Kea DHCP: Modern, open source DHCPv4 and DHCPv6 server
97 points
11 hours ago
| 16 comments
| isc.org
| HN
guerby
3 hours ago
[-]
Looking at the CVE history, first "LTS" release 3.0.0 was quickly replaced by 3.0.1

https://kb.isc.org/docs/cve-2025-40779

"CVE-2025-40779: Kea crash upon interaction between specific client options and subnet selection"

https://github.com/isc-projects/kea/commit/0afd42b5dfb2e547b...

unprotected null pointer use, kea is in C++

reply
BrandoElFollito
5 hours ago
[-]
I use dnsmasq mostly for its fantastic integration with DNS.

DHCP and DNS go hand in hand in a network, I really struggle to understand why they are not more integrated in otherwise great solutions (such as kea)

reply
harry8
2 hours ago
[-]
Yeah. Nowadays I use pi-hole which is dnsmasq underneath and use it with unbound.

Works great. Minimal fuss, efficient setup, little maintenance, I don't have to understand the guts. Everything on my local network is addressable.

Ad blocking at the router is also something you don't want live without once you've gone there but pi-hole is a great solution even if you don't want that.

reply
BrandoElFollito
1 hour ago
[-]
I use Pihole as well (even tried to synchronize two for HA but I gave up). It is fantastic.

What worries me with dnsmasq is that it is a personal project maintained on a personal git (by a great person!). Sure, one can fork and whatnot but without several people participating it can fade out pretty quickly.

reply
mieses
2 hours ago
[-]
dnsmasq is great. The best part is that you can assign the same IP to multiple interfaces on the same device (to multiple MAC addresses) which drives network purists crazy and is no longer supported by systemd-networkd (because they are puritans). Separated DHCP/DNS can not do this. I will look into kea and whether they can do this.
reply
brianjlogan
10 hours ago
[-]
I ran my own home router and I used Kea and Power DNS using Systemd Containers to provide service for my whole home.

I was really impressed. I think the folks who put it together did a good job of addressing the major warts of my experience with isc-dhcp-server.

I'm sure it's a tremendous challenge writing software that's supposed to live up to modern expectations while still attempting to deliver on all of the legacy dependents and their unique use cases.

Makes me think of that article on how Cloudflare wrote their own Golang DNS Server and like some 900 whopping people use LOC records but they still support it

reply
BLKNSLVR
11 hours ago
[-]
OPNSense deprecated (is deprecating?) the included ISC DHCP server and now has the Kea DHCP server as standard. I migrated to from ISC to Kea in OPNSense and it was relatively painless, and it's been working well since. No complaints here, but my setup is pretty vanilla.

I can't comment on the DNS integration, but I might look a bit deeper because it sounds useful.

reply
toast0
9 hours ago
[-]
ISC shut down the DHCP project in 2022 (and afaik, nobody has taken it up as a fork), so it's less of a OPNSense decision and more of an ISC decision. Nothing is stopping anyone from continuing to user ISC dhcp for a long time, but people are reluctant.
reply
olowe
6 hours ago
[-]
OpenBSD’s dhcpd(8) is apparently basic on the one from the ISC: https://man.openbsd.org/dhcpd

Not sure this counts as a fork or when it was “reworked” by OpenBSD, though.

reply
TheCycoONE
10 hours ago
[-]
It sounded like they were encouraging dnsmasq for home use. I migrated to that successfully. My DHCPv6 is working flawlessly now whereas I was never able to get it running smoothly/persistently on ISC.

I understand Kea has more features so I'm a little curious what I'm missing.

reply
avhception
4 hours ago
[-]
I, too, was under the impression that Kea is now mostly out and they're going the dnsmasq route. There were open issues about some basic features with Kea, too: https://github.com/opnsense/core/issues/7475
reply
guerby
4 hours ago
[-]
LWN discussion of some 2025 CVE on kea: https://lwn.net/Articles/1023093/

Comments are less positive than here on HN.

reply
nullify88
8 hours ago
[-]
I've been running Kea at dayjob in production for the last 5-ish years, setup in a HA manner. It's worked solidly.
reply
sharts
9 hours ago
[-]
I’m wondering if this fixes the issue in pfsense which causes the Unbound DNS server to restart every time a new dhcp lease is created.
reply
jesprenj
3 hours ago
[-]
unfortunate that you can't start it without the ethernet interface in UP state. if you start it while the ethernet cable is disconnected, it will start the daemon but not actually "listen" on the device, even after the cable gets plugged in.

my solution: create a bridge with your ethernet device and add a dummy device and UP the said summy device, thereby UPing the bridge.

reply
nagisa
10 hours ago
[-]
In my homelab I've been using very barebones options (the one built into systemd-networkd as well as the dhcp server built into RouterOS) and never found myself needing a web interface, a database or anything… really. It has been sufficient to add the couple dozen static allocations to the configuration files and forget DHCP exists. Even HA is not something I found myself wanting as nodes will retain their lease well over the period of downtime incurred during botched upgrades.

