# Kea 3.1.5 Release Notes, January 28, 2026 Welcome to Kea 3.1.5, a release of the 3.1 development series. As with any other development release, use this with caution: development releases are not recommended for production use. Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, YANG/NETCONF, and Kerberos GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification. The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/. The following bug fixes and features have been implemented since the previous release: 1. **Interfaces and sockets**: We've improved the handling of external sockets [#4258]. The interface manager, a part of the code that handles interfaces and sockets, is now able to log certain errors. This might be useful for debugging socket and interface problems [#4248, #4259]. 2. **Configurable lease-file error handling**: The memfile lease backend now supports the ``on-fail`` parameter, although the retry part of it is ignored. When set to either ``stop-retry-exit`` or ``serve-retry-exit``, the server will exit on unrecoverable write errors. If set to ``serve-retry-continue``, the server will continue to run but write errors will continue until corrective action is taken. These changes apply to both `kea-dhcp4` and `kea-dhcp6` [#4220]. 3. **Statistics**: The API commands provided by the Lease Commands hook library now update in-memory statistics [#4176]. We added `pkt4-duplicate` and `pkt6-duplicate` statistics to count incoming packets that are dropped because they are duplicates of packets currently being processed. Previously, such packets were counted as "queue full" [#4187]. High Availability (HA) now increments drop statistics such as `pkt4-not-for-us` and `pkt6-not-for-us` when inbound packets are deemed to be out-of-scope [#4184]. 4. **New API commands**: The Lease Commands hook now supports `lease{4,6}-get-by-state` commands that allow leases to be returned in a specified state [#4230]. 5. **Security**: The control sockets created on disk are now group-writable by default. This allows other processes that belong to the same group, such as Stork, to communicate over the Kea API [#4260]. We implemented a recursion limit in procedures [#4288]. 6. **RADIUS**: We implemented a status-server mechanism for RADIUS, as defined in RFC5997. This mechanism allows periodic checks ("keep alive") on the server. While it is somewhat useful on the current RADIUS over UDP, its biggest advantage will be its use with the upcoming RADIUS over TLS [#4282]. We removed obsolete support for the `realm` parameter [#3103]. Several packet-drop statistics were implemented in the RADIUS hook: `pkt4-processing-failed`, `pkt4-receive-drop`, `pkt6-processing-failed`, and `pkt6-receive-drop` [#4185]. We implemented a generic TCP/TLS client. This code is not used yet, but it will be as soon as the upcoming RADIUS over TLS becomes operational [#4283]. RADIUS now uses the user context of a lease to store RADIUS-specific information [#3251]. 7. **RBAC**: A small tweak was implemented in the Role-Based Access Control subscriber hook: log information about authentication being rejected is now logged on the INFO level, making it easier to spot [#4299]. 8. **Bug fixes**: The `exchange-timeout` parameter of the GSS-TSIG hook library configuration is no longer ignored [#4265]. We fixed a problem with handling incorrect prefix lengths [#4295]. The `lease{4,6}-write` commands now delete a file if writing to it fails [#4249]. We fixed a bug in the Limits hook that incorrectly checked the `retry-on-startup=true` and MySQL/PostgreSQL backends [#4242]. 9. **Build improvements**: We fixed a compilation problem with Boost 1.90 [#4264,#4266]. Hammer, the Kea build tool, now supports Alpine 3.23, Fedora 43, and FreeBSD 15 [#4245]. When compiling from sources, Kea now has optimization enabled by default [#4296]. We fixed a compilation problem on FreeBSD 15 [#4237, #4246]. Support for Meson 1.10 was added [#4263]. 10. **Testing**: Fuzz jobs were tweaked to no longer run automatically in Gitlab CI [#4273]. We fixed a problem with `kea-dhcp{4,6}-tests` failing when the UNIX socket path was too long [#4311]. We fixed a problem with `logger_lock_test` on RHEL8 [#4308]. 11. **Documentation**: We added a section to the Kea ARM that explains how to gather debugging information in case of a Kea crash [#4147]. We documented the received and sent statistics of the Leasequery hook library. We also moved initialization to the server, so the statistics are no longer deleted when the hook library is unloaded [#4186]. ## Incompatible Changes 1. Support for the `realm` parameter in RADIUS was removed; the parameter never worked and no one ever noticed. It is still possible to use the realm concept by specifying an explicit username, e.g. "user@myrealm" [#3103]. ## License This version of Kea is released under the Mozilla Public License, version 2.0. https://www.mozilla.org/en-US/MPL/2.0 Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license. ## Download Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/ Pre-built Docker images, as well as Docker files, are available. For details, see: https://gitlab.isc.org/isc-projects/kea-docker The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats. ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea. Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list. We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked. ## Support Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/. Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues. ## Changes The following summarizes the changes since the previous release. 2433. [sec] fdupont Added to the RADIUS hooks library and security documentation a warning about the Blast-RADIUS vulnerability which affects the RADIUS protocol. (Gitlab #4254) 2432. [build] razvan The library version numbers have been bumped up for the Kea 3.1.5 development release. (Gitlab #4306) 2431. [build] fdupont Set debug to true and optimization to 2 by default in meson project default so the same as the 'debugoptimized' buildtype. (Gitlab #4296) 2430. [func] fdupont The RADIUS hook library no longer accepts the 'realm'` config parameter which was never implemented i.e. it was silently ignored. (Gitlab #3103) 2429. [func] fdupont Create UNIX sockets as group writable so a tool is allowed to connect to them as soon as it is run by a member of the group (vs. requiring to be run by the owner). Note to disallow this the group execute permission can be removed from the socket parent directory. (Gitlab #4260) 2428. [func] fdupont Added to the RADIUS hooks library a new per service "idle-timer-interval" parameter which makes a "Status-Server" message to be periodically sent. The value 0 (default) disables this. (Gitlab #4283) 2427. [doc] fdupont Added a section in the ARM explaining how to generate core dump files. (Gitlab #4147) 2426. [bug] fdupont The "exchange-timeout" parameter of GSS-TSIG hook library configuration is no longer ignored. (Gitlab #4265) 2425. [bug] fdupont Added check for prefix length in ipv6-prefix option data type. (Gitlab #4295) 2424. [bug] tmark API commands provided by the lease-cmds hook library now update in-memory statistics. (Gitlab #4176) 2423. [func] fdupont Documented received and sent statistics of the lease query hook library. Also moved initialization to the server so they are no longer deleted when the hook library is unloaded. (Gitlab #4186) 2422. [func] fdupont Added 'pkt4-duplicate' and 'pkt6-duplicate' statistics to count incoming packets that are dropped because they are duplicates of packets currently being processed. Previously such packets were counted as queue full. (Gitlab #4187) 2421. [func] fdupont HA now increments drop statistics such as 'pkt4-not-for-us' and 'pkt6-not-for-us' when inbound packets are deemed to be out of scope. (Gitlab #4184) 2420. [func] tmark Memfile lease back end now supports the ``on-fail`` parameter though without retry. When set to either ``stop-retry-exit`` or ``serve-retry-exit`` the server will exit on unrecoverable write errors. If set to ``serve-retry-continue`` the server will continue to run but write errors will continue until corrective action is taken. Applies to both kea-dhcp4 and kea-dhcp6. (Gitlab #4220) 2419. [func] fdupont Added 'lease4-get-by-state' and 'lease6-get-by-state' commands to retrieve leases by state and optionally subnet. (Gitlab #4230) --- Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.