KEA DHCP
Index
Kea is the next generation of DHCP software, developed by Internet Systems Consortium (ISC).
It is considered the replacement for ISC-DHCP in larger HA enabled setups and synergizes well with radvd for HA enabled router advertisements.
Currently it is not possible to register hostnames dynamically between KEA and Unbound, only static reservations will be synchronized on an Unbound service restart.
Control Agent
The Kea Control Agent (CA) is a daemon which exposes a RESTful control interface for managing Kea servers. When building a high available dhcp setup, the control agent is a requirement for these kind of setups.
Option |
Description |
|---|---|
Enabled |
Enable control agent |
Bind address |
Address on which the RESTful interface should be available, usually this is localhost (127.0.0.1) |
Bind port |
Choose an unused port for communication here. |
Note
Although the control agent is required to use high availability peers, it does not have to listen on a non loopback address. The peer configuration by default uses the so called “Multi-Threaded Configuration (HA+MT)”, in which case it starts a separate listener for the HA communication.
DDNS Agent
The Kea DHCP DDNS (D2) server is a middleware between the DHCP servers, and authoritative DNS servers. Enabling it is a requirement if dynamic DNS updates (RFC2136) should be sent when clients are assigned an IP address in configured subnets.
Option |
Description |
|---|---|
Enabled |
Enable DDNS server. To send updates to an authoritative nameserver, configure Dynamic DNS inside the DHCPv4 and DHCPv6 subnets. |
Bind address |
Address on which the DHCP DDNS server interface should be available; usually this is localhost (127.0.0.1). |
Bind port |
Portnumber to use for the DHCP DDNS server interface; default is 53001. |
Kea DHCPv4/v6
This is the DHCPv4/v6 service available in KEA, which offers the following tab sheets with their corresponding settings:
Option |
Description |
|---|---|
Service |
|
Enabled |
Enable DHCPv4/v6 server. |
Manual config |
Disable configuration file generation and manage the file (/usr/local/etc/kea/kea-dhcp4.conf) or (/usr/local/etc/kea/kea-dhcp6.conf) manually. |
General settings |
|
Interfaces |
Select interfaces to listen on. |
Valid lifetime |
Defines how long the addresses (leases) given out by the server are valid (in seconds) |
Firewall rules |
Automatically add a basic set of firewall rules to allow dhcp traffic, more fine grained controls can be offered manually when disabling this option. |
Socket type** (DHCPv4 only) |
Socket type used for DHCP communication. |
High Availability |
|
Enabled |
Enable High availability hook, requires the Control Agent to be enabled as well. |
This server name |
The name of this server, should match with one of the entries in the HA peers. Leave empty to use this machines hostname |
Max Unacked clients |
This specifies the number of clients which send messages to the partner but appear to not receive any response. A higher value needs a busier environment in order to consider a member down, when set to 0, any network disruption will cause a failover to happen. |
DHCPv4
Option |
Description |
|---|---|
Subnet |
Subnet to use, should be large enough to hold the specified pools and reservations |
Description |
You may enter a description here for your reference (not parsed). |
Pools |
List of pools, one per line in range or subnet format (e.g. 192.168.0.100 - 192.168.0.200 , 192.0.2.64/26). Leave this blank if you do not want to offer dynamic leases (i.e: “Deny unknown clients”) |
Match client-id |
By default, KEA uses client-identifiers instead of MAC addresses to locate clients, disabling this option changes back to matching on MAC address which is used by most dhcp implementations. |
DHCP option data |
|
Auto collect option data |
Automatically update option data for relevant attributes as routers, dns servers and ntp servers when applying settings from the gui. |
Routers (gateway) |
Default gateways to offer to the clients |
Static routes |
Static routes that the client should install in its routing cache, defined as dest-ip1,router-ip1,dest-ip2,router-ip2 |
DNS servers |
DNS servers to offer to the clients |
Domain name |
The domain name to offer to the client, set to this firewall’s domain name when left empty |
Domain search |
The domain search list to offer to the client |
NTP servers |
Specifies a list of IP addresses indicating NTP (RFC 5905) servers available to the client. |
Time servers |
Specifies a list of RFC 868 time servers available to the client. |
Next server |
Next server IP address |
TFTP server |
TFTP server address or FQDN |
TFTP bootfile name |
Boot filename to request |
IPv6-only Preferred (Option 108) |
The number of seconds for which the client should disable DHCPv4. The minimum value is 300 seconds. |
Options |
Select custom DHCPv4 options that were created in the options tab. |
Dynamic DNS |
|
DNS forward zone |
DNS zone where DHCP clients should be registered (e.g. “home.arpa.”). |
DNS qualifying suffix |
If a DHCP client only sends a hostname in option 81, append this suffix to create an FQDN (e.g. “home.arpa.”). |
DNS server |
Authoritative DNS server receiving dynamic updates. |
TSIG key name |
TSIG key name used for secure DNS updates. |
TSIG key secret |
Base64 encoded TSIG key secret. |
