This article will detail the installation and configuration of Internet Systems Consortium's Kea DHCP Servers.
- The DHCP servers will provide dynamic IPv4 and IPv6 network address assignments
- The DHCP servers will do DDNS updates of forward and reverse lookup zones with a BIND DNS server.
Install Kea DHCP Server
Install the Kea DHCP server software using your preferred method.
pkg install net/kea
Enable the Kea service in /etc/rc.conf
sysrc kea_enable="YES"
Enable the Desired Daemons
Kea runs using separate daemons for IPv4, IPv6, and DDNS. For the examples provided in this article, we will enable all three.
Edit /usr/local/etc/kea/keactrl.conf
# Start DHCPv4 server?
dhcp4=yes
# Start DHCPv6 server?
dhcp6=yes
# Start DHCP DDNS server?
dhcp_ddns=yes
Configure the IPv4 DHCP Daemon
Edit /usr/local/etc/kea/kea-dhcp4.conf
{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "em0" ]
    },
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "kea4-ctrl-socket"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true
    },
    "valid-lifetime": 28800,
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.168.0.0/16",
        "pools": [ { "pool": "192.168.0.100 - 192.168.0.199" } ],
        "option-data": [
          { "name": "routers", "data": "192.168.0.1" },
          { "name": "domain-name-servers", "data": "192.168.0.1, 192.168.0.2" },
          { "name": "domain-name", "data": "example.com" },
          { "name": "domain-search", "data": "example.com" }
        ]
      }
    ],
    "loggers": [
      {
        "name": "kea-dhcp4",
        "severity": "INFO",
        "output_options": [ { "output": "syslog" } ]
      }
    ],
    "dhcp-ddns": { "enable-updates": true },
    "ddns-update-on-renew": true,
    "ddns-qualifying-suffix": "example.com.",
    "ddns-override-client-update": true,
    "ddns-override-no-update": true,
    "ddns-replace-client-name": "when-not-present",
    "ddns-generated-prefix": "dyn"
  }
}
Configure the IPv6 DHCP Daemon
Edit /usr/local/etc/kea/kea-dhcp6.conf
{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": [ "em0" ]
    },
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "kea6-ctrl-socket"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true
    },
    "valid-lifetime": 28800,
    "subnet6": [
      {
        "interface": "em0",
        "id": 1,
        "subnet": "2001:db8:1a2b:3c4d::/64",
        "pools": [ { "pool": "2001:db8:1a2b:3c4d::100 - 2001:db8:1a2b:3c4d::1ff" } ],
        "rapid-commit": true,
        "option-data": [
          { "name": "dns-servers", "data": "2001:db8:1a2b:3c4d::1, 2001:db8:1a2b:3c4d::2" }
        ]
      }
    ],
    "loggers": [
      {
        "name": "kea-dhcp6",
        "severity": "INFO",
        "output_options": [ { "output": "syslog" } ]
      }
    ],
    "dhcp-ddns": { "enable-updates": true },
    "ddns-update-on-renew": true,
    "ddns-qualifying-suffix": "example.com.",
    "ddns-override-client-update": true,
    "ddns-override-no-update": true,
    "ddns-replace-client-name": "when-not-present",
    "ddns-generated-prefix": "dyn"
  }
}
DDNS
NOTE: Registering both an IPv4 (A) and an IPv6 (AAAA) mapping for the same FQDN from a dual-stack client does work, but it depends on the client.
The DHCID record that Kea's DDNS daemon uses for conflict detection is derived from the client's identity, so both updates succeed only if the client presents the same identity in both address families: the IPv4 client identifier option must carry the client's DHCPv6 DUID, as described in RFC 4361.
Not all operating system DHCP clients support this. Windows does not, and will add only one DDNS mapping; whether it is the A or the AAAA record depends on which update succeeded first, because the second one is rejected as a conflict.
The FreeBSD port net/dhcpcd does support this and will add both host mappings. Linux DHCP clients vary; check whether yours sends an RFC 4361 client identifier.
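To make the conflict concrete, the following is an added example (not code from the article or from the Kea project) that computes DHCID RDATA the way RFC 4701 specifies, using Python's hashlib. The MAC address, DUID and host name are constructed sample values. It shows that a client whose DHCPv4 identity is its hardware address gets a different DHCID from its DHCPv6 DUID, while a client that sends an RFC 4361 client identifier (type 255, IAID, DUID) yields the same DHCID in both families, so the second update satisfies the DHCID prerequisite instead of being refused as a conflict.

```python
"""RFC 4701 DHCID computation, used here to show why dual-stack DDNS needs
RFC 4361 client identifiers.

Added example, not from the article or the Kea project. SAMPLE_MAC,
SAMPLE_DUID and SAMPLE_FQDN are constructed values.
"""
import base64
import hashlib

# RFC 4701 identifier type codes (first two octets of the RDATA)
DHCID_HTYPE_CHADDR = 0x0000  # DHCPv4: 1-octet htype followed by chaddr
DHCID_CLIENT_ID = 0x0001     # DHCPv4: raw client identifier option data
DHCID_DUID = 0x0002          # DUID: DHCPv6 client-id, or the DUID inside an RFC 4361 client-id
DIGEST_SHA256 = 1            # the only digest type RFC 4701 defines


def fqdn_to_wire(fqdn: str) -> bytes:
    """Encode an FQDN as DNS wire-format labels, lower-cased, which is the
    form RFC 4701 hashes."""
    out = bytearray()
    for label in fqdn.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def dhcid(identifier_type: int, identifier: bytes, fqdn: str) -> bytes:
    """RDATA = identifier-type (2 octets) | digest-type (1 octet) |
    SHA-256(identifier || FQDN in wire format)."""
    digest = hashlib.sha256(identifier + fqdn_to_wire(fqdn)).digest()
    return identifier_type.to_bytes(2, "big") + bytes([DIGEST_SHA256]) + digest


def dhcid_v4_mac(mac: bytes, fqdn: str) -> bytes:
    """DHCPv4 client that sends no client-id option: htype 1 (Ethernet) + chaddr."""
    return dhcid(DHCID_HTYPE_CHADDR, bytes([1]) + mac, fqdn)


def dhcid_v4_client_id(client_id: bytes, fqdn: str) -> bytes:
    """DHCPv4 client-id option (option 61). In the RFC 4361 form the data is
    type 255, a 4-octet IAID and then the DUID; RFC 4701 says to hash only
    the DUID, under identifier type 0x0002, in that case."""
    if client_id[0] == 0xFF and len(client_id) > 5:
        return dhcid(DHCID_DUID, client_id[5:], fqdn)
    return dhcid(DHCID_CLIENT_ID, client_id, fqdn)


def dhcid_v6_duid(duid: bytes, fqdn: str) -> bytes:
    """DHCPv6 client: the DUID from the Client Identifier option."""
    return dhcid(DHCID_DUID, duid, fqdn)


def rfc4361_client_id(iaid: int, duid: bytes) -> bytes:
    """Build an RFC 4361 DHCPv4 client identifier from an IAID and a DUID."""
    return bytes([0xFF]) + iaid.to_bytes(4, "big") + duid


def dhcid_presentation(rdata: bytes) -> str:
    """Zone-file presentation format: base64 of the whole RDATA."""
    return base64.b64encode(rdata).decode("ascii")


# Constructed sample identity for one dual-stack host.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_DUID = bytes.fromhex("0003" "0001") + SAMPLE_MAC  # DUID-LL, hw type 1
SAMPLE_FQDN = "dyn-host.example.com."


def compare_identities() -> dict:
    """Does the DHCPv4 DHCID match the DHCPv6 one for the same host?"""
    v6 = dhcid_v6_duid(SAMPLE_DUID, SAMPLE_FQDN)
    v4_mac = dhcid_v4_mac(SAMPLE_MAC, SAMPLE_FQDN)
    v4_4361 = dhcid_v4_client_id(rfc4361_client_id(1, SAMPLE_DUID), SAMPLE_FQDN)
    return {
        "v4_mac_matches_v6": v4_mac == v6,        # False: second update is a conflict
        "v4_rfc4361_matches_v6": v4_4361 == v6,   # True: both A and AAAA succeed
    }


if __name__ == "__main__":
    for name, same in compare_identities().items():
        print(name, same)
    print(dhcid_presentation(dhcid_v6_duid(SAMPLE_DUID, SAMPLE_FQDN)))
```

The first two octets of the RDATA already differ between the hardware-address case (0x0000) and the DUID case (0x0002), so no amount of matching hostname helps unless the IPv4 side carries the DUID.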
Create a TSIG key for DDNS Updates
A TSIG key authenticates the DDNS updates. Execute the following command on the BIND primary name server to create the TSIG key file used in the examples above (tsig-keygen defaults to hmac-sha256, which is the algorithm the Kea configuration below expects):
tsig-keygen ddns-key > /usr/local/etc/namedb/ddns-key
View the key in preparation to transfer the values to the Kea DDNS configuration file.
cat /usr/local/etc/namedb/ddns-key
Configure the DDNS Daemon
Edit /usr/local/etc/kea/kea-ddns.conf (check that kea_dhcp_ddns_config_file in keactrl.conf points at this file name; the stock default is kea-dhcp-ddns.conf).
Copy the algorithm and secret from the key file just created into the "tsig-keys": section. The secret shown below is a placeholder and must be replaced with your own; because this file now holds the key, make it readable only by root and the account Kea runs as.
{
  "DhcpDdns": {
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
      {
        "name": "ddns-key",
        "algorithm": "hmac-sha256",
        "secret": "EcjdqPeOz0Ekj5HzbQdA+p5gpxxZ7BQobM/+7xC5gvA="
      }
    ],
    "forward-ddns": {
      "ddns-domains": [
        {
          "name": "example.com.",
          "key-name": "ddns-key",
          "dns-servers": [ { "ip-address": "127.0.0.1" } ]
        }
      ]
    },
    "reverse-ddns": {
      "ddns-domains": [
        {
          "name": "d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa.",
          "key-name": "ddns-key",
          "dns-servers": [ { "ip-address": "::1" } ]
        },
        {
          "name": "168.192.in-addr.arpa.",
          "key-name": "ddns-key",
          "dns-servers": [ { "ip-address": "127.0.0.1" } ]
        }
      ]
    },
    "loggers": [
      {
        "name": "kea-dhcp-ddns",
        "severity": "INFO",
        "output_options": [ { "output": "syslog" } ]
      }
    ]
  }
}
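The nibble-reversed ip6.arpa name is easy to get wrong by hand, and retyping the secret invites a mismatch. The following added example (not from the article or the Kea project) parses the tsig-keygen output, derives the reverse zone names from the served prefixes, and emits the DhcpDdns section as JSON. The key file text is constructed sample input with a fake secret; the forward zone, prefixes and server addresses are the ones used in this article.

```python
"""Generate the kea-dhcp-ddns (D2) configuration from the tsig-keygen key
file and the prefixes served by kea-dhcp4 and kea-dhcp6.

Added example, not from the article or the Kea project. SAMPLE_KEY_FILE is
constructed input and its secret is not a real key.
"""
import ipaddress
import json
import re

# tsig-keygen writes a BIND key clause:
#   key "ddns-key" {
#           algorithm hmac-sha256;
#           secret "<base64>";
#   };
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;'
)


def parse_tsig_key(text: str) -> dict:
    """Return a Kea "tsig-keys" entry ({"name", "algorithm", "secret"})
    from a BIND key clause. The secret is copied verbatim."""
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key clause found in key file")
    return {"name": m["name"], "algorithm": m["alg"].lower(), "secret": m["secret"]}


def reverse_zone(prefix: str) -> str:
    """Reverse zone name for a served prefix. IPv4 prefixes must sit on an
    octet boundary and IPv6 prefixes on a nibble boundary; anything else
    would need RFC 2317-style delegation, so refuse rather than guess."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 prefix length must be a multiple of 8")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def build_ddns_config(key_text, forward_zone, prefixes,
                      dns_v4="127.0.0.1", dns_v6="::1") -> dict:
    """Assemble the DhcpDdns section. The forward zone is updated via the
    BIND server's IPv4 address; each reverse zone via the address of the
    same family as its prefix, as in the article's configuration."""
    key = parse_tsig_key(key_text)

    def domain(name, server):
        return {"name": name, "key-name": key["name"],
                "dns-servers": [{"ip-address": server}]}

    reverse = []
    for prefix in prefixes:
        family = ipaddress.ip_network(prefix).version
        reverse.append(domain(reverse_zone(prefix), dns_v4 if family == 4 else dns_v6))

    return {"DhcpDdns": {
        "control-socket": {"socket-type": "unix", "socket-name": "kea-ddns-ctrl-socket"},
        "tsig-keys": [key],
        "forward-ddns": {"ddns-domains": [domain(forward_zone, dns_v4)]},
        "reverse-ddns": {"ddns-domains": reverse},
        "loggers": [{"name": "kea-dhcp-ddns", "severity": "INFO",
                     "output_options": [{"output": "syslog"}]}],
    }}


def render(cfg: dict) -> str:
    """JSON text ready to be written to kea-ddns.conf."""
    return json.dumps(cfg, indent=2)


# Constructed sample of what "tsig-keygen ddns-key" prints (fake secret).
SAMPLE_KEY_FILE = '''key "ddns-key" {
\talgorithm hmac-sha256;
\tsecret "bm90LWEtcmVhbC1rZXktanVzdC1hLXNhbXBsZQ==";
};
'''

if __name__ == "__main__":
    cfg = build_ddns_config(SAMPLE_KEY_FILE, "example.com.",
                            ["192.168.0.0/16", "2001:db8:1a2b:3c4d::/64"])
    print(render(cfg))
```

Run it with the real key file read from /usr/local/etc/namedb/ddns-key and redirect the output to kea-ddns.conf, then restrict the file's permissions as described above.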
Configure BIND to allow DDNS updates
Note: the following settings let the Kea DDNS daemon update the relevant zones on your BIND name server.
Creating those zones is outside the scope of this article; they are assumed to exist already.
Add the following to /usr/local/etc/namedb/named.conf
include "/usr/local/etc/namedb/ddns-key";
and, within each forward and reverse lookup zone clause that will be dynamically updated, add allow-update { key ddns-key; }; so that only updates signed with the TSIG key are accepted (an address-based ACL would also accept forged UDP updates from anyone able to spoof the DHCP server's address):
zone "example.com" IN {
    type primary;
    file "../dynamic/example.com";
    allow-update { key ddns-key; };
};
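A tighter variant, added here and not part of the original article: allow-update lets the key change any record type in the zone, whereas update-policy (which replaces allow-update; BIND does not accept both in one zone) can restrict ddns-key to the record types Kea's DDNS daemon writes, namely A, AAAA and DHCID in the forward zone and PTR and DHCID in the reverse zones. The zone file paths are placeholders; the reverse zone names are the ones from the kea-ddns.conf example. If BIND denies an update from Kea after this change, widen the grant list rather than reverting to allow-update.

```conf
zone "example.com" IN {
    type primary;
    file "../dynamic/example.com";
    update-policy { grant ddns-key zonesub A AAAA DHCID; };
};

zone "168.192.in-addr.arpa" IN {
    type primary;
    file "../dynamic/168.192.in-addr.arpa";
    update-policy { grant ddns-key zonesub PTR DHCID; };
};

zone "d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa" IN {
    type primary;
    file "../dynamic/d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa";
    update-policy { grant ddns-key zonesub PTR DHCID; };
};
```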
Restart BIND to apply the changes
service named restart
Before starting, syntax-check the configuration files: each Kea daemon accepts -t followed by its configuration file to parse the file and exit, and named-checkconf does the same for BIND. Then start the Kea daemons and watch the logs (syslog, as configured above) to confirm that leases are being assigned and that the DDNS updates to BIND succeed.
service kea start
Kea Documentation
The latest Kea Administrator Reference Manual can be found at https://kea.readthedocs.io/en/latest/index.html