ISC DHCP 3.1.x Development Release Info

ISC Dynamic Host Configuration Protocol (DHCP)

DHCP Distribution: Version 3.1.1rc2

Released: April 29, 2008

Version 3.1.1rc2 of the ISC DHCP Distribution is a feature release.

This RELEASE CANDIDATE is located at http://ftp.isc.org/isc/dhcp/dhcp-3.1.1rc2.tar.gz. . The release is PGP signed, you can get the signature here.

Version 3.1.x of the ISC DHCP Distribution includes the following major new features compared to its 3.0.x derivative:

Failover protocol 'MAC Address Affinity' to reduce pool churn.
Support for the 'reserved' and 'bootp' failover flags, which means in lay terms that static allocations can be made to clients in which 'on events' can be supported.
Several other failover optimizations and changes.
Management of class and subclass statements via OMAPI.
Many new configuration statement functions.
Initial formal support for VIVCO/VIVSO options.

For a full list of new features added in this release, please observe the changes list directly following this section.

As of this release:

OMAPI is known to have a problem with memory leaks.

For information on how to install, configure and run this software, as well as how to find documentation and report bugs, please consult the README file.

The Dynamic DNS Update support is a descendent of an implementation done by Lans Carstensen and Brian Dols at Rose-Hulman Institute of Technology, Jim Watt at Perkin-Elmer, Irina Goble at Integrated Measurement Systems, and Brian Murrell at BC Tel Advanced Communications. I'd like to express my thanks to all of these good people here, both for working on the code and for prodding me into improving it.

We've had successful builds on the following systems:

AIX 5.1
FreeBSD-5.2.1
HP/UX 11.11i
Linux-2.4
MacOS X 10.3.
SunOS 5.9 sun4u and i386
Tru64 V5.1

Changes since 3.1.1rc1

Changes in 4.0.x to common/options.c "pretty_domain()" (which turns wireformat rfc1035 into printable form for dhclient.leases) were pulled down. This addresses a bug where "option domain-search , ;" would appear in dhclient.leases.
Changes in 4.0.x to common/tables.c "option_dereference()" were pulled down. This addresses a bug where overlapping option code definitions in a config file may cause an attempt to free a NULL pointer.

Changes since 3.1.1b1

A memory leak when using omapi has been fixed.

Changes since 3.1.0

Fixed --version flag in dhcrelay
Clarified error message when lease limit exceeded
Fixed a buffer overflow error which could have allowed a denial of service under unusual server configurations
Eliminated a spurious error message from the client
Bug in server configuration parser caused server to get stuck on startup for certain bad pool declarations. Thanks to Guillaume Knispel for the bug report and fix.
Fixed file descriptor leak on listen failure. Thanks to Tom Clark.
Bug in octal parsing fixed. Thanks to Bernd Fuhrmann for the report and fix.
Log messages when failover peer names mismatch have been improved to point out the problem.
Manpage entries in dhcp-options.5 for the 'domain-list' format have been updated.
A bug was repaired where MAC Address Affinity for virgin leases always mapped to the primary. Virgin leases now have an interleaved preference between primary and secondary.
A bug was repaired where MAC Address Affinity for clients with no client identifier was sometimes mishashed to the peer. Load balancing during runtime and pool rebalancing were opposing.
An assertion in lease counting relating to reserved leases was repaired.
The subnet-mask option inclusion now conforms with RFC2132 section 3.3; it will only appear prior to the routers option if it is present on the Parameter-Request-List. The subnet-mask option will also only be included by default (if it is not on the PRL) in response to DISCOVER or REQUEST messages.
The FQDN option is only supplied if the client supplied an FQDN option or if the FQDN option was explicitly requested on the PRL.
Dynamic BOOTP leases are now load balanced in failover.
The warning logged when an address range doesn't fit in the subnets they were declared has been updated to be more helpful and identify the typo in configuration that created the spanning addresses.
The 'min-secs' configuration parameter's log message has been updated to be more helpful.
A cosmetic bug during potential-conflict recovery that caused the peer's 'conflict-done' state message to be logged as 'unknown-state' has been repaired. It is now logged correctly.
A bug in failover pool rebalancing that caused POOLREQ message ping-pongs was repaired.
A flaw in failover pool rebalancing that could cause POOLREQ messages to be sent outside of the min-balance/max-balance scheduled intervals has been repaired.
A bug was fixed where the 'giaddr' may be used to find the client's subnet rather than its own 'ciaddr'.
A log message was introduced to clarify the situation where a failover 'address' parameter (the server's local address) did not resolve to an IPv4 address.
The minimum site code value was set to 224 in 3.1.0 to track RFC3942. This broke a lot of legacy site local configurations. The new code in place will track site local space minimum option codes and logs a warning to encourage updates and exploration of site local code migration problems. Option codes less than 128 in site local spaces remain inaccessible.
A possible relay agent option bug was repaired where random server initialization state may have been used to signal the relay agent information options sub-option code for the 'END' of the option space.
Fixes to allow code to compile on Mac OS X Leopard (10.5).
When server is configured with options that it overrides, a warning is issued when the configuration file is read, rather than at the time the option is overridden. This was important, because the warning was given every time the option was overridden, which could create a lot of unnecessary logging.
When a failover server suspects it has encountered a peer running a version 3.0.x failover server, a warning that the failover wire protocol is incompatible is printed.
The failover server no longer issues a floating point error if it encounters a previously undefined option code.
An incomplete addition of the 'D' atom for domain RFC1035 format domain name parsing was corrected. This corrects problems with parsing the new doamin search order option in dhclient.leases.

