Internet Systems Consortium DHCP Distribution
Version 4.4.3-P1
October 5, 2022
Release Notes
Please note that ISC DHCP is licensed under the Mozilla Public
License, MPL 2.0. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
the MPL 2.0 license terms.
NOTE: This software is now End-Of-Life. 4.4.3 is the final release planned.
We will continue to keep the public issue tracker and user mailing list open.
For information on how to install, configure, and run this software, as
well as how to find documentation and report bugs, please consult the
README file.
ISC DHCP uses the standard GNU configure command for installation. Please review the
output of `./configure --help` to see what options are available.
The system has only been tested on Linux and FreeBSD, and may not work on
other platforms. Please subscribe to the dhcp-users mailing list at
https://lists.isc.org/mailman/listinfo/dhcp-users and report any problems
and/or suggested fixes to dhcp-users@lists.isc.org.
ISC DHCP is open source software maintained by Internet Systems
Consortium. This product includes cryptographic software written
by Eric Young (eay@cryptsoft.com).
Changes since 4.4.3 (Bug Fixes)
! Corrected a reference count leak that occurs when the server builds
responses to leasequery packets. Thanks to VictorV of Cyber Kunlun
Lab for reporting the issue.
[Gitlab #253]
CVE: CVE-2022-2928
! Corrected a memory leak that occurs when unpacking a packet that has an
FQDN option (81) that contains a label with length greater than 63 bytes.
Thanks to VictorV of Cyber Kunlun Lab for reporting the issue.
[Gitlab #254]
CVE: CVE-2022-2929
Changes since 4.4.2-P1 (New Features)
- Two new OMAPI function calls were added, `dhcpctl_timed_connect()`
and `dhcpctl_timed_wait_for_completion()`. These provide timed
versions of creating a connection and waiting for an operation
to complete.
[GitLab #76]
- The BIND libraries have been updated to the latest version, 9.11.36. This fixes a number
of compilation issues on various systems, including OpenWRT. Thanks to
Philip Prindeville for testing on OpenWRT.
[GitLab #218, #171, #180, #192]
- Support was added for the new DHCPv4 option v6-only-preferred, specified
in RFC 8925. A new reason code, V6ONLY, was added to the client script
and the client Linux script sample was updated.
[GitLab #132]
Changes since 4.4.2-P1 (Bug Fixes)
- Minor corrections were made to allow compilation under gcc 10.
[GitLab #117]
- The logic in dhclient that causes it to decline DHCPv4 leases if the
client script exits abnormally (i.e. crashes) has been corrected.
[GitLab #123]
- The limit on the size of a lease file that can be loaded at startup
is now only enforced on 32-bit systems.
[GitLab #92]
- The PRNG initialization has been improved. It now uses the configure flag
`--with-randomdev=PATH`, which specifies the device from which to read the
initial seed. That is typically `/dev/random` (the default value) or
`/dev/urandom`, but may be specified otherwise on the local system. The old
behavior can be forced by disabling this feature (`--with-randomdev=no`).
If the initialization is disabled or reading from the random device fails,
the previous algorithm (retrieve the last four bytes of hardware addresses
from all network interfaces that have them, and use the current time and
process ID) is used.
[GitLab #197]
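The seeding policy described above (read the initial seed from the configured device, fall back to the old time/PID mix only when that fails) is easy to get wrong in the other direction, with the weak source used first. The following C code is an added example, not ISC DHCP's own code: it implements that policy with the device first and the fallback last. The fallback here mixes only the time and process ID; the hardware-address input the note mentions is left out as platform specific. `seed_from_device`, `fallback_seed`, `init_prng_seed` and the constructed nonexistent device path are assumptions.

```c
/* Added example, not ISC DHCP code: seed a PRNG from the configured random
 * device and fall back only if the device cannot be read, mirroring the
 * policy described for --with-randomdev. The fallback mixes only the time
 * and process ID; the hardware-address input the note mentions is omitted
 * as platform specific. Names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Read 4 bytes of seed from path. Returns 0 and fills *seed on success,
 * -1 if the device cannot be opened or yields too few bytes. */
int seed_from_device(const char *path, uint32_t *seed)
{
    FILE *f = fopen(path, "rb");
    uint32_t value;
    if (f == NULL) return -1;
    size_t got = fread(&value, 1, sizeof value, f);
    fclose(f);
    if (got != sizeof value) return -1;
    *seed = value;
    return 0;
}

/* Low-entropy fallback: only the time and PID vary between runs, so two
 * daemons started in the same second with nearby PIDs get related seeds.
 * That is why it is the last resort and not the default. */
uint32_t fallback_seed(time_t now, pid_t pid)
{
    return (uint32_t)now ^ ((uint32_t)pid << 16);
}

/* Apply the policy. Returns 1 if the device seeded the PRNG, 0 if the
 * fallback did (worth logging so operators notice a misconfigured path). */
int init_prng_seed(const char *randomdev, uint32_t *seed)
{
    if (randomdev != NULL && seed_from_device(randomdev, seed) == 0) {
        srand((unsigned)*seed);
        return 1;
    }
    *seed = fallback_seed(time(NULL), getpid());
    srand((unsigned)*seed);
    return 0;
}

/* Demo: a constructed path that does not exist forces the fallback; returns 0. */
int demo_missing_device(void)
{
    uint32_t seed;
    return init_prng_seed("/nonexistent/randomdev-example", &seed);
}

int main(void)
{
    uint32_t seed;
    int from_dev = init_prng_seed("/dev/urandom", &seed);
    printf("seed source: %s\n", from_dev ? "device" : "fallback (time/pid)");
    return 0;
}
```

The return value of `init_prng_seed` is the operationally useful part: a daemon that silently drops to the time/PID fallback because the configured device path is wrong is hard to notice later, so log which branch was taken.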
- A minor dhclient code fix was made to remove compilation warnings.
[GitLab #190]
- The hard-coded MD5 algorithm name was removed in OMAPI connection logic.
Previously, using any other algorithm via a key-algorithm statement would
allow OMAPI connections to be made, but subsequent actions such as updating
an object would fail.
[GitLab #148]
- The parallel build has been improved. Thanks to Sergei Trofimovich for
the patch. The parallel build is still experimental, as officially the
BIND 9 code does not support the parallel build for libraries.
[GitLab #91]
- Handling of LDAP options (`ldap-gssapi-principal` and `ldap-gssapi-keytab`)
has been improved. This is contributed code that has not been tested by ISC. Thank
you to Petr Mensik and Pavel Zhukov for the patches!
[GitLab !56,!75]
- It is now possible to use the `-g ipaddr` option in dhcrelay to replace the giaddr sent to
clients with the given ipaddr, to work around bogus clients like Solaris 11
grub which use giaddr instead of the announced router (3) to set up their
default route. Thanks to Jens Elkner for the patch!
[GitLab #223, !86, !92]
Changes since 4.4.2 (Bug Fixes)
- Corrected a buffer overwrite possible when parsing hexadecimal
literals with more than 1024 octets.
[Gitlab #182]
CVE: CVE-2021-25217
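The overwrite fixed above was triggered by a hexadecimal literal holding more octets than the fixed buffer receiving it. As an added example, not ISC DHCP's own parser, the following C code parses a colon-separated hex literal into a bounded buffer and checks capacity before every store, so the 1025th octet is refused rather than written past the end. The 1024-octet limit is taken from the note; `parse_hex_literal` and the demo functions are assumed names and the overlong literal is constructed.

```c
/* Added example, not ISC DHCP code: bounded parsing of a colon-separated
 * hexadecimal literal ("de:ad:be:ef"). The 1024-octet limit comes from the
 * release note; function names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEX_LITERAL_MAX_OCTETS 1024

/* Value of one hex digit, or -1 if c is not a hex digit (including '\0'). */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse text into out (capacity cap octets).
 * Returns the octet count on success, -1 on a syntax error, and -2 when the
 * literal holds more octets than cap. The capacity check runs before every
 * store, so an overlong literal is refused instead of overwriting memory. */
int parse_hex_literal(const char *text, uint8_t *out, size_t cap)
{
    size_t n = 0;
    const char *p = text;

    if (*p == '\0') return -1;
    for (;;) {
        int hi = hex_nibble(p[0]);
        int lo = (hi < 0) ? -1 : hex_nibble(p[1]);
        if (hi < 0 || lo < 0) return -1;      /* each octet is exactly two digits */
        if (n >= cap) return -2;               /* bound check before the write */
        out[n++] = (uint8_t)((hi << 4) | lo);
        p += 2;
        if (*p == '\0') return (int)n;
        if (*p != ':') return -1;
        p++;
        if (*p == '\0') return -1;             /* dangling trailing colon */
    }
}

/* Demo: a short valid literal; returns 4. */
int demo_short_literal(void)
{
    uint8_t buf[HEX_LITERAL_MAX_OCTETS];
    return parse_hex_literal("de:ad:be:ef", buf, sizeof buf);
}

/* Demo: malformed input (odd digit count); returns -1. */
int demo_bad_literal(void)
{
    uint8_t buf[HEX_LITERAL_MAX_OCTETS];
    return parse_hex_literal("de:a", buf, sizeof buf);
}

/* Demo: a constructed literal of 1025 octets, one past the limit; returns -2. */
int demo_overlong_literal(void)
{
    static char text[(HEX_LITERAL_MAX_OCTETS + 1) * 3];
    uint8_t buf[HEX_LITERAL_MAX_OCTETS];
    size_t len = 0;
    for (size_t i = 0; i <= HEX_LITERAL_MAX_OCTETS; i++)
        len += (size_t)sprintf(text + len, i ? ":%02x" : "%02x", (unsigned)(i & 0xff));
    return parse_hex_literal(text, buf, sizeof buf);
}

int main(void)
{
    printf("short=%d bad=%d overlong=%d\n", demo_short_literal(),
           demo_bad_literal(), demo_overlong_literal());
    return 0;
}
```

The design point is the order of the two checks inside the loop: syntax first, capacity second, and both before the store. A parser that counts octets only after the loop has already written them.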
Changes since 4.4.2b1 (Bug Fixes)
- Added a clarification on DHCPINFORMs and server authority to
dhcpd.conf.5
[Gitlab #37]
- Only emit lease scrubbing log messages when DEBUG_FAILOVER_MESSAGES
is defined.
[Gitlab #72]
- Added the interface name to socket initialization failure log messages.
Prior to this the log messages stated only the error reason without
stating the target interface.
[Gitlab #75]
- Corrected buffer pointer logic in dhcrelay functions that manipulate
agent relay options. Thanks to Thomas Imbert of MSRC Vulnerabilities
& Mitigations for reporting the issue.
[Gitlab #71]
- Corrected unresolved symbol errors building relay_unittests when
configured to build using libtool.
[Gitlab #80]
Changes since 4.4.1 (New Features)
- A new configuration parameter, ping-cltt-secs (v4 operation only), has
been added to allow the user to specify the number of seconds that must
elapse since CLTT before a ping check is conducted. Prior to this, the
value was hard coded at 60 seconds. Please see the server man pages for
a more detailed discussion.
[ISC-Bugs #36283]
- A new configuration parameter, ping-timeout-ms (v4 operation only),
has been added that allows the user to specify the amount of time
the server waits for a ping-check response in milliseconds rather
than in seconds (via ping-timeout). When greater than zero, the value
of ping-timeout-ms will override the value of ping-timeout. Thanks
to Jay Doran from Bluecat Networks for suggesting this feature.
[Gitlab #10]
- An experimental tool called Keama (KEA Migration Assistant), which helps
translate ISC DHCP configurations to Kea configurations, is now included
in the distribution.
[Gitlab #34]
Changes since 4.4.1 (Bug Fixes)
- Corrected a misuse of the BIND9 DDNS API which caused DDNS updates to be
carried out over TCP rather than UDP. The coding error was exposed by
migration to BIND9 9.11. Thanks to Jinmei Tatuya at Infoblox for
reporting the issue.
[ISC-Bugs #47757]
- Bind9 now defaults to requiring python to build. The Makefile for
building Bind9 when bundled with ISC DHCP was modified to turn off
this dependency.
[Gitlab #3]
- Corrected a dual-stack mixed-mode issue that occurs when both
ddns-guard-id-must-match and ddns-other-guard-is-dynamic
are enabled and that caused the server to incorrectly interpret
the presence of a guard record belonging to another client as
a case of no guard record at all. Thanks to Fernando Soto
from BlueCat Networks for reporting this issue.
[Gitlab #1]
- Corrected a compilation issue that occurred when building without DNS
update ability (e.g. by undefining NSUPDATE).
[Gitlab #16]
- Corrected an issue that was causing the server, when running in
DHCPv4 mode, to segfault when class lease limits are reached.
Thanks to Peter Nagy at Porion-Digital for reporting the matter
and submitting a patch.
[Gitlab #13]
- Made minor changes to eliminate warnings when compiled with GCC 9.
Thanks to Brett Neumeier for bringing the matter to our attention.
[Gitlab #15]
- Fixed potential memory leaks in parser error message generation
spotted by Coverity, CIDs: 1448191, 1448193, 1448194, 1448195
[Gitlab #30]
- Updated URL of IEEE oui.txt in contrib/dhcp-lease-list.pl. Thanks
to Tommy Smith for contributing the patch.
[Gitlab #26]
- Fixed define flags when using SO_BINDTODEVICE. Thanks to Joe LeVeque for
reporting the issue.
[GitLab #19]
- Applied a patch from OpenBSD to always set the scope id of outbound
DHCPv6 packets. Note this change only applies when compiling under
OpenBSD. Thanks to Brad Smith at OpenBSD for bringing it to our
attention.
[Gitlab #33]
- Modified dhclient to not discard config file leases that are
duplicates of server-provided leases and to retain such leases
after they have been used as the fallback active lease and
DHCP service has been restored. This allows them to be used
more than once during the lifetime of a dhclient instance.
This applies to DHCPv4 operation only.
[Gitlab #9]
- Corrected a number of reference counter and zero-length buffer leaks.
Thanks to Christopher Ertl of MSRC Vulnerabilities & Mitigations for
pointing them out.
[Gitlab #57]
- Closed a small window of time between the installation of graceful
shutdown signal handlers and application context startup, during which
the receipt of shutdown signal would cause a REQUIRE() assertion to
occur. Note this issue is only visible when compiling with
ENABLE_GENTLE_SHUTDOWN defined.
[Gitlab #53]
- Corrected a buffer overflow that can occur when retrieving zone
names that are more than 255 characters in length.
[Gitlab #20]
- The "d" domain name option format was incorrectly handled as text
instead of RFC 1035 wire format. Thanks to Jay Doran at BlueCat Networks
for reporting this issue.
[Gitlab #2]
- Improved the error message issued when a host declaration has both
a uid and a dhcp-client-identifier. Server configuration parsing will
now fail if a host declaration specifies more than one uid.
[Gitlab #7]
- Updated developer's documentation on building and running unit tests.
Removed support for --with-atf=bind as BIND9 no longer bundles in ATF
source.
[Gitlab #35]
- Fixed a syntax error in ldap.c which cropped up under Ubuntu
18.04.1/gcc 7.4.0. Thanks to Charles Hedrick for pointing it out.
[Gitlab #51]
- Added clarification to dhcp-options.5 section on ip-address values
describing the first-use DNS resolution of options with hostnames as
values (e.g. next-server).
[Gitlab #28]
- The option format for the server option omapi-key was changed to a
format type 'k' (key name); while server options ldap-port and
ldap-init-retry were changed to 'L' (unsigned 32-bit integer). These
three options were inadvertently broken when the 'd' format content
was changed to comply with RFC 1035 wire format (see Gitlab #2).
[Gitlab #68]
Changes since 4.4.0 (New Features)
- none
Changes since 4.4.0 (Bug Fixes)
- A delayed-ack value of 0 (the default) now correctly disables the delayed-ack
feature. A change in 4.4.0 prevented lease updates marking leases active
from being written to the lease file when delayed-ack is 0. This in turn
caused servers to lose active lease assignments upon restart.
[ISC-Bugs #47141]
! Option reference count was not correctly decremented in error path
when parsing buffer for options. Reported by Felix Wilhelm, Google
Security Team.
[ISC-Bugs #47140]
CVE: CVE-2018-5733
! Corrected an issue where large sized 'X/x' format options were causing
option handling logic to overwrite memory when expanding them to human
readable form. Reported by Felix Wilhelm, Google Security Team.
[ISC-Bugs #47139]
CVE: CVE-2018-5732
- Added use of new Bind9 compatibility header files, that are now necessary
to supply type definitions for primitive data types, removed from Bind9
proper. Altered util/bind.sh to pull from Bind9 repo on gitlab.
[ISC-Bugs #48072]
[ISC-Bugs #48071]
Changes since 4.4.0b1 (New Features)
- Duplicate address detection when binding to a new IPv6 address was added
to the following dhclient scripts: linux, freebsd, netbsd, openbsd, and macos.
The scripts will check for DAD errors after binding to a new IPv6 address
for at most --dad-wait-time seconds. If a DAD error is detected the script
will exit with a value of 3, instructing dhclient to decline the address. If
dad-wait-time is zero (the default), DAD error checking is not performed.
[ISC-Bugs 46805]
- Support for sending and receiving additional DHCP4 options has been added
to both the dhcpd and dhclient. Specifically: option codes 93, 94, and 97
(RFC 4578); code 150 (RFC 5859); and codes 209, 219, and 211 (RFC 5071).
Beyond configuring, sending, requesting, and receiving these options neither
server nor client apply any additional logic based on their values.
Thanks to Peter Lewis for requesting this change.
[ISC-Bugs 47062]
Changes since 4.4.0b1 (Bug Fixes)
- Added clarifying text to dhcpd.conf.5 explaining the class match expressions
cannot rely on the results of executable statements.
[ISC-Bugs #45451]
- Fixed a bug which causes dhcpd and dhclient to crash on certain
systems when given relative path names for lease or pid files on
the command line. Affected systems are those on which the C library
function, realpath() does not support a second parameter value of
NULL (see manpages for realpath(3)).
[ISC-Bugs #46957]
- Fixed a build issue when building with embedded BIND9 under OpenBSD that
was causing BIND9 build to not generate dns/enumclass.h and dns/enumtype.h.
[ISC-Bugs #46971]
- Added <dhcp>/m4/README to the distribution tarball. Some versions of
ac_local() treat the absence of the m4 subdirectory as error rather than
warning. This was causing the call to autoreconf, necessary for building
with libtool, to fail.
[ISC-Bugs #47075]
Changes since 4.4.0a1 (New Features)
- Added experimental support for relay port (draft-ietf-dhc-relay-port-10.txt)
feature for DHCPv4, DHCPv6 and DHCPv4-over-DHCPv6. Relay port has to be
enabled at compile time via --enable-relay-port and is fully backward
compatible (i.e. works with previous implementations of servers and relays
using the standard ports). A new --rp <relay-port> command line option
specifies to dhcrelay an alternate source port for upstream (i.e. toward
the server) messages. Thanks to Naiming Shen and Enke Chen of Cisco
systems for submitting these patches.
[ISC-Bugs #44535]
- Added --release-on-roam to dhcpd server. When enabled and the server detects
that a DHCPv6 client (IAID+DUID) has roamed to a new network, it will release
the pre-existing leases on the old network and emit a log statement similar
to the following:
"Client: <id> roamed to new network, releasing lease: <address>"
The server will carry out all of the same steps that would normally occur
when a client explicitly releases a lease. When release-on-roam is disabled
(the default) the server maintains the prior behavior of making such leases
unavailable until they expire or the server is restarted. Clients that need
leases in multiple networks must supply a unique IAID in each IA. This
parameter may only be specified at the global level. Thanks to Fernando Soto
from BlueCat Networks for suggesting this change.
[ISC-Bugs #44576]
[ISC-Bugs #46849]
- Support for delayed-ack is now compiled in by default. Prior to this
it had to be enabled at compile time via --enable-delayed-acks. The
default value for delayed-ack, however, has been changed from 28 to 0
(i.e. disabled). This was done to minimize the impact on users not
currently using the feature. Please note that the delayed-ack feature
is not currently compatible with support for DHCPv4-over-DHCPv6 so
when a 4to6 port command line argument enables this in the server the
delayed-ack value is reset to 0.
[ISC-Bugs #42446]
- The server (-6) now honors the parameter, update-static-leases, for static
(fixed-address6) DHCPv6 leases. It is worth noting that because stateful
data is not retained by the server for static leases, each time a client
requests or renews a static lease, the server will perform DDNS updates for
it. This may have significant performance implications for environments
with many clients that request or renew static leases often. Similarly,
the DNS entries will not be removed by the server when a client issues a RELEASE
nor if the lease is deleted from the configuration. In such cases the DNS
entries must be removed manually. This feature is disabled by default.
Thanks to both Bill Shirley and dgutier-at-cern-dot-ch for requesting
this change.
[ISC-Bugs #34097]
[ISC-Bugs #41054]
[ISC-Bugs #41450]
- Added to the server (-6) a new statement, local-address6, which specifies
the source address of packets sent by the server. An additional flag,
bind-local-address6, disabled by default, binds the service socket to
to local-address6. Note that bind-local-address does not work with direct
clients: a relay has to forward packets to the server using the
local-address6 destination.
[ISC-Bugs #46084]
Changes since 4.4.0a1 (Bugs)
- The server now recognizes environment variables PATH_DHCPD_DB and
PATH_DHCPD_PID. These had been incorrectly compiled out of the code
unless DHCPv6 support was disabled. Additionally, the server man
pages were corrected to accurately reflect how the server chooses
file names (see lease-file-name and pid-file-name statements). Thanks
to Fernando Soto at Bluecat Networks for bringing this matter to our
attention.
[ISC-Bugs #46859]
- Removed an "Impossible condition" error upon exit in the dhcpd server that
has been shut down via OMAPI. This condition was only apparent under Solaris
when building with --enable-use-sockets and --enable-ipv4-pktinfo.
[ISC-Bugs #36118]
- Corrected some minor Coverity issues: CID 1426059, 1426058, and 1426057.
[ISC-Bugs #46836]
- Added missing text to dhclient.8 and expanded release note coverage
for --address-prefix-len changes.
Changes since 4.3.6 (New Features)
- Added --enable-bind-install to install embedded bind includes and
libraries. Default is to not install them (it was the previous
behavior). If you'd like to change the includedir and/or libdir
installation directories to something different than for ISC DHCP
you must pass them using the --with-bind-extra-config configuration
arguments.
[ISC-Bugs #39318]
- Added support of dynamic shared libraries with libtool. A new
--enable-libtool configuration parameter is available but
should not be used directly: *please* read the build configuration
section in the README file for the recommended procedure.
[ISC-Bugs #29402]
- IPv6 operation now supports an EUI-64 based address allocation which will
calculate addresses for clients with EUI-64 DUIDs based on those DUIDs when
enabled by setting use-eui-64 true. The parameter may be defined down to the
pool scope. Note this feature must be compiled in by defining EUI_64 in
includes/site.h. This flag is undefined by default.
[ISC-Bugs #43927]
- The directory includes/isc-dhcp and its only occupant, dst.h, have
been removed from the source tree. They are obsolete for branches
other than v4_1_esv.
[ISC-bugs #45541]
- Replaced ISC licensing with Mozilla Public License, MPL 2.0 licensing
throughout. Please see https://www.mozilla.org/en-US/MPL/2.0/ to read
the MPL 2.0 license terms.
[ISC-Bugs #45541]
- Load balancing for failover peers can now be disabled by setting
"load balance max secs" to 0. Doing so for both peers means both
servers will respond to all DHCPDISCOVERs or DHCPREQUESTs as soon as
they are received.
[ISC-Bugs #39669]
- Added a new dhclient command line parameter, --prefix-len-hint <length>.
When used in conjunction with -P, it directs dhclient to use the given
length as the prefix length hint when requesting prefixes. Thanks to both
Indy, of the FireballISO open source project and H. Peter Anvin for
suggesting this change.
[ISC-Bugs #43792]
[ISC-Bugs #35112]
[ISC-Bugs #32228]
[ISC-Bugs #29470]
- dhclient will now wait for 10 seconds after declining an IPv4 address
before issuing a discover. This is in keeping with RFC 2131, section 3.1.5.
Prior to this dhclient did not wait at all. The amount of time dhclient
waits can be specified via a new command line parameter:
--decline-wait-time <seconds>. A value of zero equates to no wait at all.
Thanks to Pavel Kankovsky for bringing this matter to our attention.
**NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.
[ISC-Bugs #45457]
- dhclient will now include the lease address when logging DHCPOFFERs,
DHCPREQUESTs, DHCPACKs, DHCPRELEASEs, and DHCPDECLINEs. Additionally,
DHCPOFFERs will be logged before their corresponding DHCPREQUESTs are
sent and logged.
[ISC-Bugs #2729]
- When given the -T command line argument, in addition to reading the
current lease file, the server will write the leases to a temporary
lease file. This can help detect issues in server configuration that
only surface when leases are written to the file. The current lease
file will not be modified and the temporary lease file is removed upon
completion of the test.
[ISC-Bugs #22267]
- dhclient will now generate a DHCPv6 DECLINE message containing all IA_NA
addresses for which the client script indicates a DAD failure. After
receiving the DECLINE reply, dhclient will restart the solicit process.
Note, the client script must exit with a value of 3 to signify that the
address failed DAD. Thanks to Jiri Popelka of Red Hat for submitting the
patch that was the foundation for this change.
**NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.
[ISC-Bugs #21237]
[ISC-Bugs #23357]
[ISC-Bugs #36966]
- Replaced compilation option, enable-secs-byteorder, with a run-time, server
configuration parameter, check-secs-byte-order. When enabled, the
server will check for clients that do the byte ordering on the secs field
incorrectly. This field should be in network byte order but some clients
get it wrong. When this parameter is enabled the server will examine the
secs field and if it looks wrong (high byte non zero and low byte zero) swap
the bytes. The default is disabled. This parameter is only useful when
doing load balancing within failover.
[ISC-Bugs #45364]
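The check-secs-byte-order heuristic above is small enough to show in full. The following C code is an added example, not ISC DHCP's implementation: it applies the note's rule (high byte non-zero, low byte zero means swap) to the secs field after conversion to host order, and only when the parameter is enabled. `effective_secs`, `looks_byte_swapped` and `swap16` are assumed names.

```c
/* Added example, not ISC DHCP code: the check-secs-byte-order heuristic
 * from the release note, applied to the DHCPv4 'secs' field after ntohs().
 * A client that wrote the field in the wrong byte order makes a small value
 * such as 5 arrive as 0x0500; the heuristic swaps it back. Names are
 * assumptions. */
#include <stdint.h>
#include <stdio.h>

/* The note's rule: high byte non-zero and low byte zero "looks wrong". */
int looks_byte_swapped(uint16_t secs)
{
    return (secs & 0xFF00) != 0 && (secs & 0x00FF) == 0;
}

uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* Returns the secs value the server should act on. With the parameter
 * disabled (the default) the wire value is used unchanged. */
uint16_t effective_secs(uint16_t secs_host_order, int check_secs_byte_order)
{
    if (check_secs_byte_order && looks_byte_swapped(secs_host_order))
        return swap16(secs_host_order);
    return secs_host_order;
}

int main(void)
{
    /* Constructed samples: a byte-swapped 5, a correct 5, and a correct 258. */
    printf("0x0500 -> %u, 5 -> %u, 0x0102 -> %u\n",
           effective_secs(0x0500, 1), effective_secs(5, 1), effective_secs(0x0102, 1));
    return 0;
}
```

The heuristic has a known blind spot: a correctly encoded secs that happens to be a multiple of 256 (0x0100 = 256 seconds) also matches the rule and is swapped to 1. That is consistent with the note's advice that the parameter is off by default and only useful for failover load balancing, where an occasional misread secs costs little.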
- The default value for server (-6) parameter, prefix-length-mode, has been
changed from "exact" to "prefer". In "prefer" mode the server will offer
the first available prefix with the same length as that requested by the
client. If none are found then it will offer the first available prefix of
any length. This is more in line with RFC 8168 and should improve
the out-of-the-box user experience.
**NOTE: THIS IS A CHANGE IN DEFAULT BEHAVIOR.
[ISC-Bugs #45615]
- Added support for 'dhcp-cache-threshold' to IPv6 operation: If a client
renews before 'dhcp-cache-threshold' percent of its lease has elapsed
(default 25%), the server will reuse the allocated lease (provide a
lease within the currently allocated lease-time) rather than extend or
renew the lease. This allows the server to reply without needlessly
writing leases to disk. The preferred and valid lease lifetimes
sent to the client will be reduced by the age of the lease. The option
may be specified down to the pool level and is supported for all three
pool types: NA, TA, and PD.
[ISC-Bugs #45292]
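The dhcp-cache-threshold rule above has two parts that are easy to get wrong: the reuse decision is made against the percentage of the *valid* lifetime that has elapsed, and the lifetimes handed back are the original ones reduced by the lease age, not the full values. The following C code is an added example, not ISC DHCP's code, that carries the decision through on a constructed lease; the struct names, `cache_threshold_reply` and `demo_reply` are assumptions.

```c
/* Added example, not ISC DHCP code: the dhcp-cache-threshold decision for
 * a DHCPv6 lease as the release note describes it. If the client renews
 * before threshold percent of the lease has elapsed, the existing
 * allocation is reused (no lease-file write) and the lifetimes returned
 * are reduced by the lease age; otherwise the lease is renewed in full.
 * Names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

struct v6_lease {
    time_t   start;      /* when the current allocation began */
    uint32_t preferred;  /* preferred lifetime in seconds */
    uint32_t valid;      /* valid lifetime in seconds */
};

struct v6_reply {
    int      reused;     /* 1: reused without a write; 0: renewed */
    uint32_t preferred;  /* lifetimes to send to the client */
    uint32_t valid;
};

struct v6_reply cache_threshold_reply(const struct v6_lease *l, time_t now,
                                      unsigned threshold_pct)
{
    struct v6_reply r = { 0, l->preferred, l->valid };

    /* Threshold 0 disables the feature; a clock that went backwards also renews. */
    if (threshold_pct == 0 || now < l->start)
        return r;

    uint64_t age   = (uint64_t)(now - l->start);
    uint64_t limit = ((uint64_t)l->valid * threshold_pct) / 100;

    /* Reuse only while the lease is young enough AND both reduced
     * lifetimes stay positive; otherwise the client would be handed a
     * preferred lifetime of zero or less. */
    if (age < limit && age < l->preferred) {
        r.reused    = 1;
        r.preferred = (uint32_t)(l->preferred - age);
        r.valid     = (uint32_t)(l->valid - age);
    }
    return r;
}

/* Demo on a constructed lease: allocated at t=0, preferred 600 s, valid
 * 1000 s, default threshold 25% (so reuse while age < 250 s). */
struct v6_reply demo_reply(time_t now)
{
    static const struct v6_lease lease = { 0, 600, 1000 };
    return cache_threshold_reply(&lease, now, 25);
}

int main(void)
{
    struct v6_reply early = demo_reply(100), late = demo_reply(300);
    printf("t=100: reused=%d preferred=%u valid=%u\n", early.reused, early.preferred, early.valid);
    printf("t=300: reused=%d preferred=%u valid=%u\n", late.reused, late.preferred, late.valid);
    return 0;
}
```

The reply at t=100 is reused with 500/900 second lifetimes, at t=300 the lease is renewed with the full 600/1000. The extra `age < preferred` guard covers the case the note does not spell out: a preferred lifetime much shorter than the valid one can be exhausted before the threshold is.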
- Added three new server configuration parameters which influence DDNS:
1. ddns-dual-stack-mixed-mode - alters DNS conflict resolution behavior
to mitigate issues with non-compliant clients in dual stack environments.
2. ddns-guard-id-must-match - relaxes the DHCID RR client id matching
requirement of DNS conflict resolution.
3. ddns-other-guard-is-dynamic - alters dual-stack-mixed-mode behavior to
allow unguarded DNS entries to be overwritten in certain cases.
[ISC-Bugs #42620]
[ISC-Bugs #42621]
[ISC-Bugs #44753]
- A "key-algorithm <algorithm>" statement has been added to omshell to
allow the specification of the key algorithm to use during transaction
authentication. Prior to this it was hard-coded to be hmac-md5. It now
supports all of the same algorithms as the dhcpd server: hmac-md5 (the
default), hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512.
[ISC-Bugs #46771]
- Added a server configuration parameter, persist-eui-64-leases, which
determines whether or not EUI-64 based leases are written to the
leases file. Default is true.
[ISC-Bugs #45046]
- Changed the default value of the prefix length passed by dhclient into the
client script for each IPv6 address from 64 to 128. This was done to comply
with RFC3315bis draft (-09, page 64) and RFC5942, Section 4, point 1.
In addition, dhclient now supports a command line argument,
--address-prefix-len, which may be used to override the default value.
**WARNING**: This change may not be backwardly compatible with your
environment. If you are operating without a router, such as between VMs on
a host, you may find they cannot see each other with a prefix length of 128. In
such cases, you'll need to either provide routing or use the command line
parameter to set the value to 64. Alternatively you may change the default
at compile time by setting DHCLIENT_DEFAULT_PREFIX_LEN in includes/site.h.
[ISC-Bugs #23252]
[ISC-Bugs #37221]
- Modified dhclient (-6) to bypass sending a confirm (INIT REBOOT) when it has
only expired address associations. Thanks to Jiri Popelka at Red Hat for
raising the issue and submitting the patch.
[ISC-Bugs #22675]
Changes since 4.3.6 (Bugs):
- Corrected an issue where the server would return a client's previously
released prefix lease even when the client provides a prefix length
hint that does not match the prior lease. Now the server will only
return the previous lease if it exactly matches the hint. If not
it will attempt to allocate a new prefix based on the hint and the
prefix-length-mode. Thanks to Tim DeNike - Lightspeed Communications
for pointing out the error of our ways.
[ISC-bugs #45780]
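The fix above and the prefix-length-mode default change in the 4.3.6 "New Features" section describe one selection procedure between them: a client's previously released prefix is handed back only when its length exactly matches the hint; otherwise the mode decides, "exact" allocating only a prefix of the hinted length and "prefer" taking that length first and then the first free prefix of any length. The following C code is an added example, not ISC DHCP's allocator, that implements exactly those rules over a constructed pool of free prefix lengths; the enum, `select_prefix` and `pool` are assumed names.

```c
/* Added example, not ISC DHCP code: prefix selection for a DHCPv6 PD
 * request combining two rules from the release notes. A prior prefix is
 * returned only when its length equals the hint; otherwise
 * prefix-length-mode decides ("exact": only the hinted length, "prefer":
 * hinted length first, else the first free prefix of any length).
 * Types and names are assumptions; the pool is constructed. */
#include <stdio.h>

enum prefix_length_mode { PLM_EXACT, PLM_PREFER };

/* hint: prefix length requested by the client.
 * prior_len: length of the client's previously released prefix, 0 if none.
 * avail/n: lengths of free prefixes in allocation order.
 * Returns -2 to reuse the prior prefix, an index into avail[] to allocate,
 * or -1 when nothing suitable is free. */
int select_prefix(enum prefix_length_mode mode, int hint, int prior_len,
                  const int *avail, int n)
{
    /* Rule from the fix above: the prior lease only if it matches exactly. */
    if (prior_len != 0 && prior_len == hint)
        return -2;

    /* Both modes try the hinted length first. */
    for (int i = 0; i < n; i++)
        if (avail[i] == hint)
            return i;

    /* Only "prefer" falls back to the first free prefix of any length. */
    if (mode == PLM_PREFER && n > 0)
        return 0;
    return -1;
}

/* Constructed pool: free prefixes of lengths /56, /60 and /64. */
static const int pool[] = { 56, 60, 64 };
static const int pool_n = 3;

int main(void)
{
    printf("exact  hint 60 -> %d\n", select_prefix(PLM_EXACT,  60, 0,  pool, pool_n));
    printf("exact  hint 48 -> %d\n", select_prefix(PLM_EXACT,  48, 0,  pool, pool_n));
    printf("prefer hint 48 -> %d\n", select_prefix(PLM_PREFER, 48, 0,  pool, pool_n));
    printf("prefer hint 48, prior /48 -> %d\n", select_prefix(PLM_PREFER, 48, 48, pool, pool_n));
    printf("prefer hint 48, prior /60 -> %d\n", select_prefix(PLM_PREFER, 48, 60, pool, pool_n));
    return 0;
}
```

The last two calls show the corrected behaviour: a prior /48 is reused for a /48 hint, but a prior /60 is not handed back for a /48 hint and the allocation goes through the mode logic instead.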
- Added explicit include of BIND9 isc/util.h to adapt to revisions
in BIND9 (see BIND9 ticket #46311). Prior to this the build was failing
with implicit function declarations errors for POST() and INSIST().
[ISC-bugs #46332]
- Added code to ignore an empty IPv4 host name option (code 12). While RFC 2132
states the option cannot be empty, some clients are apparently capable of
sending it. Prior to this the server was attempting to use it and store it
in the lease file causing issues with DDNS and so forth.
[ISC-bugs #43786]
- Corrected dhclient command line parsing for --dad-wait-time that causes
even valid values to fail as invalid on some environments.
[ISC-Bugs #46535]
- Replaced iasubopt::heap_index with separate values for active and inactive
heaps: iasubopt::active_index and iasubopt::inactive_index. This was done
to accommodate a change in behavior in BIND9 isc_heap_delete().
[ISC-bugs #46719]
! Plugged a socket descriptor leak in OMAPI, that can occur when there is
data pending to be written to an OMAPI connection, when the connection
is closed by the reader. Thanks to Pavel Zhukov at RedHat for bringing
this issue to our attention and whose patch helped guide us in the right
direction.
[ISC-Bugs #46767]
- The ability of the server to send back dhcp6.vendor-opts values has been
restored. A change in 4.3.5 (see #29246) which enabled it to send back the
FQDN option unfortunately broke its ability send back dhcp6.vendor-opts.
Thanks to Sumant Gupta (sumantgupta at gmail dot com) of Landis+Gyr for
bringing this issue to our attention.
[ISC-Bugs #46427]
Changes since 4.3.6b1
- None
Changes since 4.3.5
- The server now allows the client identifier (option 61) to own leases
in more than one subnet concurrently. Prior to this the server would
incorrectly release an existing lease in one subnet prior to assigning
a lease in another subnet. Note that the prior behavior can still be
be achieved by enabling one-lease-per-client. Thanks to both David Zych at
the University of Illinois and Norm Proffitt of Infoblox for reporting
the issue; and Norm for suggesting a solution.
[ISC-Bugs #41358]
- When replying to a DHCPINFORM, the server will now include options specified
at the pool scope, provided the ciaddr field of the DHCPINFORM is populated.
Prior to this the server only evaluated options down to the subnet scope.
Thanks to Fernando Soto at BlueCat Networks for reporting the issue.
[ISC-Bugs #43219]
[ISC-Bugs #45051]
- When memory allocation fails repeatedly, the process writes
  "Run out of memory." to standard error and exits with status 1.
[ISC-Bugs #32744]
- The new lmdb (Lightning Memory DataBase) bind9 configure option is
  now disabled by default so that the presence of this library is not
  detected, which could lead to a link failure.
[ISC-Bugs #45069]
- The Linux interface discovery code has been modified to use getifaddrs()
  as is done for BSD and OS X. Prior to this the code would only recognize
  the first address on an interface and thereby omit VLANs.
  Thanks to Jiri Popelka at Red Hat, Marius Tomaschewski at SUSE, and Wei
  Kong at Novell, who all submitted patches.
[ISC-Bugs #28761]
[ISC-Bugs #31992]
[ISC-Bugs #25428]
[ISC-Bugs #31940]
[ISC-Bugs #32935]
- Fixed a bug in OMAPI that caused omshell to crash when a name-value
  pair with a zero length value is shipped in an object. Thanks to
  Fernando Soto at BlueCat Networks for reporting the issue and
  supplying the patch.
[ISC-Bugs #29108]
- On 64-bit platforms, dhclient now generates the correct value for the
  script environment variable "expiry" when the lease expiry value exceeds
  0x7FFFFFFF. Prior to this such values would produce negative values
  for expiry in the script environment.
[ISC-Bugs #43326]
- Common timer logic was modified to cap the maximum timeout values at
0x7FFFFFFF - 1. Values larger than that were causing fatal timer out of
range errors on 64-bit platforms. Thanks to Jiri Popelka at Red Hat for
reporting the issue.
[ISC-Bugs #28038]
- DHCP6 FQDN option unpacking code now correctly handles values that contain
  spaces, special characters, or non-printable characters. Prior to this the
  buffer size needed was underestimated, causing a conversion error message to
  be logged and DNS updates to be skipped. Thanks to Fernando Soto at
  BlueCat Networks for bringing the matter to our attention.
[ISC-Bugs #43592]
- When running in -6 mode, dhclient can enforce the require option statement
and will discard offered leases that do not contain all the required
options specified in the client configuration. If not enabled the client
will still consider such leases. This must be enabled at compile time
(see ENFORCE_DHCPV6_CLIENT_REQUIRE in includes/site.h). Thanks to
Mritunjaykumar Dubey at Nokia for reporting the issue.
[ISC-Bugs #41473]
- Altered DHCPv4 lease time calculation to avoid roll over errors on 64-bit
  operating systems when using -1 or large values for default-lease-time.
  Values that would roll over are replaced with 0x7FFFFFFF - 1. This
  alleviates unintentionally short expiration times being handed out when
  infinite lease times (-1) are used in conjunction with failover. Our thanks
  to Alessandro Gherardi for bringing the issue to our attention.
[ISC-Bugs #41976]
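The expiry-time arithmetic behind the three 64-bit items above (the negative "expiry" script variable, the timer cap, and the lease time rollover) as a constructed C example that is not code from the ISC DHCP tree. It assumes hypothetical names: a 64-bit time_t build, -1 meaning "infinite", and 0x7FFFFFFF as the largest value the 32-bit lease-file and timer code can carry.

```c
/* Constructed example, not ISC DHCP's own code: the naive lease-expiry sum
 * beside the capped one the release notes describe. */
#include <stdint.h>

#define TIME_MAX_32    ((int64_t)0x7FFFFFFF)   /* largest 32-bit signed time */
#define INFINITE_LEASE (-1)                    /* default-lease-time -1 */

/* Naive computation: the 64-bit sum is stored back into a 32-bit slot, so
 * an "infinite" or very large lease wraps to a small or negative value. */
static int32_t naive_expiry(int64_t now, int64_t lease_time)
{
    return (int32_t)(uint32_t)(now + lease_time);   /* truncation happens here */
}

/* Capped computation: never produce an expiry above 0x7FFFFFFF - 1, whether
 * the lease is infinite or merely large enough to overflow the 32-bit range. */
static int64_t capped_expiry(int64_t now, int64_t lease_time)
{
    if (lease_time == INFINITE_LEASE || lease_time > TIME_MAX_32 - 1 - now)
        return TIME_MAX_32 - 1;
    return now + lease_time;
}

/* Seconds the client would be told it has left, relative to "now".
 * A negative result is the "unintentionally short" lease from the note. */
static int64_t remaining(int64_t expiry, int64_t now)
{
    return expiry - now;
}
```

With now = 1500000000 and an infinite lease, the naive form yields an expiry one second in the past while the capped form yields 0x7FFFFFFE.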
- Added new compile time option --with-srv-conf-file which specifies a
default location of the server configuration file.
[ISC-Bugs #44765]
- Added --dad-wait-time parameter to dhclient. It specifies the maximum time,
in seconds, that the client process should wait for the duplicate address
detection to complete before initiating DHCP requests. This value is
propagated to the dhclient script and the script is responsible for waiting
the specified amount of time or until DAD has completed. If the script does
not support it, specifying this parameter has no effect. The default value
is 0 which specifies that the script should not wait for DAD. With this
change the following scripts have been modified to support the new parameter:
freebsd, linux, macos, netbsd, openbsd.
[ISC-Bugs #36169]
- The server now checks both the address and length of a prefix delegation
  when attempting to match it to a prefix pool. This ensures the server
  responds properly when pool configurations change such that once valid,
  "in-pool" delegations are now treated as being invalid. During lease
  file loading at startup, the server will discard any PD leases that
  are deemed "out-of-pool" either by address or mismatched prefix length.
  Clients seeking to renew or rebind such leases will get a response of
  No Binding in the case of the former, and the prefix delegation with
  lifetimes set to zero in the case of the latter. Thanks to Mark Nejedlo
  at TDS Telecom for reporting this issue.
[ISC-Bugs #35378]
- Modified DDNS support initialization such that DNS related ports will only be
  opened by the server (dhcpd) at startup if ddns-update-style is not "none";
  by dhclient only if and when it first attempts an update; and never by
  dhcrelay. Prior to this all three always did the initialization at startup,
  which caused them to always open and listen for traffic on two random
  ports. Thanks to Rodney Beede for reporting this issue.
[ISC-Bugs #45290]
[ISC-Bugs #33377]
- Added error logging to two memory allocation failure checks. Thanks to Bill
Parker (wp02855 at gmail dot com) for reporting the issue.
[ISC-Bugs #41185]
- Corrected a dhclient -6 issue that caused the client to crash with an
"Impossible condition" error after de-preferencing its only IA binding.
The crash occurred when server configuration changes rendered the existing
binding out-of-range and no other leases were available to offer. Thanks
to Pierre Clerissi for bringing this issue to our attention.
[ISC-Bugs #44373]
- By defining CALL_SCRIPT_ON_ONETRY_FAIL in includes/site.h, dhclient will
  now call the script with reason set to FAIL when run with -1 (one try) and
  there are no server responses. This applies to IPv4 mode only. Thanks to
  Martin Pitt for a patch, which reached us via Andrew Pollock.
[ISC-bugs #18183]
- The server now detects failover peers that are not referenced in at least
  one pool when run with the command line option for test mode, -T. Prior to
  this the check was performed too far downstream to be detected in test mode.
[ISC-Bugs #29892]
- The Linux client script has been updated. It is now based on the Debian
  version, uses the ip tool from the iproute2 package, and no longer uses
  ifconfig. This also addresses an issue with calling arping with an
  inappropriate parameter.
[ISC-bugs #19430]
[ISC-bugs #18111]
- Changed severity of the log message indicating UDP checksum errors in
  the received packets from 'info' to 'debug' to avoid logging an excessive
  number of false positives when UDP checksum offloading is enabled.
[ISC-bugs #41757]
- The directory minires has been removed from the source tree. It has
long been obsolete for branches other than v4_1_esv. Additionally,
includes/minires.h was renamed includes/ns_name.h.
[ISC-bugs #45471]
- Replaced ifconfig parameters "add" and "delete" with "alias" and "-alias"
  for IPv6 mode in the client scripts netbsd and openbsd. The previous
  parameters prevented IPv6 addresses from being added to or removed from
  interfaces. Thanks to Tim Dean for reporting this issue.
[ISC-bugs #31573]
Changes since 4.3.5b1
- Corrected a bug which could cause the server to sporadically crash while
  loading lease files when lease-id-format is set to "hex". Our thanks
  to Jay Ford, University of Iowa for reporting the issue.
[ISC-Bugs #43185]
- Eliminated a noisy, but otherwise harmless debug log statement that may
  appear during server startup when building with --enable-binary-leases
  and configuring multiple pools in a shared network. Thanks to Fernando
  Soto from BlueCat Networks for reporting the issue and supplying a patch.
[ISC-Bugs #43262]
Changes since 4.3.4
- Fixed util/bindvar.sh error handling.
[ISC-Bugs #41973]
- Correct error message in relay to use remote id length instead
of circuit id length.
[ISC-Bugs #42556]
- Add logic to test directory Makefiles to avoid copying Atffile(s)
  when building within the source tree. This eliminates a noisy but
  otherwise harmless error message when running "make check".
[ISC-Bugs #41883]
- Leases are now scrubbed of certain prior use information when pool
re-balancing reassigns them from one FO peer to the other. This
corrects an issue where leases that were offered but not used
by the client retained the client hostname from the original
client. Thanks to Pavel Polacek, Jan Evangelista Purkyne University
for reporting the issue.
[ISC-Bugs #42008]
- In the LDAP code and schema add some missing '6' characters to use
the v6 instead of the v4 versions. Thanks to Denis Taranushin for
reporting this issue and supplying its patch.
[ISC-Bugs #42666]
- Correct how the pick-first-value expression is written to a lease
file. Previously it was written as a concat expression due to
a cut and paste error.
[ISC-Bugs #42253]
- Modify the DDNS code to clean up the PTR record even if there
are issues while cleaning up the A or AAAA records.
[ISC-Bugs #23954]
- Added global configuration parameter, abandon-lease-time, which determines
  the amount of time a lease remains abandoned. The default is 84600 seconds.
  Additionally, the server now conducts a ping check (if ping checks are
  enabled) prior to offering an abandoned lease to a client. Our thanks to
  David Zych at University of Illinois for reporting the issue and working
  with us to produce a viable solution.
[ISC-Bugs #41815]
- Correct handling of interface names during interface discovery. This
addresses an issue where interface names of 15 characters in length
could lead to crashes or interface recognition errors during startup
of dhcpd, dhclient, and dhcrelay.
[ISC-Bugs #42226]
- Updates to contrib/dhcp-lease-list.pl to make it more friendly.
The updates are: looking for the lease file in more places and skipping
the "processing complete" output when creating machine readable
output. Thanks to Cameron Paine (cbp at null dot net) for the
patch.
[ISC-Bugs #42113]
- When reusing a lease for dhcp-cache-threshold, return the hostname
  to the original lease. Also, if the host pointer, UID or hardware address
  changes, don't allow reuse of the lease.
  Thanks to Michael Vincent for reporting this and helping us
  verify the problem and fix.
[ISC-Bugs #42849]
- Change dmalloc to use a size_t as the length argument to bring it
in line with the call it will make to malloc().
[ISC-Bugs #40843]
- If the failover socket can't be bound, close it. Otherwise, if the
  user configures an incorrect address in the failover stanza, the
  server will continue to open new sockets every 90 seconds until
  it runs out.
[ISC-Bugs #42452]
- Add DHCPv4-mode dhcrelay command line options, "-iu" and "-id", that
  designate interfaces as upstream or downstream respectively. Upstream
  interfaces will accept and forward only BOOTP replies, while downstream
  interfaces will accept and forward only BOOTP requests.
[ISC-Bugs #41547]
- Clean up some memory references in the vendor-class construct.
[ISC-Bugs #42984]
Changes since 4.3.4b1
- None
Changes since 4.3.3
- Corrected a static analyzer warning in common/execute.c
[ISC-Bugs #40374]
- ISC DHCP now follows the common convention to use the base name a
program is invoked with (aka argv[0], vs. a builtin name) for
logs. This should help differentiate syslog entries for DHCPv4 and
DHCPv6 servers. You can define OLD_LOG_NAME in includes/site.h to
keep the previous behavior.
[ISC-Bugs #38692]
- The Linux packet filter code now correctly treats only the least significant
12 bits in an inbound packet's TCI value as the VLAN id (per IEEE 802.1Q).
Prior to this it was using the entire 16 bit value as the VLAN id and
incorrectly discarding packets. Thanks to Jiri Popelka at Red Hat for
reporting this issue and supplying its patch.
[ISC-Bugs #40591]
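Decoding the 802.1Q tag of an inbound Ethernet frame, as a constructed C example that is not ISC DHCP's packet-filter code. It shows why comparing the whole 16-bit TCI against the VLAN ID discards tagged frames with priority bits set, and assumes hypothetical names and a constructed sample frame.

```c
/* Constructed example, not ISC DHCP's own code. The TCI carries a 3-bit
 * priority (PCP), a 1-bit drop-eligible flag (DEI) and a 12-bit VLAN ID;
 * only the low 12 bits identify the VLAN (IEEE 802.1Q). */
#include <stddef.h>
#include <stdint.h>

#define ETHERTYPE_VLAN 0x8100
#define VLAN_VID_MASK  0x0FFF
#define TAGGED_HDR_LEN 18    /* 12 bytes MACs + 4 bytes tag + 2 bytes type */

struct vlan_tag { uint8_t pcp; uint8_t dei; uint16_t vid; };

/* Reads the 802.1Q tag at offset 12 (after the two MAC addresses).
 * Returns 0 if the frame is too short or untagged, 1 on success. */
static int parse_vlan_tag(const uint8_t *f, size_t len, struct vlan_tag *out)
{
    if (len < TAGGED_HDR_LEN) return 0;
    uint16_t tpid = (uint16_t)((f[12] << 8) | f[13]);
    if (tpid != ETHERTYPE_VLAN) return 0;
    uint16_t tci = (uint16_t)((f[14] << 8) | f[15]);
    out->pcp = (uint8_t)(tci >> 13);
    out->dei = (uint8_t)((tci >> 12) & 1);
    out->vid = tci & VLAN_VID_MASK;
    return 1;
}

/* Convenience accessors; -1 means no tag could be parsed. */
static int vlan_vid(const uint8_t *f, size_t n) { struct vlan_tag t; return parse_vlan_tag(f, n, &t) ? t.vid : -1; }
static int vlan_pcp(const uint8_t *f, size_t n) { struct vlan_tag t; return parse_vlan_tag(f, n, &t) ? t.pcp : -1; }

/* Pre-fix behaviour: the entire TCI must equal the configured VLAN ID, so
 * any frame with a non-zero priority or DEI bit is wrongly discarded. */
static int accept_vlan_buggy(const uint8_t *f, size_t len, uint16_t want_vid)
{
    if (len < TAGGED_HDR_LEN || ((f[12] << 8) | f[13]) != ETHERTYPE_VLAN) return 0;
    return (uint16_t)((f[14] << 8) | f[15]) == want_vid;
}

/* Fixed behaviour: compare only the 12-bit VLAN ID. */
static int accept_vlan_fixed(const uint8_t *f, size_t len, uint16_t want_vid)
{
    struct vlan_tag t;
    return parse_vlan_tag(f, len, &t) && t.vid == want_vid;
}

/* Constructed tagged frame: broadcast dst, locally administered src,
 * TPID 0x8100, TCI 0xA064 (PCP 5, DEI 0, VID 100), inner type IPv4. */
static const uint8_t sample_frame[TAGGED_HDR_LEN] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0xa0,0x64, 0x08,0x00 };
```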
- Fixed several static analysis issues such as potential null
  references and unchecked strdup returns. Thanks to Bill Parker (wp02855 at
  gmail dot com) who identified these issues and supplied patches to
  address them.
[ISC-Bugs #40754]
[ISC-Bugs #40823]
- Corrected compilation errors that prohibited building the server
and its ATF unit tests when failover is disabled.
[ISC-Bugs #40372]
- Added the lease address to the end of the debug level log message
emitted when an existing lease is renewed within the dhcp-cache-threshold.
Thanks to Nathan Neulinger at Missouri S&T for suggesting the change.
[ISC-Bugs #40598]
- Added dhcpv6 and delayed-ack to settings listed in the "Features:"
section of the configure script output. Additionally, all of the
features reported on will now always show either a "yes" or "no"
value. Prior to this features left to their default setting would
not show a value.
[ISC-Bugs #40381]
- Added a parameter, authoring-byte-order, to the lease file. This value
is automatically added to the top of new lease files by the server and
indicates the internal byte order (big endian or little endian) of the
server. This permits lease files generated on a server with one form of
byte order to be used on a server with the opposite form. Our thanks to
Timothe Litt for calling this to our attention and for the suggestions
he provided.
[ISC-Bugs #38396]
- Fixed a small memory leak in the DHCPv6 version of the client code.
This is unlikely to cause significant issues in actual use.
[ISC-Bugs #40990]
- Corrected a few minor memory leaks in omapi's dereferencing of
host objects. Thanks to Jiri Popelka at Red Hat for reporting
the issue and supplying the patches.
[ISC-Bugs #33990]
[ISC-Bugs #41325]
- Cleaned up some of the Make infrastructure to make --with-libbind
  work better, though it still only works with an absolute path.
[ISC-Bugs #39210]
- Made the embedded bind libraries able to be cross compiled
(please refer to the bind9 documentation to learn how to cross
compile DHCP and its bind library dependency).
[ISC-Bugs #38836]
- Update the client code to better support getting IA_NAs and IA_PDs
in the same packet, see RFC7550 for some discussion.
[ISC-Bugs #40190]
! Update the bounds checking when receiving a packet.
Thanks to Sebastian Poehn from Sophos for the bug report and a suggested
patch.
[ISC-Bugs #41267]
CVE: CVE-2015-8605
- When handling an incorrect command line for dhcpd, dhclient or dhcrelay
print out a specific error message about the first error in addition
to the usage string. This may be disabled by editing includes/site.h.
[ISC-Bugs #40321]
[ISC-Bugs #41454]
- The configure script will now exit with an error message if it cannot find
a GNU-style make tool (needed when building BIND libraries) or pkg-config
(needed to locate ATF used for building unit tests). Prior to this the
script would exit indicating success causing subsequent attempts to build
the software to fail.
[ISC-Bugs #40371]
- Properly terminate strings before passing them to regex and fix
a boundary error when creating certain new data strings.
Thanks to Andrey Jr. Melnikov for the bug report.
[ISC-Bugs #41217]
- Option expressions, such as prepend and append, are now supported when
  running dhclient for IPv6. Prior to this such statements in the
  client configuration file would be parsed but have no effect. Thanks
  to Jiri Popelka at Red Hat for reporting the issue.
[ISC-Bugs #39952]
- A failover primary server will now accept a binding status update from the
secondary which transitions a lease from ACTIVE to ABANDONED. This accounts
for instances in which a client declines a lease and only the secondary
server receives it. Prior to this the primary server would reject such an
update as an "invalid state transition".