TSIG key algorithm |
Algorithm used for TSIG authentication with the DNS server (e.g. hmac-sha256) |
DHCPv6
Option |
Description |
|---|---|
Subnet |
Subnet to use, should be large enough to hold the specified pools and reservations |
Interface |
Select which interface this subnet belongs to |
Allocator |
Select allocator method to use when offering leases to clients. |
PD Allocator |
Select allocator method to use when offering prefix delegations to clients |
Description |
You may enter a description here for your reference (not parsed). |
Pools |
List of pools, one per line in range or subnet format (e.g. 2001:db8:1::-2001:db8:1::100, 2001:db8:1::/80). Leave this blank if you do not want to offer dynamic leases (i.e: “Deny unknown clients”) |
DHCP option data |
|
DNS servers |
DNS servers to offer to the clients |
Domain search |
The domain search list to offer to the client |
Options |
Select custom DHCPv6 options that were created in the options tab. |
Dynamic DNS |
|
DNS forward zone |
DNS zone where DHCP clients should be registered (e.g. “home.arpa.”). |
DNS qualifying suffix |
If a DHCP client only sends a hostname in option 81, append this suffix to create an FQDN (e.g. “home.arpa.”). |
DNS server |
Authoritative DNS server receiving dynamic updates. |
TSIG key name |
TSIG key name used for secure DNS updates. |
TSIG key secret |
Base64 encoded TSIG key secret. |
TSIG key algorithm |
Algorithm used for TSIG authentication with the DNS server (e.g. hmac-sha256) |
Option |
Description |
|---|---|
Subnet |
Subnet to use, should be large enough to hold the specified prefix. |
Prefix |
The prefix that will be used as prefix delegation pool. |
Prefix length |
The length of the prefix for the prefix delegation pool. |
Delegated length |
The length of each delegated prefix offered via the prefix delegation pool. |
Description |
You may enter a description here for your reference (not parsed). |
DHCPv4
Option |
Description |
|---|---|
Subnet |
Subnet this reservation belongs to |
IP address |
IP address to offer to the client |
MAC address |
MAC/Ether address of the client in question |
Hostname |
Offer a hostname to the client |
Description |
You may enter a description here for your reference (not parsed). |
DHCP option data |
|
Auto collect option data |
Automatically update option data for relevant attributes as routers, dns servers and ntp servers when applying settings from the gui. |
Routers (gateway) |
Default gateways to offer to the clients |
Static routes |
Static routes that the client should install in its routing cache, defined as dest-ip1,router-ip1,dest-ip2,router-ip2 |
DNS servers |
DNS servers to offer to the clients |
Domain name |
The domain name to offer to the client, set to this firewall’s domain name when left empty |
Domain search |
The domain search list to offer to the client |
NTP servers |
Specifies a list of IP addresses indicating NTP (RFC 5905) servers available to the client. |
Time servers |
Specifies a list of RFC 868 time servers available to the client. |
Next server |
Next server IP address |
TFTP server |
TFTP server address or FQDN |
TFTP bootfile name |
Boot filename to request |
Options |
Select custom DHCPv4 options that were created in the options tab. |
DHCPv6
Option |
Description |
|---|---|
Subnet |
Subnet this reservation belongs to |
IP address |
IP address to offer to the client |
DUID |
DUID of the client in question |
Hostname |
Offer a hostname to the client |
Domain search |
The domain search list to offer to the client |
Options |
Select custom DHCPv6 options that were created in the options tab. |
Description |
You may enter a description here for your reference (not parsed). |
Option |
Description |
|---|---|
Description |
You must enter a description here. It is used to reference this option inside reservations and subnets. |
Match DHCP option |
|
Match Code |
The server will only send the option defined in “Set DHCP option” if a client first sends the option defined in “Match DHCP option”. Leave empty to always send the option. |
Match Encoding |
Encoding used to evaluate the match condition. “Hex” supports all encapsulated and structured options generically via payload in hexadecimal byte pairs. |
Match Data |
Data to match against the selected DHCP option. |
Set DHCP option |
|
Set Code |
DHCP option to offer to the client. |
Set Encoding |
Choose the encoding type. “Hex” supports all encapsulated and structured options generically via payload in hexadecimal byte pairs. |
Set Data |
Payload to send to a client. |
Force |
Always send the option, also when the client does not ask for it in the parameter request list. |
Option |
Description |
|---|---|
Name |
Peer name, there should be one entry matching this machines “This server name” |
Role |
This peers role |
Url |
This specifies the URL of our server instance, which should use a different port than the control agent. For example http://my-host:8001/ |
Note
Define HA peers for this cluster. All nodes should contain the exact same definitions (usually two hosts, a primary and a standby host)
Configuration examples
DHCPv4 for medium/large HA setups
KEA DHCPs main strength is the ability to synchronize leases between multiple servers, which makes it ideal for medium to large HA setups (more than 1000 unique clients) where you cannot use Dnsmasq DHCP.
