https://kb.isc.org/docs The release of the Kea 3.0 branch brings with it many changes users need to know about. Hooks libraries re-licensed and re-packaged Most Kea hook libraries have become open source and are freely available; the only exceptions are the Role-Based Access Control hook (RBAC) and the Configuration Backend hook (CB), which remain commercially licensed. The open source hook libraries will be available in the Kea source tarball and for package installation from the official ISC repositories on Cloudsmit ... Thu, 14 May 2026 21:27:41 GMT Kea DHCP > Upgrading Kea https://kb.isc.org/docs/things-to-be-aware-of-when-upgrading-to-kea-300 https://kb.isc.org/docs/things-to-be-aware-of-when-upgrading-to-kea-300 Introduction Installing Stork can seem somewhat confusing at first. The purpose of this quickstart guide is to layout the installation process in steps grouped by package manager or OS. Choose your OS/package manager from the table of contents on the right hand side to jump directly to the section that will cover the installation on your system. Stork Agent Since the Stork Agent may need to be installed more than once on disparate systems (example: to monitor BIND and Kea installations which ... Wed, 13 May 2026 11:45:16 GMT Stork https://kb.isc.org/docs/stork-quickstart-guide https://kb.isc.org/docs/stork-quickstart-guide Catalog Zones is a BIND feature allowing easy provisioning of zones to secondary servers. A "catalog zone" is a special DNS zone that contains a list of other zones to be served, along with their configuration parameters.  The zones listed in a catalog zone are called "member zones".  When a catalog zone is loaded or transferred to a secondary server that supports this functionality, the secondary server creates the member zones automatically.  When the catalog zone is updated (for example, to a ... Wed, 13 May 2026 08:12:49 GMT BIND 9 > Authoritative Configuration and Operation https://kb.isc.org/docs/aa-01401 https://kb.isc.org/docs/aa-01401 Introduction Operators should strive to implement general best practices for the servers hosting their critical infrastructure. Software is only as good as the platform it runs on. System administration is well beyond the scope and remit of ISC Support. However, we can offer a very few suggestions, based on the most common problems we see. Keep current Use an operating system which is still being maintained Keep current with security and stability updates (patches/fixes) ISC gets many report ... Tue, 12 May 2026 18:37:59 GMT About ISC https://kb.isc.org/docs/server-best-practices https://kb.isc.org/docs/server-best-practices Introduction This article introduces the Kea Application Programming Interface (API). It briefly discusses the architecture of how the Kea API is presented, through control sockets, the direct API, and the Kea Control Agent (KCA). Use of API commands is beyond the scope of this article. Consult the Kea ARM for information on API commands and their usage. Kea API Overview The Kea DHCP server consists of up to four daemons (service processes). These daemons communicate with each other, and with ... Tue, 12 May 2026 15:39:44 GMT Kea DHCP https://kb.isc.org/docs/kea-api-sockets https://kb.isc.org/docs/kea-api-sockets The purpose of this article is to help users determine how long a given ISC release is likely to be supported. This information is useful when deciding when to schedule a migration, or in some cases, to help determine which version to migrate to when updating. This is a rough guide, not a guarantee, and release dates are approximate. For the most current information on the status of any particular software version, please refer to the software status listed on the downloads page. BIND 9 (updated ... Mon, 11 May 2026 12:46:10 GMT About ISC https://kb.isc.org/docs/aa-00896 https://kb.isc.org/docs/aa-00896 Introduction This document discusses database connectivity problems, parameters that can be adjusted to make Kea compensate for those problems, and some of the implications of doing so. Scenario Symptoms Often this discussion begins with error messages like this: DATABASE_MYSQL_FATAL_ERROR Unrecoverable MySQL error occurred: unable to execute for <SELECT ...>, reason: Server has gone away (error code: 2006). DHCP6_PACKET_PROCESS_STD_EXCEPTION ... exception occurred during packet processing: fata ... Fri, 08 May 2026 21:25:34 GMT Kea DHCP > Troubleshooting Kea https://kb.isc.org/docs/kea-database-resilience https://kb.isc.org/docs/kea-database-resilience Older versions of BIND generally will not receive updates for new vulnerabilities. For more information, see ISC's Software Support Policy and Version Numbering. SECURITY WARNING Obsolete branches are all known to be vulnerable. ISC strongly recommends upgrading to a current version as soon as practical. That said, the last-published matrix for a given branch is kept available for historical reference. Each major branch is given its own page. Click the link for a given version to see the de ... Tue, 05 May 2026 20:09:40 GMT BIND 9 > Security Advisories > Obsolete Matrices https://kb.isc.org/docs/obsolete-bind-vulnerability-lists https://kb.isc.org/docs/obsolete-bind-vulnerability-lists The BIND 9 Software Vulnerability Matrix (previously know as the "BIND 9 Security Vulnerability Matrix") is a tool to help DNS operators understand the current security risk for a given version of BIND. It has two parts: The first part is a table listing all of the vulnerabilities covered by this page. The first column is a reference number for use in the tables in the second part. The second column is the CVE (Common Vulnerabilities and Exposure) number for the vulnerability, linked to its pag ... Fri, 01 May 2026 21:11:33 