# Kea 3.1.6 Release Notes, February 25, 2026

Welcome to Kea 3.1.6, a release of the 3.1 development series. As with
any other development release, use this with caution: development
releases are not recommended for production use.

Kea is a DHCP implementation developed by Internet Systems Consortium
(ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST
API; optional database support (MySQL and PostgreSQL); optional RADIUS,
YANG/NETCONF, and Kerberos GSS-TSIG support; and much more. Kea provides
extensive management capabilities, including but not limited to: TLS
support, Role-Based Access Control, run-time configuration monitoring
and updates via a REST API, host reservations, and client classification.

The text below references issue numbers. For more details, visit the Kea
GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For
details about Docker issues, visit the page at
https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details
about packaging, visit the page at
https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/.

The following bug fixes and features have been implemented since the
previous release:

1. **Experimental RADIUS over TLS**: RADIUS over TLS (radsec) is now
supported. This new feature was added recently and has not been fully
tested yet, so please consider it experimental and use it with care;
feedback is appreciated. There are several new parameters: `protocol`
(accepts `TLS` or `UDP`), and a new `tls` section that includes
`trust-anchor`, `cert-file`, `key-file` and more. For details, see the
new `RADIUS/TLS Configuration` section in the Kea ARM [#4274].

2. **RADIUS security**: Support for the Message-Authenticator attribute
is now available. It can be controlled using new
`use-message-authenticator` parameters to the RADIUS hook library
[#4333]. Several RADIUS RFCs are now listed as supported [#4285]. We
fixed several TSAN warnings in the RADIUS code [#4317].

3. **Interfaces and sockets**: The `config-test` and `config-set` API
commands now properly use a newly detected interface for testing or
applying a new configuration [#3370]. We fixed a problem where the Kea
server was binding on other interfaces when retrying to open sockets on
configured interfaces [#3062, #3134, #3728, #4349]. We clarified that
the DHCPv6 daemon does not bind on global IPv6 addresses by default
[#2212]. We fixed a problem with the DHCPv6 daemon incorrectly stating
the raw sockets being used [#4199].

4. **Classification improvements**: The template classes `template-test`
expressions may now test for membership in `KNOWN`/`UNKNOWN` [#4256].

5. **Other bug fixes**: We fixed a harmless but annoying message about
"Lease Expires On 01-01-1970" information from the `kea-dhcp-ddns` log
messages [#4280]. We fixed an issue in `kea-dhcp6` that caused the
server to not use a reserved host name or recognize a change to the
selected subnet for subnet-level reservations	within a shared-network,
when a lease existed for the reservation but was in either the RELEASED
or EXPIRED-RECLAIMED state [#4262].

6. **Packaging**: The systemd scripts for our RPM and DEB packages were
tweaked slightly; the running service now restarts automatically
(`Restart=on-failure`). Thanks to Nathan Neulinger for reporting the
issue and providing a patch [kea-packaging#60].

7. **Build improvements**: We fixed a problem with the hammer build tool
to install package dependencies on FreeBSD 15 properly [#4332]. We fixed
a compilation warning about unused lambda capture [#4335].

8. **Documentation**: A new third-party hook, KEALint, is now listed on
the wiki list of community hooks [#4337]. We fixed several grammatical
errors in various files. Thanks to lyqfjcs for the patch [#4316]. We
removed an outdated note about GSS-TSIG being subscriber-only, as it has
been open source for a while [#4322]. We fixed an inaccurate reference
to version 2.7.8 in the lease-caching section of the ARM [#4284].

9. **Test improvements**: We fixed integer overflow problems in one
CfgIfaceTest [#4351]. We fixed problems with
HttpsCtrlChannelDhcpv{4,6}Test.controlChannelShutdown tests running on
RHEL8 [#4328].
 
## Incompatible Changes

1. **RADIUS**: With the introduction of RADIUS over TLS, when the TLS
transport protocol is configured, the `servers` and
`idle-timer-interval` parameters are no longer allowed in the `access`
and `accounting` scopes. RADIUS over UDP is still supported but by
default requires a Message-Authenticator attribute in all received
messages. Users are strongly encouraged to consider migration to TLS to
mitigate the Blast RADIUS vulnerability.

