https://kb.isc.org/docs Introduction This document discusses database connectivity problems, parameters that can be adjusted to make Kea compensate for those problems, and some of the implications of doing so. Scenario Symptoms Often this discussion begins with error messages like this: DATABASE_MYSQL_FATAL_ERROR Unrecoverable MySQL error occurred: unable to execute for <SELECT ...>, reason: Server has gone away (error code: 2006). DHCP6_PACKET_PROCESS_STD_EXCEPTION ... exception occurred during packet processing: fata ... Mon, 06 Apr 2026 20:56:16 GMT Kea DHCP > Troubleshooting Kea https://kb.isc.org/docs/kea-database-resilience https://kb.isc.org/docs/kea-database-resilience Your browser does not support PDF.click here to download Thu, 02 Apr 2026 20:15:33 GMT About ISC > Support Subscriber Newsletter https://kb.isc.org/docs/isc-support-subscriber-news-q1-2026 https://kb.isc.org/docs/isc-support-subscriber-news-q1-2026 Title: Operational Notification: Impact of Stricter Glue Checking Document Version: 1.0a Posting date: 15 December 2025 Canonical URL: https://kb.isc.org/docs/strict-glue Program impacted: BIND Versions affected: BIND 9.18.41 and later 9.20.15 and later 9.21.14 and later Description: BIND versions released in October 2025 included changes in how BIND processes referrals in delegations. BIND now only trusts glue records if, in the associated NS record, the target name (right side) is a subdoma ... Thu, 02 Apr 2026 14:59:34 GMT BIND 9 > Operational Notifications https://kb.isc.org/docs/strict-glue https://kb.isc.org/docs/strict-glue The BIND 9 Software Vulnerability Matrix (previously know as the "BIND 9 Security Vulnerability Matrix") is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts: The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its pag ... Wed, 01 Apr 2026 19:56:00 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/aa-00913 https://kb.isc.org/docs/aa-00913 Introduction This article summarizes the TCP and UDP ports (service ports) used by the Kea DHCP server. Standard Ports These ports are specified by the various protocols Kea implements and uses. They are documented here for completeness. Changing them is generally impractical, outside of very controlled circumstances (e.g., a lab environment). Proto Port Assignment UDP 67 DHCPv4 server UDP 68 DHCPv4 client UDP 546 DHCPv6 server UDP 547 DHCPv6 client Both 53 DNS The "Proto" column gives ... Wed, 01 Apr 2026 19:12:44 GMT Kea DHCP > Configuring Kea https://kb.isc.org/docs/kea-ports https://kb.isc.org/docs/kea-ports Summary When configuring Kea to use a database for storage of leases or host reservations, use a unique database for each Kea server. Within a single Kea high availability group (HA group), the database may be shared, subject to certain considerations. Guidance Use a unique database for every Kea server. A database can be made unique by creating a different database name on the same database server, or by using different database servers. For example, if you use a central database server, creat ... Tue, 31 Mar 2026 19:56:21 GMT Kea DHCP > Configuring Kea https://kb.isc.org/docs/kea-unique-databases https://kb.isc.org/docs/kea-unique-databases BIND 9.16 introduced a new method to maintain DNSSEC on your zones. In addition to the inline-signing and auto-dnssec configuration options, there is now dnssec-policy (also see the configuration reference in the ARM). dnssec-policy replaces auto-dnssec auto-dnssec has been removed since the 9.19.16 development release in favour of the newer, more flexible dnssec-policy. With dnssec-policy, you can specify a Key And Signing Policy (KASP) and group all KASP-related configurations together, maki ... Tue, 