Messages - lpe397

#1
I decided to be proactive and prepare for the forced deprecation of ISC DHCP by migrating my subnets over to Kea one at a time. I was pushed into this after a failed upgrade on my daughter's OPNsense firewall broke ISC and subsequently forced Kea into her apartment. Because I run an enterprise-level network at my own home, I started with my Trusted VLAN (VLAN 10) on an igb interface, but the experience was a total failure that wasted hours of my time today. I've officially rolled back to ISC and I have no intention of upgrading OPNsense to 26.1.x until Kea is actually ready for prime time.

The most glaring problem is the total lack of Unbound DNS registration. For anyone running a "non-home" network where FQDNs like plex.weirdtable.org are a matter of best practice, Kea is currently unusable. Since Kea cannot register dynamic leases in Unbound, my local service discovery completely broke. I was left chasing ghost IPs because Unbound was still serving stale records from the other subnets while Kea stayed silent. It is ridiculous to expect us to manage manual static overrides for every single device just to get basic internal DNS functionality back. Sure, mDNS works fine at Layer 2, but some of us geeks run actual enterprise infrastructure in-house.

Beyond the internal DNS mess, OPNsense needs to implement a way for Kea to update external DNS servers—specifically Microsoft DNS or a list of standard RFC 2136-compliant servers—when assigning a lease. Without the ability to send NameChangeRequests to an external DNS provider, Kea remains a silo that breaks any professional-tier network architecture. ISC handled this with ease for decades; losing this feature isn't just a "minor gap," it's a complete regression for anyone managing a domain.

The broadcast contention issues are just as bad. Trying to run a "split-brain" environment where Kea handled one VLAN while ISC handled the others caused massive broadcast contention. Even though the gateway was reachable via unicast, Kea's raw socket implementation on the virtual sub-interface seemed to fight with the legacy ISC BPF device. My Plex host and wireless clients on a Unifi WAP simply stopped receiving DHCPOFFER packets entirely. As soon as I disabled Kea and unified everything back under ISC, the broadcasts were instantly picked up and the network stabilized.

It's incredibly frustrating since we've all known ISC was going away for well over a year now. It seems like forking the project or focusing on feature parity before forcing a transition would have been a better solution than rebuilding a DHCP system from scratch. Until Kea achieves 1:1 feature parity with ISC—specifically regarding Unbound sync, RFC 2136 DDNS support, and broadcast reliability—I'll be sticking with the legacy service even if it means staying on an older release of OPNsense.
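For readers who want to see what the RFC 2136 path the post is asking for looks like in Kea itself (outside the OPNsense UI), here is an added example of a kea-dhcp-ddns configuration that turns NameChangeRequests from kea-dhcp4 into TSIG-signed dynamic updates. It is not the poster's or the OPNsense project's configuration: the 192.0.2.53 server, the 192.0.2.0/24 reverse zone, the key name and the secret are constructed placeholders, and the domain is taken from the post; Kea's parser accepts the `//` comments.

```json
{
  // kea-dhcp-ddns.conf (constructed example, not from the post or OPNsense).
  // The DHCPv4 side must also have, in kea-dhcp4.conf:
  //   "dhcp-ddns": { "enable-updates": true,
  //                  "server-ip": "127.0.0.1", "server-port": 53001 },
  //   "ddns-send-updates": true,
  //   "ddns-qualifying-suffix": "weirdtable.org.",
  //   "ddns-replace-client-name": "when-not-present"
  "DhcpDdns": {
    // Listen for NameChangeRequests only on loopback so nothing on the
    // VLAN can inject forged add/remove requests into the D2 queue.
    "ip-address": "127.0.0.1",
    "port": 53001,
    "ncr-protocol": "UDP",
    "ncr-format": "JSON",
    "dns-server-timeout": 500,

    // One TSIG key shared with the authoritative server; the zone on that
    // server should accept updates only when signed with this key.
    "tsig-keys": [
      {
        "name": "kea-ddns-key",                    // placeholder name
        "algorithm": "HMAC-SHA256",
        "secret": "REPLACE_WITH_BASE64_SECRET"       // placeholder secret
      }
    ],

    // Forward zone: A records for leases under the qualifying suffix.
    "forward-ddns": {
      "ddns-domains": [
        {
          "name": "weirdtable.org.",
          "key-name": "kea-ddns-key",
          "dns-servers": [ { "ip-address": "192.0.2.53", "port": 53 } ]
        }
      ]
    },

    // Reverse zone for the lease pool (192.0.2.0/24 is a constructed
    // placeholder, not the poster's VLAN 10 subnet).
    "reverse-ddns": {
      "ddns-domains": [
        {
          "name": "2.0.192.in-addr.arpa.",
          "key-name": "kea-ddns-key",
          "dns-servers": [ { "ip-address": "192.0.2.53", "port": 53 } ]
        }
      ]
    }
  }
}
```

With this in place, lease expiry and release generate matching removal updates, which is what prevents the stale-record problem the post describes.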
#2
This is still an issue with the latest build. I'm just seeing this, so I'll do some investigating; however, I can say that this is cross-platform, as Firefox (140.6.0esr) for Linux (Debian 12) has the same issues. I run a pretty "busy" dashboard for five different OPNsense firewalls all running the latest open source version (OPNsense 25.7.10-amd64 : FreeBSD 14.3-RELEASE-p7 : OpenSSL 3.0.18) with only one of them crashing. That instance has only one dashboard widget different from the others, and that is the Certificates widget. Absolutely not sure if any of this will help, but if someone has something to try I can easily be a lab rat.