Changes since 3.1.0rc1

The parse warning that 'deny dyanmic bootp;' must be configured for failover protected subnets was removed.

Changes since 3.1.0b2

Silenced compiler warnings on NetBSD
Failover rebalance events no longer play ping pong with round errors (moving leases between free and back to backup where there are an odd number of leases).
The 'pool' log line has been split into two messages, one before the rebalance run, and one after.
Any queued BNDACKs are transmitted before transmitting new BNDUPDs. This enforces the correct sequence of events for the remote server processing these messages.
Fixed a bug in which write_lease() might report a failure incorrectly
supersede_lease() now requeues leases in their respective hardware address hash bucket. This mirrors client identifier behaviour.

Changes since 3.1.0b1

Added -x option to dhclient, which triggers dhclient processes to exit gracefully without releasing leases first.
Fixed a bug that caused OMAPI clients to freeze when opening lease objects.
A new server config option "fqdn-reply" specifies whether the server should send out option 81 (FQDN). Defaults to "on". If set to "off", the FQDN option is not sent, even if the client requested it. This is needed because some clients misbehave otherwise. Thanks to Christof Chen at Allianz.
Allow trace output files (-tf option) to be overwritten, rather than crashing dhcpd if the file already exists
A bug was fixed that caused dhcpd to segfault if a pool was declared outside the scope of a subnet in dhcpd.conf.
Some uninitialized values were repaired in dhcpleasequery.c that caused the server to abort.
A new server config option, 'do-reverse-updates', has been added which causes the server to abstain from performing updates on PTR records. Thanks to a patch from Christof Chen at Allianz.
A bug was repaired in subencapsulation support, where spaces separated by empty spaces would not get included.
Corrected one situation where the column index variable might be used without being initialized, in expression-printing.
Silenced several other compiler warnings.
A bug in dhclient was repaired which caused it to send parameter request lists of 55 bytes in length no matter how long the declared PRL was.
'dhcp.c(3953): non-null pointer' has been repaired. This fixes a flaw wherein the DHCPv4 server may ignore a configured server-identifier.
A flaw in failover startup sequences was repaired that sometimes left the primary DHCP server's pool rebalance schedules unscheduled.
Corrected a flaw that broke encapsulated spaces included due to presence on the parameter request list.

Changes since 3.1.0a3

The execute() statement has been changed from a "numeric expression" to an "executable statement", so that it can now be used with the syntax "execute(cmd, arg, ...)" rather than "eval(execute(cmd, arg, ...))".
Some spelling fixes.

Changes since 3.1.0a2

A bug was fixed where attempting to permit leasequeries results in a fatal internal error, "Unable to find server option 49".
A bug was fixed in dhclient rendering the textual output form of the domain-search option syntax.

