Kea now properly supports PostgreSQL
database connections over TLS. This requires setting up the
`trust-anchor`, `cert-file`, and `ssl-mode` parameters [#3927, #4005].

2. **Relaxed security policy**: Fixes for recent security
vulnerabilities introduced several strict checks, such as restrictions
on file paths or on running the API without sufficient protection, among
others. By default Kea prints an error if one of these restrictions is
violated, and refuses to start. However, in some cases, such as running
Kea in a lab, this might be considered unnecessarily strict. The
recently introduced `-X` option enables a relaxed security policy. If
used, Kea still performs its checks, but they produce warning messages
instead of fatal errors. Please use this option with care [#3848]!

3. **Option class tags in host reservations and config backends**: The
DHCPv4 daemon now correctly supports option-class tags
(i.e."client-classes") in host and config backends for both MySQL and
PostgreSQL. The equivalent DHCPv6 support is expected in future releases
[#3770].

4. **Host reservation identifiers in config backend (CB)**: The
`host-reservation-identifiers` parameter, previously supported only in
the configuration file, is now also supported in the CB [#3944].

5. **Security**: Support for Botan 3 is now available. The older 2.x
version that reached its End-Of-Life is no longer supported [#3553].

## Incompatible Changes

None.

## Known Issues

* On Debian-based distributions, services that are running when package
upgrades are applied are not restarted afterward, causing the old
service version to remain active. This can unexpectedly lead to
downtime, particularly if unattended upgrades are enabled and if the
configuration contains hook libraries. If a configuration reload is
issued under these circumstances, Kea servers fail to reconfigure
themselves due to version mismatches between the running process and the
updated hook libraries. As a result, the service stops functioning until
it is manually restarted.

## License

This version of Kea is released under the Mozilla Public License,
version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are
licensed with the [Kea Hooks Basic Commercial End User
License](https://www.isc.org/kea-premium-license/). The source for each
hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:

https://cloudsmith.io/~isc/repos/

Pre-built Docker images, as well as Docker files, are available. For
details, see:

https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is
available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at
https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB
formats. ISC maintains a public open source code tree, wiki, issue
tracking system, milestone planner, and roadmap at
https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at
https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list
(https://lists.isc.org/mailman/listinfo/kea-users). We would also like
to hear whether the documentation is adequate and accurate. Please open
tickets in the Kea GitLab project for bugs, documentation omissions and
errors, and enhancement requests. We want to hear from you even if
everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea maintenance is funded
with support subscriptions. For more information on ISC's Kea software
support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/community/mailing-list. If you have any comments or
questions about working with Kea, please share them to the Kea Users
list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and
feature requests may be submitted via GitLab at
https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes the changes since the previous release.

Core:

2381.	[build]		razvan
	The library version numbers have been bumped up for the Kea 3.1.0
	development release.
	(Gitlab #4030)

2380.	[build]*	fdupont
	Moved Botan crypto backend support to version 3.
	(Gitlab #3553)

2379.	[bug]		tmark
	kea-dhcp4 now correctly supports option class-tags
	(i.e."client-classes") in host and config backends
	for both MySQL and PosgreSQL.
	(Gitlab #3770)

2378.	[func]		razvan
	Added SSL/TLS support for PostgreSQL database connection in
	the Kea configuration. Available parameters are:
	"trust-anchor", "cert-file", "key-file", and "ssl-mode".
	(Gitlab #3927)

2377.	[sec]*		tmark
	Additional runtime security checks were added
	to kea-dhcp4, kea-dhcp6, kea-dhcp-ddns, and
	kea-ctrl-agent
	(Gitlab #3848)

2376.	[func]		razvan
	Added support for global list parameters (containing only scalar
	elements) in CB. The "host-reservation-identifiers" is now
	supported in CB.
	(Gitlab #3944)

Premium:

213.	[bug]		tmark
	Config backend for DHCPv4 now correctly supports option
	class-tags (i.e."client-classes").
	(Gitlab #3770)

212.	[func]		razvan
	Global list parameters (containing only scalar elements) and
	"host-reservation-identifiers" are now supported in config
	backend.
	(Gitlab #3944)

---

Thank you again to everyone who assisted us in making this release
possible.

We look forward to receiving your feedback.