Using Official ISC Packages for Kea
  • 04 Jul 2023
  • 11 Minutes to read
  • Contributors
  • Dark
  • PDF

Using Official ISC Packages for Kea

  • Dark
  • PDF

Article Summary


ISC offers binary packages of Kea DHCP for our users and customers, hosted on Cloudsmith. They are provided along with the source code tarballs for every release.

Thank you to Cloudsmith!
The repository for Kea open source packages is provided by Cloudsmith at no charge as a free community service for non-profit open source projects.

The open source packages contain the base Kea software and the following hook libraries:

  • Flexible Option
  • High Availability
  • Lease Commands
  • MySQL Configuration Backend
  • PostgreSQL Configuration Backend
  • Run Script
  • Statistics Commands

For a full list of hooks provided by the latest development release, please refer to the list of Available Hook Libraries in the ARM.

Why Use ISC's Kea Packages?

  1. Update quickly and efficiently directly from our repository, in one step, and skip the added step of downloading and building binaries locally;
  2. Get all the latest bug fixes and features immediately, without waiting for your OS distribution to pick up the changes and release them. We provide binary packages along with sources at the time of release (sometimes the binaries are posted a few hours later, but generally the same day).

Supported Operating Systems

ISC has created packages for what we think are the most popular operating systems for production DHCP servers. If your preferred operating system is not packaged, remember you can still build from our published sources.

We provide the following types of packages:

  • RPM for RHEL, CentOS, Fedora
  • deb for Debian and Ubuntu
  • apk for Alpine
Supported OS Versions

Please note that we only provide packages for currently supported versions of an operating system. When we release a new version of Kea, we evaluate the OSes we support. We add packages for newly released operating system versions as we are able to, and remove packages for operating system versions and Kea versions that become end-of-life.

A current list of supported systems and their versions can be found in the Kea documentation.)

ISC-Provided Kea Packages

ISC provides packages for the open source components, as well as the premium, subscriber-only, and enterprise hooks packages.

ISC Packages vs OS Packages

Kea binaries are available in several packages. RHEL, CentOS, Fedora, Debian, Ubuntu, and Alpine all provide their own Kea packages, which may not be packaged the same way as the ISC-provided packages. To avoid confusing ISC packages with those from other distributors, with the exception of FreeRADIUS packages, all ISC packages start with the isc-kea- prefix.

Open Source Package Names

The names of the packages can be found below for all supported systems.

Open Source Packages
isc-kea ISC Kea metapackage (install everything)
isc-kea-ctrl-agent Kea Control Socket REST API Server
isc-kea-dhcp-ddns Kea DHCP DDNS Server
isc-kea-dhcp4-server or isc-kea-dhcp4 for Alpine Kea DHCPv4 Server
isc-kea-dhcp6-server or isc-kea-dhcp6 for Alpine Kea DHCPv6 Server
isc-kea-hooks Open Source hooks package for Kea
isc-kea-common Common libraries and files needed by Kea
isc-kea-admin Kea Database Admin Utilities
isc-kea-perfdhcp A DHCP benchmarking tool from ISC
isc-kea-hooks Open Source hooks package for Kea
isc-kea-doc Documentation for Kea
isc-kea-dev or isc-kea-devel for RPM Development headers for Kea
Upgrading beyond Kea 2.3.2

Package names have changed in Kea 2.3.2. For upgrade guidance from a prior version, please refer to the following KB article: Upgrading Beyond Kea 2.3.2.

Premium Package Names (for ISC Support Subscribers)

ISC support subscribers are entitled to additional hooks not included in the open source. Entitlement is based on support level, but the full list of additional hooks available to subscribers is:

Premium Hook Packages
Hook name
isc-kea-premium-class-cmds Classification Commands hook library
isc-kea-premium-cb-cmds Config Backend Commands hook library
isc-kea-premium-ddns-tuning DDNS Tuning hook library
isc-kea-premium-flex-id Flexible Identifier hook library
isc-kea-premium-forensic-log Forensic Logging hook library
isc-kea-premium-gss-tsig GSS-TSIG library
isc-kea-premium-host-cache Host Cache hook library
isc-kea-premium-host-cmds Host Commands hook library
isc-kea-premium-lease-query Leasequery library
isc-kea-premium-limits Limits library
isc-kea-premium-radius, not available for Alpine RADIUS hook library
isc-kea-premium-rbac Role-Based Access Control
isc-kea-premium-subnet-cmds Subnet Commands hook library

For more information about obtaining the subscriber-only and enterprise Kea hook libraries, please contact us at All of the Kea hook libraries are described fully in the Kea ARM.

RADIUS packages
The FreeRADIUS support requires a special patch from ISC to work with Kea. If you are using RADIUS with Kea, make sure you are installing the FreeRADIUS packages from the ISC repository.

The names of the FreeRAIDUS packages are different on each system. They don't need to be installed explicitly. Instead, they will be installed automatically by the packages that require them.

