Differences

docker_notes:docker-dhcp [2024-07-21 Sun wk29 12:15] – [DNSSEC] baumkpdocker_notes:docker-dhcp [2025-06-08 Sun wk23 19:34] (current) – [main dhcp4] baumkp
Line 1: Line 1:
 {{tag>linux docker kea dhcp}} {{tag>linux docker kea dhcp}}
-======Docker - DHCP Server======+======Docker - DHCP Kea Server======
 Since mid 2023 I have been running a Docker ISC Kea Image using base Docker Alpine Linux images, with S6 init system. <fs x-small>(ISC Kea is a modern replacement for their DHCP.)</fs>  The main DHCP server runs on my main server and I have an automatic fall over back up on my separate Linux router.  I basically followed the Kea template [[https://kea.readthedocs.io/en/latest/arm/config-templates.html#template-home-network-of-a-power-user|Home Network of a Power User]].  I was never quite sure I had the automatic fall over back-up working. On 2023-01-02 I modified a configuration file on the primary server with a syntax error, 8 days later I notice millions of lines of errors on my log files.  Sure enough the backup had simply been working.  I fixed up the simple syntax error and the primary server took back over.  Everything basically worked as expected. Since mid 2023 I have been running a Docker ISC Kea Image using base Docker Alpine Linux images, with S6 init system. <fs x-small>(ISC Kea is a modern replacement for their DHCP.)</fs>  The main DHCP server runs on my main server and I have an automatic fall over back up on my separate Linux router.  I basically followed the Kea template [[https://kea.readthedocs.io/en/latest/arm/config-templates.html#template-home-network-of-a-power-user|Home Network of a Power User]].  I was never quite sure I had the automatic fall over back-up working. On 2023-01-02 I modified a configuration file on the primary server with a syntax error, 8 days later I notice millions of lines of errors on my log files.  Sure enough the backup had simply been working.  I fixed up the simple syntax error and the primary server took back over.  Everything basically worked as expected.
  
 ISC also has a project for a simple GUI interface primarily for Kea and basic for Bind9.  There is apparently no Alpine package yet for Stork. ISC also has a project for a simple GUI interface primarily for Kea and basic for Bind9.  There is apparently no Alpine package yet for Stork.
  
-ISC-Kea seems to be provided in a number of packages +=====History===== 
-^Package^Descriptiion^Comment^ +The article by Lee Hutchinson [[https://arstechnica.com/information-technology/2024/10/finally-upgrading-from-isc-dhcp-server-to-isc-kea-for-my-homelab/|Finally upgrading from isc-dhcp-server to isc-kea for my homelab]] was written after I made my upgrade to Kea.  He wrote an a much earlier article on [[https://blog.bigdinosaur.org/running-bind9-and-isc-dhcp/|running BIND9 and ISC_DHCP]] in his blog, which I found referenced in [[https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/|The Ars guide to building a Linux router from scratch]]It looks like he updated this [[https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/|Doing DNS and DHCP for your LAN the old way—the way that works]] with a semi related part 2 [[https://arstechnica.com/information-technology/2024/03/banish-oem-self-signed-certs-forever-and-roll-your-own-private-letsencrypt/|Banish OEM self-signed certs forever and roll your own private LetsEncrypt]].  In my earlier implementation of my router [[https://wiki.kptree.net/doku.php?id=linux_router:dns_dhcp|DHCP and DNS]] that was written on "bare metal I did follow Lee's notes on DDNS between ISC-DHCP and BIND9.  I never particularly like the DDNS between ISC DHCP and BIND9 for the following reasons: 
-|isc-kea-admin|This package provides backend database initialization and migration scripts and a DHCP benchmark tool. If you are not using a database backend, you may not need this.|Not using a database backend at this time| +  *I makes the BIND9 file messy.  The DDNS entries are all over the place in the zone files with different timetolife headers all over the place too. 
-|isc-kea-common|Common libraries for the ISC Kea DHCP server. Install this.|Need this.| +  *One had to take greater care to freeze Bind9 when adjusting zone files as DHCP could be writing to it. With Bind in a Docker container, I just restart the container after adjusting the zone file. 
-|isc-kea-ctrl-agent|This package provides the REST API service agent for Kea DHCP.|?| +  *I just static IPv4 addresses for my main home server services and manually define the domain names in the Bind zone files where required The dynamically defined DNS is simply not important for me
-|isc-kea-dev|Development headers for ISC Kea DHCP server. Install if you plan to create any custom Kea hooks.|Probably do not need.+  *Other less critical non-server addresses that I want constant LAN IP I define as static in Kea
-|isc-kea-dhcp4-server|DHCPv4 server.|Need this.| +  *Whilst I expect DDNS certainly has some benefits the use of simple setup of back up of DNS and DHCP is much more beneficially to me.  I run my main home server and NAS and a separate router service focused server. Both of these run Kea and Bind in Docker containers in back-up mode.  If I fiddle with either machine the other provides reliable backup DHCP and DNS. This is much more beneficial to me than DDNS.  If DHCP or DNS are unavailable on my home network it can be very confusing, difficult, time consuming and frustrating to make it work again.  Backup DHCP and DNS on my home server system is simply so much more beneficial than DDNS.
-|isc-kea-dhcp6-server|DHCPv6 server.|Do not need at this time.| +
-|isc-kea-dhcp-ddns-server|DDNS server.|Need this.+
-|isc-kea-doc|Kea documentation. Highly recommended.|On a Docker container?+
-|isc-kea-hook-flex-option|Flexible Options hook.|What is this?| +
-|isc-kea-hook-ha|High Availability hook.|What is this?| +
-|isc-kea-hook-lease-cmds|Lease Commands hook.|What is this?| +
-|isc-kea-hook-mysql-cb|MySQL Configuration Backend.|Dont need this at this time.| +
-|isc-kea-hook-pgsql-cb|PostgreSQL Configuration Backend.|Dont need this.| +
-|isc-kea-hook-stat-cmds|Statistics Commands hook.|?| +
-|isc-kea-http|This package is essential, install it.|It is essential...| +
-|isc-kea-perfdhcp|Optional. Includes DHCP performance testing tool from ISC.|?| +
-|isc-kea-shell|Text client for Kea DHCP Control Agent.|?|+
  
 +There are more references on building a home router and related here: [[https://wiki.kptree.net/doku.php?id=linux_router:dns_dhcp#main_references_used_2017|Main references used]], sadly some of these already suffer from link rot even though the information was still relevant.
 +
 +=====Kea Packages and Hooks=====
 +ISC-Kea seems to be provided in a number of [[https://kb.isc.org/docs/isc-kea-packages|packages]]
 +^ Package  ^ Use   ^ Descriptiion   ^ Comment   ^
 +| isc-kea                  | ISC Kea metapackage                                                                                                                                                     | This installs everything                   |
 +| isc-kea-admin              | This package provides backend database initialization and migration scripts and a DHCP benchmark tool. If you are not using a database backend, you may not need this.  | Not using a database backend at this time  |
 +| isc-kea-common        |  X    | Common libraries for the ISC Kea DHCP server. Install this.                                                                                                             | Need this.                                 |
 +| isc-kea-ctrl-agent      |  X  | This package provides the REST API service agent for Kea DHCP.                                                                                                          | ?                                          |
 +| isc-kea-dev            |     | Development headers for ISC Kea DHCP server. Install if you plan to create any custom Kea hooks.                                                                        | Probably do not need.                      |
 +| isc-kea-dhcp4-server |  X     | DHCPv4 server. (''isc-kea-dhcp4'' for Alpine)                                                                                                                           | Need this.                                 |
 +| isc-kea-dhcp6-server       | DHCPv6 server. (''isc-kea-dhcp6'' for Alpine)                                                                                                                           | Do not need at this time.                  |
 +| isc-kea-dhcp-ddns      |     | DDNS server.                                                                                                                                                            | Need this.                                 |
 +| isc-kea-doc          |       | Kea documentation. Highly recommended. Example documents are located here ''/usr/share/doc/kea/examples/''                                                              | On a Docker container?                     |
 +| isc-kea-hook-flex-option |     | Flexible Options hook.                                                                                                                                                  | What is this?                              |
 +| isc-kea-hook-ha        |  X   | High Availability hook.                                                                                                                                                 | What is this?                              |
 +| isc-kea-hook-lease-cmds |  X  | Lease Commands hook.                                                                                                                                                    | What is this?                              |
 +| isc-kea-hook-mysql-cb  |     | MySQL Configuration Backend.                                                                                                                                            | Dont need this at this time.               |
 +| isc-kea-hook-pgsql-cb      | PostgreSQL Configuration Backend.                                                                                                                                       | Dont need this.                            |
 +| isc-kea-hook-stat-cmds  |    | Statistics Commands hook.                                                                                                                                               | ?                                          |
 +| isc-kea-http          |      | This package is essential, install it.                                                                                                                                  | It is essential...                         |
 +| isc-kea-perfdhcp           | Optional. Includes a DHCP performance testing tool from ISC.                                                                                                            | ?                                          |
 +| isc-kea-shell             | Text client for Kea DHCP Control Agent.                                                                                                                                 | ?                                          |
 +
 +See [[https://kea.readthedocs.io/en/latest/arm/hooks.html#available-hook-libraries|16.4. Available Hook Libraries]] for the available hook libraries.  I have removed the hook reference from the above table that I do not use.
 +
 +  *[[https://kb.isc.org/docs/kea-configuration-sections-explained|Kea configuration sections explained]]
 +  *[[https://kea.readthedocs.io/en/latest/arm/config-templates.html#template-home-network-of-a-power-user|Templates]]
 ====Network Ports==== ====Network Ports====
 From IANA Service Name and Transport Protocol Port online [[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml|Number Registry]]: From IANA Service Name and Transport Protocol Port online [[https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml|Number Registry]]:
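Review bot: the new package table declares four columns (Package, Use, Description, Comment) but the rows for isc-kea, isc-kea-admin, isc-kea-dhcp6-server, isc-kea-hook-pgsql-cb, isc-kea-perfdhcp and isc-kea-shell carry only three cells, so their description text will render under the Use column; give each an empty `|     |` Use cell so the X marks stay aligned with the packages that are actually installed. The header still misspells Description as `Descriptiion`, the History paragraph has an unclosed quote in `"bare metal` and runs the sentence before `It looks like he updated` together without a full stop, and the first reason bullet reads `I makes the BIND9 file messy`.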
Line 36: Line 52:
  
 ====DHCP testing==== ====DHCP testing====
-''%%sudo nmap --script broadcast-dhcp-discover%%'' will test the DHCP servers on the same network.+''%%sudo nmap --script broadcast-dhcp-discover%%'' will test for DHCP servers on the same network. It will only report the first DHCP server discovered. 
  
 ===Reference=== ===Reference===
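Review bot: the added sentence that the nmap script only reports the first DHCP server discovered should say which nmap version that was observed with, because on this network the reason to run the command is to confirm that the backup Kea server answers as well as the primary, and a first-only report cannot show that; it would help to note how the backup was actually confirmed (for example by checking the command again with the primary container stopped).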
Line 52: Line 69:
   *''ln -s .config/dhcp_plus.conf .config/dhcp.conf'' to run plus   *''ln -s .config/dhcp_plus.conf .config/dhcp.conf'' to run plus
     *The ''-f'' flag can be used to overwrite an existing link file instead of deleting first.     *The ''-f'' flag can be used to overwrite an existing link file instead of deleting first.
 +  *It makes more sense in this case to use a hard link as docker can not resolve the soft link.  A hard link only works on the same device, but this should not be an issue with Docker volume command, as a hard linked file is the same as any other regular file in the same directory.
 The plus configuration allows a secondary backup dhcp server to be operated.++++ The plus configuration allows a secondary backup dhcp server to be operated.++++
 +
 +  *Kea Docs [[https://kea.readthedocs.io/en/latest/arm/dhcp4-srv.html|The DHCPv4 Server]]
 +
   *''kea-dhcp4 -c /app/dhcpv4_plus.conf'' to start kea dhcp4 using configuration file ''/app/dhcpv4_plus.conf'' This configuration file is designed to work with the kea control agent setup.  Where as the basic configuration ''/app/dhcpv4_basic.conf'' is not.   *''kea-dhcp4 -c /app/dhcpv4_plus.conf'' to start kea dhcp4 using configuration file ''/app/dhcpv4_plus.conf'' This configuration file is designed to work with the kea control agent setup.  Where as the basic configuration ''/app/dhcpv4_basic.conf'' is not.
  
 +++++Upgrade problem to 2.6.0 with dhcp4 parameter id in subnet configuration, TL;DR;|
 +I had a problem when upgrading to to Kea 2.6.0 that stopped kea-dhcp4 operating with an error ''file: /etc/kea/kea-dhcp4.conf, reason: subnet configuration failed: missing parameter ‘id’'' The error also reported the configuration line where the missing parameter was expected.  Adding the missing parameter to the file as per Kea docs [[https://kea.readthedocs.io/en/kea-2.6.0/arm/dhcp4-srv.html#ipv4-subnet-identifier|ipv4-subnet-identifier]] resolved this error.  Apparently this parameter was auto assigned in earlier versions of Kea, if not manually assigned in configuration file.  In Kea version 2.6.0 manual assignment became mandatory, see [[https://kb.isc.org/docs/changes-to-be-aware-of-when-migrating-to-kea-2-6-0|Changes to Be Aware of When Migrating to Kea 2.6.0]].++++
 +
 +++++Upgrade problems from Kea 2.6.2 to 2.6.3, yet again broken or perhaps enforced configuration backwards compatibility, TL;DR;|
 +The socket files **must** now be in ''/run/kea'' and directory permission must be set to 750.
 +
 +I previously used a general docker volume director directive to place all my configuration files into /app and then configured from there as required. 
 +    #"name": "/app/kea.leases4.csv",
 +    #Kea 2.6.3 requires /var/lib/kea
 +    "name": "/var/lib/kea/kea.leases4.csv",
 +
 +    "output": "/app/log/kea-dhcp4.log",
 +    "output": "/var/log/kea/kea-dhcp4.log",
 +
 +Symlinking did not seem to work:   /bin/ln -sf /app/log/ /var/log/kea , so I created a specific docker volume to the log file and this did work,  - '/mnt/docker_store/kea/.config/log:/var/log/kea'.
 +++++
 ====ctrl-agent -t /app/kea-ctrl-agent.conf==== ====ctrl-agent -t /app/kea-ctrl-agent.conf====
   *''kea-ctrl-agent -t /app/kea-ctrl-agent.conf'' to test the kea-cont-agent configuration file ''/app/kea-ctrl-agent.conf''     *''kea-ctrl-agent -t /app/kea-ctrl-agent.conf'' to test the kea-cont-agent configuration file ''/app/kea-ctrl-agent.conf''  
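Review bot: the symlink attempt in the last paragraph, `/bin/ln -sf /app/log/ /var/log/kea`, has a predictable failure mode worth stating: if `/var/log/kea` already existed as a directory, `ln -s` creates the link inside it as `/var/log/kea/log` instead of replacing the directory, so Kea keeps writing into the original empty directory; the existing directory would have to be removed or renamed before linking, and the dedicated bind mount you settled on is the cleaner answer, so say so as the recommendation rather than leaving the symlink as an open question. In the 2.6.3 note, `750` on `/run/kea` only does what you want if the directory owner and group are the user that kea-dhcp4 and the control agent run as; give the expected owner alongside the mode.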
Line 62: Line 99:
  
 ====Kea logging==== ====Kea logging====
-  *[[https://kb.isc.org/docs/kea-logging-configuration|Kea Logging Configuration]]+  *[[https://kb.isc.org/docs/kea-logging-configuration|Kea Logging Configuration]], [[https://kea.readthedocs.io/en/latest/arm/logging.html|Kea Docs 19. Logging]]
 I have stored log files in the .config directory that is a Docker mounted volume for persistence and easy external viewing outside container.  The following logs files can be seen. I have stored log files in the .config directory that is a Docker mounted volume for persistence and easy external viewing outside container.  The following logs files can be seen.
   * ''.config/log/kea-dhcp4-commands.log''   * ''.config/log/kea-dhcp4-commands.log''
Line 76: Line 113:
  
  
-=====DNSSEC===== 
-My local DNS server is a recursive caching type only.  It take local (LAN) DNS queries and answers directly for any LAN name resolution, checks the cache for any external name resolution and then if not found locally or in cache checks the specified external DNS servers to resolve names.  My DNS server is not setup as a public DNS server and is not publicly accessible. Hence DNSSEC is not relevant for this local DNS server query validation.   
- 
-For external name resolution Bind9 basically now defaults to automatic use of DNSSEC.  This can be validated with [[https://bind9.readthedocs.io/en/latest/dnssec-guide.html#how-to-test-recursive-server|(How To Test A Recursive Server)]] using: 
-    *''dig @192.168.1.14 ftp.isc.org. A +dnssec +multiline'', the query return flag ''ad'' indicates the DNS answer returned a validated answer. 
-    *''dig @192.168.1.2 ftp.isc.org. A +dnssec +multiline'' 
- 
-Equally important the following commands helps confirm that  invalid DNS queries have failed and do not rerun invalid IP address, which would be security risk.  If ''dig @192.168.1.14 www.dnssec-failed.org A'' receives ''status: SERVFAIL"" then ''dig @192.168.1.14 www.dnssec-failed.org A +cd'' will disable DNSSEC and return the IP address showing that the SERVFAIL occurred due to DNSSEC failure. 
- 
-Basic Bind9 DNSSEC configuration options 
-  * The option (in ''/etc/bind/named.conf.options'') ''dnssec-enable yes;'' is no longer valid and use will cause configuration error.  <fc #ff0000>DO NOT USE!</fc>  DNSSEC is enabled by default. 
-  * The option ''dnssec-validation'' is set default to ''auto'' The other setting options are ''yes'' and ''no'' No action is required, if the option is not specified in the configuration file it is set to auto by default.   
- 
-<fc #ff0000>So I do not need to do any configuration for ''DNSSEC'' to function on external queries.</fc> 
- 
-====reference==== 
-  *[[https://www.cloudflare.com/dns/dnssec/how-dnssec-works/|How DNSSEC Works]] 
-  *[[https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en|DNSSEC – What Is It and Why Is It Important?]] 
-  *[[https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions|Domain Name System Security Extensions]] 
-  *[[https://bind9.readthedocs.io/en/latest/dnssec-guide.html|Bind9 DNSSEC Guide]] 
-++++ old references | 
-  *[[https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/|DNSSEC with BIND 9 A Beginner's Guide to DNSSEC with BIND 9]] 
-  *[[https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/|APNIC How to: Deploying DNSSEC with BIND and Ubuntu Server]] 
-++++ 
-=====DNS over TLS (DoT)===== 
 =====References===== =====References=====
   *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.   *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.
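Review bot: this hunk deletes the whole DNSSEC section, including the `www.dnssec-failed.org` SERVFAIL versus `+cd` check that shows validation is really rejecting bad answers rather than just being enabled, and the empty DNS over TLS heading, without leaving a pointer; if the material has moved to docker_notes:docker-dns (the page the footer's Back link targets), add a one-line cross-reference where the section used to be so that validation test stays discoverable from this page.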
Line 110: Line 122:
     *[[https://web-wilke.de/install-and-run-kea-dhcp-with-stork-on-debian-11/|Install and run KEA DHCP with Stork on Debian 11]]     *[[https://web-wilke.de/install-and-run-kea-dhcp-with-stork-on-debian-11/|Install and run KEA DHCP with Stork on Debian 11]]
     *[[https://github.com/JonasAlfredsson/docker-kea| JonasAlfredsson / docker-kea ]]     *[[https://github.com/JonasAlfredsson/docker-kea| JonasAlfredsson / docker-kea ]]
 +    *[[https://www.henrydu.com/2020/09/15/kea-dhcp-webinar-01/|Kea dhcp webinar 01]]  [[https://www.youtube.com/watch?v=zr8kGTcJ5WY|Youtube Webinar]]
 +Kea read the docs [[https://kea.readthedocs.io/en/latest/arm/intro.html|Intro]] give the latest docs and the into states which version this is.  A specific version can be found by changing the ''latest'' in the html path to the Kea version required, e.g. as of writing the current verion I am using is 2.6.1, so '%%https://kea.readthedocs.io/en/2.6.1/arm/intro.html%%'' [[https://kea.readthedocs.io/en/2.6.1/arm/intro.html|Intro]]
  
-<- docker_notes:docker-dns|Back ^ docker_notes:index|Start page ^ docker_notes:diun-ntfy|Next ->+<- docker_notes:docker-dns|Back ^ docker_notes:index|Start page ^ docker_notes:vpn|Next ->
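Review bot: in the new paragraph about versioned docs the URL is opened with a single `'%%` and closed with `%%''`, so DokuWiki will not render it as monospace; use `''%%...%%''` on both sides. The same line has `give` for `gives`, `the into states` for `the intro states`, and `verion`.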