1dhcpd.conf(5) File Formats Manual dhcpd.conf(5)
2
6 dhcpd.conf - dhcpd configuration file
7
9 The dhcpd.conf file contains configuration information for dhcpd, the
10 Internet Systems Consortium DHCP Server.
11 The dhcpd.conf file is a free-form ASCII text file. It is parsed by
13 the recursive-descent parser built into dhcpd. The file may contain
14 extra tabs and newlines for formatting purposes. Keywords in the file
15 are case-insensitive. Comments may be placed anywhere within the file
16 (except within quotes). Comments begin with the # character and end
17 at the end of the line.
18 The file essentially consists of a list of statements. Statements
20 fall into two broad categories - parameters and declarations.
21 Parameter statements either say how to do something (e.g., how long a
23 lease to offer), whether to do something (e.g., should dhcpd provide
24 addresses to unknown clients), or what parameters to provide to the
25 client (e.g., use gateway 220.177.244.7).
26 Declarations are used to describe the topology of the network, to
28 describe clients on the network, to provide addresses that can be
29 assigned to clients, or to apply a group of parameters to a group of
30 declarations. In any group of parameters and declarations, all param‐
31 eters must be specified before any declarations which depend on those
32 parameters may be specified.
33 Declarations about network topology include the shared-network and the
35 subnet declarations. If clients on a subnet are to be assigned
36 addresses dynamically, a range declaration must appear within the sub‐
37 net declaration. For clients with statically assigned addresses, or
38 for installations where only known clients will be served, each such
39 client must have a host declaration. If parameters are to be applied
40 to a group of declarations which are not related strictly on a per-sub‐
41 net basis, the group declaration can be used.
42 For every subnet which will be served, and for every subnet to which
44 the dhcp server is connected, there must be one subnet declaration,
45 which tells dhcpd how to recognize that an address is on that subnet.
46 A subnet declaration is required for each subnet even if no addresses
47 will be dynamically allocated on that subnet.
48 Some installations have physical networks on which more than one IP
50 subnet operates. For example, if there is a site-wide requirement
51 that 8-bit subnet masks be used, but a department with a single physi‐
52 cal ethernet network expands to the point where it has more than 254
53 nodes, it may be necessary to run two 8-bit subnets on the same ether‐
54 net until such time as a new physical network can be added. In this
55 case, the subnet declarations for these two networks must be enclosed
56 in a shared-network declaration.
57 Some sites may have departments which have clients on more than one
59 subnet, but it may be desirable to offer those clients a uniform set of
60 parameters which are different than what would be offered to clients
61 from other departments on the same subnet. For clients which will be
62 declared explicitly with host declarations, these declarations can be
63 enclosed in a group declaration along with the parameters which are
64 common to that department. For clients whose addresses will be dynam‐
65 ically assigned, class declarations and conditional declarations may be
66 used to group parameter assignments based on information the client
67 sends.
68 When a client is to be booted, its boot parameters are determined by
70 consulting that client's host declaration (if any), and then consulting
71 any class declarations matching the client, followed by the pool, sub‐
72 net and shared-network declarations for the IP address assigned to the
73 client. Each of these declarations itself appears within a lexical
74 scope, and all declarations at less specific lexical scopes are also
75 consulted for client option declarations. Scopes are never considered
76 twice, and if parameters are declared in more than one scope, the
77 parameter declared in the most specific scope is the one that is used.
78 When dhcpd tries to find a host declaration for a client, it first
80 looks for a host declaration which has a fixed-address declaration that
81 lists an IP address that is valid for the subnet or shared network on
82 which the client is booting. If it doesn't find any such entry, it
83 tries to find an entry which has no fixed-address declaration.
84
86 A typical dhcpd.conf file will look something like this:
87 global parameters...
89 subnet 204.254.239.0 netmask 255.255.255.224 {
91 subnet-specific parameters...
92 range 204.254.239.10 204.254.239.30;
93 }
94 subnet 204.254.239.32 netmask 255.255.255.224 {
96 subnet-specific parameters...
97 range 204.254.239.42 204.254.239.62;
98 }
99 subnet 204.254.239.64 netmask 255.255.255.224 {
101 subnet-specific parameters...
102 range 204.254.239.74 204.254.239.94;
103 }
104 group {
106 group-specific parameters...
107 host zappo.test.isc.org {
108 host-specific parameters...
109 }
110 host beppo.test.isc.org {
111 host-specific parameters...
112 }
113 host harpo.test.isc.org {
114 host-specific parameters...
115 }
116 }
117 Figure 1
119 Notice that at the beginning of the file, there's a place for global
122 parameters. These might be things like the organization's domain
123 name, the addresses of the name servers (if they are common to the
124 entire organization), and so on. So, for example:
125 option domain-name "isc.org";
127 option domain-name-servers ns1.isc.org, ns2.isc.org;
128 Figure 2
130 As you can see in Figure 2, you can specify host addresses in parame‐
132 ters using their domain names rather than their numeric IP addresses.
133 If a given hostname resolves to more than one IP address (for example,
134 if that host has two ethernet interfaces), then where possible, both
135 addresses are supplied to the client.
136 The most obvious reason for having subnet-specific parameters as shown
138 in Figure 1 is that each subnet, of necessity, has its own router. So
139 for the first subnet, for example, there should be something like:
140 option routers 204.254.239.1;
142 Note that the address here is specified numerically. This is not
144 required - if you have a different domain name for each interface on
145 your router, it's perfectly legitimate to use the domain name for that
146 interface instead of the numeric address. However, in many cases
147 there may be only one domain name for all of a router's IP addresses,
148 and it would not be appropriate to use that name here.