As example we configure a network with two KEA DHCP instances on a master and backup OPNsense.
To configure KEA with a minimal HA setup for LAN using the 192.168.1.0/24 network follow these steps:
- LAN Network:
CARP IPv4 address:
192.168.1.1/24Master IPv4 address:
192.168.1.2/24Backup IPv4 address:
192.168.1.3/24
Attention
All configuration must be done on the master, and afterwards synchronized to the backup via
Go to :
Option |
Value |
|---|---|
Enabled |
|
Bind address |
|
Bind port |
|
Press Apply then go to and follow through these tabs:
Option |
Value |
|---|---|
Service |
|
Enabled |
|
General settings |
|
Interfaces |
|
Firewall rules** |
|
High Availability |
|
Enabled |
|
This server name |
(It is highly recommended to use the offered default value) |
Press Apply and go to Subnets
Option |
Value |
|---|---|
Subnet |
|
Pools |
|
DHCP option data |
|
Auto collect option data |
(This must be unchecked for HA) |
Routers (gateway) |
|
DNS servers |
|
Press Save and go to HA Peers
First entry:
Option |
Value |
|---|---|
Name |
(Use the name that is displayed in the settings Tab for “This server name” on the master) |
Role |
|
URL |
|
Second entry:
Option |
Value |
|---|---|
Name |
(Use the name that is displayed in the settings Tab for “This server name” on the backup) |
Role |
|
URL |
|
Press Save and Apply
Now the initial configuration is finished, and we synchronize it with the backup server. Both servers will always share the exact same configuration.
Go to and ensure that KEA is selected in Services to synchronize.
Then go to and press Synchronize and reconfigure all.
Immediately afterwards, KEA will be active on both master and backup, and a bidirectional lease synchronization will be configured.
DHCP Options
Each subnet and reservation has an DHCP option data list available. If Auto collect option data is enabled, some DHCP options like router, DNS server and system domain are added automatically. Additional fields can be filled out with other common options.
In cases where more advanced DHCP options need to be sent, you can use the Options tab found in and .
When adding a new option, you can enter matching and setting parameters:
When matching a DHCP option, a client class with a test is created. The set option will only be sent to clients that pass the test.
When setting a DHCP option, the payload will be sent unconditionally if no match exists in the same input mask.
To send a created option, attach it to a reservation or subnet in their respective tabs with the available Options dropdown menu.
Combining both set and match enables you to create multiple options with the same code, but different payloads. A common example is matching based on client architecture and sending a specific boot file as payload:
Go to and follow through these tabs:
Create an option for BIOS boot:
Option |
Description |
|---|---|
Description |
|
Match DHCP option |
|
Match Code |
|
Match Encoding |
|
Match Data |
|
Set DHCP option |
|
Set Code |
|
Set Encoding |
|
Set Data |
|
Create an option for EFI boot:
Option |
Description |
|---|---|
Description |
|
Match DHCP option |
|
Match Code |
|
Match Encoding |
|
Match Data |
|
Set DHCP option |
|
Set Code |
|
Set Encoding |
|
Set Data |
|
Press Save and go to Subnets
Select an available subnet, and add the Options you created:
Option |
Value |
|---|---|
Options |
|
Press Save and Apply
With this configuration, any client that sends client-system [93] containing the value 0 will be provided with bootfile-name [67] and undionly.kpxe.
