Hacker News

Kea DHCP: Modern, open source DHCPv4 and DHCPv6 server

95 points by doener yesterday at 11:58 PM | 30 comments

Comments

guerby today at 7:37 AM

Looking at the CVE history, first "LTS" release 3.0.0 was quickly replaced by 3.0.1

https://kb.isc.org/docs/cve-2025-40779

"CVE-2025-40779: Kea crash upon interaction between specific client options and subnet selection"

https://github.com/isc-projects/kea/commit/0afd42b5dfb2e547b...

unprotected null pointer use, kea is in C++

BrandoElFollito today at 6:16 AM

I use dnsmasq mostly for its fantastic integration with DNS.

DHCP and DNS go hand in hand in a network, I really struggle to understand why they are not more integrated in otherwise great solutions (such as kea)

brianjlogan today at 12:40 AM

I ran my own home router and I used Kea and Power DNS using Systemd Containers to provide service for my whole home.

I was really impressed. I think the folks who put it together did a good job of addressing the major warts of my experience with isc-dhcp-server.

I'm sure it's a tremendous challenge writing software that's supposed to live up to modern expectations while still attempting to deliver on all of the legacy dependents and their unique use cases.

Makes me think of that article on how Cloudflare wrote their own Golang DNS Server and like some 900 whopping people use LOC records but they still support it

BLKNSLVR today at 12:27 AM

OPNSense deprecated (is deprecating?) the included ISC DHCP server and now has the Kea DHCP server as standard. I migrated from ISC to Kea in OPNSense and it was relatively painless, and it's been working well since. No complaints here, but my setup is pretty vanilla.

I can't comment on the DNS integration, but I might look a bit deeper because it sounds useful.

guerby today at 7:27 AM

LWN discussion of some 2025 CVE on kea: https://lwn.net/Articles/1023093/

Comments are less positive than here on HN.

nullify88 today at 3:06 AM

I've been running Kea at dayjob in production for the last 5-ish years, setup in a HA manner. It's worked solidly.

sharts today at 2:19 AM

I’m wondering if this fixes the issue in pfsense which causes the Unbound DNS server to restart every time a new dhcp lease is created.

jesprenj today at 8:24 AM

unfortunate that you can't start it without the ethernet interface in UP state. if you start it while the ethernet cable is disconnected, it will start the daemon but not actually "listen" on the device, even after the cable gets plugged in.

my solution: create a bridge with your ethernet device and add a dummy device and UP the said dummy device, thereby UPing the bridge.

kevin061 today at 8:51 AM

We use Kea at work and make extensive use of its hooks system to customise what leases we give out, and in which of our 8 datacenters. Our infrastructure is hundreds of thousands of machines and Kea's distributed nature makes it a breeze.

nagisa today at 1:27 AM

In my homelab I've been using very barebones options (the one built into systemd-networkd as well as the dhcp server built into RouterOS) and never found myself needing a web interface, a database or anything… really. It has been sufficient to add the couple dozen static allocations to the configuration files and forget DHCP exists. Even HA is not something I found myself wanting as nodes will retain their lease well over the period of downtime incurred during botched upgrades.

How fancy does a network need to be before this starts making sense? Who are the target audience for this project?

denkmoon today at 2:02 AM

I assume it's just how pfsense is using Kea, but moving to this has been a bit regretful. Since moving from the legacy one to Kea, my static reservations don't work first time. Clients get given an address from the pool and then some time later (hours) get their static reservation. No clue why, from reading doc it seems like this is intended behaviour and that static reservations are discouraged??

On isc-dhcp, clients got their static reservation straight up.

Lammy today at 1:29 AM

Kea has broken with my config twice now over as many years when upgrading versions. I regret jumping from ISC-DHCPd for my 2023 PF-box reinstall just because they called it “EOL”

zombielinux today at 2:08 AM

I've deployed Kea in some interesting applications. I quite like its failover options for redundancy purposes.

Definitely has a learning curve for odd devices that "support" DHCP, but I've been happy with how it works, its outputs, and how it can easily be segmented.

WarOnPrivacy today at 12:12 AM

One day I will stop procrastinating and migrate my pfsense boxes over to Kea. I hope I like it.

I'll be thrilled if the expected DNS integration works and I don't get the side effects I get now from ISC.

PikachuEXE today at 12:46 AM

Migrated from ISC to Kea on OPNSense and zero issue so far

iwontberude today at 1:30 AM

Moved a large enterprise deployment to kea and it’s been fantastic. Very easy to troubleshoot.