Changes since 3.1.0a1

A bug in the FQDN universe that added FQDN codes to the NWIP universe's hash table was repaired.
The servers now try harder to transmit pending binding updates when entering normal state.
UPDREQ/UPDREQALL handling was optimized - it no longer dequeues and requeues all pending updates. This should reduce the number of spurious 'xid mismatch' log messages.
An option definition referencing leak was fixed, which resulted in early termination of dhclient upon the renewal event.
Some default hash table sizes were tweaked, some upwards, some downwards. 3.1.0a1's tables resulted in a reduction in default server memory use. The new selected values provide more of a zero sum (increasing the size of tables likely to be populated, decreasing the size of tables unlikely).
Lease structures appear in three spearate hashes: by IP address, by UID, and by hardware address. One type of table was used for all three, and improvements to IP address hashing were applied to all three (so UID and hardware addresses were treated like 4-byte integers). There are now two types of tables, and the uid/hw hashes use functions more appropriate to their needs.
The max-lease-misbalance percentage no longer causes scheduled rebalance runs to be skipped: it still governs the schedule, but every scheduled run will attempt balance.
A segfault bug in recursive encapsulation support has been corrected.

Changes since 3.0 (New Features)

A workaround for certain STSN servers that send a mangled domain-name option was introduced for dhclient. The client will now accept corrupted server responses, if they contain a valid DHCP_MESSAGE_TYPE (OFFER, ACK, or NAK). The server will continue to not accept corrupt client packets.
Support for 'reserved' (psuedo-static) and BOOTP leases via failover was introduced.
Support for adding, removing, and managing class and subclass statements via OMAPI.
The failover implementation was updated to comply with revision 12 of the protocol draft.
'make install' now creates the initial zero-length dhcpd.leases file if one does not already exist on the system.
RFC3942 compliance, site-local option spaces start at 224 now, not 128.
The Load Balance Algorithm was misimplemented. The current implementation matches RFC 3074.
lcase() and ucase() configuration expressions have been added which adjust their arguments from upper to lower and lower to upper cases respectively. Thanks to a patch from Albert Herranz.
The dhclient 'reject ...;' statement, which rejects leases given by named server-identifiers, now permits address ranges to be specified in CIDR notation. Thanks to a patch from David Boyce.
The subnet-mask option is now supplied by default, but at lowest priority. This helps a small minority of clients that provide parameter request lists, but do not list the subnet-mask option because they were designed to interoperate with a server that behaves in this manner.
The FQDN option is similarly supplied even if it does not appear on the parameter request list, but not to the exclusion of options that do appear at the parameter request list. Up until now it had ultimate priority over the client's parameter request list.
Varying option space code and length bit widths (8/16/32) are now supported. This is a milestone in achieving RFC 3925 "VIVSO" and DHCPv6 support.
A new common (server or client) option, 'db-time-format local;', has been added which prints the local time in /var/db/dhcpd.leases rather than UTC. Thanks to a patch from Ken Lalonde.
Some patches to improve DHCP Server startup speed from Andrew Matheson have been incorporated.
Failover pairs now implement 'MAC Affinity' on leases moving from the active to free states. Leases that belonged to the failover secondary are moved to BACKUP state rather than FREE upon exiting EXPIRED state. If lease rebalancing must move leases, it tries first to move leases that belong to the peer in need.
The server no longer sends POOLREQ messages unless the pool is severely misbalanced in the peer's favor (see 'man dhcpd.conf' for more details).
Pool rebalance events no longer happen upon successfully allocating a lease. Instead, they happen on a schedule. See 'man dhcpd.conf' for the min-balance and max-balance statements for more information.
The DHCP Relay Agent Information Option / Link Selection Sub-Option is now supported. (See RFC3527 for details).
A new DDNS related server option, update-conflict-detection, has been added. If this option is enabled, dhcpd will perform normal DHCID conflict resolution (the default). If this option is disabled, it will instead trust the assigned name implicitly (removing any other bindings on that name). This option has not been made available in dhclient.
In those cases where the DHCP software manufactures an IP header (to transmit via bpf, lpf, etc), the IP TTL the software selects has been increased from 16 to 128. This is intended to match Microsoft Windows DHCP Client behaviour, to increase compatibility.
'ignore client-updates;' now has behaviour that is different from 'deny client-updates;'. The client's request is not truly ignored, rather it is encouraged. Should this value be configured, the server updates DNS as though client-updates were set to 'deny'. That is, it enters into DNS whatever it is configured to do already, provided it is configured to. Then it sends a response to the client that lets the client believe it is performing client updates (which it will), probably for a different name. In essence, this lets the client do as it will, ignoring this aspect of their request.
Support for compressed 'domain name list' style DHCP option contents, and in particular the domain search option (#119) was added.
The DHCP LEASEQUERY protocol as defined in RFC4388 is now implemented. LEASEQUERY lets you query the DHCP server for information about a lease, using either an IP address, MAC address, or client identifier. Thanks to a patch from Justin Haddad.
DHCPD is now RFC2131 section 4.1 compliant (broadcast to all-ones ip and ethernet mac address) on the SCO platform specifically without any strange ifconfig hacks. Many thanks go to the Kroger Co. for donating the hardware and funding the development.
A new common configuration executable statement, execute(), has been added. This permits dhcpd or dhclient to execute a named external program with command line arguments specified from other configuration language. Thanks to a patch written by Mattias Ronnblom, gotten to us via Robin Breathe.
A new dhcp server option 'adaptive-lease-time-threshold' has been added which causes the server to substantially reduce lease-times if there are few (configured percentage) remaining leases. Thanks to a patch submitted from Christof Chen.
Encapsulated option spaces within encapsulated option spaces is now formally supported.