31 Mar 2026 15:25:47 GMT BIND 9 https://kb.isc.org/docs/dnssec-key-and-signing-policy https://kb.isc.org/docs/dnssec-key-and-signing-policy Summary Stork 2.4 with Kea 3.0 may have issues due to default permissions of the Kea control sockets. The underlying issue is corrected in Kea 3.0.3; upgrading Kea is the recommended solution. Workarounds are possible for earlier version of Kea. Environment Stork 2.4.0 or later Kea 3.0.0 or later Symptoms The Stork agent (stork-agent) running on a Kea server will fail to connect to the Kea API offered by the Kea daemons. The Stork server web UI will show messages about daemon communication p ... Tue, 31 Mar 2026 15:12:26 GMT Stork https://kb.isc.org/docs/stork-kea-socket-perms https://kb.isc.org/docs/stork-kea-socket-perms Introduction This article introduces the Kea Application Programming Interface (API). It briefly discusses the architecture of how the Kea API is presented, through control sockets, the direct API, and the Kea Control Agent (KCA). Use of API commands is beyond the scope of this article. Consult the Kea ARM for information on API commands and their usage. Kea API Overview The Kea DHCP server consists of up to four daemons (service processes). These daemons communicate with each other, and with ... Thu, 26 Mar 2026 21:49:21 GMT Kea DHCP https://kb.isc.org/docs/kea-api-sockets https://kb.isc.org/docs/kea-api-sockets CVE: CVE-2026-3591 Title: A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: Medium Exploitable: Remotely Description: A use-after-return vulnerability exists in the ... Wed, 25 Mar 2026 12:50:01 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3591 https://kb.isc.org/docs/cve-2026-3591 CVE: CVE-2026-3119 Title: Authenticated query containing a TKEY record may cause named to terminate unexpectedly Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: Medium Exploitable: Remotely Description: Under certain conditions, named may ... Wed, 25 Mar 2026 12:48:27 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3119 https://kb.isc.org/docs/cve-2026-3119 CVE: CVE-2026-3104 Title: Memory leak in code preparing DNSSEC proofs of non-existence Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: High Exploitable: Remotely Description: A specially crafted domain can be used to cause a memory leak i ... Wed, 25 Mar 2026 12:45:36 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3104 https://kb.isc.org/docs/cve-2026-3104 CVE: CVE-2026-1519 Title: Excessive NSEC3 iterations cause high CPU load during insecure delegation validation Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.11.0 -> 9.16.50 9.18.0 -> 9.18.46 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.11.3-S1 -> 9.16.50-S1 9.18.11-S1 -> 9.18.46-S1 9.20.9-S1 -> 9.20.20-S1 (Versions prior to 9.11.0 were not assessed.) Severity: High Exploitable: Remotely Description: If a BIND reso ... Wed, 25 Mar 2026 12:42:21 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-1519 https://kb.isc.org/docs/cve-2026-1519 CVE: CVE-2026-3608 Title: Stack overflow in Kea daemons Document version: 2.0 Posting date: 25 March 2026 Program impacted: Kea Versions affected: Kea 2.6.0 -> 2.6.4 3.0.0 -> 3.0.2 Severity: High Exploitable: Remotely Description: Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. Impact: Loss of DHCP services CVSS Score: 7.5 ... Wed, 25 Mar 2026 08:14:07 GMT Kea DHCP > Security Advisories https://kb.isc.org/docs/cve-2026-3608 https://kb.isc.org/docs/cve-2026-3608 ISC offers binary packages for BIND 9. Versions supported Please note that we only provide packages for operating system versions currently supported. When we release a new version of BIND, we evaluate the OSes we are supporting. We add packages