Kea 3.0, our first LTS version
ISC is excited to announce the release of Kea 3.0.0! This is a major release, and is the first Long-Term Support (LTS) version of Kea.
Read post
ISC is excited to announce the release of Kea 3.0.0! This is a major release, and is the first Long-Term Support (LTS) version of Kea.
The software and release notes can be downloaded from our website at https://www.isc.org/download/#Kea.
More Open, with Longer-term Support
With this release, we are ending maintenance of Kea 2.4 and opensourcing TWELVE Kea hooks that were previously under a commercial license. Now, Kea open source users should be able to use all the features of Stork, including managing host reservations and subnet configuration.
We have heard that you would like the option to upgrade Kea less frequently. We have been releasing a new stable version every year and supporting it for two years, but Kea 3.0 will be our first release with a three-year life span. We will continue supporting two stable versions at a time, including the 3.0 LTS version and one other. We also plan to have more frequent maintenance releases, at least one every six months for our stable versions.
Kea 3.0 includes a number of major changes which are not backwards-compatible.
This is a significant release, which brings so many changes, that we decided to skip the Kea 2.8 version number and release Kea 3.0 as the next stable branch after Kea 2.6.
Users are strongly encouraged to read the Kea 3.0 release notes carefully before upgrading. Some changes will require configuration changes. Our helpful support team has compiled a list of things to be aware of when upgrading to Kea 3.0.
Here are a handful of the most significant changes:
- The installation process has changed because we have changed the packaging for Kea hook libraries. Most Kea hook libraries have become open source and are freely available; the only exceptions are the Role-Based Access Control hook (RBAC) and the Configuration Backend hook (CB), which remain commercially licensed. The open source hook libraries will be available in the Kea source tarball and for package installation from the official ISC repositories on Cloudsmith.io. The
isc-kea-hookspackages in the open-source repository will contain many more hooks than in previous versions. Most users will no longer need to bother with access tokens to install Kea.
For details on package installation, see: https://kb.isc.org/docs/isc-kea-packages.
-
Hopefully, all our users have already noted the security enhancements were made to Kea 2.4.2 and 2.6.3, as outlined in the following Common Vulnerabilities and Exposures: CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803. In addition to these, other significant security changes were made in Kea 3.0. Administrators will need to change some file locations, set new passwords, and better secure remote management interfaces. A command-line switch can disable some of these security checks, but these decisions will require some careful thought. We have updated the security section in the Kea ARM to provide more guidance about securing your system.
-
We are planning to remove the Kea Control Agent in a future release. As of Kea 3.0, the CA is no longer needed to provide remote access. The DHCPv4, DHCPv6, and DHCP-DDNS daemons now have native support for API sockets over HTTP and TLS (HTTP), without the need to use the Control Agent (CA). This will give us a cleaner, simpler architecture, and reduce the opportunities for misconfiguration. Role-based Access Control (RBAC) hook users will have to update their configuration so that the RBAC hook is loaded by the Kea daemon, rather than the CA. This is a long-term refactoring project: the CA will still be supported in Kea 3.0, but will be removed in the next development branch.
-
We have made several changes in client-classification to make it more flexible and to ease the migration path from ISC DHCP. It is now possible to add options based on the client or the subnet or both, and the option inheritance has been adjusted to match that in ISC DHCP.
-
Modernizing our build system, moving from auto tools to Meson, was another major change, which will speed up the build process and be easier to maintain in the long run. Users who build their own images may find these notes to be helpful: https://gitlab.isc.org/isc-projects/kea/-/wikis/Processes/How-To-Meson.
-
The libraries that enable the use of MySQL or PostgreSQL database backends have been restructured so that these are separate libraries that users can choose to include or omit from their deployments. Users who are using database backends will now have to install these hooks, which were previously included with all installations.
New or recently updated KB articles
- Things to be aware of when upgrading to Kea 3.0
- Fetching Kea Sources
- Migrating Kea to a New MySQL Database Server
- Standard DHCP Options Defined in ISC DHCP and Kea
- Kea HA Quickstart Guide
- Limiting DHCP Decline
- Facilitating Classification with Template Classes
Other Helpful References
- Kea Administrator Reference Manual (ARM) - if you access this on the ReadTheDocs site, you may access any of the many available versions of the ARM.
- ISC Software Support Policy and Version Numbering - this has been updated to show the new longer lifecycle for Kea 3.0
- Notes on Building Kea with Meson
