Good news releasing the commercial extensions as open source too. It opens up new ways of automating operations.
kayson · 6h ago
I wonder when this will make it into pfSense... The transition to Kea has been a bit of a mess with tons of bugs. Thankfully it's controlled by an option, and it seems like 2.8.0 knocked out quite a few of them.
Helmut10001 · 54m ago
I have been using Kea on pfSense CE for a long time — I think it was version 23.0.x. Or you mean 3.0 in particular? I also have OPNsense and I am not completely convinced of their aggressive update strategy yet. For a firewall, I prefer stability over features. Jumping to the newest releases every month can have tradeoffs.
Note: in general, both OPNsense and pfSense are excellent. I have never had any problems with either one.
v5v3 · 6h ago
Is OPNsense ahead for this then? Or same?
mortos · 5h ago
I don't follow pfsense too much but my understanding is OPNsense typically brings in package updates faster as they have a more frequent update cycle. I can't speak too much to bugs as I haven't migrated to Kea but imo some core functionality wasn't there until recently. And Dnsmasq seems like a better fit for me anyway, which is where I'll migrate to.
From the 25.1.6 OPNsense May update notes:
> Last but not least: Kea DHCPv6 is here. And with it full DHCP and router advertisement support in Dnsmasq to bridge the gap for ISC users who do not need or want Kea. We are going to make Dnsmasq DHCP the default in new installations starting with 25.7, too. ISC DHCP will still be around as a core component in 25.7 but likely moves to plugins for 26.1 next year.
I've been using it on OPNsense since the first version it was released in. I aggressively switched because I wanted to ditch my weird setup to do multi subnets (forwarding through an L3 switch). Haven't had any issues.
latchkey · 6h ago
I have a positive ending Kea story. We deployed 20,000 PS5 APUs (AKA: ASRock BC-250); each is an individual blade computer that was PXE booted.
We started to see strange behavior on the network and it took a bit of trial and error to figure out what was going wrong. Eventually, we traced it down to dnsmasq being unable to keep up with all the DHCP UDP traffic regardless of how we tuned the kernel/networking buffers.
Switched to Kea and all of our problems magically went away.
kaladin-jasnah · 6h ago
Wow, I didn't know the BC250s were used at such scale. I bought two to play with for dirt cheap, but haven't gotten around to it yet.
Are they primarily used for mining?
a012 · 2h ago
Can one run mainline Linux on these boards?
voxadam · 2h ago
Information on running the AMD BC-250 powered ASRock mining boards as a desktop
More than that, it is an ISC project, is the successor to ISC DHCP (now end-of-life & unsupported for a few years), and weirdly started out as part of BIND 10.
(This is one place where I think a little editorializing to the page title to add context would be helpful.)
digitalPhonix · 7h ago
A DHCP server for those who are wondering
bravetraveler · 6h ago
Won't take long, ISC doesn't do 'much' but they do it well
kjellsbells · 5h ago
I remember Dan Bernstein (djb) being scathing about BIND. To the extent of writing his own DNS suite. Is that all ancient history now?
simtel20 · 5m ago
Most of the criticisms were accurate, if often very, very, very detail-oriented. DJB has always had a few settings: either you're on his level, on his wavelength, or he treats you as maybe bright enough to tie your own shoelaces on a good day.
That said, if you want to run a DNS server and don't have a huge scalable business to run on it, you can just run tinydns for a couple of decades and not worry about security issues; it just runs. BIND is more complex, and has evolved a lot more to do more because new features are implemented in it as the reference, and so it needs to both scale up and out, and also change a lot, and for that, you get https://kb.isc.org/docs/aa-00913. So anyway, you can make up your mind, but my impression as a greying beard is that ISC has always been a risk you usually just need to accept if you need their tools since no-one else is doing anything to dethrone them.
Kea is ISC's new DHCP server.
* https://packages.debian.org/source/trixie/isc-dhcp
* https://isc.org/blogs/isc-dhcp-eol/
https://docs.opnsense.org/releases/CE_25.1.html#may-08-2025
https://github.com/mothenjoyer69/bc250-documentation
Ref: https://www.isc.org/dhcphistory/#the-kea-dhcp-server
(And I vaguely recall it's used as the DHCP component in a few other things, like maybe Infoblox).
Find something as popular that hasn't been scathed-about; I'll wait