White space fix only. Translators can ignore.

Dru Lavigne 2013-10-16 20:19:56 +00:00
parent 7f49336cd6
commit 595b89c09e
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42977


@ -200,8 +200,8 @@
<literal>inetd_flags</literal> is set to
<literal>-wW -C 60</literal>, which turns on TCP wrapping for
<application>inetd</application>'s services, and prevents any
single <acronym>IP</acronym> address from requesting any service more than 60
times in any given minute.</para>
single <acronym>IP</acronym> address from requesting any
service more than 60 times in any given minute.</para>
<para>Although we mention rate-limiting options below, novice
users may be pleased to note that these parameters usually do
@ -227,9 +227,10 @@
<listitem>
<para>Specify the default maximum number of times a
service can be invoked from a single <acronym>IP</acronym> address in one
minute; the default is unlimited. May be overridden on
a per-service basis with the
service can be invoked from a single
<acronym>IP</acronym> address in one minute; the default
is unlimited. May be overridden on a per-service basis
with the
<option>max-connections-per-ip-per-minute</option>
parameter.</para>
</listitem>
@ -250,9 +251,9 @@
<listitem>
<para>Specify the maximum number of times a service can be
invoked from a single <acronym>IP</acronym> address at any one time; the
default is unlimited. May be overridden on a
per-service basis with the
invoked from a single <acronym>IP</acronym> address at
any one time; the default is unlimited. May be
overridden on a per-service basis with the
<option>max-child-per-ip</option> parameter.</para>
</listitem>
</varlistentry>
@ -403,14 +404,15 @@ server-program-arguments</programlisting>
options which limit the maximum connections from a
single place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option>
limits the number of connections from any particular <acronym>IP</acronym>
address per minutes, e.g., a value of ten would limit
any particular <acronym>IP</acronym> address connecting to a particular
service to ten attempts per minute.
<option>max-child-per-ip</option> limits the number of
children that can be started on behalf on any single <acronym>IP</acronym>
address at any moment. These options are useful to
prevent intentional or unintentional excessive resource
limits the number of connections from any particular
<acronym>IP</acronym> address per minutes, e.g., a value
of ten would limit any particular <acronym>IP</acronym>
address connecting to a particular service to ten
attempts per minute. <option>max-child-per-ip</option>
limits the number of children that can be started on
behalf on any single <acronym>IP</acronym> address at
any moment. These options are useful to prevent
intentional or unintentional excessive resource
consumption and Denial of Service (DoS) attacks to a
machine.</para>
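Review bot: the rewrapped paragraph carries over "per minutes" and "on behalf on any single" unchanged. That is right for a whitespace-only commit, but both should be corrected in a follow-up content commit ("per minute", "on behalf of any single"), since this is the paragraph readers rely on when setting max-connections-per-ip-per-minute and max-child-per-ip as DoS limits.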
@ -430,8 +432,8 @@ server-program-arguments</programlisting>
would read: <literal>nowait/10</literal>.</para>
<para>The same setup with a limit of twenty connections
per <acronym>IP</acronym> address per minute and a maximum total limit of
ten child daemons would read:
per <acronym>IP</acronym> address per minute and a
maximum total limit of ten child daemons would read:
<literal>nowait/10/20</literal>.</para>
<para>These options are utilized by the default
@ -723,8 +725,8 @@ mountd_flags="-r"</programlisting>
<para>The next example exports
<filename class="directory">/home</filename> to three clients
by <acronym>IP</acronym> address. This can be useful for networks without
<acronym>DNS</acronym>. Optionally,
by <acronym>IP</acronym> address. This can be useful for
networks without <acronym>DNS</acronym>. Optionally,
<filename>/etc/hosts</filename> could be configured for
internal hostnames; please review &man.hosts.5; for more
information. The <literal>-alldirs</literal> flag allows
@ -951,11 +953,11 @@ rpc_statd_enable="YES"</programlisting>
<filename class="directory">/net</filename> directories. When
a file is accessed within one of these directories,
<application>amd</application> looks up the corresponding
remote mount and automatically mounts it.
<filename class="directory">/net</filename> is used to mount
an exported file system from an <acronym>IP</acronym> address, while
<filename class="directory">/host</filename> is used to mount
an export from a remote hostname.</para>
remote mount and automatically mounts it. <filename
class="directory">/net</filename> is used to mount an
exported file system from an <acronym>IP</acronym> address,
while <filename class="directory">/host</filename> is used to
mount an export from a remote hostname.</para>
<para>For instance, an attempt to access a file within
<filename class="directory">/host/foobar/usr</filename> would
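Review bot: the rewrap leaves `<filename` at the end of one line and `class="directory">/net</filename>` at the start of the next. The markup is still well-formed, but every other `<filename class="directory">` in this hunk keeps the tag on a single line, and a tag split this way is missed by line-based searches. Break the line before `<filename` instead.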
@ -2617,7 +2619,8 @@ result: 0 Success
</authorgroup>
</sect1info>
-->
<title>Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>)</title>
<title>Dynamic Host Configuration Protocol
(<acronym>DHCP</acronym>)</title>
<indexterm>
<primary>Dynamic Host Configuration Protocol</primary>
@ -2627,108 +2630,115 @@ result: 0 Success
<primary>Internet Systems Consortium (ISC)</primary>
</indexterm>
<para>The Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>) allows
a system to connect to a network in order to be assigned
the necessary addressing information for communication on that
network. &os; includes the OpenBSD version of <command>dhclient</command>
which is used by the client to obtain the addressing information.
&os; does not install a <acronym>DHCP</acronym> server, but several
servers are available in the &os; Ports Collection.
The <acronym>DHCP</acronym> protocol is fully described in
<ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC
2131</ulink>. Informational resources are also available at
<ulink url="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</ulink>.</para>
<para>The Dynamic Host Configuration Protocol
(<acronym>DHCP</acronym>) allows a system to connect to a
network in order to be assigned the necessary addressing
information for communication on that network. &os; includes
the OpenBSD version of <command>dhclient</command> which is used
by the client to obtain the addressing information. &os; does
not install a <acronym>DHCP</acronym> server, but several
servers are available in the &os; Ports Collection. The
<acronym>DHCP</acronym> protocol is fully described in <ulink
url="http://www.freesoft.org/CIE/RFC/2131/">RFC 2131</ulink>.
Informational resources are also available at <ulink
url="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</ulink>.</para>
<para>This section describes how to use the built-in <acronym>DHCP</acronym> client.
It then describes how to install and configure a
<acronym>DHCP</acronym> server.</para>
<para>This section describes how to use the built-in
<acronym>DHCP</acronym> client. It then describes how to
install and configure a <acronym>DHCP</acronym> server.</para>
<sect2>
<title>Configuring a <acronym>DHCP</acronym> Client</title>
<sect2>
<title>Configuring a <acronym>DHCP</acronym> Client</title>
<para><acronym>DHCP</acronym> client support is included in the &os;
installer, making it easy to configure a system to automatically
receive its networking addressing information from an existing
<acronym>DHCP</acronym> server.</para>
<indexterm><primary><acronym>UDP</acronym></primary></indexterm>
<para>When <command>dhclient</command> is
executed on the client machine, it begins broadcasting
requests for configuration information. By default, these
requests use <acronym>UDP</acronym> port 68. The server replies on <acronym>UDP</acronym> port 67,
giving the client an <acronym>IP</acronym> address and other relevant network
information such as a subnet mask, default gateway, and <acronym>DNS</acronym> server addresses.
This information is in the form of a <acronym>DHCP</acronym>
<quote>lease</quote> and is valid for a configurable time. This allows
stale <acronym>IP</acronym> addresses for clients no longer connected to the
network to automatically be reused.</para>
<para><acronym>DHCP</acronym> client support is included in the
&os; installer, making it easy to configure a system to
automatically receive its networking addressing information
from an existing <acronym>DHCP</acronym> server.</para>
<para><acronym>DHCP</acronym> clients can obtain a great deal of information from
the server. An exhaustive list may be found in
&man.dhcp-options.5;.</para>
<indexterm><primary><acronym>UDP</acronym></primary></indexterm>
<para>When <command>dhclient</command> is executed on the client
machine, it begins broadcasting requests for configuration
information. By default, these requests use
<acronym>UDP</acronym> port 68. The server replies on
<acronym>UDP</acronym> port 67, giving the client an
<acronym>IP</acronym> address and other relevant network
information such as a subnet mask, default gateway, and
<acronym>DNS</acronym> server addresses. This information is
in the form of a <acronym>DHCP</acronym>
<quote>lease</quote> and is valid for a configurable time.
This allows stale <acronym>IP</acronym> addresses for clients
no longer connected to the network to automatically be
reused.</para>
<para>The <devicename>bpf</devicename> device is already
part of the <filename>GENERIC</filename> kernel that is
supplied with &os;, thus there is no need to build a
custom kernel for <acronym>DHCP</acronym>. In the case of
a custom kernel configuration file, this device must be
present for <acronym>DHCP</acronym> to function
properly.</para>
<para><acronym>DHCP</acronym> clients can obtain a great deal of
information from the server. An exhaustive list may be found
in &man.dhcp-options.5;.</para>
<note>
<para>For those who are particularly security conscious,
take note that <devicename>bpf</devicename> is also the
device that allows packet sniffers to work correctly
(although they still have to be run as
<username>root</username>).
<devicename>bpf</devicename> <emphasis>is</emphasis>
required to use <acronym>DHCP</acronym>; however, the security sensitive
types should probably not add
<devicename>bpf</devicename> to the kernel in the
expectation that at some point in the future the system
will be using <acronym>DHCP</acronym>.</para>
</note>
<para>The <devicename>bpf</devicename> device is already
part of the <filename>GENERIC</filename> kernel that is
supplied with &os;, thus there is no need to build a
custom kernel for <acronym>DHCP</acronym>. In the case of
a custom kernel configuration file, this device must be
present for <acronym>DHCP</acronym> to function
properly.</para>
<para>By default, <acronym>DHCP</acronym> configuration on &os; runs in the
background, or <firstterm>asynchronously</firstterm>.
Other startup scripts continue to run while <acronym>DHCP</acronym>
completes, speeding up system startup.</para>
<note>
<para>For those who are particularly security conscious,
take note that <devicename>bpf</devicename> is also the
device that allows packet sniffers to work correctly
(although they still have to be run as
<username>root</username>).
<devicename>bpf</devicename> <emphasis>is</emphasis>
required to use <acronym>DHCP</acronym>; however, the
security sensitive types should probably not add
<devicename>bpf</devicename> to the kernel in the
expectation that at some point in the future the system
will be using <acronym>DHCP</acronym>.</para>
</note>
<para>Background <acronym>DHCP</acronym> works well when the <acronym>DHCP</acronym> server
responds quickly to requests and the <acronym>DHCP</acronym> configuration
process goes quickly. However, <acronym>DHCP</acronym> may take a long time
to complete on some systems. If network services attempt
to run before <acronym>DHCP</acronym> has completed, they will fail. Using
<acronym>DHCP</acronym> in <firstterm>synchronous</firstterm> mode prevents
the problem, pausing startup until <acronym>DHCP</acronym> configuration has
completed.</para>
<para>By default, <acronym>DHCP</acronym> configuration on &os;
runs in the background, or
<firstterm>asynchronously</firstterm>. Other startup scripts
continue to run while <acronym>DHCP</acronym> completes,
speeding up system startup.</para>
<para>To connect to a <acronym>DHCP</acronym> server in the background while
other startup continues (asynchronous mode), use the
<quote><literal>DHCP</literal></quote> value in
<filename>/etc/rc.conf</filename>:</para>
<para>Background <acronym>DHCP</acronym> works well when the
<acronym>DHCP</acronym> server responds quickly to requests
and the <acronym>DHCP</acronym> configuration process goes
quickly. However, <acronym>DHCP</acronym> may take a long
time to complete on some systems. If network services attempt
to run before <acronym>DHCP</acronym> has completed, they will
fail. Using <acronym>DHCP</acronym> in
<firstterm>synchronous</firstterm> mode prevents the problem,
pausing startup until <acronym>DHCP</acronym> configuration
has completed.</para>
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
<para>To connect to a <acronym>DHCP</acronym> server in the
background while other startup continues (asynchronous mode),
use the <quote><literal>DHCP</literal></quote> value in
<filename>/etc/rc.conf</filename>:</para>
<para>To pause startup while <acronym>DHCP</acronym> completes, use
synchronous mode with the
<quote><literal>SYNCDHCP</literal></quote> value:</para>
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="SYNCDHCP"</programlisting>
<para>To pause startup while <acronym>DHCP</acronym> completes,
use synchronous mode with the
<quote><literal>SYNCDHCP</literal></quote> value:</para>
<note>
<para>Replace the <replaceable>fxp0</replaceable> shown
in these examples with the name of the interface to be
dynamically configured, as described in
<xref linkend="config-network-setup"/>.</para>
</note>
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="SYNCDHCP"</programlisting>
<para>When using a different file system location for
<command>dhclient</command>, or if additional flags must
be passed to <command>dhclient</command>, include (editing
as necessary):</para>
<note>
<para>Replace the <replaceable>fxp0</replaceable> shown
in these examples with the name of the interface to be
dynamically configured, as described in
<xref linkend="config-network-setup"/>.</para>
</note>
<programlisting>dhclient_program="/sbin/dhclient"
<para>When using a different file system location for
<command>dhclient</command>, or if additional flags must
be passed to <command>dhclient</command>, include (editing
as necessary):</para>
<programlisting>dhclient_program="/sbin/dhclient"
dhclient_flags=""</programlisting>
<indexterm>
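Review bot: the dhclient paragraph still says the requests "use UDP port 68" and that the server "replies on UDP port 67", which reads as if 68 were the port the server is reached on. DHCP servers listen on UDP 67 and clients on UDP 68, and readers write packet filter rules from this sentence, so a follow-up content commit should name the source and destination port for each direction. Separately, this hunk re-indents the whole sect2 and rewraps its text at once, so a word-level diff is needed to confirm the commit message's "White space fix only"; it also splits `<ulink` from its `url=` attribute across two lines in both links of the first paragraph.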
@ -2736,7 +2746,8 @@ dhclient_flags=""</programlisting>
<secondary>configuration files</secondary>
</indexterm>
<para>The <acronym>DHCP</acronym> client uses the following files:</para>
<para>The <acronym>DHCP</acronym> client uses the following
files:</para>
<itemizedlist>
<listitem>
@ -2760,86 +2771,90 @@ dhclient_flags=""</programlisting>
<para><filename>/sbin/dhclient-script</filename></para>
<para><command>dhclient-script</command> is the
&os;-specific <acronym>DHCP</acronym> client configuration script. It
is described in &man.dhclient-script.8;, but should not
need any user modification to function properly.</para>
&os;-specific <acronym>DHCP</acronym> client configuration
script. It is described in &man.dhclient-script.8;, but
should not need any user modification to function
properly.</para>
</listitem>
<listitem>
<para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>
<para>The <acronym>DHCP</acronym> client keeps a database of valid leases in
this file, which is written as a log.
<para>The <acronym>DHCP</acronym> client keeps a database of
valid leases in this file, which is written as a log.
&man.dhclient.leases.5; gives a slightly longer
description. Refer to
&man.dhclient.8;, &man.dhcp-options.5;, and
&man.dhclient.conf.5;, in addition to the
references below, for more information.</para>
description. Refer to &man.dhclient.8;,
&man.dhcp-options.5;, and &man.dhclient.conf.5;, in
addition to the references below, for more
information.</para>
</listitem>
</itemizedlist>
</sect2>
<sect2 id="network-dhcp-server">
<title>Installing and Configuring a <acronym>DHCP</acronym> Server</title>
<title>Installing and Configuring a <acronym>DHCP</acronym>
Server</title>
<para>This section provides information on how to configure a
&os; system to act as a <acronym>DHCP</acronym> server using the ISC
(Internet Systems Consortium) implementation of the <acronym>DHCP</acronym>
server.</para>
<para>This section provides information on how to configure a
&os; system to act as a <acronym>DHCP</acronym> server using
the ISC (Internet Systems Consortium) implementation of the
<acronym>DHCP</acronym> server.</para>
<indexterm>
<primary><acronym>DHCP</acronym></primary>
<secondary>server</secondary>
</indexterm>
<para>The <acronym>DHCP</acronym> server, <application>dhcpd</application>, is
included as part of the
<para>The <acronym>DHCP</acronym> server,
<application>dhcpd</application>, is included as part of the
<filename role="package">net/isc-dhcp42-server</filename> port
in the ports collection. This port contains the ISC <acronym>DHCP</acronym>
server and documentation.</para>
<para>The server is not provided as part of &os;, and so the
<filename role="package">net/isc-dhcp42-server</filename>
port must be installed to provide this service. See
<xref linkend="ports"/> for more information on using the
Ports Collection.</para>
in the ports collection. This port contains the ISC
<acronym>DHCP</acronym> server and documentation.</para>
<indexterm>
<primary><acronym>DHCP</acronym></primary>
<para>The server is not provided as part of &os;, and so the
<filename role="package">net/isc-dhcp42-server</filename>
port must be installed to provide this service. See
<xref linkend="ports"/> for more information on using the
Ports Collection.</para>
<indexterm>
<primary><acronym>DHCP</acronym></primary>
<secondary>installation</secondary>
</indexterm>
</indexterm>
<para>In order to configure the &os; system as a <acronym>DHCP</acronym> server,
first ensure that the &man.bpf.4; device is compiled into
the kernel. To do this, add <literal>device bpf</literal>
to the kernel configuration file, and rebuild the kernel.
For more information about building kernels, see
<xref linkend="kernelconfig"/>.</para>
<para>In order to configure the &os; system as a
<acronym>DHCP</acronym> server, first ensure that the
&man.bpf.4; device is compiled into the kernel. To do this,
add <literal>device bpf</literal> to the kernel configuration
file, and rebuild the kernel. For more information about
building kernels, see <xref linkend="kernelconfig"/>.</para>
<para>The <devicename>bpf</devicename> device is already part
of the <filename>GENERIC</filename> kernel that is supplied
with &os;, so there is no need to create a custom kernel in
order to get <acronym>DHCP</acronym> working.</para>
<para>The <devicename>bpf</devicename> device is already part
of the <filename>GENERIC</filename> kernel that is supplied
with &os;, so there is no need to create a custom kernel in
order to get <acronym>DHCP</acronym> working.</para>
<note>
<para>Those who are particularly security conscious should
note that <devicename>bpf</devicename> is also the device
that allows packet sniffers to function correctly
(although such programs still need privileged access).
The <devicename>bpf</devicename> device
<emphasis>is</emphasis> required to use <acronym>DHCP</acronym>, but if the
sensitivity of the system's security is high, this device
should not be included in the kernel purely because the
use of <acronym>DHCP</acronym> may, at some point in the
future, be desired.</para>
</note>
<note>
<para>Those who are particularly security conscious should
note that <devicename>bpf</devicename> is also the device
that allows packet sniffers to function correctly
(although such programs still need privileged access).
The <devicename>bpf</devicename> device
<emphasis>is</emphasis> required to use
<acronym>DHCP</acronym>, but if the sensitivity of the
system's security is high, this device should not be
included in the kernel purely because the use of
<acronym>DHCP</acronym> may, at some point in the future, be
desired.</para>
</note>
<para>An example configuration file is installed by the
<filename role="package">net/isc-dhcp42-server</filename>
port. Copy the example
<filename>/usr/local/etc/dhcpd.conf.example</filename>
to the actual configuration file,
<filename>/usr/local/etc/dhcpd.conf</filename>. Edits
will be made to this new file.</para>
<para>An example configuration file is installed by the
<filename role="package">net/isc-dhcp42-server</filename>
port. Copy the example
<filename>/usr/local/etc/dhcpd.conf.example</filename>
to the actual configuration file,
<filename>/usr/local/etc/dhcpd.conf</filename>. Edits
will be made to this new file.</para>
<sect3>
<title>Configuring the <acronym>DHCP</acronym> Server</title>
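Review bot: in the server section, the paragraph telling the reader to add `device bpf` and rebuild the kernel still comes before the paragraph saying bpf is already in GENERIC, so a reader following the steps in order may rebuild for no reason. A follow-up content commit could lead with the GENERIC statement and limit the rebuild instruction to custom kernels. The bpf security note is also repeated here in different words from the client section earlier in the file; pointing one at the other would keep the guidance about not adding bpf speculatively consistent.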
@ -2880,7 +2895,8 @@ host mailhost {
<callout arearefs="domain-name-servers">
<para>This option specifies a comma separated list of
<acronym>DNS</acronym> servers that the client should use.</para>
<acronym>DNS</acronym> servers that the client should
use.</para>
</callout>
<callout arearefs="subnet-mask">
@ -2904,17 +2920,19 @@ host mailhost {
</callout>
<callout arearefs="ddns-update-style">
<para>This option specifies whether the <acronym>DHCP</acronym> server
should attempt to update <acronym>DNS</acronym> when a lease is accepted
or released. In the ISC implementation, this option
is <emphasis>required</emphasis>.</para>
<para>This option specifies whether the
<acronym>DHCP</acronym> server should attempt to update
<acronym>DNS</acronym> when a lease is accepted or
released. In the ISC implementation, this option is
<emphasis>required</emphasis>.</para>
</callout>
<callout arearefs="range">
<para>This denotes which <acronym>IP</acronym> addresses should be used in
the pool reserved for allocating to clients. <acronym>IP</acronym>
addresses between, and including, the ones stated are
handed out to clients.</para>
<para>This denotes which <acronym>IP</acronym> addresses
should be used in the pool reserved for allocating to
clients. <acronym>IP</acronym> addresses between, and
including, the ones stated are handed out to
clients.</para>
</callout>
<callout arearefs="routers">
@ -2924,14 +2942,15 @@ host mailhost {
<callout arearefs="hardware">
<para>The hardware MAC address of a host (so that the
<acronym>DHCP</acronym> server can recognize a host when it makes a
request).</para>
<acronym>DHCP</acronym> server can recognize a host when
it makes a request).</para>
</callout>
<callout arearefs="fixed-address">
<para>Specifies that the host should always be given the
same <acronym>IP</acronym> address. Note that using a hostname is
correct here, since the <acronym>DHCP</acronym> server will resolve the
same <acronym>IP</acronym> address. Note that using a
hostname is correct here, since the
<acronym>DHCP</acronym> server will resolve the
hostname itself before returning the lease
information.</para>
</callout>
@ -2947,8 +2966,8 @@ dhcpd_ifaces="dc0"</programlisting>
<para>Replace the <literal>dc0</literal> interface name with
the interface (or interfaces, separated by whitespace)
that the <acronym>DHCP</acronym> server should listen on for <acronym>DHCP</acronym> client
requests.</para>
that the <acronym>DHCP</acronym> server should listen on for
<acronym>DHCP</acronym> client requests.</para>
<para>Proceed to start the server by issuing
the following command:</para>
@ -3000,20 +3019,20 @@ dhcpd_ifaces="dc0"</programlisting>
<listitem>
<para><filename>/var/db/dhcpd.leases</filename></para>
<para>The <acronym>DHCP</acronym> server keeps a database of leases it has
issued in this file, which is written as a log. The
port installs &man.dhcpd.leases.5;, which gives a
slightly longer description.</para>
<para>The <acronym>DHCP</acronym> server keeps a database
of leases it has issued in this file, which is written
as a log. The port installs &man.dhcpd.leases.5;, which
gives a slightly longer description.</para>
</listitem>
<listitem>
<para><filename>/usr/local/sbin/dhcrelay</filename></para>
<para><application>dhcrelay</application> is used in
advanced environments where one <acronym>DHCP</acronym> server forwards a
request from a client to another <acronym>DHCP</acronym> server on a
separate network. If this functionality is required,
then install the
advanced environments where one <acronym>DHCP</acronym>
server forwards a request from a client to another
<acronym>DHCP</acronym> server on a separate network.
If this functionality is required, then install the
<filename role="package">net/isc-dhcp42-relay</filename>
port. The port installs &man.dhcrelay.8;, which
provides more detail.</para>
@ -3094,7 +3113,8 @@ dhcpd_ifaces="dc0"</programlisting>
<acronym>DNS</acronym> must be understood.</para>
<indexterm><primary>resolver</primary></indexterm>
<indexterm><primary>reverse <acronym>DNS</acronym></primary></indexterm>
<indexterm><primary>reverse
<acronym>DNS</acronym></primary></indexterm>
<indexterm><primary>root zone</primary></indexterm>
<informaltable frame="none" pgwide="1">
@ -3112,7 +3132,8 @@ dhcpd_ifaces="dc0"</programlisting>
<tbody>
<row>
<entry>Forward <acronym>DNS</acronym></entry>
<entry>Mapping of hostnames to <acronym>IP</acronym> addresses.</entry>
<entry>Mapping of hostnames to <acronym>IP</acronym>
addresses.</entry>
</row>
<row>
@ -3765,7 +3786,8 @@ www IN CNAME example.org.</programlisting>
<secondary>records</secondary>
</indexterm>
<para>The most commonly used <acronym>DNS</acronym> records:</para>
<para>The most commonly used <acronym>DNS</acronym>
records:</para>
<variablelist>
<varlistentry>
@ -3919,9 +3941,9 @@ mail IN A 192.168.1.5</programlisting>
priority number), then the second highest, etc, until the
mail can be properly delivered.</para>
<para>For in-addr.arpa zone files (reverse <acronym>DNS</acronym>), the same
format is used, except with PTR entries instead of A or
CNAME.</para>
<para>For in-addr.arpa zone files (reverse
<acronym>DNS</acronym>), the same format is used, except
with PTR entries instead of A or CNAME.</para>
<programlisting>$TTL 3600
@ -3941,8 +3963,8 @@ mail IN A 192.168.1.5</programlisting>
4 IN PTR mx.example.org.
5 IN PTR mail.example.org.</programlisting>
<para>This file gives the proper <acronym>IP</acronym> address to hostname
mappings for the above fictitious domain.</para>
<para>This file gives the proper <acronym>IP</acronym> address
to hostname mappings for the above fictitious domain.</para>
<para>It is worth noting that all names on the right side
of a PTR record need to be fully qualified (i.e., end in
@ -3970,7 +3992,8 @@ mail IN A 192.168.1.5</programlisting>
<indexterm>
<primary>BIND</primary>
<secondary><acronym>DNS</acronym> security extensions</secondary>
<secondary><acronym>DNS</acronym> security
extensions</secondary>
</indexterm>
<para>Domain Name System Security Extensions, or <acronym
@ -4335,9 +4358,10 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<sect2>
<title>Security</title>
<para>Although BIND is the most common implementation of <acronym>DNS</acronym>,
there is always the issue of security. Possible and
exploitable security holes are sometimes found.</para>
<para>Although BIND is the most common implementation of
<acronym>DNS</acronym>, there is always the issue of security.
Possible and exploitable security holes are sometimes
found.</para>
<para>While &os; automatically drops
<application>named</application> into a &man.chroot.8;
@ -4381,7 +4405,8 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem>
<para><ulink
url="http://www.oreilly.com/catalog/dns5/">O'Reilly
<acronym>DNS</acronym> and BIND 5th Edition</ulink></para>
<acronym>DNS</acronym> and BIND 5th
Edition</ulink></para>
</listitem>
<listitem>
@ -4420,15 +4445,15 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem>
<para><ulink
url="http://tools.ietf.org/html/rfc4034">RFC4034
- Resource Records for the <acronym>DNS</acronym> Security
Extensions</ulink></para>
- Resource Records for the <acronym>DNS</acronym>
Security Extensions</ulink></para>
</listitem>
<listitem>
<para><ulink
url="http://tools.ietf.org/html/rfc4035">RFC4035
- Protocol Modifications for the <acronym>DNS</acronym> Security
Extensions</ulink></para>
- Protocol Modifications for the <acronym>DNS</acronym>
Security Extensions</ulink></para>
</listitem>
<listitem>
@ -4630,7 +4655,8 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
types of Virtual Hosting. The first method is Name-based
Virtual Hosting. Name-based virtual hosting uses the clients
HTTP/1.1 headers to figure out the hostname. This allows many
different domains to share the same <acronym>IP</acronym> address.</para>
different domains to share the same <acronym>IP</acronym>
address.</para>
<para>To setup <application>Apache</application> to use
Name-based Virtual Hosting add an entry like the following to
@ -5524,8 +5550,8 @@ driftfile /var/db/ntp.drift</programlisting>
<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
<para>instead, where
<hostid role="ipaddr">192.168.1.0</hostid> is an <acronym>IP</acronym> address
on the network and
<hostid role="ipaddr">192.168.1.0</hostid> is an
<acronym>IP</acronym> address on the network and
<hostid role="netmask">255.255.255.0</hostid> is the
network's netmask.</para>
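Review bot: the sentence after the `restrict` example still calls 192.168.1.0 "an IP address on the network", while the rule pairs it with mask 255.255.255.0, so it is the network address the restriction is matched against. Nothing to change in a whitespace-only commit, but a follow-up should say "the network address" so readers do not substitute a single host address and end up with an access rule that covers less than they intend.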