149 In Figure 1 there is also a group statement, which provides common
151 parameters for a set of three hosts - zappo, beppo and harpo. As you
152 can see, these hosts are all in the test.isc.org domain, so it might
153 make sense for a group-specific parameter to override the domain name
154 supplied to these hosts:
155 option domain-name "test.isc.org";
157 Also, given the domain they're in, these are probably test machines.
159 If we wanted to test the DHCP leasing mechanism, we might set the lease
160 timeout somewhat shorter than the default:
161 max-lease-time 120;
163 default-lease-time 120;
164 You may have noticed that while some parameters start with the option
166 keyword, some do not. Parameters starting with the option keyword
167 correspond to actual DHCP options, while parameters that do not start
168 with the option keyword either control the behavior of the DHCP server
169 (e.g., how long a lease dhcpd will give out), or specify client parame‐
170 ters that are not optional in the DHCP protocol (for example, server-
171 name and filename).
172 In Figure 1, each host had host-specific parameters. These could
174 include such things as the hostname option, the name of a file to
175 upload (the filename parameter) and the address of the server from
176 which to upload the file (the next-server parameter). In general, any
177 parameter can appear anywhere that parameters are allowed, and will be
178 applied according to the scope in which the parameter appears.
179 Imagine that you have a site with a lot of NCD X-Terminals. These
181 terminals come in a variety of models, and you want to specify the boot
182 files for each model. One way to do this would be to have host decla‐
183 rations for each server and group them by model:
184 group {
186 filename "Xncd19r";
187 next-server ncd-booter;
188 host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; }
190 host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; }
191 host ncd8 { hardware ethernet 0:c0:c3:22:46:81; }
192 }
193 group {
195 filename "Xncd19c";
196 next-server ncd-booter;
197 host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; }
199 host ncd3 { hardware ethernet 0:c0:c3:00:14:11; }
200 }
201 group {
203 filename "XncdHMX";
204 next-server ncd-booter;
205 host ncd1 { hardware ethernet 0:c0:c3:11:90:23; }
207 host ncd4 { hardware ethernet 0:c0:c3:91:a7:8; }
208 host ncd8 { hardware ethernet 0:c0:c3:cc:a:8f; }
209 }
210
212 The pool declaration can be used to specify a pool of addresses that
213 will be treated differently than another pool of addresses, even on the
214 same network segment or subnet. For example, you may want to provide
215 a large set of addresses that can be assigned to DHCP clients that are
216 registered to your DHCP server, while providing a smaller set of
217 addresses, possibly with short lease times, that are available for
218 unknown clients. If you have a firewall, you may be able to arrange
219 for addresses from one pool to be allowed access to the Internet, while
220 addresses in another pool are not, thus encouraging users to register
221 their DHCP clients. To do this, you would set up a pair of pool dec‐
222 larations:
223 subnet 10.0.0.0 netmask 255.255.255.0 {
225 option routers 10.0.0.254;
226 # Unknown clients get this pool.
228 pool {
229 option domain-name-servers bogus.example.com;
230 max-lease-time 300;
231 range 10.0.0.200 10.0.0.253;
232 allow unknown-clients;
233 }
234 # Known clients get this pool.
236 pool {
237 option domain-name-servers ns1.example.com, ns2.example.com;
238 max-lease-time 28800;
239 range 10.0.0.5 10.0.0.199;
240 deny unknown-clients;
241 }
242 }
243 It is also possible to set up entirely different subnets for known and
245 unknown clients - address pools exist at the level of shared networks,
246 so address ranges within pool declarations can be on different subnets.
247 As you can see in the preceding example, pools can have permit lists
249 that control which clients are allowed access to the pool and which
250 aren't. Each entry in a pool's permit list is introduced with the
251 allow or deny keyword. If a pool has a permit list, then only those
252 clients that match specific entries on the permit list will be eligible
253 to be assigned addresses from the pool. If a pool has a deny list,
254 then only those clients that do not match any entries on the deny list
255 will be eligible. If both permit and deny lists exist for a pool,
256 then only clients that match the permit list and do not match the deny
257 list will be allowed access.
258
260 Address allocation is actually only done when a client is in the INIT
261 state and has sent a DHCPDISCOVER message. If the client thinks it has
262 a valid lease and sends a DHCPREQUEST to initiate or renew that lease,
263 the server has only three choices - it can ignore the DHCPREQUEST, send
264 a DHCPNAK to tell the client it should stop using the address, or send
265 a DHCPACK, telling the client to go ahead and use the address for a
266 while.
267 If the server finds the address the client is requesting, and that
269 address is available to the client, the server will send a DHCPACK. If
270 the address is no longer available, or the client isn't permitted to
271 have it, the server will send a DHCPNAK. If the server knows nothing
272 about the address, it will remain silent, unless the address is incor‐
273 rect for the network segment to which the client has been attached and
274 the server is authoritative for that network segment, in which case the
275 server will send a DHCPNAK even though it doesn't know about the
276 address.
277 There may be a host declaration matching the client's identification.
279 If that host declaration contains a fixed-address declaration that
280 lists an IP address that is valid for the network segment to which the
281 client is connected. In this case, the DHCP server will never do
282 dynamic address allocation. In this case, the client is required to
283 take the address specified in the host declaration. If the client
284 sends a DHCPREQUEST for some other address, the server will respond
285 with a DHCPNAK.
286 When the DHCP server allocates a new address for a client (remember,
288 this only happens if the client has sent a DHCPDISCOVER), it first
289 looks to see if the client already has a valid lease on an IP address,
290 or if there is an old IP address the client had before that hasn't yet
291 been reassigned. In that case, the server will take that address and
292 check it to see if the client is still permitted to use it. If the
293 client is no longer permitted to use it, the lease is freed if the
294 server thought it was still in use - the fact that the client has sent
295 a DHCPDISCOVER proves to the server that the client is no longer using
296 the lease.
