Yolinux.com

dhcpd.conf manpage

Search topic Section
Get manual page for the search topic
List all commands matching the search topic
List all topics in the manpage index

dhcpd.conf(5)							 dhcpd.conf(5)



NAME
       dhcpd.conf - dhcpd configuration file

DESCRIPTION
       The  dhcpd.conf	file contains configuration information for dhcpd, the
       Internet Systems Consortium DHCP Server.

       The dhcpd.conf file is a free-form ASCII text file.   It is  parsed  by
       the  recursive-descent  parser built into dhcpd.	  The file may contain
       extra tabs and newlines for formatting purposes.	 Keywords in the  file
       are case-insensitive.   Comments may be placed anywhere within the file
       (except within quotes).	 Comments begin with the # character  and  end
       at the end of the line.

       The  file  essentially  consists	 of a list of statements.   Statements
       fall into two broad categories - parameters and declarations.

       Parameter statements either say how to do something (e.g., how  long  a
       lease  to  offer),  whether to do something (e.g., should dhcpd provide
       addresses to unknown clients), or what parameters  to  provide  to  the
       client (e.g., use gateway 220.177.244.7).

       Declarations  are  used	to  describe  the  topology of the network, to
       describe clients on the network,	 to  provide  addresses	 that  can  be
       assigned	 to  clients,  or to apply a group of parameters to a group of
       declarations.   In any group of parameters and declarations, all param-
       eters  must  be specified before any declarations which depend on those
       parameters may be specified.

       Declarations about network topology include the shared-network and  the
       subnet  declarations.	If  clients  on	 a  subnet  are to be assigned
       addresses dynamically, a range declaration must appear within the  sub-
       net  declaration.    For clients with statically assigned addresses, or
       for installations where only known clients will be  served,  each  such
       client  must have a host declaration.   If parameters are to be applied
       to a group of declarations which are not related strictly on a per-sub-
       net basis, the group declaration can be used.

       For  every  subnet  which will be served, and for every subnet to which
       the dhcp server is connected, there must	 be  one  subnet  declaration,
       which  tells  dhcpd how to recognize that an address is on that subnet.
       A subnet declaration is required for each subnet even if	 no  addresses
       will be dynamically allocated on that subnet.

       Some  installations  have  physical  networks on which more than one IP
       subnet operates.	  For example, if there	 is  a	site-wide  requirement
       that  8-bit subnet masks be used, but a department with a single physi-
       cal ethernet network expands to the point where it has  more  than  254
       nodes,  it may be necessary to run two 8-bit subnets on the same ether-
       net until such time as a new physical network can be added.    In  this
       case,  the  subnet declarations for these two networks must be enclosed
       in a shared-network declaration.

       Some sites may have departments which have clients  on  more  than  one
       subnet, but it may be desirable to offer those clients a uniform set of
       parameters which are different than what would be  offered  to  clients
       from  other departments on the same subnet.   For clients which will be
       declared explicitly with host declarations, these declarations  can  be
       enclosed	 in  a	group  declaration along with the parameters which are
       common to that department.   For clients whose addresses will be dynam-
       ically assigned, class declarations and conditional declarations may be
       used to group parameter assignments based  on  information  the	client
       sends.

       When  a	client	is to be booted, its boot parameters are determined by
       consulting that client's host declaration (if any), and then consulting
       any  class declarations matching the client, followed by the pool, sub-
       net and shared-network declarations for the IP address assigned to  the
       client.	  Each	of  these declarations itself appears within a lexical
       scope, and all declarations at less specific lexical  scopes  are  also
       consulted for client option declarations.   Scopes are never considered
       twice, and if parameters are declared  in  more	than  one  scope,  the
       parameter  declared in the most specific scope is the one that is used.

       When dhcpd tries to find a host declaration  for	 a  client,  it	 first
       looks for a host declaration which has a fixed-address declaration that
       lists an IP address that is valid for the subnet or shared  network  on
       which  the  client  is booting.	 If it doesn't find any such entry, it
       tries to find an entry which has no fixed-address declaration.

EXAMPLES
       A typical dhcpd.conf file will look something like this:

       global parameters...

       subnet 204.254.239.0 netmask 255.255.255.224 {
	 subnet-specific parameters...
	 range 204.254.239.10 204.254.239.30;
       }

       subnet 204.254.239.32 netmask 255.255.255.224 {
	 subnet-specific parameters...
	 range 204.254.239.42 204.254.239.62;
       }

       subnet 204.254.239.64 netmask 255.255.255.224 {
	 subnet-specific parameters...
	 range 204.254.239.74 204.254.239.94;
       }

       group {
	 group-specific parameters...
	 host zappo.test.isc.org {
	   host-specific parameters...
	 }
	 host beppo.test.isc.org {
	   host-specific parameters...
	 }
	 host harpo.test.isc.org {
	   host-specific parameters...
	 }
       }

				      Figure 1


       Notice that at the beginning of the file, there's a  place  for	global
       parameters.    These  might  be	things	like the organization's domain
       name, the addresses of the name servers (if  they  are  common  to  the
       entire organization), and so on.	  So, for example:

	    option domain-name "isc.org";
	    option domain-name-servers ns1.isc.org, ns2.isc.org;

				      Figure 2

       As  you	can see in Figure 2, you can specify host addresses in parame-
       ters using their domain names rather than their numeric	IP  addresses.
       If  a given hostname resolves to more than one IP address (for example,
       if that host has two ethernet interfaces), then	where  possible,  both
       addresses are supplied to the client.

       The  most obvious reason for having subnet-specific parameters as shown
       in Figure 1 is that each subnet, of necessity, has its own router.   So
       for the first subnet, for example, there should be something like:

	    option routers 204.254.239.1;

       Note  that  the	address	 here  is specified numerically.   This is not
       required - if you have a different domain name for  each	 interface  on
       your  router, it's perfectly legitimate to use the domain name for that
       interface instead of the numeric	 address.    However,  in  many	 cases
       there  may  be only one domain name for all of a router's IP addresses,
       and it would not be appropriate to use that name here.

       In Figure 1 there is also a  group  statement,  which  provides	common
       parameters  for	a set of three hosts - zappo, beppo and harpo.	As you
       can see, these hosts are all in the test.isc.org domain,	 so  it	 might
       make  sense  for a group-specific parameter to override the domain name
       supplied to these hosts:

	    option domain-name "test.isc.org";

       Also, given the domain they're in, these are  probably  test  machines.
       If we wanted to test the DHCP leasing mechanism, we might set the lease
       timeout somewhat shorter than the default:

	    max-lease-time 120;
	    default-lease-time 120;

       You may have noticed that while some parameters start with  the	option
       keyword,	 some  do  not.	   Parameters starting with the option keyword
       correspond to actual DHCP options, while parameters that do  not	 start
       with  the option keyword either control the behavior of the DHCP server
       (e.g., how long a lease dhcpd will give out), or specify client parame-
       ters  that  are not optional in the DHCP protocol (for example, server-
       name and filename).

       In Figure 1, each host  had  host-specific  parameters.	  These	 could
       include	such  things  as  the  hostname	 option, the name of a file to
       upload (the filename parameter) and the	address	 of  the  server  from
       which to upload the file (the next-server parameter).   In general, any
       parameter can appear anywhere that parameters are allowed, and will  be
       applied according to the scope in which the parameter appears.

       Imagine	that  you  have	 a site with a lot of NCD X-Terminals.	 These
       terminals come in a variety of models, and you want to specify the boot
       files for each model.   One way to do this would be to have host decla-
       rations for each server and group them by model:

       group {
	 filename "Xncd19r";
	 next-server ncd-booter;

	 host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; }
	 host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; }
	 host ncd8 { hardware ethernet 0:c0:c3:22:46:81; }
       }

       group {
	 filename "Xncd19c";
	 next-server ncd-booter;

	 host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; }
	 host ncd3 { hardware ethernet 0:c0:c3:00:14:11; }
       }

       group {
	 filename "XncdHMX";
	 next-server ncd-booter;

	 host ncd1 { hardware ethernet 0:c0:c3:11:90:23; }
	 host ncd4 { hardware ethernet 0:c0:c3:91:a7:8; }
	 host ncd8 { hardware ethernet 0:c0:c3:cc:a:8f; }
       }

ADDRESS POOLS
       The pool declaration can be used to specify a pool  of  addresses  that
       will be treated differently than another pool of addresses, even on the
       same network segment or subnet.	 For example, you may want to  provide
       a  large set of addresses that can be assigned to DHCP clients that are
       registered to your DHCP	server,	 while	providing  a  smaller  set  of
       addresses,  possibly  with  short  lease	 times, that are available for
       unknown clients.	  If you have a firewall, you may be able  to  arrange
       for addresses from one pool to be allowed access to the Internet, while
       addresses in another pool are not, thus encouraging users  to  register
       their  DHCP clients.   To do this, you would set up a pair of pool dec-
       larations:

       subnet 10.0.0.0 netmask 255.255.255.0 {
	 option routers 10.0.0.254;

	 # Unknown clients get this pool.
	 pool {
	   option domain-name-servers bogus.example.com;
	   max-lease-time 300;
	   range 10.0.0.200 10.0.0.253;
	   allow unknown-clients;
	 }

	 # Known clients get this pool.
	 pool {
	   option domain-name-servers ns1.example.com, ns2.example.com;
	   max-lease-time 28800;
	   range 10.0.0.5 10.0.0.199;
	   deny unknown-clients;
	 }
       }

       It is also possible to set up entirely different subnets for known  and
       unknown	clients - address pools exist at the level of shared networks,
       so address ranges within pool declarations can be on different subnets.

       As  you	can  see in the preceding example, pools can have permit lists
       that control which clients are allowed access to	 the  pool  and	 which
       aren't.	 Each  entry  in  a  pool's permit list is introduced with the
       allow or deny keyword.	If a pool has a permit list, then  only	 those
       clients that match specific entries on the permit list will be eligible
       to be assigned addresses from the pool.	 If a pool has	a  deny	 list,
       then  only those clients that do not match any entries on the deny list
       will be eligible.    If both permit and deny lists exist	 for  a	 pool,
       then  only clients that match the permit list and do not match the deny
       list will be allowed access.