The same logic applies to the efi bootfile.
Note
Matching is optional, leave it empty to send the option out to any client in the subnet it is attached to.
Tip
Any option can be sent as user defined hex. This helps for structured and encapsulated options that may have multiple types or are binary blobs.
A common example is vendor specific [43], which is used for vendor specific information.
Just as with the bootfiles example, if you match client specific option codes, you can send out different vendor specific option codes in the same subnet.
Dynamic DNS (RFC2136)
KEA allows registering client FQDNs via dynamic DNS (RFC2136) to an authoritative DNS server.
Such an authoritative DNS server will be ISC BIND or an alternative like PowerDNS. Recursive DNS servers like Dnsmasq or Unbound are not able to fulfill this role.
When clients register their IP address, the DHCP server will receive a Client FQDN (DHCP option 81) that either contains a client hostname or an FQDN. In cases where clients only send a hostname, using the DNS qualifying suffix will construct an FQDN and force an update anyway.
Attention
The client is responsible to send the Dynamic DNS update request via DHCP option 81. Only with this payload, the hostname will be registered in a forward zone. Clients that do not send any hostname cannot be registered, the administrator must ensure all of their devices have unique hostnames configured.
As an example setup, we have configured a zone like this in ISC BIND. The example taken from the KEA DDNS documentation:
:
key "key.four.example.com." {
algorithm hmac-sha224;
secret "bZEG7Ow8OgAUPfLWV3aAUQ==";
};
:
To configure the forward zone for a DHCPv4 range, go to and select a subnet:
Option |
Value |
|---|---|
Subnet |
|
Pools |
|
DHCP option data |
|
Auto collect option data |
(This must be unchecked) |
Routers (gateway) |
|
DNS servers |
|
Domain name |
|
Dynamic DNS |
|
DNS forward zone |
|
DNS qualifying suffix |
|
DNS server |
|
TSIG key name |
|
TSIG key secret |
|
TSIG key algorithm |
|
Next, enable the KEA DDNS Agent. Go to :
Option |
Value |
|---|---|
Enabled |
|
Bind address |
|
Bind port |
|
After applying the configuration, the DHCP servers construct DDNS update requests, known as NameChangeRequests (NCRs), based on DHCP lease change events and then post them to the DDNS Agent. The DDNS Agent attempts to match each request to the appropriate DNS server and carries out the necessary conversation with those servers to update the DNS data.
Note
The TSIG key name must be unique per DNS forward zone. If you configure multiple subnets with an identical DNS forward zone, but different TSIG key names and TSIG key secrets, only the first one will be taken into account. Best practice would be creating one unique DNS forward zone per subnet, each with a unique TSIG key name.
Attention
Only subnets that have a DNS server configured will send DDNS updates.
Prefix Delegation (IA_PD)
Kea supports prefix delegation with static prefixes.
Attention
Dynamic prefixes common with most residential ISPs are not supported.
As an example setup, we will use unique local addresses (ULA) to lease an IA_NA address (/128 IPv6 address) and a IA_PD prefix (/56 IPv6 prefix) to a requesting client.
Prefix: fd80::/48
Go to and follow through these tabs:
Option |
Value |
|---|---|
Service |
|
Enabled |
|
General settings |
|
Interfaces |
|
Firewall rules |
|
For the IA_NA address pool, we take the first /52 prefix (fd80::/52) of the available /48 prefix (fd80::/48)
Option |
Value |
|---|---|
Subnet |
|
Pools |
|
For the IA_PD pool, we take the second /52 prefix (fd80:0:0:1000::/52), and lease up to 16 prefixes (fd80:0:0:1000::/56 - fd80:0:0:10F0::/56) to clients.
Option |
Value |
|---|---|
Subnet |
|
Prefix |
|
Prefix length |
|
Delegated length |
|
After applying the configuration, clients will receive a IA_NA address (e.g. fd80::100/128, fd80::101/128) and a IA_PD prefix (e.g. fd80:0:0:1000::/56, fd80:0:0:1010::/56).
Whenever a IA_PD lease is acknowledged, a route targeting the link local address (LLA) of the requesting DHCPv6 client will be automatically installed.
Since lease files are synchronized in high availability mode, the routes will also be installed and cleaned up on both peers.
Leases DHCPv4/v6
This page offers an overview of the (non static) leases being offered by KEA DHCPv4/v6.
Tip
There are action buttons to quickly register and find reservations.