297 If no existing lease is found, or if the client is forbidden to receive
299 the existing lease, then the server will look in the list of address
300 pools for the network segment to which the client is attached for a
301 lease that is not in use and that the client is permitted to have. It
302 looks through each pool declaration in sequence (all range declarations
303 that appear outside of pool declarations are grouped into a single pool
304 with no permit list). If the permit list for the pool allows the
305 client to be allocated an address from that pool, the pool is examined
306 to see if there is an address available. If so, then the client is
307 tentatively assigned that address. Otherwise, the next pool is
308 tested. If no addresses are found that can be assigned to the client,
309 no response is sent to the client.
310 If an address is found that the client is permitted to have, and that
312 has never been assigned to any client before, the address is immedi‐
313 ately allocated to the client. If the address is available for allo‐
314 cation but has been previously assigned to a different client, the
315 server will keep looking in hopes of finding an address that has never
316 before been assigned to a client.
317 The DHCP server generates the list of available IP addresses from a
319 hash table. This means that the addresses are not sorted in any par‐
320 ticular order, and so it is not possible to predict the order in which
321 the DHCP server will allocate IP addresses. Users of previous ver‐
322 sions of the ISC DHCP server may have become accustomed to the DHCP
323 server allocating IP addresses in ascending order, but this is no
324 longer possible, and there is no way to configure this behavior with
325 version 3 of the ISC DHCP server.
326
328 The DHCP server checks IP addresses to see if they are in use before
329 allocating them to clients. It does this by sending an ICMP Echo
330 request message to the IP address being allocated. If no ICMP Echo
331 reply is received within a second, the address is assumed to be free.
332 This is only done for leases that have been specified in range state‐
333 ments, and only when the lease is thought by the DHCP server to be free
334 - i.e., the DHCP server or its failover peer has not listed the lease
335 as in use.
336 If a response is received to an ICMP Echo request, the DHCP server
338 assumes that there is a configuration error - the IP address is in use
339 by some host on the network that is not a DHCP client. It marks the
340 address as abandoned, and will not assign it to clients.
341 If a DHCP client tries to get an IP address, but none are available,
343 but there are abandoned IP addresses, then the DHCP server will attempt
344 to reclaim an abandoned IP address. It marks one IP address as free,
345 and then does the same ICMP Echo request check described previously.
346 If there is no answer to the ICMP Echo request, the address is assigned
347 to the client.
348 The DHCP server does not cycle through abandoned IP addresses if the
350 first IP address it tries to reclaim is free. Rather, when the next
351 DHCPDISCOVER comes in from the client, it will attempt a new allocation
352 using the same method described here, and will typically try a new IP
353 address.
354
356 This version of the ISC DHCP server supports the DHCP failover protocol
357 as documented in draft-ietf-dhc-failover-07.txt. This is not a final
358 protocol document, and we have not done interoperability testing with
359 other vendors' implementations of this protocol, so you must not assume
360 that this implementation conforms to the standard. If you wish to use
361 the failover protocol, make sure that both failover peers are running
362 the same version of the ISC DHCP server.
363 The failover protocol allows two DHCP servers (and no more than two) to
365 share a common address pool. Each server will have about half of the
366 available IP addresses in the pool at any given time for allocation.
367 If one server fails, the other server will continue to renew leases out
368 of the pool, and will allocate new addresses out of the roughly half of
369 available addresses that it had when communications with the other
370 server were lost.
371 It is possible during a prolonged failure to tell the remaining server
373 that the other server is down, in which case the remaining server will
374 (over time) reclaim all the addresses the other server had available
375 for allocation, and begin to reuse them. This is called putting the
376 server into the PARTNER-DOWN state.
377 You can put the server into the PARTNER-DOWN state either by using the
379 omshell (1) command or by stopping the server, editing the last peer
380 state declaration in the lease file, and restarting the server. If
381 you use this last method, be sure to leave the date and time of the
382 start of the state blank:
383 failover peer name state {
385 my state partner-down;
386 peer state state at date;
387 }
388 When the other server comes back online, it should automatically detect
390 that it has been offline and request a complete update from the server
391 that was running in the PARTNER-DOWN state, and then both servers will
392 resume processing together.
393 It is possible to get into a dangerous situation: if you put one server
395 into the PARTNER-DOWN state, and then *that* server goes down, and the
396 other server comes back up, the other server will not know that the
397 first server was in the PARTNER-DOWN state, and may issue addresses
398 previously issued by the other server to different clients, resulting
399 in IP address conflicts. Before putting a server into PARTNER-DOWN
400 state, therefore, make sure that the other server will not restart
401 automatically.
402 The failover protocol defines a primary server role and a secondary
404 server role. There are some differences in how primaries and secon‐
405 daries act, but most of the differences simply have to do with provid‐
406 ing a way for each peer to behave in the opposite way from the other.
407 So one server must be configured as primary, and the other must be con‐
408 figured as secondary, and it doesn't matter too much which one is
409 which.
410
412 When a server starts that has not previously communicated with its
413 failover peer, it must establish communications with its failover peer
414 and synchronize with it before it can serve clients. This can happen
415 either because you have just configured your DHCP servers to perform
416 failover for the first time, or because one of your failover servers
417 has failed catastrophically and lost its database.
418 The initial recovery process is designed to ensure that when one
420 failover peer loses its database and then resynchronizes, any leases
421 that the failed server gave out before it failed will be honored. When
422 the failed server starts up, it notices that it has no saved failover
423 state, and attempts to contact its peer.
424 When it has established contact, it asks the peer for a complete copy
426 its peer's lease database. The peer then sends its complete database,
427 and sends a message indicating that it is done. The failed server then
428 waits until MCLT has passed, and once MCLT has passed both servers make
429 the transition back into normal operation. This waiting period ensures
430 that any leases the failed server may have given out while out of con‐
431 tact with its partner will have expired.
432 While the failed server is recovering, its partner remains in the part‐
434 ner-down state, which means that it is serving all clients. The failed
435 server provides no service at all to DHCP clients until it has made the
436 transition into normal operation.
