From 49e2a7fc5120bfefe17451b329b8e06733c59c6f Mon Sep 17 00:00:00 2001 From: Warren Block Date: Sun, 3 Apr 2016 18:57:15 +0000 Subject: [PATCH] Whitespace-only fixes, translators please ignore. --- .../books/handbook/audit/chapter.xml | 4 +- .../books/handbook/boot/chapter.xml | 32 +- .../books/handbook/config/chapter.xml | 20 +- .../books/handbook/cutting-edge/chapter.xml | 38 +- .../books/handbook/desktop/chapter.xml | 40 +- .../books/handbook/disks/chapter.xml | 16 +- .../books/handbook/filesystems/chapter.xml | 4 +- .../books/handbook/introduction/chapter.xml | 18 +- .../books/handbook/mail/chapter.xml | 196 ++- .../books/handbook/multimedia/chapter.xml | 272 ++-- .../handbook/network-servers/chapter.xml | 1334 +++++++++-------- .../books/handbook/pgpkeys/chapter.xml | 2 +- .../books/handbook/security/chapter.xml | 4 +- .../books/handbook/serialcomms/chapter.xml | 43 +- .../books/handbook/virtualization/chapter.xml | 49 +- .../books/handbook/x11/chapter.xml | 58 +- 16 files changed, 1099 insertions(+), 1031 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/audit/chapter.xml b/en_US.ISO8859-1/books/handbook/audit/chapter.xml index 45a49948d0..e10a8724b3 100644 --- a/en_US.ISO8859-1/books/handbook/audit/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/audit/chapter.xml @@ -82,8 +82,8 @@ requirements. --> - Understand &unix; and &os; basics (). + Understand &unix; and &os; basics + (). diff --git a/en_US.ISO8859-1/books/handbook/boot/chapter.xml b/en_US.ISO8859-1/books/handbook/boot/chapter.xml index 8ae9da9e3a..047196660e 100644 --- a/en_US.ISO8859-1/books/handbook/boot/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/boot/chapter.xml 
@@ -638,27 +638,27 @@ console none unknown off insecure - + --> - Configuring Boot Time Splash Screens + Configuring Boot Time Splash Screens - - - - Joseph J. - Barbish - - Contributed by - - - + + + + Joseph J. + Barbish + + Contributed by + + + Typically when a &os; system boots, it displays its progress as a series of messages at the console. A boot splash screen @@ -895,8 +895,8 @@ bitmap_name="/boot/splash.bin" &man.reboot.8;. Refer to their manual pages and to &man.shutdown.8; for more information. - Modify group membership by referring to - . + Modify group membership by referring to + . Power management requires &man.acpi.4; to be loaded as diff --git a/en_US.ISO8859-1/books/handbook/config/chapter.xml b/en_US.ISO8859-1/books/handbook/config/chapter.xml index 66875c44a0..5a0641726a 100644 --- a/en_US.ISO8859-1/books/handbook/config/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/config/chapter.xml @@ -976,8 +976,8 @@ lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 Replace dc0 with the correct value for the system. - The line added, then, follow the instructions given in . + The line added, then, follow the instructions given in + . If the network was configured during installation, some 
@@ -2534,14 +2534,14 @@ device_probe_and_attach: cbb0 attach returned 12 kern.ipc.soacceptqueue - The kern.ipc.soacceptqueue &man.sysctl.8; - variable limits the size of the listen queue for accepting - new TCP connections. The default value - of 128 is typically too low for robust - handling of new connections on a heavily loaded web server. - For such environments, it is recommended to increase this - value to 1024 or higher. A service - such as &man.sendmail.8;, or + The kern.ipc.soacceptqueue + &man.sysctl.8; variable limits the size of the listen queue + for accepting new TCP connections. The + default value of 128 is typically too low + for robust handling of new connections on a heavily loaded + web server. For such environments, it is recommended to + increase this value to 1024 or higher. A + service such as &man.sendmail.8;, or Apache may itself limit the listen queue size, but will often have a directive in its configuration file to adjust the queue size. Large listen diff --git a/en_US.ISO8859-1/books/handbook/cutting-edge/chapter.xml b/en_US.ISO8859-1/books/handbook/cutting-edge/chapter.xml index bad233f022..47429b851c 100644 --- a/en_US.ISO8859-1/books/handbook/cutting-edge/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/cutting-edge/chapter.xml @@ -682,7 +682,7 @@ before running "/usr/sbin/freebsd-update install" For information on editing and submitting corrections to the documentation, refer to the &os; Documentation Project Primer for New Contributors (http://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/). + xlink:href="&url.books.fdp-primer;">http://www.freebsd.org/doc/en_US.ISO8859-1/books/fdp-primer/). Updating Documentation from Source 
@@ -1034,8 +1034,8 @@ before running "/usr/sbin/freebsd-update install" Synchronize with the &os.current; sources. Typically, svn is used to check out the -CURRENT code from the head branch of - one of the Subversion mirror - sites listed in . + one of the Subversion mirror sites listed in + . Users with very slow or limited Internet connectivity can instead use CTM as described in , @@ -1673,24 +1673,24 @@ Script started, output file is /var/tmp/mw.out - Merging Configuration Files + Merging Configuration Files - - - - Tom - Rhodes - - Contributed by - - - + + + + Tom + Rhodes + + Contributed by + + + - - - mergemaster - - + + + mergemaster + + &os; provides the &man.mergemaster.8; Bourne script to aid in determining the differences between the configuration files diff --git a/en_US.ISO8859-1/books/handbook/desktop/chapter.xml b/en_US.ISO8859-1/books/handbook/desktop/chapter.xml index 52b465c9e0..0440f158ba 100644 --- a/en_US.ISO8859-1/books/handbook/desktop/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/desktop/chapter.xml @@ -35,9 +35,9 @@ Users who prefer to install a pre-built desktop version of FreeBSD rather than configuring one from scratch should - refer to the pcbsd.org - website. + refer to the + pcbsd.org + website. Readers of this chapter should know how to: @@ -49,8 +49,8 @@ - Install X and a window manager as described in . + Install X and a window manager as described in + . 
@@ -400,25 +400,25 @@ /usr/local/bin/chromium. - - Chromium and &java; Plugin + + Chromium and &java; Plugin - The installation of - Chromium does not include &java; - support. To install &java; plugin support, follow the - instructions in . + The installation of + Chromium does not include &java; + support. To install &java; plugin support, follow the + instructions in . - Once &java; support is installed, start - Chromium and enter - about:plugins in the address bar. - IcedTea-Web should be listed as one of the installed - plugins. + Once &java; support is installed, start + Chromium and enter + about:plugins in the address bar. + IcedTea-Web should be listed as one of the installed + plugins. - If Chromium does not display - the IcedTea-Web plugin, run the following commands and - restart the web browser: + If Chromium does not display + the IcedTea-Web plugin, run the following commands and + restart the web browser: - &prompt.root; mkdir -p /usr/local/share/chromium/plugins + &prompt.root; mkdir -p /usr/local/share/chromium/plugins &prompt.root; ln -s /usr/local/lib/IcedTeaPlugin.so \ /usr/local/share/chromium/plugins/ diff --git a/en_US.ISO8859-1/books/handbook/disks/chapter.xml b/en_US.ISO8859-1/books/handbook/disks/chapter.xml index 5bbe418d9d..fb3b06c4a0 100644 --- a/en_US.ISO8859-1/books/handbook/disks/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/disks/chapter.xml @@ -515,12 +515,12 @@ da0: <STECH Simple Drive 1.04> s/n WD-WXE508CAN263 detached Automounting Removable Media - &man.autofs.5; supports automatic mounting of + &man.autofs.5; supports automatic mounting of removable media starting with &os; 10.2-RELEASE. USB devices can be automatically - mounted by uncommenting this line in + mounted by uncommenting this line in /etc/auto_master: /media -media -nosuid 
@@ -536,18 +536,18 @@ da0: <STECH Simple Drive 1.04> s/n WD-WXE508CAN263 detached Reload the configuration if &man.autofs.5; - and &man.devd.8; are already running: + and &man.devd.8; are already running: &prompt.root; service automount reload &prompt.root; service devd restart &man.autofs.5; can be set to start at boot by adding this - line to /etc/rc.conf: + line to /etc/rc.conf: autofs_enable="YES" &man.autofs.5; requires &man.devd.8; to be enabled, as it - is by default. + is by default. Start the services immediately with: @@ -557,18 +557,18 @@ da0: <STECH Simple Drive 1.04> s/n WD-WXE508CAN263 detached &prompt.root; service devd start Each file system that can be automatically mounted appears - as a directory in /media/. The directory + as a directory in /media/. The directory is named after the file system label. If the label is missing, the directory is named after the device node. The file system is transparently mounted on the first - access, and unmounted after a period of inactivity. + access, and unmounted after a period of inactivity. Automounted drives can also be unmounted manually: &prompt.root; automount -fu This mechanism is typically used for memory cards and - USB memory sticks. It can be used with + USB memory sticks. It can be used with any block device, including optical drives or iSCSI LUNs. diff --git a/en_US.ISO8859-1/books/handbook/filesystems/chapter.xml b/en_US.ISO8859-1/books/handbook/filesystems/chapter.xml index 9ec13bcd32..8ac6be5c50 100644 --- a/en_US.ISO8859-1/books/handbook/filesystems/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/filesystems/chapter.xml @@ -70,8 +70,8 @@ - Understand &unix; and &os; basics. + Understand &unix; and + &os; basics. diff --git a/en_US.ISO8859-1/books/handbook/introduction/chapter.xml b/en_US.ISO8859-1/books/handbook/introduction/chapter.xml index c20b66b534..8767e45f4f 100644 --- a/en_US.ISO8859-1/books/handbook/introduction/chapter.xml 
+++ b/en_US.ISO8859-1/books/handbook/introduction/chapter.xml @@ -67,9 +67,9 @@ and &itanium;), AMD64, Sun &ultrasparc; computers. Ports to other architectures are also under way. You can also read about the history of &os;, or the - current release. If you are - interested in contributing something to the Project (code, - hardware, funding), see the current release. + If you are interested in contributing something to the Project + (code, hardware, funding), see the Contributing to &os; article. @@ -733,12 +733,12 @@ xlink:href="http://www.opnsense.org/">OPNSense OPNsense - - OPNsense is an open source, easy-to-use and - easy-to-build FreeBSD based firewall and routing platform. - OPNsense includes most of the features available in expensive - commercial firewalls, and more in many cases. It brings the - rich feature set of commercial offerings with the benefits of - open and verifiable sources. + - OPNsense is an open source, easy-to-use and + easy-to-build FreeBSD based firewall and routing platform. + OPNsense includes most of the features available in + expensive commercial firewalls, and more in many cases. + It brings the rich feature set of commercial offerings + with the benefits of open and verifiable sources. diff --git a/en_US.ISO8859-1/books/handbook/mail/chapter.xml b/en_US.ISO8859-1/books/handbook/mail/chapter.xml index 11526cd2a6..b79727bc8d 100644 --- a/en_US.ISO8859-1/books/handbook/mail/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/mail/chapter.xml @@ -284,12 +284,17 @@ FreeBSD.org mail is handled by 10 mx1.FreeBSD.org - <application>Sendmail</application> Configuration - Files + <application>Sendmail</application> Configuration + Files - ChristopherShumwayContributed - by + + + Christopher + Shumway + + Contributed by + @@ -553,7 +558,7 @@ other.isp.example.net users-isp.example.org www.example.org - After creating or editing this file, restart + After creating or editing this file, restart Sendmail with service sendmail restart. 
@@ -569,16 +574,26 @@ www.example.org - Changing the Mail Transfer Agent + Changing the Mail Transfer Agent - AndrewBoothmanWritten - by + + + Andrew + Boothman + + Written by + + - GregoryNeil - ShapiroInformation taken - from emails written by + + + Gregory + Neil Shapiro + + Information taken from emails written by + 
@@ -798,65 +813,67 @@ purgestat /usr/libexec/sendmail/sendmail - - - How can I run a mail server on a dial-up PPP - host? - + + + How can I run a mail server on a dial-up PPP + host? + - - Connect to a &os; mail gateway on the LAN. The PPP - connection is non-dedicated. + + Connect to a &os; mail gateway on the LAN. The PPP + connection is non-dedicated. - One way to do this is to get a full-time Internet server - to provide secondary MX - MX record services for the - domain. In this example, the domain is example.com and the ISP - has configured example.net to provide - secondary MX services to the - domain: + One way to do this is to get a full-time Internet + server to provide secondary + MX + MX record + services for the domain. In this example, the domain is + example.com + and the ISP has configured + example.net + to provide secondary MX services to the + domain: - example.com. MX 10 example.com. + example.com. MX 10 example.com. MX 20 example.net. - Only one host should be specified as the final - recipient. For Sendmail, add - Cw example.com in - /etc/mail/sendmail.cf on example.com. + Only one host should be specified as the final + recipient. For Sendmail, add + Cw example.com in + /etc/mail/sendmail.cf on example.com. - When the sending MTA attempts - to deliver mail, it will try to connect to the system, - example.com, - over the PPP link. This will time out if the destination is - offline. The MTA will automatically - deliver it to the secondary MX site at - the Internet Service Provider (ISP), - example.net. - The secondary MX site will periodically - try to connect to the primary MX host, - example.com. + When the sending MTA attempts + to deliver mail, it will try to connect to the system, + example.com, + over the PPP link. This will time out if the destination + is offline. The MTA will automatically + deliver it to the secondary MX site at + the Internet Service Provider (ISP), + example.net. 
+ The secondary MX site will periodically + try to connect to the primary MX host, + example.com. - Use something like this as a login script: + Use something like this as a login script: - #!/bin/sh + #!/bin/sh # Put me in /usr/local/bin/pppmyisp ( sleep 60 ; /usr/sbin/sendmail -q ) & /usr/sbin/ppp -direct pppmyisp - When creating a separate login script for users, instead - use sendmail -qRexample.com in the script - above. This will force all mail in the queue for - example.com to - be processed immediately. + When creating a separate login script for users, + instead use sendmail -qRexample.com in + the script above. This will force all mail in the queue + for + example.com + to be processed immediately. - A further refinement of the situation can be seen from - this example from the &a.isp;: + A further refinement of the situation can be seen from + this example from the &a.isp;: - > we provide the secondary MX for a customer. The customer connects to + > we provide the secondary MX for a customer. The customer connects to > our services several times a day automatically to get the mails to > his primary MX (We do not call his site when a mail for his domains > arrived). Our sendmail sends the mailqueue every 30 minutes. At the @@ -952,9 +969,9 @@ example.FreeBSD.org &prompt.root; host example.FreeBSD.org example.FreeBSD.org has address 204.216.27.XX - In this example, mail sent directly to yourlogin@example.FreeBSD.org should - work without problems, assuming + In this example, mail sent directly to + yourlogin@example.FreeBSD.org + should work without problems, assuming Sendmail is running correctly on example.FreeBSD.org. @@ -1073,11 +1090,16 @@ freefall MX 20 who.cdrom.com - Setting Up to Send Only + Setting Up to Send Only - BillMoranContributed - by + + + Bill + Moran + + Contributed by + 
@@ -1237,11 +1259,16 @@ define(`confDELIVERY_MODE',`deferred')dnl - SMTP Authentication + SMTP Authentication - JamesGorhamWritten - by + + + James + Gorham + + Written by + @@ -1373,11 +1400,16 @@ define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl - Mail User Agents + Mail User Agents - MarcSilverContributed - by + + + Marc + Silver + + Contributed by + @@ -1729,11 +1761,16 @@ EOT - Using <application>fetchmail</application> + Using <application>fetchmail</application> - MarcSilverContributed - by + + + Marc + Silver + + Contributed by + @@ -1789,9 +1826,9 @@ EOT The following .fetchmailrc serves as an example for downloading a single user mailbox using POP. It tells - fetchmail to connect to example.com using a - username of joesoap + fetchmail to connect to + example.com using + a username of joesoap and a password of XXX. This example assumes that the user joesoap exists on the local system. @@ -1825,11 +1862,16 @@ user "john", with password "XXXXX", is "myth" here; - Using <application>procmail</application> + Using <application>procmail</application> - MarcSilverContributed - by + + + Marc + Silver + + Contributed by + diff --git a/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml b/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml index 8b3b211469..1838ec2c2a 100644 --- a/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/multimedia/chapter.xml @@ -13,9 +13,9 @@ - - Ross - Lippert + + Ross + Lippert Edited by @@ -96,22 +96,23 @@ - Setting Up the Sound Card + Setting Up the Sound Card - - Moses - Moore - - Contributed by + + Moses + Moore + + Contributed by + - - Marc - Fonvieille + + Marc + Fonvieille Enhanced by 
@@ -387,107 +388,105 @@ pcm7: <HDA Realtek ALC889 PCM #3 Digital> at cad 2 nid 1 on hdac1 /etc/sysctl.conf: hw.snd.default_unit=4 - + - - - Utilizing Multiple Sound Sources + + + Utilizing Multiple Sound Sources - - - - Munish - Chopra - - Contributed by - - - + + + + Munish + Chopra + + Contributed by + + + - It is often desirable to have multiple sources of sound that - are able to play simultaneously. &os; uses Virtual - Sound Channels to multiplex the sound card's playback - by mixing sound in the kernel. + It is often desirable to have multiple sources of sound + that are able to play simultaneously. &os; uses + Virtual Sound Channels to multiplex the sound + card's playback by mixing sound in the kernel. - Three &man.sysctl.8; knobs are available for configuring - virtual channels: + Three &man.sysctl.8; knobs are available for configuring + virtual channels: - &prompt.root; sysctl dev.pcm.0.play.vchans=4 + &prompt.root; sysctl dev.pcm.0.play.vchans=4 &prompt.root; sysctl dev.pcm.0.rec.vchans=4 &prompt.root; sysctl hw.snd.maxautovchans=4 - This example allocates four virtual channels, which is a - practical number for everyday use. Both - dev.pcm.0.play.vchans=4 and - dev.pcm.0.rec.vchans=4 are configurable after - a device has been attached and represent the number of virtual - channels pcm0 has for playback and - recording. Since the pcm module can be - loaded independently of the hardware drivers, - hw.snd.maxautovchans indicates how many - virtual channels will be given to an audio device when it is - attached. Refer to &man.pcm.4; for more information. + This example allocates four virtual channels, which is a + practical number for everyday use. Both + dev.pcm.0.play.vchans=4 and + dev.pcm.0.rec.vchans=4 are configurable + after a device has been attached and represent the number of + virtual channels pcm0 has for playback + and recording. 
Since the pcm module can + be loaded independently of the hardware drivers, + hw.snd.maxautovchans indicates how many + virtual channels will be given to an audio device when it is + attached. Refer to &man.pcm.4; for more information. - - The number of virtual channels for a device cannot be - changed while it is in use. First, close any programs using - the device, such as music players or sound daemons. - + + The number of virtual channels for a device cannot be + changed while it is in use. First, close any programs using + the device, such as music players or sound daemons. + - - The correct pcm device will - automatically be allocated transparently to a program that - requests /dev/dsp0. - + The correct pcm device will + automatically be allocated transparently to a program that + requests /dev/dsp0. + - + + + Setting Default Values for Mixer Channels + + + + + Josef + El-Rayes + + Contributed by + + + + + The default values for the different mixer channels are + hardcoded in the source code of the &man.pcm.4; driver. While + sound card mixer levels can be changed using &man.mixer.8; or + third-party applications and daemons, this is not a permanent + solution. To instead set default mixer values at the driver + level, define the appropriate values in + /boot/device.hints, as seen in this + example: + + hint.pcm.0.vol="50" + + This will set the volume channel to a default value of + 50 when the &man.pcm.4; module is + loaded. + + + + - Setting Default Values for Mixer Channels + MP3 Audio - - Josef - El-Rayes - - Contributed by + + Chern + Lee + + Contributed by - - The default values for the different mixer channels are - hardcoded in the source code of the &man.pcm.4; driver. While - sound card mixer levels can be changed using &man.mixer.8; or - third-party applications and daemons, this is not a permanent - solution. 
To instead set default mixer values at the driver - level, define the appropriate values in - /boot/device.hints, as seen in this - example: - - hint.pcm.0.vol="50" - - This will set the volume channel to a default value of - 50 when the &man.pcm.4; module is - loaded. - - - - - - MP3 Audio - - - - - Chern - Lee - - Contributed by - - - - This section describes some MP3 players available for &os;, how to rip audio CD tracks, and how to encode and decode @@ -540,16 +539,16 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo CDs. With the audio CD in the drive, the - following command can be issued as root to rip an entire - CD into individual, per track, + following command can be issued as + root to rip an + entire CD into individual, per track, WAV files: &prompt.root; cdda2wav -D 0,1,0 -B - In this example, the indicates the - SCSI device 0,1,0 + In this example, the + indicates + the SCSI device 0,1,0 containing the CD to rip. Use cdrecord -scanbus to determine the correct device parameters for the system. @@ -580,8 +579,7 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo Encoding and Decoding MP3s - - Lame is a popular + Lame is a popular MP3 encoder which can be installed from the audio/lame port. Due to patent issues, a package is not available. 
@@ -598,12 +596,13 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo MP3 bitrate while the 160 and 192 bitrates provide higher quality. The higher the bitrate, the larger the size of the resulting MP3. The - turns on the higher quality but a - little slower mode. The options beginning with - indicate ID3 tags, - which usually contain song information, to be embedded within - the MP3 file. Additional encoding options - can be found in the lame manual + turns on the + higher quality but a little slower + mode. The options beginning with + indicate ID3 tags, which usually contain + song information, to be embedded within the + MP3 file. Additional encoding options can + be found in the lame manual page. In order to burn an audio CD from @@ -695,13 +694,13 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo - Video Playback + Video Playback - - Ross - Lippert + + Ross + Lippert Contributed by @@ -1152,27 +1151,28 @@ zoom=yes - TV Cards + TV Cards - - - - Josef - El-Rayes - - Original contribution by - - - - - - Marc - Fonvieille - - Enhanced and adapted by - - - + + + + Josef + El-Rayes + + Original contribution by + + + + + + + Marc + Fonvieille + + Enhanced and adapted by + + + TV cards @@ -1360,13 +1360,13 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner. - Image Scanners + Image Scanners - - Marc - Fonvieille + + Marc + Fonvieille Written by diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml index 13726050a0..ddf404eab3 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml @@ -480,18 +480,19 @@ server-program-arguments - Tom - Rhodes - + Tom + Rhodes + Reorganized and enhanced by + - Bill - Swingle - + Bill + Swingle + Written by 
@@ -799,22 +800,23 @@ rpc_statd_enable="YES" - Automating Mounts with &man.amd.8; + Automating Mounts with &man.amd.8; - Wylie - Stilwell - + Wylie + Stilwell + Contributed by + - Chern - Lee + Chern + Lee Rewritten by @@ -1003,8 +1005,8 @@ Exports list on foobar: OS X document. Consult the &man.automount.8;, &man.automountd.8;, - &man.autounmountd.8;, and &man.auto.master.5; manual pages for - more information. + &man.autounmountd.8;, and &man.auto.master.5; manual pages for + more information. @@ -1253,28 +1255,28 @@ Exports list on foobar: ellington 10.0.0.2 + class="ipaddress">10.0.0.2 NIS master coltrane 10.0.0.3 + class="ipaddress">10.0.0.3 NIS slave basie 10.0.0.4 + class="ipaddress">10.0.0.4 Faculty workstation bird 10.0.0.5 + class="ipaddress">10.0.0.5 Client machine @@ -1453,10 +1455,11 @@ nis_client_flags="-S NIS domain,serverroot and any other administrative accounts. - Ensure that the - /var/yp/master.passwd is neither group - or world readable by setting its permissions to - 600. + + Ensure that the + /var/yp/master.passwd is neither + group or world readable by setting its permissions to + 600. After completing this task, initialize the @@ -2236,15 +2239,15 @@ TWO (,hotel,test-domain) - Lightweight Directory Access Protocol - (<acronym>LDAP</acronym>) + Lightweight Directory Access Protocol + (<acronym>LDAP</acronym>) - - Tom - Rhodes - + + Tom + Rhodes + Written by 
@@ -3279,62 +3282,60 @@ freebsd.org. (A) information that will be given out by the name server in response to queries. - - Starting BIND + + Starting BIND - - BIND - starting - + + BIND + starting + - Since BIND is installed by default, configuring it is - relatively simple. + Since BIND is installed by default, configuring it is + relatively simple. - The default named configuration - is that of a basic resolving name server, running in a - &man.chroot.8; environment, and restricted to listening on the - local IPv4 loopback address (127.0.0.1). To start the server - one time with this configuration, use the following - command: + The default named + configuration is that of a basic resolving name server, + running in a &man.chroot.8; environment, and restricted to + listening on the local IPv4 loopback address (127.0.0.1). + To start the server one time with this configuration, use + the following command: - &prompt.root; service named onestart + &prompt.root; service named onestart - To ensure the named daemon is - started at boot each time, put the following line into the - /etc/rc.conf: + To ensure the named daemon is + started at boot each time, put the following line into the + /etc/rc.conf: - named_enable="YES" + named_enable="YES" - There are many configuration options for - /etc/namedb/named.conf that are beyond - the scope of this document. Other startup options - for named on &os; can be found in - the named_* - flags in /etc/defaults/rc.conf and in - &man.rc.conf.5;. The - section is also a good - read. - + There are many configuration options for + /etc/namedb/named.conf that are beyond + the scope of this document. Other startup options for + named on &os; can be found in the + named_* flags + in /etc/defaults/rc.conf and in + &man.rc.conf.5;. The + section is also a good read. 
+ - - Configuration Files + + Configuration Files - - BIND - configuration files - + + BIND + configuration files + - Configuration files for named - currently reside in - /etc/namedb directory - and will need modification before use unless all that is - needed is a simple resolver. This is where most of the - configuration will be performed. + Configuration files for named + currently reside in /etc/namedb + directory and will need modification before use unless all + that is needed is a simple resolver. This is where most of + the configuration will be performed. - - <filename>/etc/namedb/named.conf</filename> + + <filename>/etc/namedb/named.conf</filename> - // $FreeBSD$ + // $FreeBSD$ // // Refer to the named.conf(5) and named(8) man pages, and the documentation // in /usr/share/doc/bind9 for more details. 
@@ -3390,24 +3391,25 @@ options { // named_auto_forward_only (the effect of which is described above). // include "/etc/namedb/auto_forward.conf"; - Just as the comment says, to benefit from an uplink's - cache, forwarders can be enabled here. - Under normal circumstances, a name server will recursively - query the Internet looking at certain name servers until it - finds the answer it is looking for. Having this enabled - will have it query the uplink's name server (or name server - provided) first, taking advantage of its cache. If the - uplink name server in question is a heavily trafficked, fast - name server, enabling this may be worthwhile. + Just as the comment says, to benefit from an uplink's + cache, forwarders can be enabled here. + Under normal circumstances, a name server will recursively + query the Internet looking at certain name servers until + it finds the answer it is looking for. Having this + enabled will have it query the uplink's name server (or + name server provided) first, taking advantage of its + cache. If the uplink name server in question is a heavily + trafficked, fast name server, enabling this may be + worthwhile. - - 127.0.0.1 - will not work here. Change this - IP address to a name server at the - uplink. - + + 127.0.0.1 + will not work here. Change this + IP address to a name server at the + uplink. + - /* + /* Modern versions of BIND use a random UDP port for each outgoing query by default in order to dramatically reduce the possibility of cache poisoning. All users are strongly encouraged to utilize 
@@ -3646,54 +3648,55 @@ zone "1.168.192.in-addr.arpa" { }; */ - In named.conf, these are examples - of slave entries for a forward and reverse zone. + In named.conf, these are examples + of slave entries for a forward and reverse zone. - For each new zone served, a new zone entry must be added - to named.conf. + For each new zone served, a new zone entry must be + added to named.conf. - For example, the simplest zone entry for - example.org - can look like: + For example, the simplest zone entry for + example.org + can look like: - zone "example.org" { + zone "example.org" { type master; file "master/example.org"; }; - The zone is a master, as indicated by the - statement, holding its zone - information in - /etc/namedb/master/example.org - indicated by the statement. + The zone is a master, as indicated by the + statement, holding its zone + information in + /etc/namedb/master/example.org + indicated by the statement. - zone "example.org" { + zone "example.org" { type slave; file "slave/example.org"; }; - In the slave case, the zone information is transferred - from the master name server for the particular zone, and - saved in the file specified. If and when the master server - dies or is unreachable, the slave name server will have the - transferred zone information and will be able to serve - it. - + In the slave case, the zone information is transferred + from the master name server for the particular zone, and + saved in the file specified. If and when the master + server dies or is unreachable, the slave name server will + have the transferred zone information and will be able to + serve it. 
+ - - Zone Files + + Zone Files - - BIND - zone files - + + BIND + zone files + - An example master zone file for example.org (existing - within /etc/namedb/master/example.org) - is as follows: + An example master zone file for + example.org + (existing within + /etc/namedb/master/example.org) is as + follows: - $TTL 3600 ; 1 hour default TTL + $TTL 3600 ; 1 hour default TTL example.org. IN SOA ns1.example.org. admin.example.org. ( 2006051501 ; Serial 10800 ; Refresh 
@@ -3722,186 +3725,194 @@ mail IN A 192.168.1.5 ; Aliases www IN CNAME example.org. - Note that every hostname ending in a . is - an exact hostname, whereas everything without a trailing - . is relative to the origin. For example, - ns1 is translated into - ns1.example.org. + Note that every hostname ending in a . + is an exact hostname, whereas everything without a + trailing . is relative to the origin. For + example, ns1 is translated into + ns1.example.org. - The format of a zone file follows: + The format of a zone file follows: - recordname IN recordtype value + recordname IN recordtype value - - DNS - records - + + DNS + records + - The most commonly used DNS - records: + The most commonly used DNS + records: - - - SOA + + + SOA - start of zone authority - + + start of zone authority + + - - NS + + NS - - an authoritative name server - + + an authoritative name server + + - - A + + A - a host address - + + a host address + + - - CNAME + + CNAME - the canonical name for an - alias - + + the canonical name for an alias + + - - MX + + MX - mail exchanger - + + mail exchanger + + - - PTR + + PTR - - a domain name pointer (used in reverse - DNS) - - - + + a domain name pointer (used in reverse + DNS) + + + - example.org. IN SOA ns1.example.org. admin.example.org. ( + example.org. IN SOA ns1.example.org. admin.example.org. ( 2006051501 ; Serial 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 300 ) ; Negative Response TTL - - - example.org. + + + example.org. - - the domain name, also the origin for this - zone file. - - + + the domain name, also the origin for this + zone file. + + - - ns1.example.org. + + ns1.example.org. - - the primary/authoritative name server for this - zone. - - + + the primary/authoritative name server for this + zone. + + - - admin.example.org. + + admin.example.org. - - the responsible person for this zone, - email address with @ - replaced. 
(admin@example.org becomes - admin.example.org) - - + + the responsible person for this zone, + email address with @ + replaced. (admin@example.org becomes + admin.example.org) + + - - 2006051501 + + 2006051501 - - the serial number of the file. This must be - incremented each time the zone file is modified. - Nowadays, many admins prefer a - yyyymmddrr format for the serial - number. 2006051501 would mean last - modified 05/15/2006, the latter 01 - being the first time the zone file has been modified - this day. The serial number is important as it alerts - slave name servers for a zone when it is - updated. - - - + + the serial number of the file. This must be + incremented each time the zone file is modified. + Nowadays, many admins prefer a + yyyymmddrr format for the serial + number. 2006051501 would mean + last modified 05/15/2006, the latter + 01 being the first time the zone + file has been modified this day. The serial number + is important as it alerts slave name servers for a + zone when it is updated. + + + - IN NS ns1.example.org. + IN NS ns1.example.org. - This is an NS entry. Every name server that is going to - reply authoritatively for the zone must have one of these - entries. + This is an NS entry. Every name server that is going + to reply authoritatively for the zone must have one of + these entries. - localhost IN A 127.0.0.1 + localhost IN A 127.0.0.1 ns1 IN A 192.168.1.2 ns2 IN A 192.168.1.3 mx IN A 192.168.1.4 mail IN A 192.168.1.5 - The A record indicates machine names. As seen above, - ns1.example.org would - resolve to 192.168.1.2. + The A record indicates machine names. As seen above, + ns1.example.org would + resolve to 192.168.1.2. - IN A 192.168.1.1 + IN A 192.168.1.1 - This line assigns IP address - 192.168.1.1 to - the current origin, in this case example.org. + This line assigns IP address + 192.168.1.1 to + the current origin, in this case example.org. 
- www IN CNAME @ + www IN CNAME @ - The canonical name record is usually used for giving - aliases to a machine. In the example, - www is aliased to the - master machine whose name happens to be the - same as the domain name example.org - (192.168.1.1). - CNAMEs can never be used together with another kind of - record for the same hostname. + The canonical name record is usually used for giving + aliases to a machine. In the example, + www is aliased to the + master machine whose name happens to be the + same as the domain name + example.org + (192.168.1.1). + CNAMEs can never be used together with another kind of + record for the same hostname. - - MX record - + + MX record + - IN MX 10 mail.example.org. + IN MX 10 mail.example.org. - The MX record indicates which mail servers are - responsible for handling incoming mail for the zone. - mail.example.org is the - hostname of a mail server, and 10 is the priority of that - mail server. + The MX record indicates which mail servers are + responsible for handling incoming mail for the zone. + mail.example.org is + the hostname of a mail server, and 10 is the priority of + that mail server. - One can have several mail servers, with priorities of - 10, 20 and so on. A mail server attempting to deliver to - example.org - would first try the highest priority MX (the record with the - lowest priority number), then the second highest, etc, until - the mail can be properly delivered. + One can have several mail servers, with priorities of + 10, 20 and so on. A mail server attempting to deliver to + example.org + would first try the highest priority MX (the record with + the lowest priority number), then the second highest, etc, + until the mail can be properly delivered. - For in-addr.arpa zone files (reverse - DNS), the same format is used, except - with PTR entries instead of A or CNAME. + For in-addr.arpa zone files (reverse + DNS), the same format is used, except + with PTR entries instead of A or CNAME. 
- $TTL 3600 + $TTL 3600 1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( 2006051501 ; Serial 
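Review bot: the CNAME explanation in this hunk quotes the record as www IN CNAME @, but the zone file it is explaining (the unchanged context at the top of the hunk) has www IN CNAME example.org.; the two are equivalent because @ expands to the origin, yet a reader comparing them will take one for a typo. Pre-existing and out of scope for a whitespace-only commit, but worth aligning in a follow-up, simplest by quoting www IN CNAME example.org. in the explanation as well.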
@@ -3919,99 +3930,106 @@ mail IN A 192.168.1.5 4 IN PTR mx.example.org. 5 IN PTR mail.example.org. - This file gives the proper IP address - to hostname mappings for the above fictitious domain. + This file gives the proper IP + address to hostname mappings for the above fictitious + domain. - It is worth noting that all names on the right side - of a PTR record need to be fully qualified (i.e., end in - a .). - - + It is worth noting that all names on the right side + of a PTR record need to be fully qualified (i.e., end in + a .). + + - - Caching Name Server + + Caching Name Server - - BIND - caching name server - + + BIND + caching name server + - A caching name server is a name server whose primary role - is to resolve recursive queries. It simply asks queries of - its own, and remembers the answers for later use. - + A caching name server is a name server whose primary + role is to resolve recursive queries. It simply asks + queries of its own, and remembers the answers for later + use. + - - <acronym role="Domain Name Security - Extensions">DNSSEC</acronym> + + <acronym role="Domain Name Security + Extensions">DNSSEC</acronym> - - BIND - DNS security - extensions - + + BIND + DNS security + extensions + - Domain Name System Security Extensions, or DNSSEC for - short, is a suite of specifications to protect resolving name - servers from forged DNS data, such as - spoofed DNS records. By using digital - signatures, a resolver can verify the integrity of the record. - Note that DNSSEC only provides integrity via - digitally signing the Resource Records (RRs). It provides neither - confidentiality nor protection against false end-user - assumptions. This means that it cannot protect against people - going to example.net instead of - example.com. - The only thing DNSSEC does is authenticate - that the data has not been compromised in transit. The - security of DNS is an important step in - securing the Internet in general. 
For more in-depth details - of how DNSSEC works, the relevant - RFCs are a good place to start. See the - list in . + Domain Name System Security Extensions, or DNSSEC + for short, is a suite of specifications to protect resolving + name servers from forged DNS data, such + as spoofed DNS records. By using digital + signatures, a resolver can verify the integrity of the + record. Note that DNSSEC only provides integrity via + digitally signing the Resource Records (RRs). It provides + neither confidentiality nor protection against false + end-user assumptions. This means that it cannot protect + against people going to + example.net + instead of + example.com. + The only thing DNSSEC does is + authenticate that the data has not been compromised in + transit. The security of DNS is an + important step in securing the Internet in general. For + more in-depth details of how DNSSEC + works, the relevant RFCs are a good place + to start. See the list in + . - The following sections will demonstrate how to enable - DNSSEC for an authoritative - DNS server and a recursive (or caching) - DNS server running BIND - 9. While all versions of BIND 9 support - DNSSEC, it is necessary to have at least - version 9.6.2 in order to be able to use the signed root zone - when validating DNS queries. This is - because earlier versions lack the required algorithms to - enable validation using the root zone key. It is strongly - recommended to use the latest version of - BIND 9.7 or later to take advantage of - automatic key updating for the root key, as well as other - features to automatically keep zones signed and signatures up - to date. Where configurations differ between 9.6.2 and 9.7 - and later, differences will be pointed out. + The following sections will demonstrate how to enable + DNSSEC for an authoritative + DNS server and a recursive (or caching) + DNS server running + BIND 9. 
While all versions of + BIND 9 support DNSSEC, + it is necessary to have at least version 9.6.2 in order to + be able to use the signed root zone when validating + DNS queries. This is because earlier + versions lack the required algorithms to enable validation + using the root zone key. It is strongly recommended to use + the latest version of BIND 9.7 or later + to take advantage of automatic key updating for the root + key, as well as other features to automatically keep zones + signed and signatures up to date. Where configurations + differ between 9.6.2 and 9.7 and later, differences will be + pointed out. - - Recursive <acronym>DNS</acronym> Server - Configuration + + Recursive <acronym>DNS</acronym> Server + Configuration - Enabling DNSSEC validation of queries - performed by a recursive DNS server - requires a few changes to named.conf. - Before making these changes the root zone key, or trust - anchor, must be acquired. Currently the root zone key is - not available in a file format BIND - understands, so it has to be manually converted into the - proper format. The key itself can be obtained by querying - the root zone for it using dig. - By running + Enabling DNSSEC validation of + queries performed by a recursive DNS + server requires a few changes to + named.conf. Before making these + changes the root zone key, or trust anchor, must be + acquired. Currently the root zone key is not available in + a file format BIND understands, so it + has to be manually converted into the proper format. The + key itself can be obtained by querying the root zone for + it using dig. By + running - &prompt.user; dig +multi +noall +answer DNSKEY . > root.dnskey + &prompt.user; dig +multi +noall +answer DNSKEY . > root.dnskey - the key will end up in root.dnskey. - The contents should look something like this: + the key will end up in + root.dnskey. The contents should + look something like this: - . 93910 IN DNSKEY 257 3 8 ( + . 
93910 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA 
@@ -4028,59 +4046,60 @@ mail IN A 192.168.1.5 EGJ/1h6dNaiXuRHwR+7oWh7DnzkIJChcTqlFrXDW3tjt ) ; key id = 34525 - Do not be alarmed if the obtained keys differ from this - example. They might have changed since these instructions - were last updated. This output actually contains two keys. - The first key in the listing, with the value 257 after the - DNSKEY record type, is the one needed. This value indicates - that this is a Secure Entry Point - (SEP), commonly - known as a Key Signing Key - (KSK). The second - key, with value 256, is a subordinate key, commonly called a - Zone Signing Key - (ZSK). More on - the different key types later in - . + Do not be alarmed if the obtained keys differ from + this example. They might have changed since these + instructions were last updated. This output actually + contains two keys. The first key in the listing, with the + value 257 after the DNSKEY record type, is the one needed. + This value indicates that this is a Secure Entry Point + (SEP), + commonly known as a Key Signing Key + (KSK). The + second key, with value 256, is a subordinate key, commonly + called a Zone Signing Key + (ZSK). More on + the different key types later in + . - Now the key must be verified and formatted so that - BIND can use it. To verify the key, - generate a DS - RR set. Create a - file containing these - RRs with + Now the key must be verified and formatted so that + BIND can use it. To verify the key, + generate a DS + RR set. Create + a file containing these + RRs with - &prompt.user; dnssec-dsfromkey -f root.dnskey . > root.ds + &prompt.user; dnssec-dsfromkey -f root.dnskey . > root.ds - These records use SHA-1 and SHA-256 respectively, and - should look similar to the following example, where the - longer is using SHA-256. + These records use SHA-1 and SHA-256 respectively, and + should look similar to the following example, where the + longer is using SHA-256. - . IN DS 19036 8 1 + . 
IN DS 19036 8 1 B256BD09DC8DD59F0E0F0D8541B8328DD986DF6E . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - The SHA-256 RR can now be compared to - the digest in https://data.iana.org/root-anchors/root-anchors.xml. - To be absolutely sure that the key has not been tampered - with the data in the XML file can be - verified using the PGP signature in - https://data.iana.org/root-anchors/root-anchors.asc. + The SHA-256 RR can now be compared + to the digest in https://data.iana.org/root-anchors/root-anchors.xml. + To be absolutely sure that the key has not been tampered + with the data in the XML file can be + verified using the PGP signature in + https://data.iana.org/root-anchors/root-anchors.asc. - Next, the key must be formatted properly. This differs - a little between BIND versions 9.6.2 and - 9.7 and later. In version 9.7 support was added to - automatically track changes to the key and update it as - necessary. This is done using - managed-keys as seen in the example - below. When using the older version, the key is added using - a trusted-keys statement and updates must - be done manually. For BIND 9.6.2 the - format should look like: + Next, the key must be formatted properly. This + differs a little between BIND versions + 9.6.2 and 9.7 and later. In version 9.7 support was added + to automatically track changes to the key and update it as + necessary. This is done using + managed-keys as seen in the example + below. When using the older version, the key is added + using a trusted-keys statement and + updates must be done manually. For + BIND 9.6.2 the format should look + like: - trusted-keys { + trusted-keys { "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
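Review bot: the sentence in this hunk "To be absolutely sure that the key has not been tampered with the data in the XML file can be verified using the PGP signature" is missing a comma after "with", and, more importantly, the wording makes both checks sound optional. The DNSKEY in root.dnskey was fetched over unauthenticated DNS with dig, so comparing the SHA-256 DS produced by dnssec-dsfromkey against the digest in root-anchors.xml (and checking root-anchors.asc against it) is the only step that actually establishes the trust anchor; the text should say the key must not be configured unless the digests match. Not introduced by this whitespace reflow, so a follow-up wording change rather than a blocker.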
@@ -4091,9 +4110,9 @@ mail IN A 192.168.1.5 QxA+Uk1ihz0="; }; - For 9.7 the format will instead be: + For 9.7 the format will instead be: - managed-keys { + managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
@@ -4104,193 +4123,196 @@ mail IN A 192.168.1.5 QxA+Uk1ihz0="; }; - The root key can now be added to - named.conf either directly or by - including a file containing the key. After these steps, - configure BIND to do - DNSSEC validation on queries by editing - named.conf and adding the following to - the options directive: + The root key can now be added to + named.conf either directly or by + including a file containing the key. After these steps, + configure BIND to do + DNSSEC validation on queries by editing + named.conf and adding the following + to the options directive: - dnssec-enable yes; + dnssec-enable yes; dnssec-validation yes; - To verify that it is actually working use - dig to make a query for a signed - zone using the resolver just configured. A successful reply - will contain the AD flag to indicate the - data was authenticated. Running a query such as + To verify that it is actually working use + dig to make a query for a + signed zone using the resolver just configured. A + successful reply will contain the AD + flag to indicate the data was authenticated. Running a + query such as - &prompt.user; dig @resolver +dnssec se ds + &prompt.user; dig @resolver +dnssec se ds - should return the DS - RR for the .se zone. - In the flags: section the - AD flag should be set, as seen - in: + should return the DS + RR for the .se zone. + In the flags: section the + AD flag should be set, as seen + in: - ... + ... ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ... - The resolver is now capable of authenticating - DNS queries. - + The resolver is now capable of authenticating + DNS queries. + - - Authoritative <acronym>DNS</acronym> Server - Configuration + + Authoritative <acronym>DNS</acronym> Server + Configuration - In order to get an authoritative name server to serve a - DNSSEC signed zone a little more work is - required. A zone is signed using cryptographic keys which - must be generated. 
It is possible to use only one key for - this. The preferred method however is to have a strong - well-protected Key Signing Key - (KSK) that is - not rotated very often and a Zone Signing Key - (ZSK) that is - rotated more frequently. Information on recommended - operational practices can be found in RFC - 4641: DNSSEC Operational - Practices. Practices regarding the root zone can - be found in DNSSEC - Practice Statement for the Root Zone - KSK operator and DNSSEC - Practice Statement for the Root Zone - ZSK operator. The - KSK is used to - build a chain of authority to the data in need of validation - and as such is also called a Secure Entry Point - (SEP) key. A - message digest of this key, called a Delegation Signer - (DS) record, - must be published in the parent zone to establish the trust - chain. How this is accomplished depends on the parent zone - owner. The ZSK - is used to sign the zone, and only needs to be published - there. + In order to get an authoritative name server to serve + a DNSSEC signed zone a little more work + is required. A zone is signed using cryptographic keys + which must be generated. It is possible to use only one + key for this. The preferred method however is to have a + strong well-protected Key Signing Key + (KSK) that is + not rotated very often and a Zone Signing Key + (ZSK) that is + rotated more frequently. Information on recommended + operational practices can be found in RFC + 4641: DNSSEC Operational + Practices. Practices regarding the root zone can + be found in DNSSEC + Practice Statement for the Root Zone + KSK operator and DNSSEC + Practice Statement for the Root Zone + ZSK operator. The + KSK is used to + build a chain of authority to the data in need of + validation and as such is also called a Secure Entry Point + (SEP) key. A + message digest of this key, called a Delegation Signer + (DS) record, + must be published in the parent zone to establish the + trust chain. 
How this is accomplished depends on the + parent zone owner. The + ZSK is used to + sign the zone, and only needs to be published + there. - To enable DNSSEC for the example.com zone - depicted in previous examples, the first step is to use - dnssec-keygen to generate the - KSK and ZSK key pair. - This key pair can utilize different cryptographic - algorithms. It is recommended to use RSA/SHA256 for the - keys and 2048 bits key length should be enough. To generate - the KSK for example.com, run + To enable DNSSEC for the + example.com + zone depicted in previous examples, the first step is to + use dnssec-keygen to generate + the KSK and ZSK key + pair. This key pair can utilize different cryptographic + algorithms. It is recommended to use RSA/SHA256 for the + keys and 2048 bits key length should be enough. To + generate the KSK for + example.com, + run - &prompt.user; dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com + &prompt.user; dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com - and to generate the ZSK, run + and to generate the ZSK, run - &prompt.user; dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com + &prompt.user; dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com - dnssec-keygen outputs two - files, the public and the private keys in files named - similar to Kexample.com.+005+nnnnn.key - (public) and - Kexample.com.+005+nnnnn.private - (private). The nnnnn part of the file - name is a five digit key ID. Keep track of which key ID - belongs to which key. This is especially important when - having more than one key in a zone. It is also possible to - rename the keys. For each KSK file - do: + dnssec-keygen outputs two + files, the public and the private keys in files named + similar to + Kexample.com.+005+nnnnn.key (public) + and Kexample.com.+005+nnnnn.private + (private). The nnnnn part of the file + name is a five digit key ID. Keep track of which key ID + belongs to which key. 
This is especially important when + having more than one key in a zone. It is also possible + to rename the keys. For each KSK file + do: - &prompt.user; mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key + &prompt.user; mv Kexample.com.+005+nnnnn.key Kexample.com.+005+nnnnn.KSK.key &prompt.user; mv Kexample.com.+005+nnnnn.private Kexample.com.+005+nnnnn.KSK.private - For the ZSK files, substitute - KSK for ZSK as - necessary. The files can now be included in the zone file, - using the $include statement. It should - look something like this: + For the ZSK files, substitute + KSK for ZSK as + necessary. The files can now be included in the zone + file, using the $include statement. It + should look something like this: - $include Kexample.com.+005+nnnnn.KSK.key ; KSK + $include Kexample.com.+005+nnnnn.KSK.key ; KSK $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK - Finally, sign the zone and tell BIND - to use the signed zone file. To sign a zone - dnssec-signzone is used. The - command to sign the zone example.com, located in - example.com.db would look similar - to + Finally, sign the zone and tell + BIND to use the signed zone file. To + sign a zone dnssec-signzone is + used. The command to sign the zone + example.com, + located in example.com.db would look + similar to - &prompt.user; dnssec-signzone -o + &prompt.user; dnssec-signzone -o example.com -k Kexample.com.+005+nnnnn.KSK example.com.db Kexample.com.+005+nnnnn.ZSK.key - The key supplied to the argument is - the KSK and the other key file is the - ZSK that should be used in the signing. - It is possible to supply more than one - KSK and ZSK, which - will result in the zone being signed with all supplied keys. - This can be needed to supply zone data signed using more - than one algorithm. The output of - dnssec-signzone is a zone file - with all RRs signed. This output will - end up in a file with the extension - .signed, such as - example.com.db.signed. 
The - DS records will - also be written to a separate file - dsset-example.com. To use this signed - zone just modify the zone directive in - named.conf to use - example.com.db.signed. By default, the - signatures are only valid 30 days, meaning that the zone - needs to be resigned in about 15 days to be sure that - resolvers are not caching records with stale signatures. It - is possible to make a script and a cron job to do this. See - relevant manuals for details. + The key supplied to the argument + is the KSK and the other key file is + the ZSK that should be used in the + signing. It is possible to supply more than one + KSK and ZSK, which + will result in the zone being signed with all supplied + keys. This can be needed to supply zone data signed using + more than one algorithm. The output of + dnssec-signzone is a zone file + with all RRs signed. This output will + end up in a file with the extension + .signed, such as + example.com.db.signed. The + DS records + will also be written to a separate file + dsset-example.com. To use this + signed zone just modify the zone directive in + named.conf to use + example.com.db.signed. By default, + the signatures are only valid 30 days, meaning that the + zone needs to be resigned in about 15 days to be sure + that resolvers are not caching records with stale + signatures. It is possible to make a script and a cron + job to do this. See relevant manuals for details. - Be sure to keep private keys confidential, as with all - cryptographic keys. When changing a key it is best to - include the new key into the zone, while still signing with - the old one, and then move over to using the new key to - sign. After these steps are done the old key can be removed - from the zone. Failure to do this might render the - DNS data unavailable for a time, until - the new key has propagated through the - DNS hierarchy. 
For more information on - key rollovers and other DNSSEC - operational issues, see RFC - 4641: DNSSEC Operational - practices. - + Be sure to keep private keys confidential, as with all + cryptographic keys. When changing a key it is best to + include the new key into the zone, while still signing + with the old one, and then move over to using the new key + to sign. After these steps are done the old key can be + removed from the zone. Failure to do this might render + the DNS data unavailable for a time, + until the new key has propagated through the + DNS hierarchy. For more information on + key rollovers and other DNSSEC + operational issues, see RFC + 4641: DNSSEC Operational + practices. + - - Automation Using <acronym>BIND</acronym> 9.7 or - Later + + Automation Using <acronym>BIND</acronym> 9.7 or + Later - Beginning with BIND version 9.7 a new - feature called Smart Signing was - introduced. This feature aims to make the key management - and signing process simpler by automating parts of the task. - By putting the keys into a directory called a - key repository, and using the new - option auto-dnssec, it is possible to - create a dynamic zone which will be resigned as needed. To - update this zone use nsupdate - with the new option . - rndc has also grown the ability - to sign zones with keys in the key repository, using the - option . To tell - BIND to use this automatic signing and - zone updating for example.com, add the - following to named.conf: + Beginning with BIND version 9.7 a + new feature called Smart Signing was + introduced. This feature aims to make the key management + and signing process simpler by automating parts of the + task. By putting the keys into a directory called a + key repository, and using the new + option auto-dnssec, it is possible to + create a dynamic zone which will be resigned as needed. + To update this zone use + nsupdate with the new option + . 
rndc has + also grown the ability to sign zones with keys in the key + repository, using the option . To + tell BIND to use this automatic signing + and zone updating for example.com, add the + following to named.conf: - zone example.com { + zone example.com { type master; key-directory "/etc/named/keys"; update-policy local; 
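Review bot: the key file names in this hunk, Kexample.com.+005+nnnnn.key and the matching .private, .KSK and .ZSK renames and $include lines, do not match the dnssec-keygen invocations just above them: -a RSASHA256 is DNSSEC algorithm number 8 (the same "8" shown in the root DNSKEY "257 3 8" earlier in this section), so dnssec-keygen will write Kexample.com.+008+nnnnn.* files; +005+ is RSASHA1. Out of scope for a whitespace-only reflow, but a reader copying the mv and $include lines verbatim will get "no such file" errors, so the names should become +008+ in a follow-up.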
@@ -4298,147 +4320,149 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK file "/etc/named/dynamic/example.com.zone"; }; - After making these changes, generate keys for the zone - as explained in , put those - keys in the key repository given as the argument to the - key-directory in the zone configuration - and the zone will be signed automatically. Updates to a - zone configured this way must be done using - nsupdate, which will take care of - re-signing the zone with the new data added. For further - details, see and the - BIND documentation. - - + After making these changes, generate keys for the zone + as explained in , put + those keys in the key repository given as the argument to + the key-directory in the zone + configuration and the zone will be signed automatically. + Updates to a zone configured this way must be done using + nsupdate, which will take care + of re-signing the zone with the new data added. For + further details, see and the + BIND documentation. + + - - Security + + Security - Although BIND is the most common implementation of - DNS, there is always the issue of security. - Possible and exploitable security holes are sometimes - found. + Although BIND is the most common implementation of + DNS, there is always the issue of + security. Possible and exploitable security holes are + sometimes found. - While &os; automatically drops - named into a &man.chroot.8; - environment; there are several other security mechanisms in - place which could help to lure off possible - DNS service attacks. + While &os; automatically drops + named into a &man.chroot.8; + environment; there are several other security mechanisms in + place which could help to lure off possible + DNS service attacks. - It is always good idea to read - CERT's security - advisories and to subscribe to the &a.security-notifications; - to stay up to date with the current Internet and &os; security - issues. 
+ It is always good idea to read + CERT's + security advisories and to subscribe to the + &a.security-notifications; to stay up to date with the + current Internet and &os; security issues. - - If a problem arises, keeping sources up to date and - having a fresh build of named - may help. - - + + If a problem arises, keeping sources up to date and + having a fresh build of named + may help. + + - - Further Reading + + Further Reading - BIND/named manual pages: - &man.rndc.8; &man.named.8; &man.named.conf.5; &man.nsupdate.1; - &man.dnssec-signzone.8; &man.dnssec-keygen.8; + BIND/named manual pages: + &man.rndc.8; &man.named.8; &man.named.conf.5; + &man.nsupdate.1; &man.dnssec-signzone.8; + &man.dnssec-keygen.8; - - - Official - ISC BIND Page - + + + Official + ISC BIND Page + - - Official - ISC BIND Forum - + + Official + ISC BIND Forum + - - O'Reilly - DNS and BIND 5th - Edition - + + O'Reilly + DNS and BIND 5th + Edition + - - Root - DNSSEC - + + Root + DNSSEC + - - DNSSEC - Trust Anchor Publication for the Root - Zone - + + DNSSEC + Trust Anchor Publication for the Root + Zone + - - RFC1034 - - Domain Names - Concepts and Facilities - + + RFC1034 + - Domain Names - Concepts and Facilities + - - RFC1035 - - Domain Names - Implementation and - Specification - + + RFC1035 + - Domain Names - Implementation and + Specification + - - RFC4033 - - DNS Security Introduction and - Requirements - + + RFC4033 + - DNS Security Introduction and + Requirements + - - RFC4034 - - Resource Records for the DNS - Security Extensions - + + RFC4034 + - Resource Records for the DNS + Security Extensions + - - RFC4035 - - Protocol Modifications for the DNS - Security Extensions - + + RFC4035 + - Protocol Modifications for the + DNS Security + Extensions + - - RFC4641 - - DNSSEC Operational Practices - + + RFC4641 + - DNSSEC Operational Practices + - - RFC 5011 - - Automated Updates of DNS Security - (DNSSEC - Trust Anchors - - - + + RFC + 5011 - Automated Updates of DNS + Security 
(DNSSEC + Trust Anchors + + + - Apache HTTP Server + Apache HTTP Server - - Murray - Stokely + + Murray + Stokely Contributed by @@ -4701,14 +4725,14 @@ DocumentRoot /www/someotherdomain.tld - <filename>mod_php</filename> + <filename>mod_php</filename> - - Tom - Rhodes - + + Tom + Rhodes + Written by @@ -4835,7 +4859,7 @@ AddModule mod_php5.c httpd.conf, specifying the full path to the project directory: - <Location "/"> + <Location "/"> SetHandler python-program PythonPath "['/dir/to/the/django/packages/'] + sys.path" PythonHandler django.core.handlers.modpython diff --git a/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml b/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml index 0131512f3a..47a6ebd468 100644 --- a/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml @@ -29,7 +29,7 @@ PGP Keys article. The complete keyring can be downloaded at https://www.FreeBSD.org/doc/pgpkeyring.txt. + xlink:href="https://www.FreeBSD.org/doc/pgpkeyring.txt">https://www.FreeBSD.org/doc/pgpkeyring.txt. Officers diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml index 9079f1b41c..a6defdbb80 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml @@ -2863,10 +2863,10 @@ user@unfirewalled-system.example.org's password: *******< other SSH clients. To see if sshd is operating, - use the &man.service.8; command: + use the &man.service.8; command: &prompt.root; service sshd status - + If the service is not running, add the following line to /etc/rc.conf. diff --git a/en_US.ISO8859-1/books/handbook/serialcomms/chapter.xml b/en_US.ISO8859-1/books/handbook/serialcomms/chapter.xml index 8598dded7b..46f5c7c33d 100644 --- a/en_US.ISO8859-1/books/handbook/serialcomms/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/serialcomms/chapter.xml 
@@ -633,16 +633,15 @@ - Terminals + Terminals - - Sean - Kelly - - Contributed by - + + Sean + Kelly + + Contributed by @@ -967,22 +966,23 @@ ttyu5 "/usr/libexec/getty std.19200" vt100 on insecure - Dial-in Service + Dial-in Service - - Guy - Helmer + + Guy + Helmer Contributed by + - - Sean - Kelly + + Sean + Kelly Additions by @@ -1734,22 +1734,23 @@ raisechar=^^ - Setting Up the Serial Console + Setting Up the Serial Console - - Kazutaka - YOKOTA + + Kazutaka + YOKOTA Contributed by + - - Bill - Paul + + Bill + Paul Based on a document by diff --git a/en_US.ISO8859-1/books/handbook/virtualization/chapter.xml b/en_US.ISO8859-1/books/handbook/virtualization/chapter.xml index 5db8ea28ca..1a1bc17b39 100644 --- a/en_US.ISO8859-1/books/handbook/virtualization/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/virtualization/chapter.xml 
@@ -988,31 +988,30 @@ perm pass* 0660 &os; as a Host with <application>bhyve</application> - The - bhyve BSD-licensed - hypervisor became part of the base system with &os; 10.0-RELEASE. This hypervisor supports - a number of guests, including &os;, OpenBSD, and many &linux; + The bhyve + BSD-licensed hypervisor became part of the + base system with &os; 10.0-RELEASE. This hypervisor supports a + number of guests, including &os;, OpenBSD, and many &linux; distributions. Currently, bhyve only supports a serial console and does not emulate a graphical - console. - Virtualization offload features of newer - CPUs are used to avoid the legacy methods of translating instructions and - manually managing memory mappings. + console. Virtualization offload features of newer + CPUs are used to avoid the legacy methods of + translating instructions and manually managing memory + mappings. - The bhyve design - requires a processor that supports &intel; - Extended Page Tables (EPT) or &amd; Rapid - Virtualization Indexing (RVI) or - Nested Page Tables (NPT). Hosting - &linux; guests or &os; guests with more than one - vCPU requires VMX unrestricted - mode support (UG). Most - newer processors, specifically the &intel;  &core; - i3/i5/i7 and &intel;  &xeon; E3/E5/E7, support these - features. UG support was introduced with - Intel's Westmere micro-architecture. For a complete list of - &intel; processors that support EPT, refer - to The bhyve design requires a + processor that supports &intel; Extended Page Tables + (EPT) or &amd; Rapid Virtualization Indexing + (RVI) or Nested Page Tables + (NPT). Hosting &linux; guests or &os; guests + with more than one vCPU requires + VMX unrestricted mode support + (UG). Most newer processors, specifically + the &intel; &core; i3/i5/i7 and &intel; &xeon; + E3/E5/E7, support these features. UG support + was introduced with Intel's Westmere micro-architecture. For a + complete list of &intel; processors that support + EPT, refer to . 
RVI is found on the third generation and later of the &amd.opteron; (Barcelona) processors. The easiest @@ -1021,9 +1020,9 @@ perm pass* 0660 dmesg or look in /var/run/dmesg.boot for the POPCNT processor feature flag on the - Features2 line for &amd; processors or EPT and - UG on the VT-x - line for &intel; processors. + Features2 line for &amd; processors or + EPT and UG on the + VT-x line for &intel; processors. Preparing the Host diff --git a/en_US.ISO8859-1/books/handbook/x11/chapter.xml b/en_US.ISO8859-1/books/handbook/x11/chapter.xml index 66ad91e440..3f4684e9e4 100644 --- a/en_US.ISO8859-1/books/handbook/x11/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/x11/chapter.xml @@ -416,7 +416,7 @@ Driver name: intel For reference, see . + xlink:href="https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units"/>. @@ -430,7 +430,7 @@ Driver name: radeon For reference, see . + xlink:href="https://en.wikipedia.org/wiki/List_of_AMD_graphics_processing_units"/>. @@ -444,7 +444,7 @@ card. For reference, see . + xlink:href="https://en.wikipedia.org/wiki/List_of_Nvidia_graphics_processing_units"/>. 
@@ -968,21 +968,23 @@ EndSection Load "freetype" Now make a directory for the &truetype; fonts (for - example, - /usr/local/share/fonts/TrueType) and - copy all of the &truetype; fonts into this directory. Keep in - mind that &truetype; fonts cannot be directly taken from an - &apple; &mac;; they must be in &unix;/&ms-dos;/&windows; - format for use by &xorg;. Once the - files have been copied into this directory, use + example, /usr/local/share/fonts/TrueType) + and copy all of the &truetype; fonts into this directory. + Keep in mind that &truetype; fonts cannot be directly taken + from an &apple; &mac;; they must be in + &unix;/&ms-dos;/&windows; format for use by + &xorg;. Once the files have been + copied into this directory, use mkfontdir to create a fonts.dir, so that the X font renderer knows that these new files have been installed. - mkfontdir can be installed as a package: + mkfontdir can be installed as a + package: &prompt.root; pkg install mkfontdir - Then create an index of X font files in a directory: + Then create an index of X font files in a + directory: &prompt.root; cd /usr/local/share/fonts/TrueType &prompt.root; mkfontdir @@ -998,12 +1000,12 @@ EndSection xorg.conf. Now Gimp, - Apache OpenOffice, and all of the other X - applications should now recognize the installed &truetype; - fonts. Extremely small fonts (as with text in a high - resolution display on a web page) and extremely large fonts - (within &staroffice;) will look - much better now. + Apache OpenOffice, and all of the + other X applications should now recognize the installed + &truetype; fonts. Extremely small fonts (as with text in a + high resolution display on a web page) and extremely large + fonts (within &staroffice;) will + look much better now. 
@@ -1427,11 +1429,11 @@ DisplayManager.requestPort: 0 GNOME uses D-Bus and - HAL for a - message bus and hardware abstraction. These applications are automatically - installed as dependencies of GNOME. - Enable them in /etc/rc.conf so - they will be started when the system boots: + HAL for a message bus and hardware + abstraction. These applications are automatically installed + as dependencies of GNOME. Enable + them in /etc/rc.conf so they will be + started when the system boots: dbus_enable="YES" hald_enable="YES" @@ -1520,11 +1522,11 @@ hald_enable="YES" KDE uses D-Bus and - HAL for a - message bus and hardware abstraction. These applications are automatically - installed as dependencies of KDE. - Enable them in /etc/rc.conf so - they will be started when the system boots: + HAL for a message bus and hardware + abstraction. These applications are automatically installed + as dependencies of KDE. Enable + them in /etc/rc.conf so they will be + started when the system boots: dbus_enable="YES" hald_enable="YES"
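Review bot: the network-servers "Further Reading" hunk carries an unbalanced parenthesis that the reflow preserves: the RFC 5011 entry reads "Automated Updates of DNS Security (DNSSEC Trust Anchors" with no closing parenthesis, whereas the RFC's title is "Automated Updates of DNS Security (DNSSEC) Trust Anchors". Since this commit is declared whitespace-only for the translators' benefit, leave it as is here and fix the title in a separate content commit.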
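Review bot: the unchanged context line at the top of the same network-servers hunk, "It is always good idea to read CERT's security advisories", is missing the article ("always a good idea"); it is not part of this whitespace change, so it belongs in the same follow-up content commit as any other wording fixes rather than here.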
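Review bot: in the virtualization (bhyve) hunk, the reflow collapses the double space in "&intel;  &core; i3/i5/i7 and &intel;  &xeon; E3/E5/E7" to a single space. Please confirm the original was a plain double space and not a deliberate non-breaking space keeping the vendor entity attached to the product name, since that would be a rendered-output change rather than a whitespace-only one; everything else in the hunk (the bhyve, EPT, RVI, NPT and UG wording and the reference to Westmere) is reindented unchanged.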