DYNAMIC ADDRESS ALLOCATION
       Address allocation is actually only done when a client is in  the  INIT
       state and has sent a DHCPDISCOVER message.  If the client thinks it has
       a valid lease and sends a DHCPREQUEST to initiate or renew that	lease,
       the server has only three choices - it can ignore the DHCPREQUEST, send
       a DHCPNAK to tell the client it should stop using the address, or  send
       a  DHCPACK,  telling  the  client to go ahead and use the address for a
       while.

       If the server finds the address the  client  is	requesting,  and  that
       address is available to the client, the server will send a DHCPACK.  If
       the address is no longer available, or the client  isn't	 permitted  to
       have  it,  the server will send a DHCPNAK.  If the server knows nothing
       about the address, it will remain silent, unless the address is	incor-
       rect  for the network segment to which the client has been attached and
       the server is authoritative for that network segment, in which case the
       server  will  send  a  DHCPNAK  even  though  it doesn't know about the
       address.

       There may be a host declaration matching the  client's  identification.
       If  that	 host  declaration  contains  a fixed-address declaration that
       lists an IP address that is valid for the network segment to which  the
       client  is  connected.	In  this  case,	 the DHCP server will never do
       dynamic address allocation.  In this case, the client  is  required  to
       take  the  address  specified  in the host declaration.	 If the client
       sends a DHCPREQUEST for some other address,  the	 server	 will  respond
       with a DHCPNAK.

       When  the  DHCP	server allocates a new address for a client (remember,
       this only happens if the client has  sent  a  DHCPDISCOVER),  it	 first
       looks  to see if the client already has a valid lease on an IP address,
       or if there is an old IP address the client had before that hasn't  yet
       been  reassigned.   In that case, the server will take that address and
       check it to see if the client is still permitted to  use	 it.   If  the
       client  is  no  longer  permitted  to use it, the lease is freed if the
       server thought it was still in use - the fact that the client has  sent
       a  DHCPDISCOVER proves to the server that the client is no longer using
       the lease.

       If no existing lease is found, or if the client is forbidden to receive
       the  existing  lease,  then the server will look in the list of address
       pools for the network segment to which the client  is  attached	for  a
       lease that is not in use and that the client is permitted to have.   It
       looks through each pool declaration in sequence (all range declarations
       that appear outside of pool declarations are grouped into a single pool
       with no permit list).   If the permit list  for	the  pool  allows  the
       client  to be allocated an address from that pool, the pool is examined
       to see if there is an address available.	  If so, then  the  client  is
       tentatively  assigned  that  address.	Otherwise,  the	 next  pool is
       tested.	 If no addresses are found that can be assigned to the client,
       no response is sent to the client.

       If  an  address is found that the client is permitted to have, and that
       has never been assigned to any client before, the  address  is  immedi-
       ately  allocated to the client.	 If the address is available for allo-
       cation but has been previously assigned	to  a  different  client,  the
       server  will keep looking in hopes of finding an address that has never
       before been assigned to a client.

       The DHCP server generates the list of available	IP  addresses  from  a
       hash  table.   This means that the addresses are not sorted in any par-
       ticular order, and so it is not possible to predict the order in	 which
       the  DHCP  server  will allocate IP addresses.	Users of previous ver-
       sions of the ISC DHCP server may have become  accustomed	 to  the  DHCP
       server  allocating  IP  addresses  in  ascending	 order, but this is no
       longer possible, and there is no way to configure  this	behavior  with
       version 3 of the ISC DHCP server.

IP ADDRESS CONFLICT PREVENTION
       The  DHCP  server  checks IP addresses to see if they are in use before
       allocating them to clients.   It does this  by  sending	an  ICMP  Echo
       request	message	 to  the IP address being allocated.   If no ICMP Echo
       reply is received within a second, the address is assumed to  be	 free.
       This  is	 only done for leases that have been specified in range state-
       ments, and only when the lease is thought by the DHCP server to be free
       -  i.e.,	 the DHCP server or its failover peer has not listed the lease
       as in use.

       If a response is received to an ICMP  Echo  request,  the  DHCP	server
       assumes	that there is a configuration error - the IP address is in use
       by some host on the network that is not a DHCP client.	It  marks  the
       address as abandoned, and will not assign it to clients.

       If  a  DHCP  client tries to get an IP address, but none are available,
       but there are abandoned IP addresses, then the DHCP server will attempt
       to  reclaim an abandoned IP address.   It marks one IP address as free,
       and then does the same ICMP Echo request	 check	described  previously.
       If there is no answer to the ICMP Echo request, the address is assigned
       to the client.

       The DHCP server does not cycle through abandoned IP  addresses  if  the
       first  IP  address it tries to reclaim is free.	 Rather, when the next
       DHCPDISCOVER comes in from the client, it will attempt a new allocation
       using  the  same method described here, and will typically try a new IP
       address.

DHCP FAILOVER
       This version of the ISC DHCP server supports the DHCP failover protocol
       as  documented in draft-ietf-dhc-failover-07.txt.   This is not a final
       protocol document, and we have not done interoperability	 testing  with
       other vendors' implementations of this protocol, so you must not assume
       that this implementation conforms to the standard.  If you wish to  use
       the  failover  protocol, make sure that both failover peers are running
       the same version of the ISC DHCP server.

       The failover protocol allows two DHCP servers (and no more than two) to
       share  a common address pool.   Each server will have about half of the
       available IP addresses in the pool at any given	time  for  allocation.
       If one server fails, the other server will continue to renew leases out
       of the pool, and will allocate new addresses out of the roughly half of
       available  addresses  that  it  had  when communications with the other
       server were lost.

       It is possible during a prolonged failure to tell the remaining	server
       that  the other server is down, in which case the remaining server will
       (over time) reclaim all the addresses the other	server	had  available
       for  allocation,	 and begin to reuse them.   This is called putting the
       server into the PARTNER-DOWN state.

       You can put the server into the PARTNER-DOWN state either by using  the
       omshell	(1)  command  or by stopping the server, editing the last peer
       state declaration in the lease file, and restarting  the	 server.    If
       you  use	 this  last  method, be sure to leave the date and time of the
       start of the state blank:

       failover peer name state {
       my state partner-down;
       peer state state at date;
       }

       When the other server comes back online, it should automatically detect
       that  it has been offline and request a complete update from the server
       that was running in the PARTNER-DOWN state, and then both servers  will
       resume processing together.

       It is possible to get into a dangerous situation: if you put one server
       into the PARTNER-DOWN state, and then *that* server goes down, and  the
       other  server  comes  back  up, the other server will not know that the
       first server was in the PARTNER-DOWN state,  and	 may  issue  addresses
       previously  issued  by the other server to different clients, resulting
       in IP address conflicts.	  Before putting a  server  into  PARTNER-DOWN
       state,  therefore,  make	 sure  that  the other server will not restart
       automatically.

       The failover protocol defines a primary server  role  and  a  secondary
       server  role.	There are some differences in how primaries and secon-
       daries act, but most of the differences simply have to do with  provid-
       ing  a  way for each peer to behave in the opposite way from the other.
       So one server must be configured as primary, and the other must be con-
       figured	as  secondary,	and  it	 doesn't  matter too much which one is
       which.

FAILOVER STARTUP
       When a server starts that has  not  previously  communicated  with  its
       failover	 peer, it must establish communications with its failover peer
       and synchronize with it before it can serve clients.   This can	happen
       either  because	you  have just configured your DHCP servers to perform
       failover for the first time, or because one of  your  failover  servers
       has failed catastrophically and lost its database.

       The  initial  recovery  process	is  designed  to  ensure that when one
       failover peer loses its database and then  resynchronizes,  any	leases
       that the failed server gave out before it failed will be honored.  When
       the failed server starts up, it notices that it has no  saved  failover
       state, and attempts to contact its peer.

       When  it	 has established contact, it asks the peer for a complete copy
       its peer's lease database.  The peer then sends its complete  database,
       and sends a message indicating that it is done.	The failed server then
       waits until MCLT has passed, and once MCLT has passed both servers make
       the transition back into normal operation.  This waiting period ensures
       that any leases the failed server may have given out while out of  con-
       tact with its partner will have expired.

       While the failed server is recovering, its partner remains in the part-
       ner-down state, which means that it is serving all clients.  The failed
       server provides no service at all to DHCP clients until it has made the
       transition into normal operation.

       In the case where both servers detect that they have never before  com-
       municated  with their partner, they both come up in this recovery state
       and follow the procedure we have just described.	   In  this  case,  no
       service will be provided to DHCP clients until MCLT has expired.

CONFIGURING FAILOVER
       In  order  to  configure failover, you need to write a peer declaration
       that configures the failover protocol, and you need to write peer  ref-
       erences	in  each  pool	declaration for which you want to do failover.
       You do not have to do failover for all pools on a  given	 network  seg-
       ment.	You must not tell one server it's doing failover on a particu-
       lar address pool and tell the other it is not.	You must not have  any
       common  address pools on which you are not doing failover.  A pool dec-
       laration that utilizes failover would look like this:

       pool {
	    failover peer "foo";
	    deny dynamic bootp clients;
	    pool specific parameters
       };

       Dynamic BOOTP leases are not compatible with failover,  and,  as	 such,
       you need to disallow BOOTP in pools that you are using failover for.

       The   server currently  does very  little  sanity checking,  so if  you
       configure it wrong, it will just	 fail in odd ways.  I would  recommend
       therefore  that you either do  failover or don't do failover, but don't
       do any mixed pools.  Also,  use the same master configuration file  for
       both   servers,	and  have  a  separate file  that  contains  the  peer
       declaration and includes the master file.  This will help you to	 avoid
       configuration   mismatches.  As our  implementation evolves,  this will
       become  less of	a  problem.  A	basic  sample dhcpd.conf  file for   a
       primary server might look like this:

       failover peer "foo" {
	 primary;
	 address anthrax.rc.vix.com;
	 port 647;
	 peer address trantor.rc.vix.com;
	 peer port 847;
	 max-response-delay 60;
	 max-unacked-updates 10;
	 mclt 3600;
	 split 128;
	 load balance max seconds 3;
       }

       include "/etc/dhcpd.master";

       The statements in the peer declaration are as follows:

       The primary and secondary statements

	  [ primary | secondary ];

	  This	determines  whether  the  server  is  primary or secondary, as
	  described earlier under DHCP FAILOVER.