Changes since 3.0.5rc1

A bug was repaired in fixes to the dhclient, which saught to run the dhclient-script with the 'EXPIRE' state should it receive a NAK in response to a REQUEST. The client now iterates the PREINIT state after the EXPIRE state, so that interfaces that might be configured 'down' can be brought back 'up' and initialized.
DHCPINFORM handling for clients that properly set ciaddr and come to the server via a relay aget has been repaired.

Changes since 3.0.4

A warning that host statements declared within subnet or shared-network scopes are actually global has been added.
The default minimum lease time (if min-lease-time was not specified) was raised from 0 to 300. 0 is not thought to be sensible, and is known to be damaging.
Added additional fatal error sanity checks surrounding lease binding state count calculations (free/active counts used for failover pool balancing).
Some time value size fixes in 3.0.4 brought on from FreeBSD /usr/ports were misapplied to server values rather than client values. The server no longer advertises 8-byte lease-time options when on 64-bit platforms.
A bug where leases not in ACTIVE state would get billed to billed classes (classes with lease limitations) was fixed. Non-active leases OFFERed to clients are no longer billed (but billing is checked before offering).
The dhcpd.conf.5 manpage was updated in regard to the ddns-domainname configuration option - the default configuration and results should be more clear now.
If the dhclient were to receive a DHCPNAK while it was in the RENEW state (and consequently, had an active, 'bound' address and related configuration options), it would fail to 'tear down' this information before proceeding into INIT state. dhclient now iterates the dhclient- script with the 'EXPIRE' action to cause these teardowns prior to entering INIT state. Thanks to a patch from Chris Zimmerman.
The omapi.1 manpage had some formatting errors repaired thanks to a patch from Yoshihiko Sarumaru.
A few lines of code that were failover-specific were moved within #if defined() clauses so that compilation without failover could be made possible.
The log message emitted when the 'leased-address' value was not available in dhcpd.conf "executable statements" has been updated to be more helpful. Manpage information for this value has also been updated.
Abandoned or dissociated (err condition) leases now remove any related dynamic dns bindings. Thanks to a patch from Patrick Schoo.
Attempting to write a new lease file to replace a corrupt (due to encountering non-retryable errors during writing) lease file should no longer result in an infinite recursion.
Host declaration hardware addresses and client identifiers may only be configured once. dhcpd will now fail to load config files that specify multiple identifiers (previous versions would silently over-ride the value with the later configured value).

Changes since 3.0.4b3

Some manual pages were clarified pursuant to discussion on the dhcp-server mailing list.