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/aa-00913 https://kb.isc.org/docs/aa-00913 Your browser does not support PDF.click here to download Thu, 02 Apr 2026 20:15:33 GMT About ISC > Support Subscriber Newsletter https://kb.isc.org/docs/isc-support-subscriber-news-q1-2026 https://kb.isc.org/docs/isc-support-subscriber-news-q1-2026 Title: Operational Notification: Impact of Stricter Glue Checking Document Version: 1.0a Posting date: 15 December 2025 Canonical URL: https://kb.isc.org/docs/strict-glue Program impacted: BIND Versions affected: BIND 9.18.41 and later 9.20.15 and later 9.21.14 and later Description: BIND versions released in October 2025 included changes in how BIND processes referrals in delegations. BIND now only trusts glue records if, in the associated NS record, the target name (right side) is a subdoma ... Thu, 02 Apr 2026 14:59:34 GMT BIND 9 > Operational Notifications https://kb.isc.org/docs/strict-glue https://kb.isc.org/docs/strict-glue Introduction This article summarizes the TCP and UDP ports (service ports) used by the Kea DHCP server. Standard Ports These ports are specified by the various protocols Kea implements and uses. They are documented here for completeness. Changing them is generally impractical, outside of very controlled circumstances (e.g., a lab environment). Proto Port Assignment UDP 67 DHCPv4 server UDP 68 DHCPv4 client UDP 546 DHCPv6 server UDP 547 DHCPv6 client Both 53 DNS The "Proto" column gives ... Wed, 01 Apr 2026 19:12:44 GMT Kea DHCP > Configuring Kea https://kb.isc.org/docs/kea-ports https://kb.isc.org/docs/kea-ports Summary When configuring Kea to use a database for storage of leases or host reservations, use a unique database for each Kea server. Within a single Kea high availability group (HA group), the database may be shared, subject to certain considerations. Guidance Use a unique database for every Kea server. A database can be made unique by creating a different database name on the same database server, or by using different database servers. For example, if you use a central database server, creat ... Tue, 31 Mar 2026 19:56:21 GMT Kea DHCP > Configuring Kea https://kb.isc.org/docs/kea-unique-databases https://kb.isc.org/docs/kea-unique-databases BIND 9.16 introduced a new method to maintain DNSSEC on your zones. In addition to the inline-signing and auto-dnssec configuration options, there is now dnssec-policy (also see the configuration reference in the ARM). dnssec-policy replaces auto-dnssec auto-dnssec has been removed since the 9.19.16 development release in favour of the newer, more flexible dnssec-policy. With dnssec-policy, you can specify a Key And Signing Policy (KASP) and group all KASP-related configurations together, maki ... Tue, 31 Mar 2026 15:25:47 GMT BIND 9 https://kb.isc.org/docs/dnssec-key-and-signing-policy https://kb.isc.org/docs/dnssec-key-and-signing-policy Summary Stork 2.4 with Kea 3.0 may have issues due to default permissions of the Kea control sockets. The underlying issue is corrected in Kea 3.0.3; upgrading Kea is the recommended solution. Workarounds are possible for earlier version of Kea. Environment Stork 2.4.0 or later Kea 3.0.0 or later Symptoms The Stork agent (stork-agent) running on a Kea server will fail to connect to the Kea API offered by the Kea daemons. The Stork server web UI will show messages about daemon communication p ... Tue, 31 Mar 2026 15:12:26 GMT Stork https://kb.isc.org/docs/stork-kea-socket-perms https://kb.isc.org/docs/stork-kea-socket-perms CVE: CVE-2026-3591 Title: A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: Medium Exploitable: Remotely Description: A use-after-return vulnerability exists in the ... Wed, 25 Mar 2026 12:50:01 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3591 https://kb.isc.org/docs/cve-2026-3591 CVE: CVE-2026-3119 Title: Authenticated query containing a TKEY record may cause named to terminate unexpectedly Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: Medium Exploitable: Remotely Description: Under certain conditions, named may ... Wed, 25 Mar 2026 12:48:27 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3119 https://kb.isc.org/docs/cve-2026-3119 CVE: CVE-2026-3104 Title: Memory leak in code preparing DNSSEC proofs of non-existence Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.20.9-S1 -> 9.20.20-S1 Versions NOT affected: BIND 9.18.0 -> 9.18.46 BIND Supported Preview Edition 9.18.11-S1 -> 9.18.46-S1 Severity: High Exploitable: Remotely Description: A specially crafted domain can be used to cause a memory leak i ... Wed, 25 Mar 2026 12:45:36 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-3104 https://kb.isc.org/docs/cve-2026-3104 CVE: CVE-2026-1519 Title: Excessive NSEC3 iterations cause high CPU load during insecure delegation validation Document version: 2.0 Posting date: 25 March 2026 Program impacted: BIND 9 Versions affected: BIND 9.11.0 -> 9.16.50 9.18.0 -> 9.18.46 9.20.0 -> 9.20.20 9.21.0 -> 9.21.19 BIND Supported Preview Edition 9.11.3-S1 -> 9.16.50-S1 9.18.11-S1 -> 9.18.46-S1 9.20.9-S1 -> 9.20.20-S1 (Versions prior to 9.11.0 were not assessed.) Severity: High Exploitable: Remotely Description: If a BIND reso ... Wed, 25 Mar 2026 12:42:21 GMT BIND 9 > Security Advisories https://kb.isc.org/docs/cve-2026-1519 https://kb.isc.org/docs/cve-2026-1519 CVE: CVE-2026-3608 Title: Stack overflow in Kea daemons Document version: 2.0 Posting date: 25 March 2026 Program impacted: Kea Versions affected: Kea 2.6.0 -> 2.6.4 3.0.0 -> 3.0.2 Severity: High Exploitable: Remotely Description: Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. Impact: Loss of DHCP services CVSS Score: 7.5 ... Wed, 25 Mar 2026 08:14:07 GMT Kea DHCP > Security Advisories https://kb.isc.org/docs/cve-2026-3608 https://kb.isc.org/docs/cve-2026-3608