       The address statement

	  address address;

	  The address statement declares the IP address or DNS name  on	 which
	  the server should listen for connections from its failover peer, and
	  also the value to use for the DHCP Failover Protocol server  identi-
	  fier.	  Because  this	 value is used as an identifier, it may not be
	  omitted.

       The peer address statement

	  peer address address;

	  The peer address statement declares the IP address or	 DNS  name  to
	  which	 the  server  should  connect  to  reach its failover peer for
	  failover messages.

       The port statement

	  port port-number;

	  The port statement declares the TCP port on which the server	should
	  listen for connections from its failover peer.

       The peer port statement

	  peer port port-number;

	  The  peer  port  statement declares the TCP port to which the server
	  should connect to reach its failover peer for failover messages. The
	  port	number	declared in the peer port statement may be the same as
	  the port number declared in the port statement.

       The max-response-delay statement

	  max-response-delay seconds;

	  The max-response-delay statement tells the DHCP server how many sec-
	  onds	may  pass  without  receiving a message from its failover peer
	  before it assumes that connection has failed.	  This	number	should
	  be  small  enough  that  a transient network failure that breaks the
	  connection will not result in the servers being out of communication
	  for  a  long time, but large enough that the server isn't constantly
	  making and breaking connections.   This parameter must be specified.

       The max-unacked-updates statement

	  max-unacked-updates count;

	  The  max-unacked-updates  statement  tells  the DHCP server how many
	  BNDUPD messages it can send before it receives  a  BNDACK  from  the
	  failover  peer.   We don't have enough operational experience to say
	  what a good value for this is, but 10 seems to work.	 This  parame-
	  ter must be specified.

       The mclt statement

	  mclt seconds;

	  The  mclt  statement defines the Maximum Client Lead Time.   It must
	  be specified on the primary, and may not be specified	 on  the  sec-
	  ondary.    This  is  the  length  of	time  for which a lease may be
	  renewed by either failover peer without contacting the other.	   The
	  longer  you set this, the longer it will take for the running server
	  to recover IP addresses after moving into PARTNER-DOWN state.	   The
	  shorter  you set it, the more load your servers will experience when
	  they are not communicating.	A value	 of  something	like  3600  is
	  probably  reasonable,	 but  again  bear in mind that we have no real
	  operational experience with this.

       The split statement

	  split index;

	  The split statement specifies the split between the primary and sec-
	  ondary for the purposes of load balancing.   Whenever a client makes
	  a DHCP request, the DHCP server runs a hash on the client  identifi-
	  cation.    If	 the  hash comes out to less than the split value, the
	  primary answers.   If it comes out to equal  to  or  more  than  the
	  split,  the  secondary  answers.   The only meaningful value is 128,
	  and can only be configured on the primary.

       The hba statement

	  hba colon-separated-hex-list;

	  The hba statement specifies the split between the primary  and  sec-
	  ondary  as a bitmap rather than a cutoff, which theoretically allows
	  for finer-grained control.   In practice, there is probably no  need
	  for such fine-grained control, however.   An example hba statement:

	    hba ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
		00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00;

	  This	is  equivalent	to a split 128; statement.  You must only have
	  split or hba defined, never both.  For most cases, the  fine-grained
	  control  that	 hba offers isn't necessary, and split should be used.
	  As such, the use of hba is deprecated.

       The load balance max seconds statement

	  load balance max seconds seconds;

	  This statement allows you to configure a  cutoff  after  which  load
	  balancing is disabled.  The cutoff is based on the number of seconds
	  since the client sent its first DHCPDISCOVER or DHCPREQUEST message,
	  and  only works with clients that correctly implement the secs field
	  - fortunately most clients do.  We recommend setting this  to	 some-
	  thing	 like  3  or  5.   The	effect	of  this is that if one of the
	  failover peers gets into a state where it is responding to  failover
	  messages  but	 not  responding  to  some  client requests, the other
	  failover peer will take over its client load	automatically  as  the
	  clients retry.

CLIENT CLASSING
       Clients	can be separated into classes, and treated differently depend-
       ing on what class they are in.	This separation	 can  be  done	either
       with  a	conditional  statement,	 or  with a match statement within the
       class declaration.   It is possible to specify a	 limit	on  the	 total
       number  of  clients within a particular class or subclass that may hold
       leases at one time, and it is possible to specify automatic subclassing
       based on the contents of the client packet.

       To  add	clients	 to  classes  based on conditional evaluation, you can
       specify a matching expression in the class statement:

       class "ras-clients" {
	 match if substring (option dhcp-client-identifier, 1, 3) = "RAS";
       }

       Note that whether you use matching expressions or  add  statements  (or
       both)  to  classify  clients, you must always write a class declaration
       for any class that you use.   If there will be no match	statement  and
       no  in-scope  statements	 for a class, the declaration should look like
       this:

       class "ras-clients" {
       }

SUBCLASSES
       In addition to classes, it is possible to declare subclasses.   A  sub-
       class is a class with the same name as a regular class, but with a spe-
       cific submatch expression which is hashed for quick matching.  This  is
       essentially  a  speed  hack  - the main difference between five classes
       with match expressions and one class with five subclasses  is  that  it
       will be quicker to find the subclasses.	 Subclasses work as follows:

       class "allocation-class-1" {
	 match pick-first-value (option dhcp-client-identifier, hardware);
       }

       class "allocation-class-2" {
	 match pick-first-value (option dhcp-client-identifier, hardware);
       }

       subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
       subclass "allocation-class-2" 1:8:0:2b:a9:cc:e3;
       subclass "allocation-class-1" 1:0:0:c4:aa:29:44;

       subnet 10.0.0.0 netmask 255.255.255.0 {
	 pool {
	   allow members of "allocation-class-1";
	   range 10.0.0.11 10.0.0.50;
	 }
	 pool {
	   allow members of "allocation-class-2";
	   range 10.0.0.51 10.0.0.100;
	 }
       }

       The data following the class name in the subclass declaration is a con-
       stant value to use in matching the  match  expression  for  the	class.
       When class matching is done, the server will evaluate the match expres-
       sion and then look the result up in the hash table.    If  it  finds  a
       match, the client is considered a member of both the class and the sub-
       class.

       Subclasses can be declared with or without scope.   In the above	 exam-
       ple,  the  sole purpose of the subclass is to allow some clients access
       to one address pool, while other clients are given access to the	 other
       pool, so these subclasses are declared without scopes.	If part of the
       purpose of the subclass were to define different parameter  values  for
       some clients, you might want to declare some subclasses with scopes.

       In  the above example, if you had a single client that needed some con-
       figuration parameters, while most didn't, you might write the following
       subclass declaration for that client:

       subclass "allocation-class-2" 1:08:00:2b:a1:11:31 {
	 option root-path "samsara:/var/diskless/alphapc";
	 filename "/tftpboot/netbsd.alphapc-diskless";
       }

       In  this	 example,  we've  used subclassing as a way to control address
       allocation on a per-client basis.  However, it's also possible  to  use
       subclassing  in ways that are not specific to clients - for example, to
       use the value of the vendor-class-identifier option to  determine  what
       values  to  send in the vendor-encapsulated-options option.  An example
       of this is shown under the VENDOR  ENCAPSULATED	OPTIONS	 head  in  the
       dhcp-options(5) manual page.

PER-CLASS LIMITS ON DYNAMIC ADDRESS ALLOCATION
       You may specify a limit to the number of clients in a class that can be
       assigned leases.	  The effect of this will be to make it difficult  for
       a  new  client in a class to get an address.   Once a class with such a
       limit has reached its limit, the only way a new client  in  that	 class
       can  get	 a  lease  is  for an existing client to relinquish its lease,
       either by letting it  expire,  or  by  sending  a  DHCPRELEASE  packet.
       Classes with lease limits are specified as follows:

       class "limited-1" {
	 lease limit 4;
       }

       This will produce a class in which a maximum of four members may hold a
       lease at one time.

SPAWNING CLASSES
       It is possible to declare a spawning class.   A	spawning  class	 is  a
       class  that  automatically produces subclasses based on what the client
       sends.	The reason that spawning classes were created was to  make  it
       possible	 to  create lease-limited classes on the fly.	The envisioned
       application is a cable-modem environment where the ISP wishes  to  pro-
       vide  clients  at  a particular site with more than one IP address, but
       does not wish to provide such clients with their own subnet,  nor  give
       them  an	 unlimited  number of IP addresses from the network segment to
       which they are connected.

       Many cable modem head-end systems can be	 configured  to	 add  a	 Relay
       Agent Information option to DHCP packets when relaying them to the DHCP
       server.	 These systems typically add a circuit ID or remote ID	option
       that  uniquely  identifies  the	customer  site.	  To take advantage of
       this, you can write a class declaration as follows:

       class "customer" {
	 spawn with option agent.circuit-id;
	 lease limit 4;
       }

       Now whenever a request comes in from a customer site,  the  circuit  ID
       option  will be checked against the class's hash table.	 If a subclass
       is found that matches the circuit ID, the client will be classified  in
       that subclass and treated accordingly.	If no subclass is found match-
       ing the circuit ID, a new  one  will  be	 created  and  logged  in  the
       dhcpd.leases file, and the client will be classified in this new class.
       Once the client has been classified, it will be	treated	 according  to
       the  rules  of the class, including, in this case, being subject to the
       per-site limit of four leases.

       The use of the subclass spawning mechanism is not restricted  to	 relay
       agent  options  - this particular example is given only because it is a
       fairly straightforward one.

COMBINING MATCH, MATCH IF AND SPAWN WITH
       In some cases, it may be useful to  use	one  expression	 to  assign  a
       client  to a particular class, and a second expression to put it into a
       subclass of that class.	 This can be done by combining	the  match  if
       and  spawn with statements, or the match if and match statements.   For
       example:

       class "jr-cable-modems" {
	 match if option dhcp-vendor-identifier = "jrcm";
	 spawn with option agent.circuit-id;
	 lease limit 4;
       }

       class "dv-dsl-modems" {
	 match if opton dhcp-vendor-identifier = "dvdsl";
	 spawn with option agent.circuit-id;
	 lease limit 16;
       }

       This allows you to have two classes that both have the same spawn  with
       expression without getting the clients in the two classes confused with
       each other.