437 In the case where both servers detect that they have never before com‐
439 municated with their partner, they both come up in this recovery state
440 and follow the procedure we have just described. In this case, no
441 service will be provided to DHCP clients until MCLT has expired.
442
444 In order to configure failover, you need to write a peer declaration
445 that configures the failover protocol, and you need to write peer ref‐
446 erences in each pool declaration for which you want to do failover.
447 You do not have to do failover for all pools on a given network seg‐
448 ment. You must not tell one server it's doing failover on a particu‐
449 lar address pool and tell the other it is not. You must not have any
450 common address pools on which you are not doing failover. A pool dec‐
451 laration that utilizes failover would look like this:
452 pool {
454 failover peer "foo";
455 deny dynamic bootp clients;
456 pool specific parameters
457 };
458 Dynamic BOOTP leases are not compatible with failover, and, as such,
460 you need to disallow BOOTP in pools that you are using failover for.
461 The server currently does very little sanity checking, so if you
463 configure it wrong, it will just fail in odd ways. I would recommend
464 therefore that you either do failover or don't do failover, but don't
465 do any mixed pools. Also, use the same master configuration file for
466 both servers, and have a separate file that contains the peer
467 declaration and includes the master file. This will help you to avoid
468 configuration mismatches. As our implementation evolves, this will
469 become less of a problem. A basic sample dhcpd.conf file for a
470 primary server might look like this:
471 failover peer "foo" {
473 primary;
474 address anthrax.rc.vix.com;
475 port 647;
476 peer address trantor.rc.vix.com;
477 peer port 847;
478 max-response-delay 60;
479 max-unacked-updates 10;
480 mclt 3600;
481 split 128;
482 load balance max seconds 3;
483 }
484 include "/etc/dhcpd.master";
486 The statements in the peer declaration are as follows:
488 The primary and secondary statements
490 [ primary | secondary ];
492 This determines whether the server is primary or secondary, as
494 described earlier under DHCP FAILOVER.
495 The address statement
497 address address;
499 The address statement declares the IP address or DNS name on which
501 the server should listen for connections from its failover peer, and
502 also the value to use for the DHCP Failover Protocol server identi‐
503 fier. Because this value is used as an identifier, it may not be
504 omitted.
505 The peer address statement
507 peer address address;
509 The peer address statement declares the IP address or DNS name to
511 which the server should connect to reach its failover peer for
512 failover messages.
513 The port statement
515 port port-number;
517 The port statement declares the TCP port on which the server should
519 listen for connections from its failover peer.
520 The peer port statement
522 peer port port-number;
524 The peer port statement declares the TCP port to which the server
526 should connect to reach its failover peer for failover messages. The
527 port number declared in the peer port statement may be the same as
528 the port number declared in the port statement.
529 The max-response-delay statement
531 max-response-delay seconds;
533 The max-response-delay statement tells the DHCP server how many sec‐
535 onds may pass without receiving a message from its failover peer
536 before it assumes that connection has failed. This number should be
537 small enough that a transient network failure that breaks the connec‐
538 tion will not result in the servers being out of communication for a
539 long time, but large enough that the server isn't constantly making
540 and breaking connections. This parameter must be specified.
541 The max-unacked-updates statement
543 max-unacked-updates count;
545 The max-unacked-updates statement tells the DHCP server how many
547 BNDUPD messages it can send before it receives a BNDACK from the
548 failover peer. We don't have enough operational experience to say
549 what a good value for this is, but 10 seems to work. This parameter
550 must be specified.
551 The mclt statement
553 mclt seconds;
555 The mclt statement defines the Maximum Client Lead Time. It must be
557 specified on the primary, and may not be specified on the secondary.
558 This is the length of time for which a lease may be renewed by either
559 failover peer without contacting the other. The longer you set
560 this, the longer it will take for the running server to recover IP
561 addresses after moving into PARTNER-DOWN state. The shorter you set
562 it, the more load your servers will experience when they are not com‐
563 municating. A value of something like 3600 is probably reasonable,
564 but again bear in mind that we have no real operational experience
565 with this.
566 The split statement
568 split index;
570 The split statement specifies the split between the primary and sec‐
572 ondary for the purposes of load balancing. Whenever a client makes
573 a DHCP request, the DHCP server runs a hash on the client identifica‐
574 tion. If the hash comes out to less than the split value, the pri‐
575 mary answers. If it comes out to equal to or more than the split,
576 the secondary answers. The only meaningful value is 128, and can
577 only be configured on the primary.
578 The hba statement
580 hba colon-separated-hex-list;
582 The hba statement specifies the split between the primary and sec‐
584 ondary as a bitmap rather than a cutoff, which theoretically allows
585 for finer-grained control. In practice, there is probably no need
586 for such fine-grained control, however. An example hba statement:
587 hba ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
589 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00;
590 This is equivalent to a split 128; statement. You must only have
592 split or hba defined, never both. For most cases, the fine-grained
593 control that hba offers isn't necessary, and split should be used.
594 As such, the use of hba is deprecated.
595 The load balance max seconds statement
597 load balance max seconds seconds;
599 This statement allows you to configure a cutoff after which load bal‐
601 ancing is disabled. The cutoff is based on the number of seconds
602 since the client sent its first DHCPDISCOVER or DHCPREQUEST message,
603 and only works with clients that correctly implement the secs field -
604 fortunately most clients do. We recommend setting this to something
605 like 3 or 5. The effect of this is that if one of the failover peers
606 gets into a state where it is responding to failover messages but not
607 responding to some client requests, the other failover peer will take
608 over its client load automatically as the clients retry.
609
611 Clients can be separated into classes, and treated differently depend‐
612 ing on what class they are in. This separation can be done either
613 with a conditional statement, or with a match statement within the
614 class declaration. It is possible to specify a limit on the total
615 number of clients within a particular class or subclass that may hold
616 leases at one time, and it is possible to specify automatic subclassing
617 based on the contents of the client packet.