for newly released operating system versions as promptly as we are able and remove packages for operating system versions and BIND versions that become end-of-life Why does ISC provide BIND 9 packages? For all open source users We want to ensure BIND 9 ... Mon, 23 Mar 2026 21:43:21 GMT BIND 9 https://kb.isc.org/docs/isc-packages-for-bind-9 https://kb.isc.org/docs/isc-packages-for-bind-9 Maintaining ISC's process of continuous improvement, there have been some major changes between BIND 9.18 and BIND 9.20. This article highlights the changes most likely to require changes in configuration or operator procedures. The intent is not to replace our advice that operators always pay attention to the Release Notes, but to quickly point operators to the most relevant aspects. For more information on how features are deprecated and removed, and what those terms mean, see ISC's policy for ... Mon, 23 Mar 2026 19:59:46 GMT BIND 9 > Getting Started https://kb.isc.org/docs/bind-920-changes https://kb.isc.org/docs/bind-920-changes Maintaining our process of continuous improvement, there have been some major changes in BIND between the two currently supported ESV versions - 9.16 and 9.18. This article summarises what those changes are so that you can go into this upgrade knowing which features are likely to affect your installation and what parameters you might need to adjust. Working document This article is still under construction. We will add more detail about impacts of the changes listed as we learn about them. Maj ... Wed, 11 Mar 2026 16:40:58 GMT BIND 9 > Getting Started https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918 https://kb.isc.org/docs/changes-to-be-aware-of-when-moving-from-bind-916-to-918 ISC DHCPのメモリリーク 概要:  ISC DHCPに2件のメモリリークが発見され、修正されました。いずれもDHCPv6 モードでの動作時(コマンドラインで-6オプションを指定した場合)に再現できることが確認されています。うち1件はDHCPv6モードでの動作時のみに発生することが確認されていますが、もう1件は、実装コードの分析によれば(ただし実際には再現できてはいません)理論上DHCPv4サーバでも発生する可能性があります。 CVE:  CVE-2012-3954 文書バージョン:  2.0(原文バージョン) 公開日付:  2012年7月24日 影響を受けるプログラム:  ISC DHCP 4 影響を受けるバージョン:  4.1.x, 4.2.x 深刻度:  中(Medium) 攻撃方法:  DHCPサーバにリクエストを送る許可を受けたネットワークから可能 詳細:  ISCでは、DHCPコードに2件のメモリリークを発見して修正しました。そのうちの一つはDHCPv6モードで動作するサーバにのみ影響します。もう一方は、DHCPv6モードで動作するサーバに影響することは判明しており、可 ... Thu, 05 Mar 2026 16:35:05 GMT ISC DHCP (now EOL) > Security Advisories > Translations JP https://kb.isc.org/docs/aa-00754 https://kb.isc.org/docs/aa-00754 Titel:  Speicherleck in ISC DHCP gefunden Zusammenfassung: Zwei Speicherlecks wurden in ISC DHCP gefunden und beseitigt. Beide sind reproduzierbar wenn der Server im DHCPv6 Modus betrieben wird (mit dem -6 Parameter auf der Kommandozeile). Das erste Leck betrifft nur Server, die im DHCPv6 Modus arbeiten, aber basierend auf der vorläufigen Analyse, das zweite Leck kann theoretisch auch DHCPv4 Server betreffen (allerdings ist dies bisher nicht demonstriert worden) CVE:  CVE-2012-3954 Dokument Vers ... Thu, 05 Mar 2026 16:34:11 GMT ISC DHCP (now EOL) > Security Advisories > Translations DE https://kb.isc.org/docs/aa-00738 https://kb.isc.org/docs/aa-00738 题目: ISC DHCP 内存泄露漏洞 摘要: 日前,两个内存泄露的漏洞在 ISC DHCP 程序中被发现,并且已经修复。两 处漏洞都是在运行 DHCPv6 模式的时候可能发生内存泄露的。其中一处错误被证 实只能影响那些运行 DHCPv6 模式的服务器, 而另一处错误, 根据源代码分析(尚 未经实验证实),也可能影响运行 DHCPv4 的服务器。 CVE: CVE-2012-3954 文档版本: 2.0 发布日期: 2012 年 7 月 24 日 受影响软件: ISC DHCP 4 软件版本: 4.1.x 和 4.2.x 严重程度: 中级 可利用方式: 本地,从网络发给 DHCP 服务器的请求报文。 描述: ISC 发现并修复了两个存在于 DHCP 程序代码中的可能引起内存泄露的漏洞。 其中一个漏洞只能影响运行在 DHCPv6 模式的服务器。另一个漏洞被证明可以影 响运行在 DHCPv6 模式的服务器,但是也有影响 DHCPv4 模式下服务器的潜在危险。 在上述两种场景下, 服务器都可能在处理消息的时候发生一小块内存的泄露。这 种泄露在每次迭代查询发生的时候数据规模非常小, ... Thu, 05 Mar 2026 16:23:27 GMT ISC DHCP (now EOL) > Security Advisories > Translations CN https://kb.isc.org/docs/aa-00760 https://kb.isc.org/docs/aa-00760