DYNAMIC DNS UPDATES
       The DHCP server has the ability to dynamically update the  Domain  Name
       System.	 Within	 the  configuration files, you can define how you want
       the Domain Name System to be updated.  These updates are RFC 2136  com-
       pliant  so  any DNS server supporting RFC 2136 should be able to accept
       updates from the DHCP server.

       Two DNS update  schemes	are  currently	implemented,  and  another  is
       planned.	   The	two  that  are	currently available are the ad-hoc DNS
       update mode and the interim DHCP-DNS interaction draft update mode.  If
       and  when  the  DHCP-DNS	 interaction draft and the DHCID draft make it
       through the IETF standards process, there will be a third  mode,	 which
       will  be the standard DNS update method.	  The DHCP server must be con-
       figured to use one of the two currently-supported methods, or not to do
       dns  updates.	This can be done with the ddns-update-style configura-
       tion parameter.

THE AD-HOC DNS UPDATE SCHEME
       The ad-hoc Dynamic DNS update scheme is now  deprecated	and  does  not
       work.   In future releases of the ISC DHCP server, this scheme will not
       likely be available.  The interim scheme works,	allows	for  failover,
       and  should  now	 be  used.  The following description is left here for
       informational purposes only.

       The ad-hoc Dynamic DNS update scheme implemented in this version of the
       ISC  DHCP  server is a prototype design, which does not have much to do
       with the standard update method that is being standardized in the  IETF
       DHC  working  group, but rather implements some very basic, yet useful,
       update capabilities.   This mode does not work with the failover proto-
       col  because  it	 does not account for the possibility of two different
       DHCP servers updating the same set of DNS records.

       For the ad-hoc DNS update method, the client's FQDN is derived  in  two
       parts.	 First, the hostname is determined.   Then, the domain name is
       determined, and appended to the hostname.

       The DHCP server determines the client's hostname by first looking for a
       ddns-hostname  configuration  option,  and using that if it is present.
       If no such option is present, the server looks for a valid hostname  in
       the  FQDN option sent by the client.  If one is found, it is used; oth-
       erwise, if the client sent a host-name option, that  is	used.	Other-
       wise,  if  there	 is a host declaration that applies to the client, the
       name from that declaration will be used.	 If none of these applies, the
       server will not have a hostname for the client, and will not be able to
       do a DNS update.

       The domain name is determined from  the	ddns-domainname	 configuration
       option.	The default configuration for this option is:

	 option server.ddns-domainname = config-option domain-name;

       So  if this configuration option is not configured to a different value
       (over-riding the above default), or if a	 domain-name  option  has  not
       been  configured	 for  the  client's  scope,  then  the server will not
       attempt to perform a DNS update.

       The client's fully-qualified domain name, derived as we have described,
       is  used	 as  the  name	on  which an "A" record will be stored.	 The A
       record will contain the IP address that the client was assigned in  its
       lease.	 If there is already an A record with the same name in the DNS
       server, no update of either the A or PTR records will occur - this pre-
       vents a client from claiming that its hostname is the name of some net-
       work  server.	For  example,  if  you	have   a   fileserver	called
       "fs.sneedville.edu", and the client claims its hostname is "fs", no DNS
       update will be done for that client,  and  an  error  message  will  be
       logged.

       If  the	A record update succeeds, a PTR record update for the assigned
       IP address will be done, pointing to the A  record.    This  update  is
       unconditional  - it will be done even if another PTR record of the same
       name exists.   Since the IP address  has	 been  assigned	 to  the  DHCP
       server, this should be safe.

       Please note that the current implementation assumes clients only have a
       single network interface.   A client with two network  interfaces  will
       see  unpredictable  behavior.	This  is considered a bug, and will be
       fixed in a later release.   It may be helpful to enable the  one-lease-
       per-client  parameter  so that roaming clients do not trigger this same
       behavior.

       The DHCP protocol normally involves a four-packet exchange - first  the
       client sends a DHCPDISCOVER message, then the server sends a DHCPOFFER,
       then the client sends a DHCPREQUEST, then the server sends  a  DHCPACK.
       In  the	current version of the server, the server will do a DNS update
       after it has received the DHCPREQUEST, and before it has sent the  DHC-
       PACK.	It  only  sends	 the DNS update if it has not sent one for the
       client's address before, in order to minimize the impact	 on  the  DHCP
       server.

       When the client's lease expires, the DHCP server (if it is operating at
       the time, or when next it operates) will remove the client's A and  PTR
       records	from  the  DNS database.   If the client releases its lease by
       sending a DHCPRELEASE message, the server will likewise	remove	the  A
       and PTR records.

THE INTERIM DNS UPDATE SCHEME
       The  interim  DNS  update  scheme  operates mostly according to several
       drafts that are being considered by the IETF and are expected to become
       standards,  but	are  not  yet  standards,  and may not be standardized
       exactly as currently proposed.	These are:

			draft-ietf-dhc-ddns-resolution-??.txt
			  draft-ietf-dhc-fqdn-option-??.txt
			  draft-ietf-dnsext-dhcid-rr-??.txt

       Because our implementation is slightly different than the standard,  we
       will briefly document the operation of this update style here.

       The  first  point  to understand about this style of DNS update is that
       unlike the ad-hoc style, the DHCP server does  not  necessarily	always
       update  both  the  A  and the PTR records.   The FQDN option includes a
       flag which, when sent by the client, indicates that the	client	wishes
       to  update  its own A record.   In that case, the server can be config-
       ured either to honor the client's intentions or ignore them.   This  is
       done  with  the statement allow client-updates; or the statement ignore
       client-updates;.	  By default, client updates are allowed.

       If the server is configured to allow client updates, then if the client
       sends a fully-qualified domain name in the FQDN option, the server will
       use that name the client sent in the FQDN  option  to  update  the  PTR
       record.	 For example, let us say that the client is a visitor from the
       "radish.org" domain, whose hostname is "jschmoe".   The server  is  for
       the  "example.org"  domain.    The  DHCP	 client	 indicates in the FQDN
       option that its FQDN is "jschmoe.radish.org.".	It also indicates that
       it  wants  to update its own A record.	The DHCP server therefore does
       not attempt to set up an A record for the client, but does set up a PTR
       record  for  the	 IP  address  that  it assigns the client, pointing at
       jschmoe.radish.org.   Once the DHCP client has an IP  address,  it  can
       update its own A record, assuming that the "radish.org" DNS server will
       allow it to do so.

       If the server is configured not to allow	 client	 updates,  or  if  the
       client doesn't want to do its own update, the server will simply choose
       a name for the client from either the fqdn option (if present)  or  the
       hostname	 option (if present).  It will use its own domain name for the
       client, just as in the ad-hoc update scheme.  It will then update  both
       the A and PTR record, using the name that it chose for the client.   If
       the client sends a fully-qualified domain name in the fqdn option,  the
       server  uses only the leftmost part of the domain name - in the example
       above, "jschmoe" instead of "jschmoe.radish.org".

       Also, if the use-host-decl-names configuration option is enabled,  then
       the  host  declaration's hostname will be used in place of the hostname
       option, and the same rules will apply as described above.

       The other difference between the ad-hoc scheme and the  interim	scheme
       is that with the interim scheme, a method is used that allows more than
       one DHCP server to update the DNS database without accidentally	delet-
       ing  A  records	that shouldn't be deleted nor failing to add A records
       that should be added.   The scheme works as follows:

       When the DHCP server issues a client a new lease,  it  creates  a  text
       string  that  is an MD5 hash over the DHCP client's identification (see
       draft-ietf-dnsext-dhcid-rr-??.txt for details).	 The update adds an  A
       record  with  the name the server chose and a TXT record containing the
       hashed identifier string	 (hashid).    If  this	update	succeeds,  the
       server is done.

       If  the update fails because the A record already exists, then the DHCP
       server attempts to add the A record with the  prerequisite  that	 there
       must be a TXT record in the same name as the new A record, and that TXT
       record's contents must be equal to hashid.   If this  update  succeeds,
       then  the  client  has its A record and PTR record.   If it fails, then
       the name the client has been assigned (or requested)  is	 in  use,  and
       can't  be  used by the client.	At this point the DHCP server gives up
       trying to do a DNS update for the client until the client chooses a new
       name.

       The  interim  DNS  update  scheme  is  called  interim for two reasons.
       First, it does not quite follow the drafts.   The current  versions  of
       the  drafts call for a new DHCID RRtype, but this is not yet available.
       The interim DNS update scheme uses a TXT record	instead.    Also,  the
       existing ddns-resolution draft calls for the DHCP server to put a DHCID
       RR on the PTR record, but the interim update method does not  do	 this.
       It is our position that this is not useful, and we are working with the
       author in hopes of removing it from the next version of the  draft,  or
       better understanding why it is considered useful.

       In  addition to these differences, the server also does not update very
       aggressively.  Because each DNS update involves a round trip to the DNS
       server,	there  is a cost associated with doing updates even if they do
       not actually modify the DNS  database.	 So  the  DHCP	server	tracks
       whether	or not it has updated the record in the past (this information
       is stored on the lease) and does not attempt to update records that  it
       thinks it has already updated.

       This  can  lead	to cases where the DHCP server adds a record, and then
       the record is deleted through some  other  mechanism,  but  the	server
       never  again  updates  the  DNS	because	 it thinks the data is already
       there.	In this case the data can be removed from  the	lease  through
       operator	 intervention,	and  once  this has been done, the DNS will be
       updated the next time the client renews.

DYNAMIC DNS UPDATE SECURITY
       When you set your DNS server up to allow updates from the DHCP  server,
       you  may	 be  exposing  it to unauthorized updates.  To avoid this, you
       should use TSIG signatures -  a	method	of  cryptographically  signing
       updates using a shared secret key.   As long as you protect the secrecy
       of this key, your updates should also be secure.	  Note, however,  that
       the  DHCP  protocol  itself  provides no security, and that clients can
       therefore provide information to the DHCP server which the DHCP	server
       will  then  use	in  its updates, with the constraints described previ-
       ously.

