This article will detail the installation and configuration of Internet Systems Consortium's Kea DHCP Server.
- The DHCP servers will provide dynamic IPv4 and IPv6 network address assignments.
- The DHCP servers will do DDNS updates of forward and reverse lookup zones with a BIND DNS server.
Install Kea DHCP Server
Install the Kea DHCP server software using your preferred method.
pkg install net/kea
Enable the Kea service in /etc/rc.conf
sysrc kea_enable="YES"
Enable the Desired Daemons
Kea runs separate daemons for IPv4, IPv6, and DDNS. For the examples provided in this article, we will enable all three.
Edit /usr/local/etc/kea/keactrl.conf
# Start DHCPv4 server?
dhcp4=yes
# Start DHCPv6 server?
dhcp6=yes
# Start DHCP DDNS server?
dhcp_ddns=yes
Configure the IPv4 DHCP Daemon
Edit /usr/local/etc/kea/kea-dhcp4.conf
{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": ["em0"]
    },
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea4-ctrl-socket"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/db/kea/dhcp4.leases.csv"
    },
    "valid-lifetime": 28800,
    "subnet4": [
      {
        "id": 1,
        "subnet": "192.168.0.0/16",
        "pools": [
          { "pool": "192.168.0.100 - 192.168.0.199" }
        ],
        "option-data": [
          { "name": "routers", "data": "192.168.0.1" },
          { "name": "domain-name-servers", "data": "192.168.0.1, 192.168.0.2" },
          { "name": "domain-name", "data": "example.com" },
          { "name": "domain-search", "data": "example.com" }
        ]
      }
    ],
    "loggers": [
      {
        "name": "kea-dhcp4",
        "output_options": [
          { "output": "syslog" }
        ],
        "severity": "INFO"
      }
    ],
    "dhcp-ddns": {
      "enable-updates": true
    },
    "ddns-update-on-renew": true,
    "ddns-qualifying-suffix": "example.com.",
    "ddns-override-client-update": true,
    "ddns-override-no-update": true,
    "ddns-replace-client-name": "when-not-present",
    "ddns-generated-prefix": "dyn"
  }
}
Configure the IPv6 DHCP Daemon
Edit /usr/local/etc/kea/kea-dhcp6.conf
{
  "Dhcp6": {
    "interfaces-config": {
      "interfaces": ["em0"]
    },
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea6-ctrl-socket"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/db/kea/dhcp6.leases.csv"
    },
    "valid-lifetime": 28800,
    "subnet6": [
      {
        "interface": "em0",
        "id": 1,
        "subnet": "2001:db8:1a2b:3c4d::/64",
        "pools": [
          { "pool": "2001:db8:1a2b:3c4d::100 - 2001:db8:1a2b:3c4d::1ff" }
        ],
        "rapid-commit": true,
        "option-data": [
          { "name": "dns-servers", "data": "2001:db8:1a2b:3c4d::1, 2001:db8:1a2b:3c4d::2" }
        ]
      }
    ],
    "loggers": [
      {
        "name": "kea-dhcp6",
        "output_options": [
          { "output": "syslog" }
        ],
        "severity": "INFO"
      }
    ],
    "dhcp-ddns": {
      "enable-updates": true
    },
    "ddns-update-on-renew": true,
    "ddns-qualifying-suffix": "example.com.",
    "ddns-override-client-update": true,
    "ddns-override-no-update": true,
    "ddns-replace-client-name": "when-not-present",
    "ddns-generated-prefix": "dyn"
  }
}
DDNS
NOTE: Having both IPv4 and IPv6 mappings for the same FQDN on a dual-stack client does work, but it depends on the client's network software.
To work properly, dual-stack clients must embed their IPv6 DUID within their IPv4 client identifier option, as described in RFC 4361.
Not all operating system network clients support this; Windows operating systems are a glaring example.
The FreeBSD port net/dhcpcd, on the other hand, does work. Linux?
Create a TSIG key for DDNS Updates
A TSIG key is used for DDNS updates. Execute the following command on the BIND master name server to create the TSIG key file referenced by the configuration examples in this article:
tsig-keygen ddns-key > /usr/local/etc/namedb/ddns-key
View the key in preparation to transfer the values to the Kea DDNS configuration file.
cat /usr/local/etc/namedb/ddns-key
Configure the DDNS Daemon
Edit /usr/local/etc/kea/kea-ddns.conf
Copy the values from the TSIG key you just created into the "tsig-keys": section.
{
  "DhcpDdns": {
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/tmp/kea-ddns-ctrl-socket"
    },
    "tsig-keys": [
      {
        "name": "ddns-key",
        "algorithm": "hmac-sha256",
        "secret": "EcjdqPeOz0Ekj5HzbQdA+p5gpxxZ7BQobM/+7xC5gvA="
      }
    ],
    "forward-ddns": {
      "ddns-domains": [
        {
          "name": "example.com.",
          "key-name": "ddns-key",
          "dns-servers": [
            { "ip-address": "127.0.0.1" }
          ]
        }
      ]
    },
    "reverse-ddns": {
      "ddns-domains": [
        {
          "name": "d.4.c.3.b.2.a.1.8.b.d.0.1.0.0.2.ip6.arpa.",
          "key-name": "ddns-key",
          "dns-servers": [
            { "ip-address": "::1" }
          ]
        },
        {
          "name": "168.192.in-addr.arpa.",
          "key-name": "ddns-key",
          "dns-servers": [
            { "ip-address": "127.0.0.1" }
          ]
        }
      ]
    },
    "loggers": [
      {
        "name": "kea-dhcp-ddns",
        "output_options": [
          { "output": "syslog" }
        ],
        "severity": "INFO"
      }
    ]
  }
}
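The copy step from the key file into "tsig-keys" can be scripted instead of done by hand. The following is an added example, not part of the original article: it parses a key clause in the layout tsig-keygen writes, prints the matching "tsig-keys" entry, and checks that the key file is not world-readable, since a file created by shell redirection takes its mode from the umask. The function names and the sample secret are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.

# Print a Kea "tsig-keys" entry for the single key clause in FILE ($1).
# Exits non-zero unless exactly one well-formed clause is found.
tsig_to_kea() {
    awk '
        $1 == "key"       { name = $2;   gsub(/[";]/, "", name); keys++ }
        $1 == "algorithm" { alg = $2;    gsub(/[";]/, "", alg) }
        $1 == "secret"    { secret = $2; gsub(/[";]/, "", secret) }
        END {
            # Validate every field so that no unexpected character can
            # end up inside the JSON that is printed.
            if (keys != 1)                      exit 1
            if (name   !~ "^[A-Za-z0-9._-]+$")  exit 1
            if (alg    !~ "^hmac-[a-z0-9]+$")   exit 1
            if (secret !~ "^[A-Za-z0-9+/]+=*$") exit 1
            printf "{ \"name\": \"%s\", \"algorithm\": \"%s\", \"secret\": \"%s\" }\n", name, alg, secret
        }
    ' "$1"
}

# Succeed only if FILE ($1) exists and is not readable by "other" users.
key_file_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# Constructed sample key (not a real secret), laid out like tsig-keygen output.
demo=$(mktemp)
cat > "$demo" <<'EOF'
key "ddns-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQtc2FtcGxlLXNlY3JldC0wMDAwMDA=";
};
EOF
chmod 600 "$demo"
tsig_to_kea "$demo"
key_file_private "$demo" && echo "key file mode OK"
rm -f "$demo"
```

Calling tsig_to_kea /usr/local/etc/namedb/ddns-key prints the entry for the real key; the same permission check applies to kea-ddns.conf, which holds the same secret.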
Configure BIND to allow DDNS updates
Note: The following configuration items are to allow the DHCP server to do DDNS updates of the appropriate zones on your BIND name server.
This article does not cover the creation of those zones, and assumes they are already configured.
Add the following to /usr/local/etc/namedb/named.conf
include "/usr/local/etc/namedb/ddns-key";
and within each forward and reverse lookup zone clause that will be dynamically updated add:
allow-update { key ddns-key; };
Restart BIND to apply the changes
service named restart
Start the Kea daemons and monitor the logs to confirm that IP addresses are being assigned and that DDNS updates with BIND are succeeding.
service kea start
Kea Documentation
The latest Kea Administrator Reference Manual can be found at https://kea.readthedocs.io/en/latest/index.html