## License

This version of Kea is released under the Mozilla Public License,
version 2.0.

https://www.mozilla.org/en-US/MPL/2.0

Some Kea hook libraries are provided under the MPL 2.0; others are
licensed with the [Kea Hooks Basic Commercial End User
License](https://www.isc.org/kea-premium-license/). The source for each
hook library includes the applicable license.

## Download

Pre-built ISC packages for current versions of the most popular Linux
operating systems are available at:

https://cloudsmith.io/~isc/repos/

Pre-built Docker images, as well as Docker files, are available. For
details, see:

https://gitlab.isc.org/isc-projects/kea-docker

The Kea source and PGP signature for this release may be downloaded from:

https://www.isc.org/download

The signature was generated with the ISC code-signing key, which is
available at:

https://www.isc.org/pgpkey

ISC provides detailed documentation, including installation instructions
and usage tutorials, in the Kea Administrator Reference Manual.
Documentation is included with the installation or at
https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB
formats. ISC maintains a public open source code tree, wiki, issue
tracking system, milestone planner, and roadmap at
https://gitlab.isc.org/isc-projects/kea.

Limitations and known issues with this release can be found at
https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list.

We ask users of this software to please let us know how it worked for
you and what operating system you tested on. Feel free to share your
feedback on the Kea Users mailing list
(https://lists.isc.org/mailman/listinfo/kea-users). We would also like
to hear whether the documentation is adequate and accurate. Please open
tickets in the Kea GitLab project for bugs, documentation omissions and
errors, and enhancement requests. We want to hear from you even if
everything worked.

## Support

Professional support for Kea is available from ISC. We encourage all
professional users to consider this option; Kea maintenance is funded
with support subscriptions. For more information on ISC's Kea software
support, see https://www.isc.org/support/.

Free best-effort support is provided by our user community via a mailing
list. Information on all public email lists is available at
https://www.isc.org/community/mailing-list. If you have any comments or
questions about working with Kea, please share them to the Kea Users
list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and
feature requests may be submitted via GitLab at
https://gitlab.isc.org/isc-projects/kea/-/issues.

## Changes

The following summarizes the changes since the previous release.

2446.	[sec]*		fdupont
	Added the 'use-message-authenticator' parameter to the RADIUS
	hook library. When true (the default when the transport
	protocol is not TLS) a Message-Authenticator is added to
	messages sent by Kea, and required in received messages.
	(Gitlab #4333)

2445.	[doc]		fdupont
	Added supported RADIUS standards to the RADIUS hook library
	documentation in the ARM.
	(Gitlab #4285)

2444.	[func]		fdupont
	Implemented RADIUS/TLS in the RADIUS hook library.
	(Gitlab #4274)

2443.	[bug]		tmark
	Fixed an issue in kea-dhcp6 that caused the server to
	not use a reserved host name or recognize a change to
	the selected subnet for subnet-level reservations
	within a shared-network when a lease exists for the
	reservation but is in either the RELEASED or
	EXPIRED-RECLAIMED states.
	(Gitlab #4262)

2442.	[func]		razvan
	Removed "Lease Expires On" information from the kea-dhcp-ddns
	log messages.
	(Gitlab #4280)

2441.	[func]		tmark
	Template classes template-test expressions may
	now test for membership in 'KNOWN'/'UNKNOWN'.
	(Gitlab #4256)

2440.	[build]		razvan
	The library version numbers have been bumped up for the Kea 3.1.6
	development release.
	(Gitlab #4354)

2439.	[bug]		razvan
	Fixed a bug which was causing kea-dhcp servers to bind on other
	interfaces while retrying to open sockets on configured
	interfaces.
	(Gitlab #3062, #3134)

2438.	[bug]		razvan
	The "config-test" and "config-set" commands can now properly use
	newly detected interfaces for testing or applying a new
	configuration.
	(Gitlab #3370)

2437.	[bug]		razvan
	Removed a log that incorrectly stated that the v6 socket was
	using raw format.
	(Gitlab #4199)

---

Thank you again to everyone who assisted us in making this release
possible.

We look forward to receiving your feedback.