618 To add clients to classes based on conditional evaluation, you can
620 specify a matching expression in the class statement:
621 class "ras-clients" {
623 match if substring (option dhcp-client-identifier, 1, 3) = "RAS";
624 }
625 Note that whether you use matching expressions or add statements (or
627 both) to classify clients, you must always write a class declaration
628 for any class that you use. If there will be no match statement and
629 no in-scope statements for a class, the declaration should look like
630 this:
631 class "ras-clients" {
633 }
634
636 In addition to classes, it is possible to declare subclasses. A sub‐
637 class is a class with the same name as a regular class, but with a spe‐
638 cific submatch expression which is hashed for quick matching. This is
639 essentially a speed hack - the main difference between five classes
640 with match expressions and one class with five subclasses is that it
641 will be quicker to find the subclasses. Subclasses work as follows:
642 class "allocation-class-1" {
644 match pick-first-value (option dhcp-client-identifier, hardware);
645 }
646 class "allocation-class-2" {
648 match pick-first-value (option dhcp-client-identifier, hardware);
649 }
650 subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
652 subclass "allocation-class-2" 1:8:0:2b:a9:cc:e3;
653 subclass "allocation-class-1" 1:0:0:c4:aa:29:44;
654 subnet 10.0.0.0 netmask 255.255.255.0 {
656 pool {
657 allow members of "allocation-class-1";
658 range 10.0.0.11 10.0.0.50;
659 }
660 pool {
661 allow members of "allocation-class-2";
662 range 10.0.0.51 10.0.0.100;
663 }
664 }
665 The data following the class name in the subclass declaration is a con‐
667 stant value to use in matching the match expression for the class.
668 When class matching is done, the server will evaluate the match expres‐
669 sion and then look the result up in the hash table. If it finds a
670 match, the client is considered a member of both the class and the sub‐
671 class.
672 Subclasses can be declared with or without scope. In the above exam‐
674 ple, the sole purpose of the subclass is to allow some clients access
675 to one address pool, while other clients are given access to the other
676 pool, so these subclasses are declared without scopes. If part of the
677 purpose of the subclass were to define different parameter values for
678 some clients, you might want to declare some subclasses with scopes.
679 In the above example, if you had a single client that needed some con‐
681 figuration parameters, while most didn't, you might write the following
682 subclass declaration for that client:
683 subclass "allocation-class-2" 1:08:00:2b:a1:11:31 {
685 option root-path "samsara:/var/diskless/alphapc";
686 filename "/tftpboot/netbsd.alphapc-diskless";
687 }
688 In this example, we've used subclassing as a way to control address
690 allocation on a per-client basis. However, it's also possible to use
691 subclassing in ways that are not specific to clients - for example, to
692 use the value of the vendor-class-identifier option to determine what
693 values to send in the vendor-encapsulated-options option. An example
694 of this is shown under the VENDOR ENCAPSULATED OPTIONS head in the
695 dhcp-options(5) manual page.
696
698 You may specify a limit to the number of clients in a class that can be
699 assigned leases. The effect of this will be to make it difficult for
700 a new client in a class to get an address. Once a class with such a
701 limit has reached its limit, the only way a new client in that class
702 can get a lease is for an existing client to relinquish its lease,
703 either by letting it expire, or by sending a DHCPRELEASE packet.
704 Classes with lease limits are specified as follows:
705 class "limited-1" {
707 lease limit 4;
708 }
709 This will produce a class in which a maximum of four members may hold a
711 lease at one time.
712
714 It is possible to declare a spawning class. A spawning class is a
715 class that automatically produces subclasses based on what the client
716 sends. The reason that spawning classes were created was to make it
717 possible to create lease-limited classes on the fly. The envisioned
718 application is a cable-modem environment where the ISP wishes to pro‐
719 vide clients at a particular site with more than one IP address, but
720 does not wish to provide such clients with their own subnet, nor give
721 them an unlimited number of IP addresses from the network segment to
722 which they are connected.
723 Many cable modem head-end systems can be configured to add a Relay
725 Agent Information option to DHCP packets when relaying them to the DHCP
726 server. These systems typically add a circuit ID or remote ID option
727 that uniquely identifies the customer site. To take advantage of
728 this, you can write a class declaration as follows:
729 class "customer" {
731 spawn with option agent.circuit-id;
732 lease limit 4;
733 }
734 Now whenever a request comes in from a customer site, the circuit ID
736 option will be checked against the class's hash table. If a subclass
737 is found that matches the circuit ID, the client will be classified in
738 that subclass and treated accordingly. If no subclass is found match‐
739 ing the circuit ID, a new one will be created and logged in the
740 dhcpd.leases file, and the client will be classified in this new class.
741 Once the client has been classified, it will be treated according to
742 the rules of the class, including, in this case, being subject to the
743 per-site limit of four leases.
744 The use of the subclass spawning mechanism is not restricted to relay
746 agent options - this particular example is given only because it is a
747 fairly straightforward one.
748
750 In some cases, it may be useful to use one expression to assign a
751 client to a particular class, and a second expression to put it into a
752 subclass of that class. This can be done by combining the match if
753 and spawn with statements, or the match if and match statements. For
754 example:
755 class "jr-cable-modems" {
757 match if option dhcp-vendor-identifier = "jrcm";
758 spawn with option agent.circuit-id;
759 lease limit 4;
760 }
761 class "dv-dsl-modems" {
763 match if opton dhcp-vendor-identifier = "dvdsl";
764 spawn with option agent.circuit-id;
765 lease limit 16;
766 }
767 This allows you to have two classes that both have the same spawn with
769 expression without getting the clients in the two classes confused with
770 each other.
771
773 The DHCP server has the ability to dynamically update the Domain Name
774 System. Within the configuration files, you can define how you want
775 the Domain Name System to be updated. These updates are RFC 2136 com‐
776 pliant so any DNS server supporting RFC 2136 should be able to accept
777 updates from the DHCP server.
