kea is up with active/standby HA, and pools and options moved;

leases imported to keep a few things consistent across the move;

ISC dhcpd disabled and dhcrelay configured on opnsense;

DHCP scopes handing out the new Adguard endpoints for DNS;

kea is registering forward & reverse DNS with knot;

unbound is configured with stubs pointing at knot for the relevant zones;

Once we've got a critical mass of some DNS internal records registered to knot from DHCP renewals, I'll cut over AdGuard to point to unbound, to basically let things flow through the new paths.

Getting there!

@hugo Kinda surprised they're deprecating ISC without this feature tbh. It's been blocking me from moving to Kea too. ISTR there was another thing too. It might have just been that it wasn't possible to run Kea on some interfaces and ISC on others simultaneously. I probably have room on the home assistant k8s box to run DNS, I guess (which is alongside the opnsense VM). I don't really have any other 'reliable' machines to put it on. I don't really *want* to though. This is like table stakes basic stuff.

Accept a dependency on my public internet DNS and put it there maybe? Hmm.

@ktims the answer seems to be that if you want DNS entries from DHCP to just use dnsmasq, with the language basically being that Kea is the option for more "advanced" deployments.

ISC isn't being totally deprecated in OPNSense yet, and they do appear to have something in place that if you upgrade from an earlier release and use ISC that the plugin is installed for you automatically. But, it does seem like the writing is on the wall.

For mixing and matching:
That might be possible? As I was switching, the ISC enablement is definitely per interface, as was dhcrelay, so I could move that an interface at a time. I'm not sure about the Kea side in OPNSense, but it does look from the docs to have a listening interface setting, as a well as an option to bypass the GUI config and just manage the config file manually.