       The DNS server must be configured to allow updates for  any  zone  that
       the DHCP server will be updating.  For example, let us say that clients
       in  the	sneedville.edu	domain	will  be  assigned  addresses  on  the
       10.10.17.0/24  subnet.	In  that case, you will need a key declaration
       for the TSIG key you will be using, and also two	 zone  declarations  -
       one  for the zone containing A records that will be updates and one for
       the zone containing PTR records - for ISC BIND, something like this:

       key DHCP_UPDATER {
	 algorithm hmac-md5;
	 secret pRP5FapFoJ95JEL06sv4PQ==;
       };

       zone "example.org" {
	    type master;
	    file "example.org.db";
	    allow-update { key DHCP_UPDATER; };
       };

       zone "17.10.10.in-addr.arpa" {
	    type master;
	    file "10.10.17.db";
	    allow-update { key DHCP_UPDATER; };
       };

       You will also have to configure your DHCP server to do updates to these
       zones.	 To  do	 so,  you  need	 to  add  something  like this to your
       dhcpd.conf file:

       key DHCP_UPDATER {
	 algorithm hmac-md5;
	 secret pRP5FapFoJ95JEL06sv4PQ==;
       };

       zone EXAMPLE.ORG. {
	 primary 127.0.0.1;
	 key DHCP_UPDATER;
       }

       zone 17.127.10.in-addr.arpa. {
	 primary 127.0.0.1;
	 key DHCP_UPDATER;
       }

       The primary statement specifies the IP address of the name server whose
       zone information is to be updated.

       Note that the zone declarations have to correspond to authority records
       in your name server - in the above example, there must be an SOA record
       for  "example.org." and for "17.10.10.in-addr.arpa.".   For example, if
       there were a subdomain "foo.example.org"	 with  no  separate  SOA,  you
       could not write a zone declaration for "foo.example.org."  Also keep in
       mind that zone names in your DHCP configuration should end  in  a  ".";
       this  is	 the  preferred syntax.	 If you do not end your zone name in a
       ".", the DHCP server will figure it out.	 Also note that	 in  the  DHCP
       configuration,  zone  names  are not encapsulated in quotes where there
       are in the DNS configuration.

       You should choose your own secret key, of course.  The ISC BIND 8 and 9
       distributions  come  with  a  program for generating secret keys called
       dnssec-keygen.  The version that comes with BIND 9 is likely to produce
       a  substantially more random key, so we recommend you use that one even
       if you are not using BIND 9 as your DNS server.	If you are using  BIND
       9's dnssec-keygen, the above key would be created as follows:

	    dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER

       If  you	are  using the BIND 8 dnskeygen program, the following command
       will generate a key as seen above:

	    dnskeygen -H 128 -u -c -n DHCP_UPDATER

       You may wish to enable logging of DNS updates on your DNS  server.   To
       do so, you might write a logging statement like the following:

       logging {
	    channel update_debug {
		 file "/var/log/update-debug.log";
		 severity  debug 3;
		 print-category yes;
		 print-severity yes;
		 print-time	yes;
	    };
	    channel security_info    {
		 file "/var/log/named-auth.info";
		 severity  info;
		 print-category yes;
		 print-severity yes;
		 print-time	yes;
	    };

	    category update { update_debug; };
	    category security { security_info; };
       };

       You  must  create  the  /var/log/named-auth.info	 and  /var/log/update-
       debug.log files before starting the name server.	  For more information
       on configuring ISC BIND, consult the documentation that accompanies it.

REFERENCE: EVENTS
       There are three kinds of events that can happen regarding a lease,  and
       it  is  possible	 to  declare  statements  that occur when any of these
       events happen.	These events are the commit event, when the server has
       made  a	commitment  of a certain lease to a client, the release event,
       when the client has released the server from its	 commitment,  and  the
       expiry event, when the commitment expires.

       To  declare  a  set of statements to execute when an event happens, you
       must use the on statement, followed by the name of the event,  followed
       by  a  series of statements to execute when the event happens, enclosed
       in braces.   Events are used to implement DNS updates,  so  you	should
       not  define  your  own event handlers if you are using the built-in DNS
       update mechanism.

       The built-in version of the DNS update mechanism is in  a  text	string
       towards	the  top  of  server/dhcpd.c.	 If you want to use events for
       things other than DNS updates, and you also want DNS updates, you  will
       have  to	 start	out by copying this code into your dhcpd.conf file and
       modifying it.

REFERENCE: DECLARATIONS
       The include statement

	include "filename";

       The include statement is used to read in a named file, and process  the
       contents of that file as though it were entered in place of the include
       statement.

       The shared-network statement

	shared-network name {
	  [ parameters ]
	  [ declarations ]
	}

       The shared-network statement is used to inform  the  DHCP  server  that
       some  IP subnets actually share the same physical network.  Any subnets
       in a shared network should be declared within a	shared-network	state-
       ment.   Parameters  specified  in  the shared-network statement will be
       used when booting clients on those subnets unless  parameters  provided
       at  the	subnet or host level override them.  If any subnet in a shared
       network has addresses available for dynamic allocation, those addresses
       are  collected  into a common pool for that shared network and assigned
       to clients as needed.  There is no way to distinguish on	 which	subnet
       of a shared network a client should boot.

       Name should be the name of the shared network.	This name is used when
       printing debugging messages, so it should be descriptive for the shared
       network.	   The	name  may  have	 the  syntax  of  a  valid domain name
       (although it will never be used as such), or it may  be	any  arbitrary
       name, enclosed in quotes.

       The subnet statement

	subnet subnet-number netmask netmask {
	  [ parameters ]
	  [ declarations ]
	}

       The  subnet  statement is used to provide dhcpd with enough information
       to tell whether or not an IP address is on that subnet.	It may also be
       used   to  provide  subnet-specific  parameters	and  to	 specify  what
       addresses may be dynamically allocated to clients booting on that  sub-
       net.   Such addresses are specified using the range declaration.

       The subnet-number should be an IP address or domain name which resolves
       to the subnet number of	the  subnet  being  described.	  The  netmask
       should  be  an  IP  address or domain name which resolves to the subnet
       mask of the subnet being described.   The subnet number, together  with
       the  netmask,  are sufficient to determine whether any given IP address
       is on the specified subnet.

       Although a netmask must be given with every subnet declaration,	it  is
       recommended  that if there is any variance in subnet masks at a site, a
       subnet-mask option statement be used in each subnet declaration to  set
       the  desired  subnet  mask, since any subnet-mask option statement will
       override the subnet mask declared in the subnet statement.

       The range statement

       range [ dynamic-bootp ] low-address [ high-address];

       For any subnet on which addresses will be assigned  dynamically,	 there
       must  be	 at least one range statement.	 The range statement gives the
       lowest and highest IP addresses in a range.   All IP addresses  in  the
       range should be in the subnet in which the range statement is declared.
       The dynamic-bootp flag may be specified if addresses in	the  specified
       range  may  be  dynamically  assigned  to BOOTP clients as well as DHCP
       clients.	  When specifying a single address, high-address can be	 omit-
       ted.

       The host statement

	host hostname {
	  [ parameters ]
	  [ declarations ]
	}

       The host declaration provides a scope in which to provide configuration
       information about a specific client, and also provides a way to	assign
       a  client a fixed address.  The host declaration provides a way for the
       DHCP server to identify a DHCP or BOOTP	client,	 and  also  a  way  to
       assign the client a static IP address.

       If  it  is  desirable to be able to boot a DHCP or BOOTP client on more
       than one subnet with fixed addresses, more  than	 one  address  may  be
       specified  in  the  fixed-address  declaration,	or  more than one host
       statement may be specified matching the same client.

       If client-specific boot parameters must change based on the network  to
       which the client is attached, then multiple host declarations should be
       used.  The host declarations will only match a client if one  of	 their
       fixed-address  statements  is  viable on the subnet (or shared network)
       where the client is attached.  Conversely, for a	 host  declaration  to
       match  a client being allocated a dynamic address, it must not have any
       fixed-address statements.  You may therefore need  a  mixture  of  host
       declarations  for  any  given client...some having fixed-address state-
       ments, others without.

       hostname should be a name identifying the host.	If a  hostname	option
       is not specified for the host, hostname is used.

       Host declarations are matched to actual DHCP or BOOTP clients by match-
       ing the dhcp-client-identifier option specified in the host declaration
       to  the	one supplied by the client, or, if the host declaration or the
       client does not provide a dhcp-client-identifier	 option,  by  matching
       the  hardware parameter in the host declaration to the network hardware
       address supplied by the client.	 BOOTP clients do not normally provide
       a  dhcp-client-identifier, so the hardware address must be used for all
       clients that may boot using the BOOTP protocol.

       Please be aware that only the  dhcp-client-identifier  option  and  the
       hardware	 address  can be used to match a host declaration.   For exam-
       ple, it is not possible to match a  host	 declaration  to  a  host-name
       option.	  This is because the host-name option cannot be guaranteed to
       be unique for any given client, whereas both the hardware  address  and
       dhcp-client-identifier  option are at least theoretically guaranteed to
       be unique to a given client.

       The group statement

	group {
	  [ parameters ]
	  [ declarations ]
	}

       The group statement is used simply to apply one or more parameters to a
       group  of  declarations.	   It  can be used to group hosts, shared net-
       works, subnets, or even other groups.

REFERENCE: ALLOW AND DENY
       The allow and deny statements can be used to control  the  response  of
       the  DHCP server to various sorts of requests.  The allow and deny key-
       words actually have different meanings depending on the context.	 In  a
       pool  context,  these  keywords	can be used to set up access lists for
       address allocation pools.  In other contexts, the keywords simply  con-
       trol  general  server  behavior with respect to clients based on scope.
       In a non-pool context, the ignore keyword can be used in place  of  the
       deny keyword to prevent logging of denied requests.


ALLOW DENY AND IGNORE IN SCOPE
       The following usages of allow and deny will work in any scope, although
       it is not recommended that they be used in pool declarations.

       The unknown-clients keyword

	allow unknown-clients;
	deny unknown-clients;
	ignore unknown-clients;

       The unknown-clients flag is used to tell dhcpd whether or not to dynam-
       ically  assign  addresses to unknown clients.   Dynamic address assign-
       ment to unknown clients is allowed by default.  An  unknown  client  is
       simply a client that has no host declaration.

       The  use	 of  this  option  is  now  deprecated.	  If you are trying to
       restrict access on your network to known clients, you should  use  deny
       unknown-clients;	 inside	 of  your address pool, as described under the
       heading ALLOW AND DENY WITHIN POOL DECLARAIONS.