778 Two DNS update schemes are currently implemented, and another is
780 planned. The two that are currently available are the ad-hoc DNS
781 update mode and the interim DHCP-DNS interaction draft update mode. If
782 and when the DHCP-DNS interaction draft and the DHCID draft make it
783 through the IETF standards process, there will be a third mode, which
784 will be the standard DNS update method. The DHCP server must be con‐
785 figured to use one of the two currently-supported methods, or not to do
786 dns updates. This can be done with the ddns-update-style configura‐
787 tion parameter.
788
790 The ad-hoc Dynamic DNS update scheme is now deprecated and does not
791 work. In future releases of the ISC DHCP server, this scheme will not
792 likely be available. The interim scheme works, allows for failover,
793 and should now be used. The following description is left here for
794 informational purposes only.
795 The ad-hoc Dynamic DNS update scheme implemented in this version of the
797 ISC DHCP server is a prototype design, which does not have much to do
798 with the standard update method that is being standardized in the IETF
799 DHC working group, but rather implements some very basic, yet useful,
800 update capabilities. This mode does not work with the failover proto‐
801 col because it does not account for the possibility of two different
802 DHCP servers updating the same set of DNS records.
803 For the ad-hoc DNS update method, the client's FQDN is derived in two
805 parts. First, the hostname is determined. Then, the domain name is
806 determined, and appended to the hostname.
807 The DHCP server determines the client's hostname by first looking for a
809 ddns-hostname configuration option, and using that if it is present.
810 If no such option is present, the server looks for a valid hostname in
811 the FQDN option sent by the client. If one is found, it is used; oth‐
812 erwise, if the client sent a host-name option, that is used. Other‐
813 wise, if there is a host declaration that applies to the client, the
814 name from that declaration will be used. If none of these applies, the
815 server will not have a hostname for the client, and will not be able to
816 do a DNS update.
817 The domain name is determined from the ddns-domainname configuration
819 option. The default configuration for this option is:
820 option server.ddns-domainname = config-option domain-name;
822 So if this configuration option is not configured to a different value
824 (over-riding the above default), or if a domain-name option has not
825 been configured for the client's scope, then the server will not
826 attempt to perform a DNS update.
827 The client's fully-qualified domain name, derived as we have described,
829 is used as the name on which an "A" record will be stored. The A
830 record will contain the IP address that the client was assigned in its
831 lease. If there is already an A record with the same name in the DNS
832 server, no update of either the A or PTR records will occur - this pre‐
833 vents a client from claiming that its hostname is the name of some net‐
834 work server. For example, if you have a fileserver called
835 "fs.sneedville.edu", and the client claims its hostname is "fs", no DNS
836 update will be done for that client, and an error message will be
837 logged.
838 If the A record update succeeds, a PTR record update for the assigned
840 IP address will be done, pointing to the A record. This update is
841 unconditional - it will be done even if another PTR record of the same
842 name exists. Since the IP address has been assigned to the DHCP
843 server, this should be safe.
844 Please note that the current implementation assumes clients only have a
846 single network interface. A client with two network interfaces will
847 see unpredictable behavior. This is considered a bug, and will be
848 fixed in a later release. It may be helpful to enable the one-lease-
849 per-client parameter so that roaming clients do not trigger this same
850 behavior.
851 The DHCP protocol normally involves a four-packet exchange - first the
853 client sends a DHCPDISCOVER message, then the server sends a DHCPOFFER,
854 then the client sends a DHCPREQUEST, then the server sends a DHCPACK.
855 In the current version of the server, the server will do a DNS update
856 after it has received the DHCPREQUEST, and before it has sent the DHC‐
857 PACK. It only sends the DNS update if it has not sent one for the
858 client's address before, in order to minimize the impact on the DHCP
859 server.
860 When the client's lease expires, the DHCP server (if it is operating at
862 the time, or when next it operates) will remove the client's A and PTR
863 records from the DNS database. If the client releases its lease by
864 sending a DHCPRELEASE message, the server will likewise remove the A
865 and PTR records.
866
868 The interim DNS update scheme operates mostly according to several
869 drafts that are being considered by the IETF and are expected to become
870 standards, but are not yet standards, and may not be standardized
871 exactly as currently proposed. These are:
872 draft-ietf-dhc-ddns-resolution-??.txt
874 draft-ietf-dhc-fqdn-option-??.txt
875 draft-ietf-dnsext-dhcid-rr-??.txt
876 Because our implementation is slightly different than the standard, we
878 will briefly document the operation of this update style here.
879 The first point to understand about this style of DNS update is that
881 unlike the ad-hoc style, the DHCP server does not necessarily always
882 update both the A and the PTR records. The FQDN option includes a
883 flag which, when sent by the client, indicates that the client wishes
884 to update its own A record. In that case, the server can be config‐
885 ured either to honor the client's intentions or ignore them. This is
886 done with the statement allow client-updates; or the statement ignore
887 client-updates;. By default, client updates are allowed.
888 If the server is configured to allow client updates, then if the client
890 sends a fully-qualified domain name in the FQDN option, the server will
891 use that name the client sent in the FQDN option to update the PTR
892 record. For example, let us say that the client is a visitor from the
893 "radish.org" domain, whose hostname is "jschmoe". The server is for
894 the "example.org" domain. The DHCP client indicates in the FQDN
895 option that its FQDN is "jschmoe.radish.org.". It also indicates that
896 it wants to update its own A record. The DHCP server therefore does
897 not attempt to set up an A record for the client, but does set up a PTR
898 record for the IP address that it assigns the client, pointing at
899 jschmoe.radish.org. Once the DHCP client has an IP address, it can
900 update its own A record, assuming that the "radish.org" DNS server will
901 allow it to do so.
