# Kea 3.1.1 Release Notes, August 27th, 2025

Welcome to Kea 3.1.1, a second monthly release of the 3.1 development series. As with any other development release, use this with caution: development releases are not recommended for production use.

Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, YANG/NETCONF, and Kerberos GSS-TSIG support; and much more.

Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues.

For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/.

For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following bug fixes and features have been implemented since the previous release:

1. **Vulnerability**: We corrected an issue in `kea-dhcp4` that caused the server to abort if a client sent a unicast request with particular options, and Kea failed to find an appropriate subnet for that client. This addresses CVE-2025-40779 [#4048].

2. **Adaptive lease-time**: Kea now implements an adaptive lease-time mechanism that was available in ISC DHCP. If configured, Kea detects situations where pool utilization is high and there are not many addresses left. It then decreases the lease lifetimes to recycle the leases faster and thus delay or even avoid running out of addresses completely [#226].

3. **Vendor sub-options**: The `kea-dhcp4` server now supports configuring vendor option (code 125) with suboptions [#3861].

4. **New command**: `kea-dhcp6` now supports a new `lease6-get-by-hw-address` command that can be used to get IPv6 leases by hardware address [#3826].

5. **Option class tags in host reservations and config backends**: The DHCPv6 daemon now correctly supports option-class tags (i.e. "client-classes") in host and config backends for both MySQL and PostgreSQL. The equivalent DHCPv4 support was added in the previous release [#3770].

6. **Build**: We added support for Botan crypto library v3; the old v2 version that reached EOL is no longer supported [#4057, #3553]. Netconf dependencies (libyang, sysrepo) were updated to 3.x versions [#3931].

7. **Bug fixes**: The code no longer adds the qualifying suffix to fully qualified host names specified in host reservations [#3949]. We fixed a bug where reused expired IPv6 leases wouldn't get a hardware address associated with them [#4058]. We improved the locking mechanism to use fchmod instead of umask [#4037]. We fixed an issue in `kea-dhcp-ddns` which was causing GSS-TSIG key exchanges to time out when NCR traffic was intermittent [#4049]. We removed a redundant call to a subnet selection routine [#4047].

8. **Documentation**: We updated the Kea ARM with a note that the `KEA_DHCP_DATA_DIR` variable also changes the `server-id` file location [#3984].

## Incompatible Changes

None.

## Known Issues

*

## License

This version of Kea is released under the Mozilla Public License, version 2.0. https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/

Pre-built Docker images, as well as Docker files, are available.
For details, see: https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats.

ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users).
Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes the changes since the previous release.

Core:

**2391.** [bug] fdupont
When reusing an expired lease, kea-dhcp6 now correctly saves the client hardware address in the lease. (Gitlab #4058)

**2390.** [func] fdupont
Added the new "adaptive-lease-time-threshold" parameter for the FLQ (Free Lease Queue) allocator which reduces the lifetime of leases when pools of a subnet have an occupancy rate above a configured threshold (new feature from ISC DHCP). (Gitlab #226)

**2389.** [bug] tmark
Corrected an issue in kea-dhcp4 which caused broadcasted client queries to fail to match subnets restricted to classes assigned during early global host lookups. (Gitlab #4047)

**2388.** [bug] tmark
Fixed an issue in kea-dhcp-ddns which was causing GSS-TSIG key exchanges to time out when NCR traffic is intermittent. (Gitlab #4049)

**2387.** [func]* andrei, razvan
Updated kea-netconf to libyang and sysrepo version 3. (Gitlab #3931)

**2386.** [sec] tmark
Corrected an issue in kea-dhcp4 that caused the server to abort if a client sent a unicast request with particular options, and Kea failed to find an appropriate subnet for that client. CVE:2025-40779 (Gitlab #4048)

**2385.** [bug] tmark
Avoid adding the qualifying-suffix to fully qualified host names specified in host reservations. (Gitlab #3949)

**2384.** [bug] tmark
kea-dhcp6 now correctly supports option class-tags (i.e. "client-classes") in host and config back ends for both MySQL and PostgreSQL. (Gitlab #4014)

Premium:

**214.** [bug] tmark
Config back end for DHCPv6 now correctly supports option class-tags (i.e. "client-classes"). (Gitlab #4014)

---

Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.
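
The adaptive lease-time change (item 2 in the notes, changelog entry 2390) can be illustrated with a toy model of pool exhaustion under steady client churn. This is an added example, not Kea code: the tick-based arrival model, the function name `refused_clients`, and the `short_lifetime` value are assumptions; only the trigger (occupancy above a configured threshold shortens the lease) comes from the notes.

```python
"""Toy model of an occupancy-triggered lease lifetime (not Kea code)."""


def refused_clients(pool_size, ticks, lifetime, threshold=None, short_lifetime=None):
    """Count requests refused because the pool was full.

    Model (assumed): one new client requests a lease per tick and never
    releases it, so an address only returns to the pool on expiry.
    threshold=None models a fixed lifetime; otherwise leases granted while
    occupancy is above `threshold` get `short_lifetime` instead.
    """
    expiries = []  # expiry tick of every active lease
    refused = 0
    for now in range(ticks):
        # Reclaim leases whose lifetime has run out.
        expiries = [e for e in expiries if e > now]
        if len(expiries) >= pool_size:
            refused += 1  # pool exhausted, client gets no address
            continue
        occupancy = len(expiries) / pool_size
        if threshold is not None and occupancy > threshold:
            granted = short_lifetime  # recycle addresses faster
        else:
            granted = lifetime
        expiries.append(now + granted)
    return refused


# Constructed scenario: 100 addresses, 1000 ticks, 200-tick leases.
POOL, TICKS, LIFETIME = 100, 1000, 200
FIXED = refused_clients(POOL, TICKS, LIFETIME)
ADAPTIVE = refused_clients(POOL, TICKS, LIFETIME, threshold=0.8, short_lifetime=50)

if __name__ == "__main__":
    print(f"fixed lifetime:    {FIXED} of {TICKS} requests refused")
    print(f"adaptive lifetime: {ADAPTIVE} of {TICKS} requests refused")
```

In this constructed scenario the shorter leases reduce refusals without eliminating them, which is the "delay or even avoid" behaviour the notes describe.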