       The bootp keyword

	allow bootp;
	deny bootp;
	ignore bootp;

       The bootp flag is used to tell dhcpd whether or not to respond to bootp
       queries.	 Bootp queries are allowed by default.

       This  option  does  not	satisfy	 the requirement of failover peers for
       denying dynamic bootp clients.  The deny dynamic bootp clients;	option
       should be used instead. See the ALLOW AND DENY WITHIN POOL DECLARATIONS
       section of this man page for more details.

       The booting keyword

	allow booting;
	deny booting;
	ignore booting;

       The booting flag is used to tell dhcpd whether or  not  to  respond  to
       queries	from  a particular client.  This keyword only has meaning when
       it appears in a host declaration.   By default, booting is allowed, but
       if it is disabled for a particular client, then that client will not be
       able to get an address from the DHCP server.

       The duplicates keyword

	allow duplicates;
	deny duplicates;

       Host declarations can match client messages based on  the  DHCP	Client
       Identifer option or based on the client's network hardware type and MAC
       address.	  If the MAC address is used, the host declaration will	 match
       any  client  with that MAC address - even clients with different client
       identifiers.   This doesn't normally happen, but is possible  when  one
       computer has more than one operating system installed on it - for exam-
       ple, Microsoft Windows and NetBSD or Linux.

       The duplicates flag tells the DHCP server that if a request is received
       from  a	client that matches the MAC address of a host declaration, any
       other leases matching that MAC  address	should	be  discarded  by  the
       server,	even  if the UID is not the same.   This is a violation of the
       DHCP protocol, but can prevent clients whose client identifiers	change
       regularly  from	holding	 many  leases  at  the same time.  By default,
       duplicates are allowed.

       The declines keyword

	allow declines;
	deny declines;
	ignore declines;

       The DHCPDECLINE message is used by DHCP clients to  indicate  that  the
       lease the server has offered is not valid.   When the server receives a
       DHCPDECLINE  for	 a  particular	address,  it  normally	abandons  that
       address,	 assuming that some unauthorized system is using it.  Unfortu-
       nately, a malicious or buggy client can,	 using	DHCPDECLINE  messages,
       completely exhaust the DHCP server's allocation pool.   The server will
       reclaim these leases, but while the client is running through the pool,
       it  may	cause serious thrashing in the DNS, and it will also cause the
       DHCP server to forget old DHCP client address allocations.

       The declines flag tells the DHCP server whether or not to honor DHCPDE-
       CLINE messages.	 If it is set to deny or ignore in a particular scope,
       the DHCP server will not respond to DHCPDECLINE messages.

       The client-updates keyword

	allow client-updates;
	deny client-updates;

       The client-updates flag tells the DHCP server whether or not  to	 honor
       the  client's  intention to do its own update of its A record.  This is
       only relevant when doing interim DNS updates.   See  the	 documentation
       under the heading THE INTERIM DNS UPDATE SCHEME for details.

ALLOW AND DENY WITHIN POOL DECLARATIONS
       The  uses  of the allow and deny keywords shown in the previous section
       work pretty much the same way whether the client is sending a  DHCPDIS-
       COVER  or  a  DHCPREQUEST message - an address will be allocated to the
       client (either the old address it's requesting, or a new	 address)  and
       then  that address will be tested to see if it's okay to let the client
       have it.	  If the client requested it, and it's not  okay,  the	server
       will  send  a  DHCPNAK message.	 Otherwise, the server will simply not
       respond to the client.	If it is okay  to  give	 the  address  to  the
       client, the server will send a DHCPACK message.

       The  primary  motivation	 behind	 pool  declarations is to have address
       allocation pools whose allocation policies are  different.    A	client
       may be denied access to one pool, but allowed access to another pool on
       the same network segment.   In order for this to work,  access  control
       has  to be done during address allocation, not after address allocation
       is done.

       When a DHCPREQUEST message is processed, address allocation simply con-
       sists  of looking up the address the client is requesting and seeing if
       it's still available for the client.  If it is, then  the  DHCP	server
       checks  both  the  address  pool permit lists and the relevant in-scope
       allow and deny statements to see if it's okay to give the lease to  the
       client.	 In the case of a DHCPDISCOVER message, the allocation process
       is done as described previously in the ADDRESS ALLOCATION section.

       When declaring permit lists for address allocation pools, the following
       syntaxes are recognized following the allow or deny keywords:

	known-clients;

       If  specified, this statement either allows or prevents allocation from
       this pool to any client that has a host declaration (i.e.,  is  known).
       A  client  is known if it has a host declaration in any scope, not just
       the current scope.

	unknown-clients;

       If specified, this statement either allows or prevents allocation  from
       this  pool  to  any  client  that has no host declaration (i.e., is not
       known).

	members of "class";

       If specified, this statement either allows or prevents allocation  from
       this pool to any client that is a member of the named class.

	dynamic bootp clients;

       If  specified, this statement either allows or prevents allocation from
       this pool to any bootp client.

	authenticated clients;

       If specified, this statement either allows or prevents allocation  from
       this  pool  to  any  client  that has been authenticated using the DHCP
       authentication protocol.	  This is not yet supported.

	unauthenticated clients;

       If specified, this statement either allows or prevents allocation  from
       this  pool to any client that has not been authenticated using the DHCP
       authentication protocol.	  This is not yet supported.

	all clients;

       If specified, this statement either allows or prevents allocation  from
       this  pool  to all clients.   This can be used when you want to write a
       pool declaration for some reason, but hold it in reserve, or  when  you
       want  to	 renumber  your	 network  quickly, and thus want the server to
       force all clients that have been allocated addresses from this pool  to
       obtain new addresses immediately when they next renew.

REFERENCE: PARAMETERS
       The always-broadcast statement

	  always-broadcast flag;

	  The  DHCP and BOOTP protocols both require DHCP and BOOTP clients to
	  set the broadcast bit in  the	 flags	field  of  the	BOOTP  message
	  header.   Unfortunately, some DHCP and BOOTP clients do not do this,
	  and therefore may not receive responses from the DHCP server.	   The
	  DHCP server can be made to always broadcast its responses to clients
	  by setting this flag to 'on' for the relevant scope; relevant scopes
	  would be inside a conditional statement, as a parameter for a class,
	  or as a parameter for a host declaration.   To avoid creating excess
	  broadcast  traffic  on  your network, we recommend that you restrict
	  the use of this option to as few clients as possible.	  For example,
	  the  Microsoft DHCP client is known not to have this problem, as are
	  the OpenTransport and ISC DHCP clients.

       The always-reply-rfc1048 statement

	  always-reply-rfc1048 flag;

	  Some BOOTP clients expect RFC1048-style responses, but do not follow
	  RFC1048 when sending their requests.	 You can tell that a client is
	  having this problem if it is not getting the options you  have  con-
	  figured  for	it and if you see in the server log the message "(non-
	  rfc1048)" printed with each BOOTREQUEST that is logged.

	  If you want to send rfc1048 options to such a client,	 you  can  set
	  the  always-reply-rfc1048  option in that client's host declaration,
	  and the DHCP server  will  respond  with  an	RFC-1048-style	vendor
	  options  field.   This flag can be set in any scope, and will affect
	  all clients covered by that scope.

       The authoritative statement

	  authoritative;

	  not authoritative;

	  The DHCP server will normally assume that the configuration informa-
	  tion about a given network segment is not known to be correct and is
	  not authoritative.  This is so that if a naive user installs a  DHCP
	  server not fully understanding how to configure it, it does not send
	  spurious DHCPNAK messages to clients that  have  obtained  addresses
	  from a legitimate DHCP server on the network.

	  Network  administrators  setting  up	authoritative DHCP servers for
	  their networks should always write  authoritative;  at  the  top  of
	  their	 configuration	file  to  indicate that the DHCP server should
	  send DHCPNAK messages to misconfigured clients.    If	 this  is  not
	  done,	 clients  will	be  unable  to	get a correct IP address after
	  changing subnets until their old lease has expired, which could take
	  quite a long time.

	  Usually,  writing authoritative; at the top level of the file should
	  be sufficient.   However, if a DHCP server is to be set up  so  that
	  it  is aware of some networks for which it is authoritative and some
	  networks for which it is not, it may be more appropriate to  declare
	  authority on a per-network-segment basis.

	  Note that the most specific scope for which the concept of authority
	  makes any sense is the physical network segment - either  a  shared-
	  network statement or a subnet statement that is not contained within
	  a shared-network statement.  It is not meaningful  to	 specify  that
	  the  server  is  authoritative for some subnets within a shared net-
	  work, but not authoritative for others,  nor	is  it	meaningful  to
	  specify  that the server is authoritative for some host declarations
	  and not others.

       The boot-unknown-clients statement

	  boot-unknown-clients flag;

	  If the boot-unknown-clients statement is present and has a value  of
	  false	 or  off,  then clients for which there is no host declaration
	  will not be allowed to obtain IP addresses.	If this	 statement  is
	  not  present or has a value of true or on, then clients without host
	  declarations will be allowed to obtain  IP  addresses,  as  long  as
	  those	 addresses  are	 not  restricted  by allow and deny statements
	  within their pool declarations.

       The ddns-hostname statement

	  ddns-hostname name;

	  The name parameter should be the hostname that will be used in  set-
	  ting	up  the	 client's  A and PTR records.	If no ddns-hostname is
	  specified in scope, then the server will derive the  hostname	 auto-
	  matically,  using an algorithm that varies for each of the different
	  update methods.

       The ddns-domainname statement

	  ddns-domainname name;

	  The name parameter should be the domain name that will  be  appended
	  to  the  client's  hostname  to  form	 a fully-qualified domain-name
	  (FQDN).

       The ddns-rev-domainname statement

	  ddns-rev-domainname name; The name parameter should  be  the	domain
	  name	that  will  be appended to the client's reversed IP address to
	  produce a name for use in the client's  PTR  record.	  By  default,
	  this is "in-addr.arpa.", but the default can be overridden here.

	  The  reversed	 IP  address  to which this domain name is appended is
	  always the IP address	 of  the  client,  in  dotted  quad  notation,
	  reversed  - for example, if the IP address assigned to the client is
	  10.17.92.74, then the reversed IP address  is	 74.92.17.10.	 So  a
	  client with that IP address would, by default, be given a PTR record
	  of 10.17.92.74.in-addr.arpa.

