--- title: release notes 3.1.9 --- # Kea 3.1.9 Release Notes, May 27, 2026 Welcome to Kea 3.1.9, a release of the 3.1 development series. As with any other development release, use this with caution: development releases are not recommended for production use. Kea is a DHCP implementation developed by Internet Systems Consortium (ISC) that features DHCPv4 and DHCPv6 servers with DNS update and a REST API; optional database support (MySQL and PostgreSQL); optional RADIUS, YANG/NETCONF, and Kerberos GSS-TSIG support; and much more. Kea provides extensive management capabilities, including but not limited to: TLS support, Role-Based Access Control, run-time configuration monitoring and updates via a REST API, host reservations, and client classification. The text below references issue numbers. For more details, visit the Kea GitLab page at https://gitlab.isc.org/isc-projects/kea/-/issues. For details about Docker issues, visit the page at https://gitlab.isc.org/isc-projects/kea-docker/-/issues/. For details about packaging, visit the page at https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/. The following bug fixes and features have been implemented since the previous release: 1. **Shared databases**: The Shared FLQ allocator, a mechanism for sharing the queue of available leases across a common database, is now available. When two or more Kea servers share the same database, earlier versions sometimes tried to allocate the same lease more than once. Kea was able to recover, but the conflict handling made the whole process inefficient. This is now solved with the SFLQ mechanism. It is particularly well suited for situations where there are multiple Kea servers running with high pool utilization. This change requires DB schema update [#4336, #4491, #4492]. Documentation was added [#4489]. New API commands were added for Shared FLQ: `sflq-pool4-del`, `sflq-pool4-get-all`, `sflq-pool4-get-by-range`, `sflq-pool4-get-by-subnet`, `sflq-pool4-rebuild`, `sflq-pool6-del`, `sflq-pool6-get-all`, `sflq-pool6-get-by-range`, `sflq-pool6-get-by-subnet`, and `sflq-pool6-rebuild` [#4466]. 2. **New interface API**: The `interface-add`, `interface-list` and `interface-redetect` API commands were added, which can be used to add interfaces, list currently detected interfaces, and issue a re-detect procedure which updates the interface configuration, respectively. The re-detect procedure only adds newly discovered interfaces and addresses, without removing any previously detected interfaces or addresses [#3144]. 3. **Parsers**: Leading zeros in JSON integer and floating point values are not valid JSON syntax and thus are strongly discouraged. Incorrect number values in Kea config files are still accepted for now, but raise warnings. We also fixed a bug which caused a leading plus sign ("+") not to be always rejected [#4438, #4495]. The parsers are now more strict about invalid socket parameters [#3971]. We fixed a problem with parsing some floating-point values [#4493]. 4. **GSS-TSIG and Microsoft DNS**: It is now possible to use GSS-TSIG with faulty DNS implementations. We added an "ignore-bad-direction" workaround flag to the GSS-TSIG hook library to accept DNS update responses with the request signature sent by bogus servers [#4326]. 5. **NETCONF**: We fixed `kea-netconf` communication over HTTP sockets with the Kea DHCP daemons. The control-socket type is now mandatory for each server in the "managed-servers" configuration map [#4460]. The `kea-netconf` daemon now prints information about the control channel being opened [#331]. 6. **Security**: The build system was updated to install libraries, binaries, and directories to be installed with 755 permissions, as opposed to 750. The remaining files are installed with 644 permissions, as opposed to 640 [#3993, #4477, #4171]. 7. **Bug fixes**: We fixed a problem where Kea would not support small pools of just one address [#4444]. The state model library now uses signed/unsigned types consistently [#4348]. We fixed a minor problem with an excess placeholder in one HA log message [#4459]. An empty `client-classes` list is now accepted in the configuration [#4453]. The `ddns-ttl-max` parameter is now parsed properly [#4445]. 8. **Build improvements**: The build system no longer leaves an `rbac` symlink [#4487]. Cross-compilation was fixed in Meson [#3982]. The build system no longer attempts to download Google Test source, even when tests and fuzzing are disabled [#4488]. The library versions were updated [#4542]. Hammer was updated to allow control of the number of processes running when generating packages [#4528]. We fixed problems with hammer running on Rocky Linux [#4450]. Hammer is now able to prepare a system for Kea based on Fedora 44 [#4480]. 9. **Tests**: The CI pipelines now perform changelog linting. This small improvement will help maintaining a clearer and more readable ChangeLog [#4497]. Running RADIUS unit-tests was fixed on FreeBSD 15 [#4452]. We updated Valgrind running scripts and fixed several problems reported by Valgrind. In the process, the last old Perl script was removed. Kea is now officially Perl-free software [#4483]. The timeout of `dhcp-ha-lib` tests was adjusted [#4465]. A couple of IfaceMgr test timeouts were tweaked [#4464]. 10. **Temporary address leftovers**: RFC9915, an updated version of the DHCPv6 protocol specification, was published, so this Kea release introduces support for it. The actual changes are small: support for leftovers from partial temporary addresses (IA_TA) is now removed, as the feature was deprecated. Removal of old IA_TA types required DB schema changes [#4368, #4490]. 