RFC: Kea DHCP Dynamic DNS (DDNS/nsupdate) support

Started by brendanbank, February 12, 2026, 08:49:40 PM

Hi all,

I've been working on adding Dynamic DNS (DDNS) support to the Kea DHCP plugin in OPNsense and would love to get feedback before submitting a pull request.

Why this feature?

I'm in the process of migrating from ISC DHCP to Kea DHCP, but one of the blockers for me (and I suspect others) is the lack of DDNS support — the ability to automatically register forward (A) and reverse (PTR) DNS records when leases are handed out. This was available in ISC DHCP via nsupdate and is something I rely on in my network. With ISC DHCP reaching end-of-life, having feature parity in Kea is important for a smooth migration.

What it does

  • Integrates the Kea DHCP-DDNS daemon (D2) with the existing Kea DHCPv4 plugin
  • TSIG key management (HMAC-SHA256, HMAC-SHA512, etc.) for authenticated DNS updates (RFC 2845)
  • DDNS domain profiles with configurable forward and reverse zones, DNS server addresses, and per-zone TSIG keys
  • Per-subnet DDNS configuration with automatic hostname prefix options:
      Network name — uses the OPNsense interface description (e.g. mylan.dyn.example.com)
      Interface name — uses the physical interface name (e.g. vlan0.021.dyn.example.com)
      Custom prefix — free-form input
      No prefix — hostnames placed directly under the zone
  • Reverse zone auto-computation from subnet CIDR, with manual override for non-standard delegations (e.g. 10.in-addr.arpa instead of per-/24 zones)
  • DHCID conflict resolution (RFC 4703) enabled by default

Future plans

IPv6 (DHCPv6) DDNS support with AAAA and ip6.arpa PTR records is planned as a follow-up.

Code and documentation
A note on the implementation: I'm proficient in Python but not so much in PHP, so I've used Claude Code to help write the PHP code. The implementation follows the existing OPNsense MVC patterns and has been tested on a production firewall with BIND9 as the DNS server, with both forward and reverse updates working correctly across multiple subnets with TSIG authentication. That said, an extra pair of eyes on the PHP would be very welcome.

I'd appreciate any feedback on the approach, the UI/UX, or the code itself before I open a PR against the main repos.

Thanks,
Brendan
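As an added example (not code from the plugin or from the post's author), this Python sketch works through the zone-naming logic the feature list describes: the reverse zone derived from a subnet CIDR with a manual override, the hostname prefix modes, and the resulting Kea D2 (DhcpDdns) structure with a TSIG key. The subnet values, key name and secret are constructed placeholders, and the handling of prefixes that are not on an octet boundary is an assumption.

```python
import ipaddress
import json

# Constructed sample values only; the secret is a placeholder, not a usable key.
SAMPLE_SECRET = "PLACEHOLDER-BASE64-SECRET=="

def reverse_zone(cidr, override=""):
    """Reverse (PTR) zone for a subnet, with the trailing dot Kea expects.
    A manual override such as "10.in-addr.arpa" wins; otherwise the zone is built
    from the whole octets the prefix fixes (assumption: a /25 lands in its /24)."""
    if override:
        return override.rstrip(".") + "."
    net = ipaddress.ip_network(cidr, strict=False)
    kept = net.prefixlen // 8          # whole octets fixed by the prefix
    if kept == 0:
        raise ValueError("prefix shorter than /8 has no single in-addr.arpa zone")
    octets = net.network_address.exploded.split(".")[:kept]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def forward_zone(zone, mode, label=""):
    """Per-subnet forward zone for one of the four prefix modes."""
    base = zone.rstrip(".")
    if mode == "none":
        return base + "."
    if mode not in ("network", "interface", "custom") or not label:
        raise ValueError("mode must be network/interface/custom with a label, or none")
    return f"{label}.{base}."

def d2_config(subnets, key_name, algorithm, secret, dns_server):
    """Assemble a Kea D2 'DhcpDdns' structure; zones are de-duplicated by
    name because Kea rejects repeated ddns-domains entries."""
    server = [{"ip-address": dns_server, "port": 53}]
    fwd, rev = {}, {}
    for s in subnets:
        f = forward_zone(s["zone"], s["mode"], s.get("label", ""))
        r = reverse_zone(s["cidr"], s.get("reverse_override", ""))
        fwd[f] = {"name": f, "key-name": key_name, "dns-servers": server}
        rev[r] = {"name": r, "key-name": key_name, "dns-servers": server}
    return {"DhcpDdns": {
        "ip-address": "127.0.0.1", "port": 53001,   # D2 listens locally for kea-dhcp4
        "tsig-keys": [{"name": key_name, "algorithm": algorithm, "secret": secret}],
        "forward-ddns": {"ddns-domains": list(fwd.values())},
        "reverse-ddns": {"ddns-domains": list(rev.values())}}}

if __name__ == "__main__":
    subnets = [{"cidr": "10.1.2.0/24", "zone": "dyn.example.com", "mode": "network", "label": "mylan"},
               {"cidr": "10.1.3.0/24", "zone": "dyn.example.com", "mode": "none",
                "reverse_override": "10.in-addr.arpa"}]
    print(json.dumps(d2_config(subnets, "ddns-key", "HMAC-SHA256", SAMPLE_SECRET, "192.0.2.53"), indent=2))
```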

Just for reference there is already a competing PR open for that feature:

https://github.com/opnsense/core/pull/9401

You can read the general feedback in there and compare it to your approach.
Hardware:
DEC740