Changes since 3.0.4b2

Null-termination sensing for certain clients that unfortunatley require it in DHCPINFORM processing was repaired.
The host-name option and a few others were moved from "X" format to "t" format to be compatible with new NULL handling functions.
DHCPINFORM processing is a little more careful about return addressing its responses, or if responding via a relay. The INFORM related messages also log the 'effective client ip address' rather than the client's supplied ciaddr (since some clients produce null ciaddrs).
The server was inappropriately sending leases to the RESET state in the event that multiple active leases were found to match a singly-identified client. This was changed to RELEASED (by accepting a different, ACTIVE binding, the client is implicitly releasing its lease). This repairs a bug wherein secondary servers in failover pairs detecting this condition move leases to RESET, and primaries refuse to accept that state transition (properly).
The memset-after-dmalloc() changes made in 3.0.4b1 have been backed out.

Changes since 3.0.4b1

Command line parsing in omshell was repaired - it no longer closes STDIN after reading one line.
The resolver library no longer closes the /etc/resolv.conf file descriptor it opened twice.
Changes to trailing NULL removal in 't' option-atoms has been rethought, it now includes 'd' (domain name) types, and tries hard not to rewind an option beyond the start of the text field it is un-terminating.

Changes since 3.0.3

A DDNS update handling function was misusing the DNS error codes, rather than the internal generic result enumeration. The result is a confusing syslog line, logging the wrong condition.
The DHCP Server was not checking pool balance in the case where it brought a non-ACTIVE lease out of storage for a client that was returning to use a lease it once had long ago, and had since expired.
Failover peers no longer bother to look for free leases to allocate when they already found the client's ACTIVE lease. DISCOVERs are load balanced wether freely-allocated or not, unless the server doubts the peer has leases to allocate.
Fixed a bug in dhcrelay agent addition code that suppressed trailing PAD options - it was suppressing only one trailng PAD option, rather than the entire block of them.
Fixed some unlikely overlapping-region memcpy() bugs in dhcrelay agent option addition and stripping code. Added a few sanity checks.
Added some sanity checks to OMAPI connection/authentication code.
dmalloc() memset()'s the non-debug (data) portion of the allocated memory to zero. Code that memset()'s the result returned by dmalloc() to zero is redundant. These redundancies were removed.
Some type declaration corrections to u_int16_t were made in common/tr.c (Token Ring support) thanks to a patch from Jason Vas Dias at RedHat.
A failover bug that was allowing leases that EXPIRED or were RELEASED where tsfp and tstp are identical timestamps to languish in these transitional states has been repaired. As a side effect, lease databases should be kept more consistent overall, not just for these transitional states.
If the lease db is deleted out from under the daemon, and it moves to rewrite the db, it will go ahead with the operation and move the new db into place once it detects the old db does not exist.
dhclient now ignores IRDA, SIT, and IEEE1394 network interfaces, as it is either nonsensical or (in the case of IEEE1394) is not known to support these interfaces. Thanks to Marius Gedminas and Andrew Pollock of Debian.
Some previously undocumented reasons for dhclient-script invoking has been doucmented in the dhclient-script.8 manpage.
Failover potential expiry calculations (TSTP) have been corrected. Results should be substantially more consistent, and proper given the constraints.
Adjusted lease state validation checks in potential-conflict, to account for possible clock skew similarly to normal state, and several previously illegal transitions were made legal (ex: active->released).
An impossible sanity check was removed from omapi/buffer.c, thanks to a patch from 'infamous42md'.
An OMAPI host/network byte order problem in lease time values has been repaired.
Several minor bugs, largely relating to treating 8-byte time values as 4-byte entities, have been repaired after careful review of the FreeBSD ports collection's patch set. Thanks to the nameless entities who have contributed to the FreeBSD ports.
When writing a trace file, the file is now created with permissions 0600, to help administrators avoid accidentally publicising sensitive config data.
The calculation of the maximum size of DHCP packets no longer includes Ethernet framing overhead. The result is that the 'Maximum Message Size' option advertised by clients, or the default value 576, is no longer reduced by 14 bytes, and instead directly reflects the IP level MTU (and the default, minimum allowed IP MTU of 576).
The special status of RELEASED/EXPIRED/RESET leases when a server is operating in partner-down was fixed. It no longer requires a lease be twice the MCLT beyond STOS to 'reallocate', and the expiry event to turn these into FREE leases without peer acknowledgement (after STOS+MCLT) has been repaired.
Compilation on older Solaris systems (lacking /usr/include/sys/int_types.h) has been repaired.
"append"ing a string onto the end of a "t" type option (such as the domain-name field) that had been improperly NULL-terminated by the DHCP server will no longer result in a truncated string containing only the option from the server, and not the expected appended value. Thanks to a patch from Jason Vas Dias at RedHat.
File handlers on configuration state (config files and lease dbs) should be treated consistently, regardless of wether TRACING is defined or not.
The linux build environment has had some minor improvements - better sensing of 64-bit pointer sizes (only used for establishing an icmp_id), and corrections to #if operators regarding LINUX_MAJOR should it ever move to 3.[01].x.
The server now tries harder to survive the condition where it is unable to open a new lease file to rewrite the lease state database.