11. **REST API**: The legacy `service` parameter is no longer silently ignored: if it is a not-empty list, it must have only one element matching the name of the server the command was sent to. It is recommended not to add a service parameter, as the Control Agent was removed and the parameter can no longer be used. [#4341]. ## Incompatible Changes The following incompatible changes were introduced: 1. The installed libraries and binaries have updated (relaxed) permissions (see #3993). This should not cause any problems in principle, but please take a close look if you have your own scripts built around Kea. 2. The database schema was updated. ## License This version of Kea is released under the Mozilla Public License, version 2.0. https://www.mozilla.org/en-US/MPL/2.0 Some Kea hook libraries are provided under the MPL 2.0; others are licensed with the [Kea Hooks Basic Commercial End User License](https://www.isc.org/kea-premium-license/). The source for each hook library includes the applicable license. ## Download Pre-built ISC packages for current versions of the most popular Linux operating systems are available at: https://cloudsmith.io/~isc/repos/ Pre-built Docker images, as well as Docker files, are available. For details, see: https://gitlab.isc.org/isc-projects/kea-docker The Kea source and PGP signature for this release may be downloaded from: https://www.isc.org/download The signature was generated with the ISC code-signing key, which is available at: https://www.isc.org/pgpkey ISC provides detailed documentation, including installation instructions and usage tutorials, in the Kea Administrator Reference Manual. Documentation is included with the installation or at https://kea.readthedocs.io/en/latest/index.html in HTML, PDF, or EPUB formats. ISC maintains a public open source code tree, wiki, issue tracking system, milestone planner, and roadmap at https://gitlab.isc.org/isc-projects/kea. Limitations and known issues with this release can be found at https://gitlab.isc.org/isc-projects/kea/-/wikis/known-issues-list. We ask users of this software to please let us know how it worked for you and what operating system you tested on. Feel free to share your feedback on the Kea Users mailing list (https://lists.isc.org/mailman/listinfo/kea-users). We would also like to hear whether the documentation is adequate and accurate. Please open tickets in the Kea GitLab project for bugs, documentation omissions and errors, and enhancement requests. We want to hear from you even if everything worked. ## Support Professional support for Kea is available from ISC. We encourage all professional users to consider this option; Kea maintenance is funded with support subscriptions. For more information on ISC's Kea software support, see https://www.isc.org/support/. Free best-effort support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list. If you have any comments or questions about working with Kea, please share them to the Kea Users list (https://lists.isc.org/mailman/listinfo/kea-users). Bugs and feature requests may be submitted via GitLab at https://gitlab.isc.org/isc-projects/kea/-/issues. ## Changes The following summarizes the changes since the previous release. 2477. [build] andrei The library version numbers have been bumped up for the Kea 3.1.9 development release. (Gitlab #4542) 2476. [func] fdupont Added the "ignore-bad-direction" workaround flag to the GSS-TSIG hook library to accept DNS update responses with the request signature sent by bogus servers. (Gitlab #4326) 2475. [func]* fdupont Disallowed leading zeros in JSON floating point values. Now incorrect number values in Kea config files are still accepted but raise warnings. Also fixed the bug which made leading plus '+' not be always rejected. (Gitlab #4495) 2474. [func] fdupont Removed the 'socket-name' vs 'socket-address' exclusivity check when parsing config files. Note that configuring both for the same control socket is still rejected but because 'socket-name' makes sense only for the 'unix' type, and 'socket-address' for the 'http' and 'https' types. (Gitlab #3971) 2473. [func] tmark IA_TA lease6 lease type has been removed from the MySQL and PostgreSQL schemas. (Gitlab #4490) 2472. [bug] fdupont Corrected an issue that prevented using pools of only one element (e.g. address or prefix) with either the Random or FLQ allocators. (Gitlab #4444) 2471. [bug] tmark Corrected an issue in PostgreSQL SFLQ allocation that was generating one too many free leases. SFLQ pool creation automatically rebuilds pools whose delegated length has changed (MySQL and PostgreSQL). These changes required a schema update. (Gitlab #4491) 2470. [func] tmark Added API commands for managing SFLQ Allocator pools to lease-cmds hook library. (Gitlab #4492) 2469. [build] fdupont Kea can now be cross-compiled using Meson. (Gitlab #3982) 2468. [func]* fdupont Added support for the last DHCP RFC 9915 including the deprecation of the unicast option. (Gitlab #4368) 2467. [bug] fdupont The from JSON double value to string no longer produces an incorrect output when there is only an exponent part. (Gitlab #4493) 2466. [doc] tmark Added documentation for the Shared FLQ Allocator to the ARM. (Gitlab #4489) 2465. [func]* fdupont Disallowed leading zeros in JSON integer values as required by the standard to become compatible with some other JSON tools e.g. the go implementation used by Stork. Now incorrect integer values in Kea config files are still accepted but raise warnings. (Gitlab #4438) 2464. [func] fdupont Extended the parser to accepted an empty "client-classes" list in Kea server configuration files. (Gitlab #4453) 2463. [bug] razvan Fixed kea-netconf communication over HTTP sockets with the kea dhcp demons. The control socket type is now mandatory for each server in the "managed-servers" configuration map. (Gitlab #4460) 2462. [func] razvan Added 'interface-add', 'interface-list' and 'interface-redetect' which can be used to add interfaces, list currently detected interfaces and issue a re-detect procedure which updates the interface configuration respectively. The re-detect procedure only adds newly discovered interfaces and addresses, without removing any previously detected interfaces or addresses. (Gitlab #3144) Thank you again to everyone who assisted us in making this release possible. We look forward to receiving your feedback.