       The ddns-update-style parameter

	  ddns-update-style style;

	  The style parameter must be one of ad-hoc,  interim  or  none.   The
	  ddns-update-style  statement is only meaningful in the outer scope -
	  it is evaluated once after reading the dhcpd.conf file, rather  than
	  each	time a client is assigned an IP address, so there is no way to
	  use different DNS update styles for different clients.

       The ddns-updates statement

	   ddns-updates flag;

	  The ddns-updates parameter controls whether or not the  server  will
	  attempt  to do a DNS update when a lease is confirmed.   Set this to
	  off if the server should not attempt to do updates within a  certain
	  scope.   The	ddns-updates  parameter is on by default.   To disable
	  DNS updates in all scopes, it is preferable to use the  ddns-update-
	  style statement, setting the style to none.

       The default-lease-time statement

	  default-lease-time time;

	  Time	should	be  the	 length	 in seconds that will be assigned to a
	  lease if the client requesting the lease does not ask for a specific
	  expiration time.

       The do-forward-updates statement

	  do-forward-updates flag;

	  The  do-forward-updates  statement  instructs	 the DHCP server as to
	  whether it should attempt to update a DHCP client's  A  record  when
	  the  client  acquires	 or  renews  a	lease.	 This statement has no
	  effect unless DNS updates are enabled and ddns-update-style  is  set
	  to  interim.	  Forward  updates  are	 enabled by default.   If this
	  statement is used to disable forward updates, the DHCP  server  will
	  never	 attempt  to  update the client's A record, and will only ever
	  attempt to update the client's PTR record if the client supplies  an
	  FQDN	that should be placed in the PTR record using the fqdn option.
	  If forward updates are enabled, the DHCP server will still honor the
	  setting of the client-updates flag.

       The dynamic-bootp-lease-cutoff statement

	  dynamic-bootp-lease-cutoff date;

	  The  dynamic-bootp-lease-cutoff  statement  sets the ending time for
	  all leases assigned dynamically to  BOOTP  clients.	Because	 BOOTP
	  clients  do not have any way of renewing leases, and don't know that
	  their leases could expire, by default dhcpd assignes infinite leases
	  to all BOOTP clients.	 However, it may make sense in some situations
	  to set a cutoff date for all BOOTP leases - for example, the end  of
	  a  school  term,  or the time at night when a facility is closed and
	  all machines are required to be powered off.

	  Date should be the date on which all assigned BOOTP leases will end.
	  The date is specified in the form:

				 W YYYY/MM/DD HH:MM:SS

	  W is the day of the week expressed as a number from zero (Sunday) to
	  six (Saturday).  YYYY is the year, including the century.  MM is the
	  month	 expressed  as	a  number  from 1 to 12.  DD is the day of the
	  month, counting from 1.  HH is the hour, from zero to 23.  MM is the
	  minute and SS is the second.	The time is always in Coordinated Uni-
	  versal Time (UTC), not local time.

       The dynamic-bootp-lease-length statement

	  dynamic-bootp-lease-length length;

	  The dynamic-bootp-lease-length statement is used to set  the	length
	  of leases dynamically assigned to BOOTP clients.   At some sites, it
	  may be possible to assume that a lease is no longer in  use  if  its
	  holder  has  not used BOOTP or DHCP to get its address within a cer-
	  tain time period.   The period is specified in length as a number of
	  seconds.    If  a  client  reboots  using  BOOTP  during the timeout
	  period, the lease duration is reset to length,  so  a	 BOOTP	client
	  that boots frequently enough will never lose its lease.  Needless to
	  say, this parameter should be adjusted with extreme caution.

       The filename statement

	  filename "filename";

	  The filename statement can be used to specify the name of  the  ini-
	  tial	boot  file  which  is  to be loaded by a client.  The filename
	  should be a filename recognizable to whatever file transfer protocol
	  the client can be expected to use to load the file.

       The fixed-address declaration

	  fixed-address address [, address ... ];

	  The fixed-address declaration is used to assign one or more fixed IP
	  addresses to a client.  It should only appear in a host declaration.
	  If more than one address is supplied, then when the client boots, it
	  will be assigned the address that  corresponds  to  the  network  on
	  which	 it is booting.	 If none of the addresses in the fixed-address
	  statement are valid for the network to  which	 the  client  is  con-
	  nected,  that	 client will not match the host declaration containing
	  that fixed-address declaration.  Each address in  the	 fixed-address
	  declaration  should  be  either  an IP address or a domain name that
	  resolves to one or more IP addresses.

       The get-lease-hostnames statement

	  get-lease-hostnames flag;

	  The get-lease-hostnames statement is used to tell dhcpd  whether  or
	  not  to  look	 up the domain name corresponding to the IP address of
	  each address in the lease pool and use that  address	for  the  DHCP
	  hostname  option.  If flag is true, then this lookup is done for all
	  addresses in the current scope.   By default, or if flag  is	false,
	  no lookups are done.

       The hardware statement

	  hardware hardware-type hardware-address;

	  In  order  for a BOOTP client to be recognized, its network hardware
	  address must be declared using a hardware clause in the host	state-
	  ment.	  hardware-type must be the name of a physical hardware inter-
	  face type.   Currently, only the ethernet and token-ring  types  are
	  recognized,  although	 support for a fddi hardware type (and others)
	  would also be desirable.  The hardware-address should be  a  set  of
	  hexadecimal  octets (numbers from 0 through ff) separated by colons.
	  The hardware statement may also be used for DHCP clients.

       The lease-file-name statement

	  lease-file-name name;

	  Name should be the name  of  the  DHCP  server's  lease  file.    By
	  default,  this is /var/lib/dhcpd/dhcpd.leases.   This statement must
	  appear in the outer scope of the configuration file - if it  appears
	  in some other scope, it will have no effect.

       The local-port statement

	  local-port port;

	  This statement causes the DHCP server to listen for DHCP requests on
	  the UDP port specified in port, rather than on port 67.

       The local-address statement

	  local-address address;

	  This statement causes the DHCP server to listen  for	DHCP  requests
	  sent	to  the	 specified  address,  rather than requests sent to all
	  addresses.  Since serving directly  attached	DHCP  clients  implies
	  that	the  server  must  respond to requests sent to the all-ones IP
	  address, this option cannot be  used	if  clients  are  on  directly
	  attached  networks...it  is  only  realistically useful for a server
	  whose only clients are reached via unicasts, such as via DHCP	 relay
	  agents.

	  Note:	  This	statement is only effective if the server was compiled
	  using the USE_SOCKETS #define statement, which is default on a small
	  number  of  operating systems, and must be explicitly chosen at com-
	  pile-time for all others.  You can be sure if your  server  is  com-
	  piled with USE_SOCKETS if you see lines of this format at startup:

	   Listening on Socket/eth0

	  Note	also that since this bind()s all DHCP sockets to the specified
	  address, that only one address may be supported in  a	 daemon	 at  a
	  given time.

       The log-facility statement

	  log-facility facility;

	  This	statement  causes  the DHCP server to do all of its logging on
	  the specified log facility once the dhcpd.conf file has  been	 read.
	  By  default  the DHCP server logs to the daemon facility.   Possible
	  log facilities include auth, authpriv, cron, daemon, ftp, kern, lpr,
	  mail,	 mark,	news,  ntp,  security,	syslog, user, uucp, and local0
	  through local7.   Not all of these facilities are available  on  all
	  systems,  and	 there may be other facilities available on other sys-
	  tems.

	  In addition to setting this value, you may need to modify your  sys-
	  log.conf  file  to configure logging of the DHCP server.   For exam-
	  ple, you might add a line like this:

	       local7.debug /var/log/dhcpd.log

	  The syntax of the syslog.conf file may be different on some  operat-
	  ing  systems	-  consult the syslog.conf manual page to be sure.  To
	  get syslog to start logging to the new file, you must	 first	create
	  the  file  with correct ownership and permissions (usually, the same
	  owner and permissions of your /var/log/messages or /usr/adm/messages
	  file	should	be  fine)  and send a SIGHUP to syslogd.  Some systems
	  support log rollover using a shell script or program called  newsys-
	  log  or  logrotate, and you may be able to configure this as well so
	  that your log file doesn't grow uncontrollably.

	  Because the log-facility setting is  controlled  by  the  dhcpd.conf
	  file,	 log  messages	printed	 while	parsing the dhcpd.conf file or
	  before parsing it are logged to the default log facility.   To  pre-
	  vent	this,  see  the	 README	 file included with this distribution,
	  which describes how to change the default log facility.   When  this
	  parameter is used, the DHCP server prints its startup message a sec-
	  ond time after parsing the configuration file, so that the log  will
	  be as complete as possible.

       The max-lease-time statement

	  max-lease-time time;

	  Time	should	be the maximum length in seconds that will be assigned
	  to a lease.	The only exception to this is that Dynamic BOOTP lease
	  lengths,  which  are not specified by the client, are not limited by
	  this maximum.

       The min-lease-time statement

	  min-lease-time time;

	  Time should be the minimum length in seconds that will  be  assigned
	  to a lease.

       The min-secs statement

	  min-secs seconds;

	  Seconds should be the minimum number of seconds since a client began
	  trying to acquire a new lease before the DHCP server will respond to
	  its  request.	  The  number  of  seconds is based on what the client
	  reports, and the maximum value that the client  can  report  is  255
	  seconds.    Generally,  setting  this to one will result in the DHCP
	  server not responding to the	client's  first	 request,  but	always
	  responding to its second request.

	  This	can  be	 used  to  set	up a secondary DHCP server which never
	  offers an address to a client until  the  primary  server  has  been
	  given a chance to do so.   If the primary server is down, the client
	  will bind to the secondary  server,  but  otherwise  clients	should
	  always  bind	to  the primary.   Note that this does not, by itself,
	  permit a primary server and a secondary server to share  a  pool  of
	  dynamically-allocatable addresses.

       The next-server statement

	  next-server server-name;

	  The next-server statement is used to specify the host address of the
	  server from which the initial boot file (specified in	 the  filename
	  statement)  is  to  be  loaded.   Server-name should be a numeric IP
	  address or a domain name.