How fancy does a network needs to be before this starts making sense? Who are the target audience for this project?

reply
NetworkPerson
8 hours ago
[-]
I’ve hit twice over the last year where it was needed. Though in one case, it’s because a server that was physically old enough to vote happened to be handling dhcp and dns. I set the other, only slightly less old, server to be primary on both but left the original functioning just in case with failed.

The main need I had was for a bank. Network functionality is obviously highly important there. Windows updates impacted the dhcp service on one server, which wasn’t an obvious thing till leases started running out the following morning. Multiple DC’s, so set up for HA to avoid issues in the future. It’s almost never needed but great to have when total uptime is key to operations.

reply
kevin061
2 hours ago
[-]
We use Kea at work and make extensive use of its hooks system to customise what leases we give out, and in which of our 8 datacenters. Our infrastructure is hundreds of thousands of machines and Kea's distributed nature makes it a breeze.
reply
denkmoon
9 hours ago
[-]
I assume it's just how pfsense is using Kea, but moving to this has been a bit regretful. Since moving from the legacy one to Kea, my static reservations don't work first time. Clients get given an address from the pool and then some time later (hours) get their static reservation. No clue why, from reading doc it seems like this is intended behaviour and that static reservations are discouraged??

On isc-dhcp, clients got their static reservation straight up.

reply
zenoprax
8 hours ago
[-]
Do you mean "Static Mappings"? I have a couple dozen of those and had no issue during my pfSense upgrade. I also rely heavily on two settings in "Services > DHCP Server":

- [x] Enable DNS Registration (leases will auto-register with the DNS Resolver)

- [x] Enable Early DNS Registration (static mappings will auto-register with the DNS Resolver)

I do not use the "Create a static ARP table entry for this MAC & IP Address pair." option for individual static mappings.

Hopefully this helps you in your troubleshooting.

reply
tw04
9 hours ago
[-]
I’ve got 60+ static reservations across multiple VLANs and don’t see this behavior. I’m not sure where you read it’s expected behavior, but it isn’t.

I’m guessing it’s something in you’re config.

reply
denkmoon
9 hours ago
[-]
on pfsense?
reply
toast0
9 hours ago
[-]
> Clients get given an address from the pool and then some time later (hours) get their static reservation.

I'm still on isc-dhcp (and not pfsense either) but is there a chance you have two DHCP servers running?

reply
Lammy
10 hours ago
[-]
Kea has broken with my config twice now over as many years when upgrading versions. I regret jumping from ISC-DHCPd for my 2023 PF-box reinstall just because they called it “EOL”
reply
zombielinux
9 hours ago
[-]
I've deployed Kea in some interesting applications. I quite like its failover options for redundancy purposes.

Definitely has a learning curve for odd devices that "support" DHCP, but I've been happy with how it works, its outputs, and how it can easily be segmented.

reply
VTimofeenko
7 hours ago
[-]
Can you expand on the applications you deployed kea in?
reply
WarOnPrivacy
11 hours ago
[-]
Once day I will stop procrastinating and migrate my pfsense boxes over to Kea. I hope I like it.

I'll be thrilled if the expected DNS integration works and I don't get the side effects I get now from ISC.

reply
gerdesj
11 hours ago
[-]
I migrated my home router over to Kea and was distinctly unimpressed - it just carried on working 8) I do run a pretty full on pfBlocker-NG. I run quite a few other pfs too (31).

At work I have a CARP cluster of two elderly Dell servers with a lot of NICS. I have a change logged for next week.

reply
PikachuEXE
10 hours ago
[-]
Migrated from ISC to Kea on OPNSense and zero issue so far
reply
iwontberude
10 hours ago
[-]
Moved a large enterprise deployment to kea and it’s been fantastic. Very easy to troubleshoot.
reply