24.1 - DHCP server moves to KEA - implications?

Started by chemlud, January 19, 2024, 01:40:26 PM

KEA is a good product. I actually like it quite a bit better than the old DHCP. Both itself and the actual implementation in opnsense.

Is anyone able to ping hostnames instead of IP addresses when KEA is utilized? The only host which is able to resolve is the firewall itself.
Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

About pinging hostnames: that was once a problem in Zenarmor, perhaps you are using a similar app.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

Yeah, no bueno-- I tried to stop Zenarmor, it did not work.

I believe it is not a feature which is fully integrated yet with KEA:
https://github.com/opnsense/core/issues/7475

I believe NSD would have to be the authoritative DNS nameserver and KEA should send updates to the NSD server, which will update the relevant zone. And then one would have to restart Unbound after each update.

http://troubleshooters.com/linux/unbound_nsd/nsd.htm

The mentioned missing feature parity is a practical problem so far - I cannot really try KEA because I make use of all of these features:

1. Network booting with different file names depending on architecture (for netboot.xyz)
2. Web Proxy Auto Detection
3. Custom Options:
      - Option 43 (Unifi Controller)
      - Option 7 (Log Server)
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
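Added example, not from the thread and not the OPNsense project's own code: a Kea DHCPv4 configuration fragment, in Kea's native JSON format rather than the OPNsense UI, showing how the three features listed in the post above (architecture-dependent boot file names, WPAD, and custom options 43 and 7) are expressed, together with the 'next-server' setting discussed later in the thread. The interface name, all addresses, the UniFi controller address and the WPAD URL are constructed placeholders. Kea's parser accepts `//` comments, so the comments below are valid in a real config file; the option 43 encoding assumes the UniFi controller expects sub-option 1 carrying an IPv4 address.

```json
{
  "Dhcp4": {
    // Constructed placeholder; use the LAN interface Kea should listen on.
    "interfaces-config": { "interfaces": ["vtnet1"] },

    // Option definitions for codes Kea has no built-in name for.
    "option-def": [
      // WPAD (option 252) is a plain string carrying the proxy auto-config URL.
      { "name": "wpad-url", "code": 252, "type": "string" },
      // Sub-option 1 inside option 43 (vendor-encapsulated-options-space):
      // assumed to be the UniFi "controller address" sub-option.
      { "name": "unifi-address", "code": 1,
        "space": "vendor-encapsulated-options-space", "type": "ipv4-address" }
    ],

    // Client classes keyed on option 93 (client system architecture, RFC 4578).
    // Kea's expression language lets the boot file name depend on the class.
    "client-classes": [
      { "name": "pxe-bios",
        "test": "option[93].hex == 0x0000",
        "boot-file-name": "netboot.xyz.kpxe" },
      { "name": "pxe-uefi-x64",
        "test": "option[93].hex == 0x0007",
        "boot-file-name": "netboot.xyz.efi" }
    ],

    // Global option data, inherited by every subnet below.
    "option-data": [
      // Option 7: log servers (constructed address).
      { "name": "log-servers", "data": "192.0.2.20" },
      // Option 252: WPAD URL (constructed).
      { "name": "wpad-url", "data": "http://wpad.example.test/wpad.dat" },
      // Sending the empty container makes Kea emit option 43 with its sub-options.
      { "name": "vendor-encapsulated-options" },
      { "name": "unifi-address",
        "space": "vendor-encapsulated-options-space", "data": "192.0.2.10" }
    ],

    "subnet4": [
      {
        "subnet": "192.0.2.0/24",
        "pools": [ { "pool": "192.0.2.100 - 192.0.2.199" } ],
        // 'next-server' is the TFTP host clients boot from; it is not the gateway.
        "next-server": "192.0.2.10",
        "option-data": [
          { "name": "routers", "data": "192.0.2.1" },
          { "name": "domain-name-servers", "data": "192.0.2.1" }
        ]
      }
    ]
  }
}
```

The gateway and DNS servers are ordinary options (3 and 6) set per subnet, which is the distinction the later post about 'next server' runs into: in Kea, 'next-server' fills the DHCP header's siaddr field for network boot and has nothing to do with routing.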

I fully agree with @meyergru and I would define the KEA implementation in OPNsense as v0.5. The hype is far too big or too early.

After I managed to bring the static leases across with https://github.com/EasyG0ing1/Migration, I reverted to ISC. So few settings of KEA are exposed in the UI. E.g. netboot.xyz is unusable with a single filename.

What added to the frustration is that the help texts in the settings are of low quality. Since many settings like DNS and gateway are missing, I was blindly assuming the 'next server' was the gateway. Why not add parts of the explanation from https://kea.readthedocs.io/en/kea-2.2.0/arm/dhcp4-srv.html?

And finally, https://github.com/opnsense/core/issues/7189 was closed incompletely, by just adding 'next server'. Nothing about the remaining options.

> And finally, https://github.com/opnsense/core/issues/7189 was closed incompletely, by just adding 'next server'. Nothing about the remaining options.

Other things aside, your view here is that not enough people put enough effort into it, so you feel the need to voice this and keep working with ISC, which works well for you?

One thing you should probably understand is that ISC pushed Kea and quit working on ISC. To come here and state the fact that we're only doing this now in order to be ready when this becomes really really pressing for security reasons for a lot of users is like laughing at children learning to ride a bike and falling over. They just didn't put in the effort, right?

You also have to note that nobody ripped out ISC and forced Kea on people which makes this "hot take" even less relevant. But that's just my opinion.


Cheers,
Franco

It was this text in the release notes of 24.4 which created the urgency for me.

'dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP'

I thought, wow, that was quick. From 'it will take time to match features' to 'end of life' in such a short period.

EOL announced by the upstream provider of the software. Not going away from OPNsense any time soon.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)