       The omapi-port statement

	  omapi-port port;

	  The omapi-port statement causes the DHCP server to listen for	 OMAPI
	  connections  on  the specified port.	 This statement is required to
	  enable the OMAPI protocol, which is used to examine and  modify  the
	  state of the DHCP server as it is running.

       The one-lease-per-client statement

	  one-lease-per-client flag;

	  If this flag is enabled, whenever a client sends a DHCPREQUEST for a
	  particular lease, the	 server	 will  automatically  free  any	 other
	  leases  the client holds.   This presumes that when the client sends
	  a DHCPREQUEST, it has forgotten  any	lease  not  mentioned  in  the
	  DHCPREQUEST  -  i.e., the client has only a single network interface
	  and it does not remember leases it's holding on networks to which it
	  is  not currently attached.	Neither of these assumptions are guar-
	  anteed or provable, so we urge caution in the use of this statement.

       The pid-file-name statement

	  pid-file-name name;

	  Name should be the name of the DHCP server's process ID file.	  This
	  is the file in which the DHCP server's process ID is stored when the
	  server  starts.   By default, this is /var/run/dhcpd.pid.   Like the
	  lease-file-name statement, this statement must appear in  the	 outer
	  scope of the configuration file.

       The ping-check statement

	  ping-check flag;

	  When	the  DHCP  server  is considering dynamically allocating an IP
	  address to a client, it first sends an ICMP Echo request (a ping) to
	  the  address being assigned.	 It waits for a second, and if no ICMP
	  Echo response has  been  heard,  it  assigns	the  address.	 If  a
	  response  is	heard, the lease is abandoned, and the server does not
	  respond to the client.

	  This ping check introduces a default one-second delay in  responding
	  to  DHCPDISCOVER  messages, which can be a problem for some clients.
	  The default delay of one second may be configured  using  the	 ping-
	  timeout  parameter.	The  ping-check configuration parameter can be
	  used to control checking - if its value is false, no ping  check  is
	  done.

       The ping-timeout statement

	  ping-timeout seconds;

	  If the DHCP server determined it should send an ICMP echo request (a
	  ping) because the ping-check statement is true, ping-timeout	allows
	  you to configure how many seconds the DHCP server should wait for an
	  ICMP Echo response to be heard, if no ICMP Echo  response  has  been
	  received  before  the timeout expires, it assigns the address.  If a
	  response is heard, the lease is abandoned, and the server  does  not
	  respond to the client.  If no value is set, ping-timeout defaults to
	  1 second.

       The remote-port statement

	  remote-port port;

	  This statement causes the DHCP server to transmit DHCP responses  to
	  DHCP	clients	 upon  the  UDP port specified in port, rather than on
	  port 68.  In the event that the UDP response	is  transmitted	 to  a
	  DHCP	Relay,	the server generally uses the local-port configuration
	  value.  Should the DHCP Relay happen to be addressed	as  127.0.0.1,
	  however,  the	 DHCP Server transmits its response to the remote-port
	  configuration value.	This is generally only useful for testing pur-
	  poses, and this configuratoin value should generally not be used.

       The server-identifier statement

	  server-identifier hostname;

	  The server-identifier statement can be used to define the value that
	  is sent in the DHCP Server Identifier	 option	 for  a	 given	scope.
	  The  value  specified must be an IP address for the DHCP server, and
	  must be reachable by all clients served by a particular scope.

	  The use of the server-identifier statement is not recommended -  the
	  only	reason	to  use	 it is to force a value other than the default
	  value to be sent on occasions	 where	the  default  value  would  be
	  incorrect.	The  default  value is the first IP address associated
	  with the physical network interface on which the request arrived.

	  The usual case where the server-identifier  statement	 needs	to  be
	  sent	is when a physical interface has more than one IP address, and
	  the one being sent by default isn't  appropriate  for	 some  or  all
	  clients  served  by  that interface.	Another common case is when an
	  alias is defined for the purpose of having a consistent  IP  address
	  for  the DHCP server, and it is desired that the clients use this IP
	  address when contacting the server.

	  Supplying a value for the dhcp-server-identifier option  is  equiva-
	  lent to using the server-identifier statement.

       The server-name statement

	  server-name name ;

	  The  server-name  statement  can be used to inform the client of the
	  name of the server from which it is booting.	 Name  should  be  the
	  name that will be provided to the client.

       The site-option-space statement

	  site-option-space name ;

	  The  site-option-space  statement can be used to determine from what
	  option space site-local options will be taken.   This can be used in
	  much	the same way as the vendor-option-space statement.  Site-local
	  options in DHCP are those options whose numeric  codes  are  greater
	  than	128.	These options are intended for site-specific uses, but
	  are frequently used by vendors of embedded  hardware	that  contains
	  DHCP clients.	  Because site-specific options are allocated on an ad
	  hoc basis, it is quite possible that one vendor's DHCP client	 might
	  use the same option code that another vendor's client uses, for dif-
	  ferent purposes.   The  site-option-space  option  can  be  used  to
	  assign  a  different set of site-specific options for each such ven-
	  dor, using conditional evaluation (see dhcp-eval (5) for details).

       The stash-agent-options statement

	  stash-agent-options flag;

	  If the stash-agent-options parameter is true for a given client, the
	  server  will	record the relay agent information options sent during
	  the client's initial DHCPREQUEST message when the client was in  the
	  SELECTING  state  and behave as if those options are included in all
	  subsequent DHCPREQUEST messages sent in the RENEWING	state.	  This
	  works	 around	 a problem with relay agent information options, which
	  is that they usually not appear in DHCPREQUEST messages sent by  the
	  client  in  the  RENEWING  state,  because such messages are unicast
	  directly to the server and not sent through a relay agent.

       The update-optimization statement

	  update-optimization flag;

	  If the update-optimization parameter is false for  a	given  client,
	  the  server  will attempt a DNS update for that client each time the
	  client renews its lease, rather than only attempting an update  when
	  it  appears  to be necessary.	  This will allow the DNS to heal from
	  database inconsistencies more easily, but the cost is that the  DHCP
	  server  must	do  many more DNS updates.   We recommend leaving this
	  option enabled, which is the default.	 This option only affects  the
	  behavior  of the interim DNS update scheme, and has no effect on the
	  ad-hoc DNS update scheme.   If this parameter is not	specified,  or
	  is  true,  the DHCP server will only update when the client informa-
	  tion changes, the client gets a different  lease,  or	 the  client's
	  lease expires.

       The update-static-leases statement

	  update-static-leases flag;

	  The update-static-leases flag, if enabled, causes the DHCP server to
	  do DNS updates for clients even if those clients are being  assigned
	  their	 IP  address  using  a	fixed-address statement - that is, the
	  client is being given a static assignment.   This can only work with
	  the  interim	DNS update scheme.   It is not recommended because the
	  DHCP server has no way to tell that the update has  been  done,  and
	  therefore  will not delete the record when it is not in use.	 Also,
	  the server must attempt the update each time the client  renews  its
	  lease, which could have a significant performance impact in environ-
	  ments that place heavy demands on the DHCP server.

       The use-host-decl-names statement

	  use-host-decl-names flag;

	  If the use-host-decl-names parameter is true in a given scope,  then
	  for  every host declaration within that scope, the name provided for
	  the host declaration will be supplied to the client as its hostname.
	  So, for example,

	      group {
		use-host-decl-names on;

		host joe {
		  hardware ethernet 08:00:2b:4c:29:32;
		  fixed-address joe.fugue.com;
		}
	      }

	  is equivalent to

		host joe {
		  hardware ethernet 08:00:2b:4c:29:32;
		  fixed-address joe.fugue.com;
		  option host-name "joe";
		}

	  An  option  host-name statement within a host declaration will over-
	  ride the use of the name in the host declaration.

	  It should be noted here that most DHCP clients completely ignore the
	  host-name  option  sent  by  the DHCP server, and there is no way to
	  configure them not to do this.   So you generally have a  choice  of
	  either not having any hostname to client IP address mapping that the
	  client will recognize, or doing DNS  updates.	   It  is  beyond  the
	  scope of this document to describe how to make this determination.

       The use-lease-addr-for-default-route statement

	  use-lease-addr-for-default-route flag;

	  If the use-lease-addr-for-default-route parameter is true in a given
	  scope, then instead of sending the value specified  in  the  routers
	  option  (or  sending	no  value at all), the IP address of the lease
	  being assigned is sent to the client.	  This supposedly causes Win95
	  machines  to	ARP for all IP addresses, which can be helpful if your
	  router is configured for proxy ARP.	The use of this feature is not
	  recommended, because it won't work for many DHCP clients.

       The vendor-option-space statement

	  vendor-option-space string;

	  The  vendor-option-space parameter determines from what option space
	  vendor options are taken.   The use of this configuration  parameter
	  is  illustrated  in  the  dhcp-options(5) manual page, in the VENDOR
	  ENCAPSULATED OPTIONS section.

SETTING PARAMETER VALUES USING EXPRESSIONS
       Sometimes it's helpful to be able to set the value  of  a  DHCP	server
       parameter  based	 on some value that the client has sent.   To do this,
       you can use  expression	evaluation.    The  dhcp-eval(5)  manual  page
       describes how to write expressions.   To assign the result of an evalu-
       ation to an option, define the option as follows:

	 my-parameter = expression ;

       For example:

	 ddns-hostname = binary-to-ascii (16, 8, "-",
					  substring (hardware, 1, 6));

REFERENCE: OPTION STATEMENTS
       DHCP option statements are documented  in  the  dhcp-options(5)	manual
       page.

REFERENCE: EXPRESSIONS
       Expressions used in DHCP option statements and elsewhere are documented
       in the dhcp-eval(5) manual page.

SEE ALSO
       dhcpd(8),  dhcpd.leases(5),  dhcp-options(5),  dhcp-eval(5),   RFC2132,
       RFC2131.

AUTHOR
       dhcpd.conf(5)  was  written  by	Ted  Lemon under a contract with Vixie
       Labs.   Funding for this project was provided by Internet Systems  Con-
       sortium.	 Information about Internet Systems Consortium can be found at
       http://www.isc.org.



								 dhcpd.conf(5)
YoLinux.com Home Page
YoLinux Tutorial Index
Privacy Policy | Advertise with us | Feedback Form |
Unauthorized copying or redistribution prohibited.
    Bookmark and Share