Initial shuffle of the DHCP section. This patch does the following:

- fixes acronym tags for DHCP, IP, and UDP
- removes superfluous headings
- shuffles existing content to organize it into a client section and a server section
- replaces deprecated dhcp.org address

Subsequent patches will clean up the white space and then move on to review and clarify the content in this section.
This commit is contained in:
Dru Lavigne 2013-10-16 19:40:27 +00:00
parent 28378719d4
commit 7f49336cd6
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42976


@ -200,7 +200,7 @@
<literal>inetd_flags</literal> is set to <literal>inetd_flags</literal> is set to
<literal>-wW -C 60</literal>, which turns on TCP wrapping for <literal>-wW -C 60</literal>, which turns on TCP wrapping for
<application>inetd</application>'s services, and prevents any <application>inetd</application>'s services, and prevents any
single IP address from requesting any service more than 60 single <acronym>IP</acronym> address from requesting any service more than 60
times in any given minute.</para> times in any given minute.</para>
<para>Although we mention rate-limiting options below, novice <para>Although we mention rate-limiting options below, novice
@ -227,7 +227,7 @@
<listitem> <listitem>
<para>Specify the default maximum number of times a <para>Specify the default maximum number of times a
service can be invoked from a single IP address in one service can be invoked from a single <acronym>IP</acronym> address in one
minute; the default is unlimited. May be overridden on minute; the default is unlimited. May be overridden on
a per-service basis with the a per-service basis with the
<option>max-connections-per-ip-per-minute</option> <option>max-connections-per-ip-per-minute</option>
@ -250,7 +250,7 @@
<listitem> <listitem>
<para>Specify the maximum number of times a service can be <para>Specify the maximum number of times a service can be
invoked from a single IP address at any one time; the invoked from a single <acronym>IP</acronym> address at any one time; the
default is unlimited. May be overridden on a default is unlimited. May be overridden on a
per-service basis with the per-service basis with the
<option>max-child-per-ip</option> parameter.</para> <option>max-child-per-ip</option> parameter.</para>
@ -347,7 +347,7 @@ server-program-arguments</programlisting>
<row> <row>
<entry>udp, udp4</entry> <entry>udp, udp4</entry>
<entry>UDP IPv4</entry> <entry><acronym>UDP</acronym> IPv4</entry>
</row> </row>
<row> <row>
@ -357,7 +357,7 @@ server-program-arguments</programlisting>
<row> <row>
<entry>udp6</entry> <entry>udp6</entry>
<entry>UDP IPv6</entry> <entry><acronym>UDP</acronym> IPv6</entry>
</row> </row>
<row> <row>
@ -367,7 +367,7 @@ server-program-arguments</programlisting>
<row> <row>
<entry>udp46</entry> <entry>udp46</entry>
<entry>Both UDP IPv4 and v6</entry> <entry>Both <acronym>UDP</acronym> IPv4 and v6</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
@ -403,12 +403,12 @@ server-program-arguments</programlisting>
options which limit the maximum connections from a options which limit the maximum connections from a
single place to a particular daemon can be enabled. single place to a particular daemon can be enabled.
<option>max-connections-per-ip-per-minute</option> <option>max-connections-per-ip-per-minute</option>
limits the number of connections from any particular IP limits the number of connections from any particular <acronym>IP</acronym>
address per minutes, e.g., a value of ten would limit address per minutes, e.g., a value of ten would limit
any particular IP address connecting to a particular any particular <acronym>IP</acronym> address connecting to a particular
service to ten attempts per minute. service to ten attempts per minute.
<option>max-child-per-ip</option> limits the number of <option>max-child-per-ip</option> limits the number of
children that can be started on behalf on any single IP children that can be started on behalf on any single <acronym>IP</acronym>
address at any moment. These options are useful to address at any moment. These options are useful to
prevent intentional or unintentional excessive resource prevent intentional or unintentional excessive resource
consumption and Denial of Service (DoS) attacks to a consumption and Denial of Service (DoS) attacks to a
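Review bot: the rewritten lines in this hunk keep two pre-existing typos that should be fixed while the lines are being touched: `address per minutes` should read `address per minute`, and `children that can be started on behalf on any single` should read `on behalf of any single`. Since the purpose of this patch is acronym tagging, `Denial of Service (DoS)` on the last context line is also a candidate for `<acronym>DoS</acronym>`, matching the `<acronym>IP</acronym>` changes just above it.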
@ -430,7 +430,7 @@ server-program-arguments</programlisting>
would read: <literal>nowait/10</literal>.</para> would read: <literal>nowait/10</literal>.</para>
<para>The same setup with a limit of twenty connections <para>The same setup with a limit of twenty connections
per IP address per minute and a maximum total limit of per <acronym>IP</acronym> address per minute and a maximum total limit of
ten child daemons would read: ten child daemons would read:
<literal>nowait/10/20</literal>.</para> <literal>nowait/10/20</literal>.</para>
@ -442,7 +442,7 @@ server-program-arguments</programlisting>
<para>Finally, an example of this field with a maximum of <para>Finally, an example of this field with a maximum of
100 children in total, with a maximum of 5 for any one 100 children in total, with a maximum of 5 for any one
IP address would read: <acronym>IP</acronym> address would read:
<literal>nowait/100/0/5</literal>.</para> <literal>nowait/100/0/5</literal>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -723,7 +723,7 @@ mountd_flags="-r"</programlisting>
<para>The next example exports <para>The next example exports
<filename class="directory">/home</filename> to three clients <filename class="directory">/home</filename> to three clients
by IP address. This can be useful for networks without by <acronym>IP</acronym> address. This can be useful for networks without
<acronym>DNS</acronym>. Optionally, <acronym>DNS</acronym>. Optionally,
<filename>/etc/hosts</filename> could be configured for <filename>/etc/hosts</filename> could be configured for
internal hostnames; please review &man.hosts.5; for more internal hostnames; please review &man.hosts.5; for more
@ -953,7 +953,7 @@ rpc_statd_enable="YES"</programlisting>
<application>amd</application> looks up the corresponding <application>amd</application> looks up the corresponding
remote mount and automatically mounts it. remote mount and automatically mounts it.
<filename class="directory">/net</filename> is used to mount <filename class="directory">/net</filename> is used to mount
an exported file system from an IP address, while an exported file system from an <acronym>IP</acronym> address, while
<filename class="directory">/host</filename> is used to mount <filename class="directory">/host</filename> is used to mount
an export from a remote hostname.</para> an export from a remote hostname.</para>
@ -1251,7 +1251,7 @@ Exports list on foobar:
<thead> <thead>
<row> <row>
<entry>Machine name</entry> <entry>Machine name</entry>
<entry>IP address</entry> <entry><acronym>IP</acronym> address</entry>
<entry>Machine role</entry> <entry>Machine role</entry>
</row> </row>
</thead> </thead>
@ -1768,7 +1768,7 @@ nis_client_enable="YES"</programlisting>
for providing access control instead of for providing access control instead of
<filename>securenets</filename>. While either access control <filename>securenets</filename>. While either access control
mechanism adds some security, they are both vulnerable to mechanism adds some security, they are both vulnerable to
<quote>IP spoofing</quote> attacks. All <quote><acronym>IP</acronym> spoofing</quote> attacks. All
<acronym>NIS</acronym>-related traffic should be blocked at <acronym>NIS</acronym>-related traffic should be blocked at
the firewall.</para> the firewall.</para>
@ -2617,92 +2617,55 @@ result: 0 Success
</authorgroup> </authorgroup>
</sect1info> </sect1info>
--> -->
<title>Automatic Network Configuration (DHCP)</title> <title>Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>)</title>
<indexterm> <indexterm>
<primary>Dynamic Host Configuration Protocol</primary> <primary>Dynamic Host Configuration Protocol</primary>
<see>DHCP</see> <see><acronym>DHCP</acronym></see>
</indexterm> </indexterm>
<indexterm> <indexterm>
<primary>Internet Systems Consortium (ISC)</primary> <primary>Internet Systems Consortium (ISC)</primary>
</indexterm> </indexterm>
<para>DHCP, the Dynamic Host Configuration Protocol, describes <para>The Dynamic Host Configuration Protocol (<acronym>DHCP</acronym>) allows
the means by which a system can connect to a network and a system to connect to a network in order to be assigned
obtain the necessary information for communication upon that the necessary addressing information for communication on that
network. &os; uses the OpenBSD <command>dhclient</command> network. &os; includes the OpenBSD version of <command>dhclient</command>
taken from OpenBSD&nbsp;3.7. All information here regarding which is used by the client to obtain the addressing information.
<command>dhclient</command> is for use with either of the ISC &os; does not install a <acronym>DHCP</acronym> server, but several
or OpenBSD DHCP clients. The DHCP server is the one included servers are available in the &os; Ports Collection.
in the ISC distribution.</para> The <acronym>DHCP</acronym> protocol is fully described in
<ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC
2131</ulink>. Informational resources are also available at
<ulink url="http://www.isc.org/downloads/dhcp/">isc.org/downloads/dhcp/</ulink>.</para>
<para>This section describes both the client-side components of <para>This section describes how to use the built-in <acronym>DHCP</acronym> client.
the ISC and OpenBSD DHCP client and server-side components of It then describes how to install and configure a
the ISC DHCP system. The client-side program, <acronym>DHCP</acronym> server.</para>
<command>dhclient</command>, comes integrated within &os;,
and the server-side portion is available from the <filename
role="package">net/isc-dhcp42-server</filename> port. Refer to
&man.dhclient.8;, &man.dhcp-options.5;, and
&man.dhclient.conf.5;, in addition to the
references below, for more information.</para>
<sect2> <sect2>
<title>How It Works</title> <title>Configuring a <acronym>DHCP</acronym> Client</title>
<indexterm><primary>UDP</primary></indexterm> <para><acronym>DHCP</acronym> client support is included in the &os;
<para>When <command>dhclient</command>, the DHCP client, is installer, making it easy to configure a system to automatically
executed on the client machine, it begins broadcasting receive its networking addressing information from an existing
requests for configuration information. By default, these <acronym>DHCP</acronym> server.</para>
requests are on UDP port 68. The server replies on UDP 67,
giving the client an IP address and other relevant network <indexterm><primary><acronym>UDP</acronym></primary></indexterm>
information such as netmask, router, and DNS servers. All of <para>When <command>dhclient</command> is
this information comes in the form of a DHCP executed on the client machine, it begins broadcasting
<quote>lease</quote> and is only valid for a certain time requests for configuration information. By default, these
(configured by the DHCP server maintainer). In this manner, requests use <acronym>UDP</acronym> port 68. The server replies on <acronym>UDP</acronym> port 67,
stale IP addresses for clients no longer connected to the giving the client an <acronym>IP</acronym> address and other relevant network
network can be automatically reclaimed.</para> information such as a subnet mask, default gateway, and <acronym>DNS</acronym> server addresses.
This information is in the form of a <acronym>DHCP</acronym>
<quote>lease</quote> and is valid for a configurable time. This allows
stale <acronym>IP</acronym> addresses for clients no longer connected to the
network to automatically be reused.</para>
<para>DHCP clients can obtain a great deal of information from <para><acronym>DHCP</acronym> clients can obtain a great deal of information from
the server. An exhaustive list may be found in the server. An exhaustive list may be found in
&man.dhcp-options.5;.</para> &man.dhcp-options.5;.</para>
</sect2>
<sect2>
<title>&os; Integration</title>
<para>&os; fully integrates the OpenBSD DHCP client,
<command>dhclient</command>. DHCP client support is provided
within both the installer and the base system, obviating the
need for detailed knowledge of network configurations on any
network that runs a DHCP server.</para>
<indexterm>
<primary><application>sysinstall</application></primary>
</indexterm>
<para>DHCP is supported by
<application>sysinstall</application>. When configuring a
network interface within
<application>sysinstall</application>, the second question
asked is: <quote>Do you want to try DHCP configuration of the
interface?</quote>. Answering affirmatively will execute
<command>dhclient</command>, and if successful, will fill in
the network configuration information automatically.</para>
<para>There are two things required to have the system use
DHCP upon startup:</para>
<indexterm>
<primary>DHCP</primary>
<secondary>requirements</secondary>
</indexterm>
<itemizedlist>
<listitem>
<para>Make sure that the <devicename>bpf</devicename> device
is compiled into the kernel. To do this, add
<literal>device bpf</literal> to the kernel configuration
file, and rebuild the kernel. For more information about
building kernels, see
<xref linkend="kernelconfig"/>.</para>
<para>The <devicename>bpf</devicename> device is already <para>The <devicename>bpf</devicename> device is already
part of the <filename>GENERIC</filename> kernel that is part of the <filename>GENERIC</filename> kernel that is
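Review bot: the port description carried into the new `Configuring a DHCP Client` section is misleading and should be corrected while the paragraph is being rewritten. `these requests use UDP port 68. The server replies on UDP port 67` describes the source ports; what a reader (and anyone writing firewall rules) needs is that the client sends its broadcast to the server port, UDP 67, and the server answers to the client port, UDP 68, which is how RFC 2131 defines the two well-known ports. Suggested wording: `the client sends requests from UDP port 68 to UDP port 67 on the server, and the server replies to UDP port 68 on the client`. Two smaller points in the same hunk: `The <acronym>DHCP</acronym> protocol is fully described in` expands to "Protocol protocol", so `<acronym>DHCP</acronym> is fully described in` reads better; and the RFC 2131 link still points at the freesoft.org mirror, while the DNS section of this same file already links `http://tools.ietf.org/html/rfc4033`, so `http://tools.ietf.org/html/rfc2131` would be the consistent choice.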
@ -2719,37 +2682,35 @@ result: 0 Success
(although they still have to be run as (although they still have to be run as
<username>root</username>). <username>root</username>).
<devicename>bpf</devicename> <emphasis>is</emphasis> <devicename>bpf</devicename> <emphasis>is</emphasis>
required to use DHCP; however, the security sensitive required to use <acronym>DHCP</acronym>; however, the security sensitive
types should probably not add types should probably not add
<devicename>bpf</devicename> to the kernel in the <devicename>bpf</devicename> to the kernel in the
expectation that at some point in the future the system expectation that at some point in the future the system
will be using DHCP.</para> will be using <acronym>DHCP</acronym>.</para>
</note> </note>
</listitem>
<listitem> <para>By default, <acronym>DHCP</acronym> configuration on &os; runs in the
<para>By default, DHCP configuration on &os; runs in the
background, or <firstterm>asynchronously</firstterm>. background, or <firstterm>asynchronously</firstterm>.
Other startup scripts continue to run while DHCP Other startup scripts continue to run while <acronym>DHCP</acronym>
completes, speeding up system startup.</para> completes, speeding up system startup.</para>
<para>Background DHCP works well when the DHCP server <para>Background <acronym>DHCP</acronym> works well when the <acronym>DHCP</acronym> server
responds quickly to requests and the DHCP configuration responds quickly to requests and the <acronym>DHCP</acronym> configuration
process goes quickly. However, DHCP may take a long time process goes quickly. However, <acronym>DHCP</acronym> may take a long time
to complete on some systems. If network services attempt to complete on some systems. If network services attempt
to run before DHCP has completed, they will fail. Using to run before <acronym>DHCP</acronym> has completed, they will fail. Using
DHCP in <firstterm>synchronous</firstterm> mode prevents <acronym>DHCP</acronym> in <firstterm>synchronous</firstterm> mode prevents
the problem, pausing startup until DHCP configuration has the problem, pausing startup until <acronym>DHCP</acronym> configuration has
completed.</para> completed.</para>
<para>To connect to a DHCP server in the background while <para>To connect to a <acronym>DHCP</acronym> server in the background while
other startup continues (asynchronous mode), use the other startup continues (asynchronous mode), use the
<quote><literal>DHCP</literal></quote> value in <quote><literal>DHCP</literal></quote> value in
<filename>/etc/rc.conf</filename>:</para> <filename>/etc/rc.conf</filename>:</para>
<programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting> <programlisting>ifconfig_<replaceable>fxp0</replaceable>="DHCP"</programlisting>
<para>To pause startup while DHCP completes, use <para>To pause startup while <acronym>DHCP</acronym> completes, use
synchronous mode with the synchronous mode with the
<quote><literal>SYNCDHCP</literal></quote> value:</para> <quote><literal>SYNCDHCP</literal></quote> value:</para>
@ -2769,27 +2730,14 @@ result: 0 Success
<programlisting>dhclient_program="/sbin/dhclient" <programlisting>dhclient_program="/sbin/dhclient"
dhclient_flags=""</programlisting> dhclient_flags=""</programlisting>
</listitem>
</itemizedlist>
<indexterm> <indexterm>
<primary>DHCP</primary> <primary><acronym>DHCP</acronym></primary>
<secondary>server</secondary>
</indexterm>
<para>The DHCP server, <application>dhcpd</application>, is
included as part of the
<filename role="package">net/isc-dhcp42-server</filename> port
in the ports collection. This port contains the ISC DHCP
server and documentation.</para>
</sect2>
<sect2>
<title>Files</title>
<indexterm>
<primary>DHCP</primary>
<secondary>configuration files</secondary> <secondary>configuration files</secondary>
</indexterm> </indexterm>
<para>The <acronym>DHCP</acronym> client uses the following files:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><filename>/etc/dhclient.conf</filename></para> <para><filename>/etc/dhclient.conf</filename></para>
@ -2812,7 +2760,7 @@ dhclient_flags=""</programlisting>
<para><filename>/sbin/dhclient-script</filename></para> <para><filename>/sbin/dhclient-script</filename></para>
<para><command>dhclient-script</command> is the <para><command>dhclient-script</command> is the
&os;-specific DHCP client configuration script. It &os;-specific <acronym>DHCP</acronym> client configuration script. It
is described in &man.dhclient-script.8;, but should not is described in &man.dhclient-script.8;, but should not
need any user modification to function properly.</para> need any user modification to function properly.</para>
</listitem> </listitem>
@ -2820,50 +2768,47 @@ dhclient_flags=""</programlisting>
<listitem> <listitem>
<para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para> <para><filename>/var/db/dhclient.leases.<replaceable>interface</replaceable></filename></para>
<para>The DHCP client keeps a database of valid leases in <para>The <acronym>DHCP</acronym> client keeps a database of valid leases in
this file, which is written as a log. this file, which is written as a log.
&man.dhclient.leases.5; gives a slightly longer &man.dhclient.leases.5; gives a slightly longer
description.</para> description. Refer to
&man.dhclient.8;, &man.dhcp-options.5;, and
&man.dhclient.conf.5;, in addition to the
references below, for more information.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</sect2> </sect2>
<sect2>
<title>Further Reading</title>
<para>The DHCP protocol is fully described in
<ulink url="http://www.freesoft.org/CIE/RFC/2131/">RFC
2131</ulink>. An informational resource has also been set
up at <ulink url="http://www.dhcp.org/"></ulink>.</para>
</sect2>
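Review bot: the sentence added to the leases list item, `Refer to &man.dhclient.8;, &man.dhcp-options.5;, and &man.dhclient.conf.5;, in addition to the references below, for more information.`, now points at references that no longer exist below it: this same hunk deletes the `Further Reading` sect2, and the RFC 2131 and ISC links were moved to the section introduction above. Drop `in addition to the references below` (or change it to `above`), and consider moving the sentence out of the `/var/db/dhclient.leases` item to after the closing `</itemizedlist>`, since it applies to the whole client section rather than to the lease database.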
<sect2 id="network-dhcp-server"> <sect2 id="network-dhcp-server">
<title>Installing and Configuring a DHCP Server</title> <title>Installing and Configuring a <acronym>DHCP</acronym> Server</title>
<sect3>
<title>What This Section Covers</title>
<para>This section provides information on how to configure a <para>This section provides information on how to configure a
&os; system to act as a DHCP server using the ISC &os; system to act as a <acronym>DHCP</acronym> server using the ISC
(Internet Systems Consortium) implementation of the DHCP (Internet Systems Consortium) implementation of the <acronym>DHCP</acronym>
server.</para> server.</para>
<indexterm>
<primary><acronym>DHCP</acronym></primary>
<secondary>server</secondary>
</indexterm>
<para>The <acronym>DHCP</acronym> server, <application>dhcpd</application>, is
included as part of the
<filename role="package">net/isc-dhcp42-server</filename> port
in the ports collection. This port contains the ISC <acronym>DHCP</acronym>
server and documentation.</para>
<para>The server is not provided as part of &os;, and so the <para>The server is not provided as part of &os;, and so the
<filename role="package">net/isc-dhcp42-server</filename> <filename role="package">net/isc-dhcp42-server</filename>
port must be installed to provide this service. See port must be installed to provide this service. See
<xref linkend="ports"/> for more information on using the <xref linkend="ports"/> for more information on using the
Ports Collection.</para> Ports Collection.</para>
</sect3>
<sect3>
<title>DHCP Server Installation</title>
<indexterm> <indexterm>
<primary>DHCP</primary> <primary><acronym>DHCP</acronym></primary>
<secondary>installation</secondary> <secondary>installation</secondary>
</indexterm> </indexterm>
<para>In order to configure the &os; system as a DHCP server, <para>In order to configure the &os; system as a <acronym>DHCP</acronym> server,
first ensure that the &man.bpf.4; device is compiled into first ensure that the &man.bpf.4; device is compiled into
the kernel. To do this, add <literal>device bpf</literal> the kernel. To do this, add <literal>device bpf</literal>
to the kernel configuration file, and rebuild the kernel. to the kernel configuration file, and rebuild the kernel.
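Review bot: the two paragraphs that this shuffle places next to each other in the server section say the same thing. `The DHCP server, dhcpd, is included as part of the net/isc-dhcp42-server port in the ports collection. This port contains the ISC DHCP server and documentation.` is immediately followed by `The server is not provided as part of &os;, and so the net/isc-dhcp42-server port must be installed to provide this service.` Merge them into one paragraph, and settle on one spelling: the first uses `ports collection`, the second `Ports Collection`. Given the purpose of this patch, `ISC (Internet Systems Consortium)` in the preceding paragraph is also a candidate for `<acronym>ISC</acronym>`.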
@ -2881,7 +2826,7 @@ dhclient_flags=""</programlisting>
that allows packet sniffers to function correctly that allows packet sniffers to function correctly
(although such programs still need privileged access). (although such programs still need privileged access).
The <devicename>bpf</devicename> device The <devicename>bpf</devicename> device
<emphasis>is</emphasis> required to use DHCP, but if the <emphasis>is</emphasis> required to use <acronym>DHCP</acronym>, but if the
sensitivity of the system's security is high, this device sensitivity of the system's security is high, this device
should not be included in the kernel purely because the should not be included in the kernel purely because the
use of <acronym>DHCP</acronym> may, at some point in the use of <acronym>DHCP</acronym> may, at some point in the
@ -2895,13 +2840,12 @@ dhclient_flags=""</programlisting>
to the actual configuration file, to the actual configuration file,
<filename>/usr/local/etc/dhcpd.conf</filename>. Edits <filename>/usr/local/etc/dhcpd.conf</filename>. Edits
will be made to this new file.</para> will be made to this new file.</para>
</sect3>
<sect3> <sect3>
<title>Configuring the DHCP Server</title> <title>Configuring the <acronym>DHCP</acronym> Server</title>
<indexterm> <indexterm>
<primary>DHCP</primary> <primary><acronym>DHCP</acronym></primary>
<secondary>dhcpd.conf</secondary> <secondary>dhcpd.conf</secondary>
</indexterm> </indexterm>
<para><filename>dhcpd.conf</filename> is comprised of <para><filename>dhcpd.conf</filename> is comprised of
@ -2936,7 +2880,7 @@ host mailhost {
<callout arearefs="domain-name-servers"> <callout arearefs="domain-name-servers">
<para>This option specifies a comma separated list of <para>This option specifies a comma separated list of
DNS servers that the client should use.</para> <acronym>DNS</acronym> servers that the client should use.</para>
</callout> </callout>
<callout arearefs="subnet-mask"> <callout arearefs="subnet-mask">
@ -2960,15 +2904,15 @@ host mailhost {
</callout> </callout>
<callout arearefs="ddns-update-style"> <callout arearefs="ddns-update-style">
<para>This option specifies whether the DHCP server <para>This option specifies whether the <acronym>DHCP</acronym> server
should attempt to update DNS when a lease is accepted should attempt to update <acronym>DNS</acronym> when a lease is accepted
or released. In the ISC implementation, this option or released. In the ISC implementation, this option
is <emphasis>required</emphasis>.</para> is <emphasis>required</emphasis>.</para>
</callout> </callout>
<callout arearefs="range"> <callout arearefs="range">
<para>This denotes which IP addresses should be used in <para>This denotes which <acronym>IP</acronym> addresses should be used in
the pool reserved for allocating to clients. IP the pool reserved for allocating to clients. <acronym>IP</acronym>
addresses between, and including, the ones stated are addresses between, and including, the ones stated are
handed out to clients.</para> handed out to clients.</para>
</callout> </callout>
@ -2980,14 +2924,14 @@ host mailhost {
<callout arearefs="hardware"> <callout arearefs="hardware">
<para>The hardware MAC address of a host (so that the <para>The hardware MAC address of a host (so that the
DHCP server can recognize a host when it makes a <acronym>DHCP</acronym> server can recognize a host when it makes a
request).</para> request).</para>
</callout> </callout>
<callout arearefs="fixed-address"> <callout arearefs="fixed-address">
<para>Specifies that the host should always be given the <para>Specifies that the host should always be given the
same IP address. Note that using a hostname is same <acronym>IP</acronym> address. Note that using a hostname is
correct here, since the DHCP server will resolve the correct here, since the <acronym>DHCP</acronym> server will resolve the
hostname itself before returning the lease hostname itself before returning the lease
information.</para> information.</para>
</callout> </callout>
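Review bot: `The hardware MAC address of a host` on the first changed line of this hunk leaves MAC untagged while DHCP and IP on the surrounding lines receive `<acronym>`; tag it as `<acronym>MAC</acronym>` for consistency with the rest of the patch.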
@ -2995,7 +2939,7 @@ host mailhost {
<para>Once the configuration of <para>Once the configuration of
<filename>dhcpd.conf</filename> has been completed, <filename>dhcpd.conf</filename> has been completed,
enable the DHCP server in enable the <acronym>DHCP</acronym> server in
<filename>/etc/rc.conf</filename>, i.e., by adding:</para> <filename>/etc/rc.conf</filename>, i.e., by adding:</para>
<programlisting>dhcpd_enable="YES" <programlisting>dhcpd_enable="YES"
@ -3003,7 +2947,7 @@ dhcpd_ifaces="dc0"</programlisting>
<para>Replace the <literal>dc0</literal> interface name with <para>Replace the <literal>dc0</literal> interface name with
the interface (or interfaces, separated by whitespace) the interface (or interfaces, separated by whitespace)
that the DHCP server should listen on for DHCP client that the <acronym>DHCP</acronym> server should listen on for <acronym>DHCP</acronym> client
requests.</para> requests.</para>
<para>Proceed to start the server by issuing <para>Proceed to start the server by issuing
@ -3023,7 +2967,7 @@ dhcpd_ifaces="dc0"</programlisting>
<title>Files</title> <title>Files</title>
<indexterm> <indexterm>
<primary>DHCP</primary> <primary><acronym>DHCP</acronym></primary>
<secondary>configuration files</secondary> <secondary>configuration files</secondary>
</indexterm> </indexterm>
<itemizedlist> <itemizedlist>
@ -3056,7 +3000,7 @@ dhcpd_ifaces="dc0"</programlisting>
<listitem> <listitem>
<para><filename>/var/db/dhcpd.leases</filename></para> <para><filename>/var/db/dhcpd.leases</filename></para>
<para>The DHCP server keeps a database of leases it has <para>The <acronym>DHCP</acronym> server keeps a database of leases it has
issued in this file, which is written as a log. The issued in this file, which is written as a log. The
port installs &man.dhcpd.leases.5;, which gives a port installs &man.dhcpd.leases.5;, which gives a
slightly longer description.</para> slightly longer description.</para>
@ -3066,8 +3010,8 @@ dhcpd_ifaces="dc0"</programlisting>
<para><filename>/usr/local/sbin/dhcrelay</filename></para> <para><filename>/usr/local/sbin/dhcrelay</filename></para>
<para><application>dhcrelay</application> is used in <para><application>dhcrelay</application> is used in
advanced environments where one DHCP server forwards a advanced environments where one <acronym>DHCP</acronym> server forwards a
request from a client to another DHCP server on a request from a client to another <acronym>DHCP</acronym> server on a
separate network. If this functionality is required, separate network. If this functionality is required,
then install the then install the
<filename role="package">net/isc-dhcp42-relay</filename> <filename role="package">net/isc-dhcp42-relay</filename>
@ -3150,7 +3094,7 @@ dhcpd_ifaces="dc0"</programlisting>
<acronym>DNS</acronym> must be understood.</para> <acronym>DNS</acronym> must be understood.</para>
<indexterm><primary>resolver</primary></indexterm> <indexterm><primary>resolver</primary></indexterm>
<indexterm><primary>reverse DNS</primary></indexterm> <indexterm><primary>reverse <acronym>DNS</acronym></primary></indexterm>
<indexterm><primary>root zone</primary></indexterm> <indexterm><primary>root zone</primary></indexterm>
<informaltable frame="none" pgwide="1"> <informaltable frame="none" pgwide="1">
@ -3168,7 +3112,7 @@ dhcpd_ifaces="dc0"</programlisting>
<tbody> <tbody>
<row> <row>
<entry>Forward <acronym>DNS</acronym></entry> <entry>Forward <acronym>DNS</acronym></entry>
<entry>Mapping of hostnames to IP addresses.</entry> <entry>Mapping of hostnames to <acronym>IP</acronym> addresses.</entry>
</row> </row>
<row> <row>
@ -3492,7 +3436,7 @@ options {
</warning> </warning>
<programlisting> /* <programlisting> /*
Modern versions of BIND use a random UDP port for each outgoing Modern versions of BIND use a random <acronym>UDP</acronym> port for each outgoing
query by default in order to dramatically reduce the possibility query by default in order to dramatically reduce the possibility
of cache poisoning. All users are strongly encouraged to utilize of cache poisoning. All users are strongly encouraged to utilize
this feature, and to configure their firewalls to accommodate it. this feature, and to configure their firewalls to accommodate it.
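Review bot: this `<acronym>UDP</acronym>` insertion lands inside a `<programlisting>` that reproduces a comment from the sample BIND configuration (the block opens with `<programlisting> /*` two lines above). Text inside a verbatim listing should match the file the reader will see on disk, so inline markup is better left out here; the other acronym changes in this patch are all in running prose, and this is the only one inside a listing.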
@ -3817,11 +3761,11 @@ www IN CNAME example.org.</programlisting>
<programlisting>recordname IN recordtype value</programlisting> <programlisting>recordname IN recordtype value</programlisting>
<indexterm> <indexterm>
<primary>DNS</primary> <primary><acronym>DNS</acronym></primary>
<secondary>records</secondary> <secondary>records</secondary>
</indexterm> </indexterm>
<para>The most commonly used DNS records:</para> <para>The most commonly used <acronym>DNS</acronym> records:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
@ -3861,7 +3805,7 @@ www IN CNAME example.org.</programlisting>
<listitem> <listitem>
<para>a domain name pointer (used in reverse <para>a domain name pointer (used in reverse
DNS)</para> <acronym>DNS</acronym>)</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -3940,7 +3884,7 @@ mail IN A 192.168.1.5</programlisting>
<programlisting> IN A 192.168.1.1</programlisting> <programlisting> IN A 192.168.1.1</programlisting>
<para>This line assigns IP address <para>This line assigns <acronym>IP</acronym> address
<hostid role="ipaddr">192.168.1.1</hostid> to the current <hostid role="ipaddr">192.168.1.1</hostid> to the current
origin, in this case origin, in this case
<hostid role="domainname">example.org</hostid>.</para> <hostid role="domainname">example.org</hostid>.</para>
@ -3975,7 +3919,7 @@ mail IN A 192.168.1.5</programlisting>
priority number), then the second highest, etc, until the priority number), then the second highest, etc, until the
mail can be properly delivered.</para> mail can be properly delivered.</para>
<para>For in-addr.arpa zone files (reverse DNS), the same <para>For in-addr.arpa zone files (reverse <acronym>DNS</acronym>), the same
format is used, except with PTR entries instead of A or format is used, except with PTR entries instead of A or
CNAME.</para> CNAME.</para>
@ -3997,7 +3941,7 @@ mail IN A 192.168.1.5</programlisting>
4 IN PTR mx.example.org. 4 IN PTR mx.example.org.
5 IN PTR mail.example.org.</programlisting> 5 IN PTR mail.example.org.</programlisting>
<para>This file gives the proper IP address to hostname <para>This file gives the proper <acronym>IP</acronym> address to hostname
mappings for the above fictitious domain.</para> mappings for the above fictitious domain.</para>
<para>It is worth noting that all names on the right side <para>It is worth noting that all names on the right side
@ -4026,7 +3970,7 @@ mail IN A 192.168.1.5</programlisting>
<indexterm> <indexterm>
<primary>BIND</primary> <primary>BIND</primary>
<secondary>DNS security extensions</secondary> <secondary><acronym>DNS</acronym> security extensions</secondary>
</indexterm> </indexterm>
<para>Domain Name System Security Extensions, or <acronym <para>Domain Name System Security Extensions, or <acronym
@ -4391,7 +4335,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<sect2> <sect2>
<title>Security</title> <title>Security</title>
<para>Although BIND is the most common implementation of DNS, <para>Although BIND is the most common implementation of <acronym>DNS</acronym>,
there is always the issue of security. Possible and there is always the issue of security. Possible and
exploitable security holes are sometimes found.</para> exploitable security holes are sometimes found.</para>
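Review bot: BIND in the first line of this hunk is left untagged while the DNS beside it becomes <acronym>DNS</acronym>; as the name of the software, <application>BIND</application> is the usual choice, and the bare BIND in the book-title link a few hunks down should be handled the same way so the section is consistent. The changed line also now extends well past 80 columns; the commit message defers whitespace cleanup to a follow-up, so noting it here only so the rewrap is not forgotten.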
@ -4437,7 +4381,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem> <listitem>
<para><ulink <para><ulink
url="http://www.oreilly.com/catalog/dns5/">O'Reilly url="http://www.oreilly.com/catalog/dns5/">O'Reilly
DNS and BIND 5th Edition</ulink></para> <acronym>DNS</acronym> and BIND 5th Edition</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
@ -4469,21 +4413,21 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem> <listitem>
<para><ulink <para><ulink
url="http://tools.ietf.org/html/rfc4033">RFC4033 url="http://tools.ietf.org/html/rfc4033">RFC4033
- DNS Security Introduction and - <acronym>DNS</acronym> Security Introduction and
Requirements</ulink></para> Requirements</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink <para><ulink
url="http://tools.ietf.org/html/rfc4034">RFC4034 url="http://tools.ietf.org/html/rfc4034">RFC4034
- Resource Records for the DNS Security - Resource Records for the <acronym>DNS</acronym> Security
Extensions</ulink></para> Extensions</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink <para><ulink
url="http://tools.ietf.org/html/rfc4035">RFC4035 url="http://tools.ietf.org/html/rfc4035">RFC4035
- Protocol Modifications for the DNS Security - Protocol Modifications for the <acronym>DNS</acronym> Security
Extensions</ulink></para> Extensions</ulink></para>
</listitem> </listitem>
@ -4496,7 +4440,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
<listitem> <listitem>
<para><ulink <para><ulink
url="http://tools.ietf.org/html/rfc5011">RFC 5011 url="http://tools.ietf.org/html/rfc5011">RFC 5011
- Automated Updates of DNS Security - Automated Updates of <acronym>DNS</acronym> Security
(<acronym>DNSSEC</acronym> (<acronym>DNSSEC</acronym>
Trust Anchors</ulink></para> Trust Anchors</ulink></para>
</listitem> </listitem>
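Review bot: the link text in this hunk is missing a closing parenthesis: "(<acronym>DNSSEC</acronym>" opens a paren that "Trust Anchors</ulink>" never closes, so the rendered title reads "Automated Updates of DNS Security (DNSSEC Trust Anchors". Suggest "(<acronym>DNSSEC</acronym>) Trust Anchors". Separately, this entry writes "RFC 5011" with a space while the three entries in the previous hunk use "RFC4033", "RFC4034" and "RFC4035"; pick one form for the whole list.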
@ -4686,7 +4630,7 @@ $include Kexample.com.+005+nnnnn.ZSK.key ; ZSK</programlisting>
types of Virtual Hosting. The first method is Name-based types of Virtual Hosting. The first method is Name-based
Virtual Hosting. Name-based virtual hosting uses the clients Virtual Hosting. Name-based virtual hosting uses the clients
HTTP/1.1 headers to figure out the hostname. This allows many HTTP/1.1 headers to figure out the hostname. This allows many
different domains to share the same IP address.</para> different domains to share the same <acronym>IP</acronym> address.</para>
<para>To setup <application>Apache</application> to use <para>To setup <application>Apache</application> to use
Name-based Virtual Hosting add an entry like the following to Name-based Virtual Hosting add an entry like the following to
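Review bot: "the clients HTTP/1.1 headers" in the second line of this hunk needs the possessive "client's", and HTTP is left bare while IP two lines below gains <acronym>; tag it as <acronym>HTTP</acronym> for consistency. In the last line, "setup" is used as a verb and should be "set up".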
@ -5252,7 +5196,7 @@ DocumentRoot /www/someotherdomain.tld
<para>This sets the NetBIOS name by which a <para>This sets the NetBIOS name by which a
<application>Samba</application> server is known. <application>Samba</application> server is known.
By default it is the same as the first component of By default it is the same as the first component of
the host's DNS name.</para> the host's <acronym>DNS</acronym> name.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -5580,7 +5524,7 @@ driftfile /var/db/ntp.drift</programlisting>
<programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting> <programlisting>restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap</programlisting>
<para>instead, where <para>instead, where
<hostid role="ipaddr">192.168.1.0</hostid> is an IP address <hostid role="ipaddr">192.168.1.0</hostid> is an <acronym>IP</acronym> address
on the network and on the network and
<hostid role="netmask">255.255.255.0</hostid> is the <hostid role="netmask">255.255.255.0</hostid> is the
network's netmask.</para> network's netmask.</para>
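Review bot: "is an IP address on the network" in this hunk is misleading: paired with "mask 255.255.255.0" in the restrict line above, 192.168.1.0 is the network address the restriction applies to, not a host's address. Suggest "is the network address" so the prose matches what the restrict line actually expresses.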
@ -6207,7 +6151,7 @@ iqn.2012-06.com.example:target0 10.10.10.10 Connected: da0</
iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscsid(8)</programlisting> iqn.2012-06.com.example:target0 10.10.10.10 Waiting for iscsid(8)</programlisting>
<para>The following suggests network-level problem, such as <para>The following suggests network-level problem, such as
wrong IP address or port:</para> wrong <acronym>IP</acronym> address or port:</para>
<programlisting>Target name Target addr State <programlisting>Target name Target addr State
iqn.2012-06.com.example:target0 10.10.10.11 Connection refused</programlisting> iqn.2012-06.com.example:target0 10.10.10.11 Connection refused</programlisting>
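Review bot: "suggests network-level problem" in the first changed line of this hunk is missing an article; it should read "suggests a network-level problem, such as a wrong IP address or port".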