Changes since 3.0.3b3

dhclient.conf documentation for interface {} was updated to reflect recent discussion on the dhcp-hackers mailing list.
In response to reports that the software does not compile on GCC 4.0.0, -Werror was removed from Makefile.conf for all platforms that used it. We will address the true problem in a future release; this is a temporary workaround.

Changes since 3.0.3b2

An error in code changes introduced in 3.0.3b2 was corrected, which caused static BOOTP clients to receive random addresses.

Changes since 3.0.3b1

A bug was fixed in BOOTPREQUEST handling code wherein stale references to host records would be left behind on leases that were not allocated to the client currently booting (eg in the case where the host was denied booting).
The dhcpd.conf.5 manpage was updated to be more clear in regards to multiple host declarations (thanks to Vincent McIntyre). 'Interim' style dynamic updates were also retouched.

Changes since 3.0.2

A bug was fixed where a server might load balance a DHCP REQUEST to its peer after already choosing not to load balance the preceeding DISCOVER. The peer cannot allocate the originating server's lease.
In the case where a secondary server lost its stable storage while the primary was still in communications-interrupted, and came back online, the lease databases would not be fully transferred to the secondary. This was due to the secondary errantly sending an extra UPDREQ message when the primary made its state transition to PARTNER-DOWN known.
The package will now compile cleanly in gcc 3.3 and 3.4. As a side effect, lease structures will be 9 bytes smaller on all platforms. Thanks to Jason Vas Dias at Redhat.
Interface discovery code in DISCOVER_UNCONFIGURED mode is now properly restricted to only detecting broadcast interfaces. Thanks to a patch from Jason Vas Dias at RedHat.
decode_udp_ip_header was changed so that the IP address was copied out to a variable, rather than referenced by a pointer. This enforces 4-byte alignment of the 32-bit IP address value. Thanks to a patch from Dr. Peter Poeml.
An incorrect log message was corrected thanks to a patch from Dr. Peter Poeml.
A bug in DDNS was repaired, where if the server's first DDNS action was a DDNS removal rather than a DDNS update, the resolver library's retransmit timer and retry timer was set to the default, implying a 15 second timeout interval. Which is a little excessive in a synchronous, single-threaded system. In all cases, ISC DHCP should now hold fast to a 1-second timeout, trying only once.
The siaddr field was being improperly set to the server-identifier when responding to DHCP messages. RFC2131 clarified the siaddr field as meaning the 'next server in the bootstrap process', eg a tftp server. The siaddr field is now left zeroed unless next-server is configured.
mockup_lease() could have returned in an error condition (or in the condition where no fixed-address was found matching the shared network) with stale references to a host record. This is probably not a memory leak since host records generally never die anyway.
A bug was repaired where failover servers would let stale client identifiers persist on leases that were reallocated to new clients not sending an id.
Binding scopes ("set var = value;") are now removed from leases allocated by failover peers if the lease had expired. This should help reduce the number of stale binding scopes on leases.
A small memory leak was closed involving client identifiers larger than 7 bytes, and failover.
Configuring a subnet in dhcpd.conf with a subnet mask of 32 bits might cause an internal function to overflow heap. Thanks to Jason Vas Dias at Redhat.
Some inconsistencies in treating numbers that the lexer parsed as 'NUMBER' or 'NUMBER_OR_NAME' was repaired. Hexadecimal parsing is affected, and should work better.
In several cases, parse warnings were being issued before the lexical token had been advanced to the token whose value was causing an error... causing parse warnings to claim the problem is on the wrong token.
Host declarations matching on client identifier for dynamic leases will no longer match fixed-address host declarations (this is now identical to behaviour for host records matching on hardware address).