902 If the server is configured not to allow client updates, or if the
904 client doesn't want to do its own update, the server will simply choose
905 a name for the client from either the fqdn option (if present) or the
906 hostname option (if present). It will use its own domain name for the
907 client, just as in the ad-hoc update scheme. It will then update both
908 the A and PTR record, using the name that it chose for the client. If
909 the client sends a fully-qualified domain name in the fqdn option, the
910 server uses only the leftmost part of the domain name - in the example
911 above, "jschmoe" instead of "jschmoe.radish.org".
912 Also, if the use-host-decl-names configuration option is enabled, then
914 the host declaration's hostname will be used in place of the hostname
915 option, and the same rules will apply as described above.
916 The other difference between the ad-hoc scheme and the interim scheme
918 is that with the interim scheme, a method is used that allows more than
919 one DHCP server to update the DNS database without accidentally delet‐
920 ing A records that shouldn't be deleted nor failing to add A records
921 that should be added. The scheme works as follows:
922 When the DHCP server issues a client a new lease, it creates a text
924 string that is an MD5 hash over the DHCP client's identification (see
925 draft-ietf-dnsext-dhcid-rr-??.txt for details). The update adds an A
926 record with the name the server chose and a TXT record containing the
927 hashed identifier string (hashid). If this update succeeds, the
928 server is done.
929 If the update fails because the A record already exists, then the DHCP
931 server attempts to add the A record with the prerequisite that there
932 must be a TXT record in the same name as the new A record, and that TXT
933 record's contents must be equal to hashid. If this update succeeds,
934 then the client has its A record and PTR record. If it fails, then
935 the name the client has been assigned (or requested) is in use, and
936 can't be used by the client. At this point the DHCP server gives up
937 trying to do a DNS update for the client until the client chooses a new
938 name.
939 The interim DNS update scheme is called interim for two reasons.
941 First, it does not quite follow the drafts. The current versions of
942 the drafts call for a new DHCID RRtype, but this is not yet available.
943 The interim DNS update scheme uses a TXT record instead. Also, the
944 existing ddns-resolution draft calls for the DHCP server to put a DHCID
945 RR on the PTR record, but the interim update method does not do this.
946 It is our position that this is not useful, and we are working with the
947 author in hopes of removing it from the next version of the draft, or
948 better understanding why it is considered useful.
949 In addition to these differences, the server also does not update very
951 aggressively. Because each DNS update involves a round trip to the DNS
952 server, there is a cost associated with doing updates even if they do
953 not actually modify the DNS database. So the DHCP server tracks
954 whether or not it has updated the record in the past (this information
955 is stored on the lease) and does not attempt to update records that it
956 thinks it has already updated.
957 This can lead to cases where the DHCP server adds a record, and then
959 the record is deleted through some other mechanism, but the server
960 never again updates the DNS because it thinks the data is already
961 there. In this case the data can be removed from the lease through
962 operator intervention, and once this has been done, the DNS will be
963 updated the next time the client renews.
964
966 When you set your DNS server up to allow updates from the DHCP server,
967 you may be exposing it to unauthorized updates. To avoid this, you
968 should use TSIG signatures - a method of cryptographically signing
969 updates using a shared secret key. As long as you protect the secrecy
970 of this key, your updates should also be secure. Note, however, that
971 the DHCP protocol itself provides no security, and that clients can
972 therefore provide information to the DHCP server which the DHCP server
973 will then use in its updates, with the constraints described previ‐
974 ously.
975 The DNS server must be configured to allow updates for any zone that
977 the DHCP server will be updating. For example, let us say that clients
978 in the sneedville.edu domain will be assigned addresses on the
979 10.10.17.0/24 subnet. In that case, you will need a key declaration
980 for the TSIG key you will be using, and also two zone declarations -
981 one for the zone containing A records that will be updates and one for
982 the zone containing PTR records - for ISC BIND, something like this:
983 key DHCP_UPDATER {
985 algorithm hmac-md5;
986 secret pRP5FapFoJ95JEL06sv4PQ==;
987 };
988 zone "example.org" {
990 type master;
991 file "example.org.db";
992 allow-update { key DHCP_UPDATER; };
993 };
994 zone "17.10.10.in-addr.arpa" {
996 type master;
997 file "10.10.17.db";
998 allow-update { key DHCP_UPDATER; };
999 };
1000 You will also have to configure your DHCP server to do updates to these
1002 zones. To do so, you need to add something like this to your
1003 dhcpd.conf file:
1004 key DHCP_UPDATER {
1006 algorithm hmac-md5;
1007 secret pRP5FapFoJ95JEL06sv4PQ==;
1008 };
1009 zone EXAMPLE.ORG. {
1011 primary 127.0.0.1;
1012 key DHCP_UPDATER;
1013 }
1014 zone 17.127.10.in-addr.arpa. {
1016 primary 127.0.0.1;
1017 key DHCP_UPDATER;
1018 }
1019 The primary statement specifies the IP address of the name server whose
1021 zone information is to be updated.
1022 Note that the zone declarations have to correspond to authority records
1024 in your name server - in the above example, there must be an SOA record
1025 for "example.org." and for "17.10.10.in-addr.arpa.". For example, if
1026 there were a subdomain "foo.example.org" with no separate SOA, you
1027 could not write a zone declaration for "foo.example.org." Also keep in
1028 mind that zone names in your DHCP configuration should end in a ".";
1029 this is the preferred syntax. If you do not end your zone name in a
1030 ".", the DHCP server will figure it out. Also note that in the DHCP
1031 configuration, zone names are not encapsulated in quotes where there
1032 are in the DNS configuration.
