Moved from ISC-DHCPv4 to KeaDHCPv4 resulted in broken dynamic DHCP DNS records

Started by SpikeyGG, Today at 04:03:02 AM

With the release of OPNsense 26 and announcement of deprecating ISC-DHCP (which I was using) I decided to move to Kea DHCP. I went through the complete migration and everything was working great for a few weeks. Then I needed to do some maintenance in my wiring closet so I took the whole network down, performed the maintenance, and brought everything back up. All of it seemed to be working but then I realized that all my DNS records for dynamic DHCP addresses were pointing at the wrong host!

I'm using Kea DHCP with Unbound DNS. Previously, with ISC-DHCP, taking the network down and bringing it back online would not cause any issues with static or dynamic DHCP hosts. I was hoping that eventually the bad records would "work themselves out", but it has been over a month and they're still wrong. I can see the correct dynamic leases in Kea's "Leases DHCPv4" list, but nslookups for the name always give a different IP. In fact, I even turned on the Kea DDNS Agent at port 53001 and when querying that service, it too has the wrong IP!

I tried a couple of times already to flush the Unbound cache and force it to rebuild but somehow it always finds/restores (or never removes) the bad records. I also have mDNS deployed and it seems to always be working great -- I'm not sure why but I also don't know how to use nslookup to query it (if that is even possible).

Here's an example: the device "media-equipment" is actually at 172.27.80.29 (see Lease screenshot); however, the .mynet address shows 172.27.80.19:
Microsoft Windows [Version 10.0.19045.7184]
(c) Microsoft Corporation. All rights reserved.

C:\Users\SpikeyGG>ping media-equipment.mynet

Pinging media-equipment.mynet [172.27.80.19] with 32 bytes of data:
Reply from 172.27.80.19: bytes=32 time=2ms TTL=254
Reply from 172.27.80.19: bytes=32 time=1ms TTL=254

Ping statistics for 172.27.80.19:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms
Control-C
^C
C:\Users\SpikeyGG>ping media-equipment.local

Pinging media-equipment.local [172.27.80.29] with 32 bytes of data:
Reply from 172.27.80.29: bytes=32 time=2ms TTL=254
Reply from 172.27.80.29: bytes=32 time=2ms TTL=254

Ping statistics for 172.27.80.29:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C
C:\Users\SpikeyGG>

Here is an nslookup issued to both port 53 (Unbound DNS) and port 53001 (Kea DDNS Agent) showing that they both report the wrong address:
C:\Users\SpikeyGG>nslookup -port=53001 media-equipment.mynet 172.27.20.1
Server:  UnKnown
Address:  172.27.20.1

Name:    media-equipment.mynet
Address:  172.27.80.19


C:\Users\SpikeyGG>nslookup -port=53 media-equipment.mynet 172.27.20.1
Server:  UnKnown
Address:  172.27.20.1

Name:    media-equipment.mynet
Address:  172.27.80.19


C:\Users\SpikeyGG>

I had tried manually setting the Kea DHCP options for:
  • ddns-send-updates
  • ddns-override-no-update
  • ddns-override-client-update
before those options were included in the OPNsense Kea DHCPv4 subnet options, but they didn't seem to help. Now that they're included, I have all three checked on my 172.27.80.0/26 subnet, but all the records continue to be broken.

Anyone have suggestions on how to get my Unbound DNS (or even the Kea DDNS Agent) fixed without resorting to using static IPs for all my dynamic DHCP devices?
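As an added diagnostic, not part of the original post or of OPNsense/Kea: a small Python script that parses a Kea memfile lease dump, resolves each leased hostname under the local domain, and lists the hosts whose DNS answer disagrees with the lease, which is exactly the mismatch shown above. The lease CSV column layout is assumed from Kea's memfile backend, and the sample lease rows and DNS answers are constructed to mirror the post (lease says .29, DNS still answers .19).

```python
import csv
import io
import socket
from typing import Callable, Dict, List, Optional

# Kea memfile lease CSV header (kea-leases4.csv). Assumed from Kea's memfile
# backend; not taken from the forum post.
LEASE_FIELDS = ["address", "hwaddr", "client_id", "valid_lifetime", "expire",
                "subnet_id", "fqdn_fwd", "fqdn_rev", "hostname", "state",
                "user_context", "pool_id"]

def parse_leases(csv_text: str) -> Dict[str, str]:
    """Return {hostname: address} for active (state 0) leases with a hostname.
    Later rows win, matching how Kea's memfile appends lease updates."""
    leases: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("state", "0") != "0" or not row.get("hostname"):
            continue
        leases[row["hostname"].rstrip(".").lower()] = row["address"]
    return leases

def find_stale_records(leases: Dict[str, str], domain: str,
                       resolve: Callable[[str], Optional[str]]) -> List[dict]:
    """Compare each lease's FQDN with the DNS answer; report every mismatch
    (including names DNS cannot resolve at all, reported as dns=None)."""
    stale = []
    for host, lease_ip in sorted(leases.items()):
        fqdn = f"{host}.{domain}"
        dns_ip = resolve(fqdn)
        if dns_ip != lease_ip:
            stale.append({"fqdn": fqdn, "lease": lease_ip, "dns": dns_ip})
    return stale

def system_resolve(fqdn: str) -> Optional[str]:
    """Ask the host's configured resolver (Unbound on OPNsense in this setup)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None

# Constructed sample data: a lease file fragment plus a DNS view that still
# carries the pre-maintenance address for media-equipment.
SAMPLE_LEASES = "\n".join([",".join(LEASE_FIELDS),
    "172.27.80.29,aa:bb:cc:dd:ee:01,,86400,1700000000,2,1,1,media-equipment,0,,0",
    "172.27.80.30,aa:bb:cc:dd:ee:02,,86400,1700000000,2,1,1,printer,0,,0",
    "172.27.80.19,aa:bb:cc:dd:ee:03,,86400,1600000000,2,1,1,old-box,1,,0"])
SAMPLE_DNS = {"media-equipment.mynet": "172.27.80.19", "printer.mynet": "172.27.80.30"}

if __name__ == "__main__":
    for r in find_stale_records(parse_leases(SAMPLE_LEASES), "mynet", SAMPLE_DNS.get):
        print(f"{r['fqdn']}: lease={r['lease']} dns={r['dns']}")
```

Swap `SAMPLE_DNS.get` for `system_resolve` and feed it the real lease file to check a live Unbound against Kea's lease table.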