FreeRADIUS Packages
freeradius-client deb FreeRADIUS client library
freeradius-client-devel deb FreeRADIUS development files
libfreeradius-client RPM FreeRADIUS client library
libfreeradius-client-dev RPM FreeRADIUS development files

Using the Cloudsmith Repositories

All ISC binary packages for Kea are contained in our repositories on Cloudsmith. Note that the source tarballs are also available alongside the binary packages for Kea 2.2.0 and later versions. We have both open source repositories, which are available to anyone, and private repositiories for ISC customers, which require a security token to access.

Open Source Repositories

Packages can be downloaded from our public Cloudsmith repository by following these directions. These instructions are for Kea 2.4, but they can be easily customized for other versions by changing kea-2-4 in the commands to kea-2-2, etc., as appropriate. If the repositories are configured manually, the 0D9D9A1439E23DB9 part of the GPG key file also needs to be replaced. The current open source repositories on Cloudsmith are:

Repository Name Comments
kea-1-6 eol stable branch
kea-1-8 eol stable branch
kea-2-0 eol stable branch
kea-2-2 old stable branch
kea-2-4 current stable branch
kea-2-5 current development branch
keama migration tool for ISC DHCP migration to Kea
stork GUI management tool for Kea

Setting Up Repos on Debian

To install packages, you can quickly setup the repository automatically (recommended):

curl -1sLf \
  '' \
  | sudo -E bash

If you need to force a specific distribution/release, you can also do that (e.g. if your system is compatible but not identical):

curl -1sLf \
  '' \
  | sudo -E distro=some-distro codename=some-codename arch=some-arch bash

or ... you can manually configure it yourself before installing packages:

apt-get install -y debian-keyring  # debian only
apt-get install -y debian-archive-keyring  # debian only
apt-get install -y apt-transport-https
# For Debian Stretch, Ubuntu 16.04 and later
# For Debian Jessie, Ubuntu 15.10 and earlier
curl -1sLf '' |  gpg --dearmor > ${keyring_location}
curl -1sLf '' > /etc/apt/sources.list.d/isc-kea-2-4.list
apt-get update

Note: Please replace ubuntu and focal above with your actual operating system, distribution, and distribution version.

If you no longer want to install packages from the repository, you can remove it with:

rm /etc/apt/sources.list.d/isc-kea-2-4.list
apt-get clean
rm -rf /var/lib/apt/lists/*
apt-get update

Setting Up Repos on Fedora/CentOS/RHEL

To install RPM packages, you can quickly setup the repository automatically (recommended):

curl -1sLf \
  '' \
  | sudo -E bash

If you need to force a specific distribution/release, you can also do that (e.g. if your system is compatible but not identical):

curl -1sLf \
  '' \
  | sudo -E distro=some-distro codename=some-codename arch=some-arch bash

or... you can manually configure it yourself before installing packages:

yum install yum-utils pygpgme
rpm --import ''
curl -1sLf '' > /tmp/isc-kea-2-4.repo
yum-config-manager --add-repo '/tmp/isc-kea-2-4.repo'
yum -q makecache -y --disablerepo='*' --enablerepo='isc-kea-2-4'

Note: Please replace el and 9 above with your actual distribution/version and use wildcards when enabling multiple repos.

If you no longer want to install packages from the repository, you can remove it with:

rm /etc/yum.repos.d/isc-kea-2-4.repo
rm /etc/yum.repos.d/isc-kea-2-4-source.repo

Setting Up Repos on Alpine

To install packages, you can quickly setup the repository automatically (recommended):

sudo apk add --no-cache bash
curl -1sLf \
  '' \
  | sudo -E bash

If you need to force a specific distribution/release, you can also do that (e.g. if your system is compatible but not identical):

sudo apk add --no-cache bash
curl -1sLf \
  '' \
  | sudo -E distro=some-distro codename=some-codename arch=some-arch bash

or ... you can manually configure it yourself before installing packages:

curl -1sLf '' > /etc/apk/keys/
curl -1sLf '' >> /etc/apk/repositories
apk update

Note: Please replace v3.18 above with your actual distribution version.

If you no longer want to install packages from the repository, you can remove the entries with:

$EDITOR /etc/apk/repositories

Remove /alpine/v3.18/main line, save then execute:

rm -f /etc/apk/keys/
apk update

Premium Repositories for Support Subscribers

Organizations that purchase professional Kea DHCP support from ISC are encouraged to use the private repositories (designated with a -prv suffix in the repository name). The -prv repositories contain extra software not included in the open source. These repositories are also updated in case of a security vulnerability, prior to publication of that vulnerability.

These instructions provide information on accessing the private Cloudsmith repositories with a token, indicated with your_token_goes_here in the commands. If you are an ISC Kea support customer and need a token, please open a ticket to request one.

The instructions are very similar to the ones for the open source repositories, given above. They can be easily customized by altering the URLs; the public part should be replaced with the token and kea-2-4 with kea-2-4-prv. For example:


should be changed to


The current private repositories on Cloudsmith are:

Repository Name Comments
kea-1-6-prv eol stable branch
kea-1-8-prv eol stable branch
kea-2-0-prv eol stable branch
kea-2-2-prv old stable branch
kea-2-4-prv current stable branch
kea-2-5-prv current development branch

Source Tarballs in the Package Repository

Official Source Tarball Releases

These instructions are only included for the benefit of of users that are not running an officially supported platform. You should only need to follow these instructions if you plan on installing Kea from source. More information on how to do this can be found on the Installation Page in the ARM.

As of Kea 2.2.0, source tarballs are available alongside the binary packages in the Cloudsmith repository. This is a particular convenience for our support subscribers, who can now use the same token to download the source that they have already been using to install the packages.

To download the source tarball and its signatures from Cloudsmith, use the following set of commands, replacing the version string with the current version you wish to download:

version=2.4.0; \
  for file in kea-$version.tar.gz kea-$version.tar.gz.asc kea-$version.tar.gz.sha1.asc kea-$version.tar.gz.sha256.asc kea-$version.tar.gz.sha512.asc Kea-$version-ReleaseNotes.txt;  do \
  curl -O$version/$file; \

or just a single file:

curl -O

The tarballs (in contrast to the binary packages) have been signed using ISC's code signing key. To verify signatures, after importing the ISC key from please run this set of commands:

version=2.4.0; \
for i in .asc .sha1.asc .sha256.asc .sha512.asc; do \
  gpg --verify kea-enterprise-$version.tar.gz$i kea-enterprise-$version.tar.gz; \

For ISC subscribers, change to the -prv repository, and insert your token into the query. Change the keyword to specify which hooks to download. The possible values include premium, subscription, and enterprise.

version=2.4.0 hooks=premium; \
  for file in kea-$hooks-$version.tar.gz kea-$hooks-$version.tar.gz.asc kea-$hooks-$version.tar.gz.sha1.asc kea-$hooks-$version.tar.gz.sha256.asc kea-$hooks-$version.tar.gz.sha512.asc;  do \
  curl -O<your-customer-token-here>/isc/kea-2-4-prv/raw/versions/$version/$file; \

and use a similar script to verify signatures:

version=2.4.0 hooks=premium; \
for i in .asc .sha1.asc .sha256.asc .sha512.asc; do \
  gpg --verify kea-$hooks-$version.tar.gz$i kea-$hooks-$version.tar.gz; \

Note that in the examples above you will need to replace kea-2-4 and 2.4.0 with the appropriate version that you are planning to use.

Installing Kea Packages

After configuring the repositories on a host machine, the Kea packages can be installed. As there are several packages, we can choose to install only the parts of Kea that are required. The dependencies between packages are set up so any dependent packages will be pulled in as well.

The following examples will install the main Kea metapackage which depends on (and consequently installs) all of the components in the Open Source bundle.

Deb version:

apt install isc-kea

RPM version:

yum install isc-kea

Alpine version:

apk add isc-kea

If you would only like to install specific components, or subpackages, that is also possible. Please refer to the list of packages above to discover which specific packages you need.

Once Kea is installed, it can be configured; the configuration files are located in the /etc/kea/ folder.

Installing Premium Hooks

After setting up the Premium hooks repository, you should be able to install Kea premium hooks with your platform's package manager.

The following command installs a particular Kea premium hook library.

Deb version:

apt install isc-kea-premium-flex-id

RPM version:

yum install isc-kea-premium-flex-id

Alpine version:

apk add isc-kea-premium-flex-id

Please refer to the Premium Packages section above to discover names of other premium hooks which you may have access to.

Managing Kea Services

When using the ISC provided packages, Kea services should be managed using your the service manager of your OS.

Packages do not include keactrl

The keactrl utility is not included in these packages because it is assumed the user would use the operating system's init system to start and stop Kea instead.

Service Names

RPM and Alpine systems

Service Name Description
kea-dhcp4 DHCPv4 Server
kea-dhcp6 DHCPv6 Server
kea-dhcp-ddns DHCP DDNS Server
kea-ctrl-agent Kea Control Agent - REST API

Debian systems

Service Name Description
isc-kea-dhcp4-server DHCPv4 Server
isc-kea-dhcp6-server DHCPv6 Server
isc-kea-dhcp-ddns-server DHCP DDNS Server
isc-kea-ctrl-agent Kea Control Agent - REST API

Service Management

To start, stop, or restart Kea daemons, systemctl should be used on Debian/Ubuntu and RPM based systems, and OpenRC should be used on Alpine.

In the following examples, the kea-dhcp4 service is being enabled, started, and stopped. Adjust the commands to the service you wish to manage.

Deb version:

systemctl enable isc-kea-dhcp4-server
systemctl start isc-kea-dhcp4-server
systemctl stop isc-kea-dhcp4-server

RPM version:

systemctl enable kea-dhcp4
systemctl start kea-dhcp4
systemctl stop kea-dhcp4

Alpine version:

rc-update add kea-dhcp4
service kea-dhcp4 start
service kea-dhcp4 stop