1033 You should choose your own secret key, of course. The ISC BIND 8 and 9
1035 distributions come with a program for generating secret keys called
1036 dnssec-keygen. The version that comes with BIND 9 is likely to produce
1037 a substantially more random key, so we recommend you use that one even
1038 if you are not using BIND 9 as your DNS server. If you are using BIND
1039 9's dnssec-keygen, the above key would be created as follows:
1040 dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
1042 If you are using the BIND 8 dnskeygen program, the following command
1044 will generate a key as seen above:
1045 dnskeygen -H 128 -u -c -n DHCP_UPDATER
1047 You may wish to enable logging of DNS updates on your DNS server. To
1049 do so, you might write a logging statement like the following:
1050 logging {
1052 channel update_debug {
1053 file "/var/log/update-debug.log";
1054 severity debug 3;
1055 print-category yes;
1056 print-severity yes;
1057 print-time yes;
1058 };
1059 channel security_info {
1060 file "/var/log/named-auth.info";
1061 severity info;
1062 print-category yes;
1063 print-severity yes;
1064 print-time yes;
1065 };
1066 category update { update_debug; };
1068 category security { security_info; };
1069 };
1070 You must create the /var/log/named-auth.info and /var/log/update-
1072 debug.log files before starting the name server. For more information
1073 on configuring ISC BIND, consult the documentation that accompanies it.
1074
1076 There are three kinds of events that can happen regarding a lease, and
1077 it is possible to declare statements that occur when any of these
1078 events happen. These events are the commit event, when the server has
1079 made a commitment of a certain lease to a client, the release event,
1080 when the client has released the server from its commitment, and the
1081 expiry event, when the commitment expires.
1082 To declare a set of statements to execute when an event happens, you
1084 must use the on statement, followed by the name of the event, followed
1085 by a series of statements to execute when the event happens, enclosed
1086 in braces. Events are used to implement DNS updates, so you should
1087 not define your own event handlers if you are using the built-in DNS
1088 update mechanism.
1089 The built-in version of the DNS update mechanism is in a text string
1091 towards the top of server/dhcpd.c. If you want to use events for
1092 things other than DNS updates, and you also want DNS updates, you will
1093 have to start out by copying this code into your dhcpd.conf file and
1094 modifying it.
1095
1097 The include statement
1098 include "filename";
1100 The include statement is used to read in a named file, and process the
1102 contents of that file as though it were entered in place of the include
1103 statement.
1104 The shared-network statement
1106 shared-network name {
1108 [ parameters ]
1109 [ declarations ]
1110 }
1111 The shared-network statement is used to inform the DHCP server that
1113 some IP subnets actually share the same physical network. Any subnets
1114 in a shared network should be declared within a shared-network state‐
1115 ment. Parameters specified in the shared-network statement will be
1116 used when booting clients on those subnets unless parameters provided
1117 at the subnet or host level override them. If any subnet in a shared
1118 network has addresses available for dynamic allocation, those addresses
1119 are collected into a common pool for that shared network and assigned
1120 to clients as needed. There is no way to distinguish on which subnet
1121 of a shared network a client should boot.
1122 Name should be the name of the shared network. This name is used when
1124 printing debugging messages, so it should be descriptive for the shared
1125 network. The name may have the syntax of a valid domain name
1126 (although it will never be used as such), or it may be any arbitrary
1127 name, enclosed in quotes.
1128 The subnet statement
1130 subnet subnet-number netmask netmask {
1132 [ parameters ]
1133 [ declarations ]
1134 }
1135 The subnet statement is used to provide dhcpd with enough information
1137 to tell whether or not an IP address is on that subnet. It may also be
1138 used to provide subnet-specific parameters and to specify what
1139 addresses may be dynamically allocated to clients booting on that sub‐
1140 net. Such addresses are specified using the range declaration.
1141 The subnet-number should be an IP address or domain name which resolves
1143 to the subnet number of the subnet being described. The netmask
1144 should be an IP address or domain name which resolves to the subnet
1145 mask of the subnet being described. The subnet number, together with
1146 the netmask, are sufficient to determine whether any given IP address
1147 is on the specified subnet.
1148 Although a netmask must be given with every subnet declaration, it is
1150 recommended that if there is any variance in subnet masks at a site, a
1151 subnet-mask option statement be used in each subnet declaration to set
1152 the desired subnet mask, since any subnet-mask option statement will
1153 override the subnet mask declared in the subnet statement.
1154 The range statement
1156 range [ dynamic-bootp ] low-address [ high-address];
1158 For any subnet on which addresses will be assigned dynamically, there
1160 must be at least one range statement. The range statement gives the
1161 lowest and highest IP addresses in a range. All IP addresses in the
1162 range should be in the subnet in which the range statement is declared.
1163 The dynamic-bootp flag may be specified if addresses in the specified
1164 range may be dynamically assigned to BOOTP clients as well as DHCP
1165 clients. When specifying a single address, high-address can be omit‐
1166 ted.
1167 The host statement
1169 host hostname {
1171 [ parameters ]
1172 [ declarations ]
1173 }
1174 The host declaration provides a scope in which to provide configuration
1176 information about a specific client, and also provides a way to assign
1177 a client a fixed address. The host declaration provides a way for the
1178 DHCP server to identify a DHCP or BOOTP client, and also a way to
1179 assign the client a static IP address.
1180 If it is desirable to be able to boot a DHCP or BOOTP client on more
1182 than one subnet with fixed addresses, more than one address may be
1183 specified in the fixed-address declaration, or more than one host
1184 statement may be specified matching the same client.
1185 If client-specific boot parameters must change based on the network to
1187 which the client is attached, then multiple host declarations should be
1188 used. The host declarations will only match a client if one of their
1189 fixed-address statements is viable on the subnet (or shared network)
1190 where the client is attached. Conversely, for a host declaration to
1191 match a client being allocated a dynamic address, it must not have any
1192 fixed-address statements. You may therefore need a mixture of host
1193 declarations for any given client...some having fixed-address state‐
1194 ments, others without.
1195 hostname should be a name identifying the host. If a hostname option
1197 is not specified for the host, hostname is used.
1198 Host declarations are matched to actual DHCP or BOOTP clients by match‐
1200 ing the dhcp-client-identifier option specified in the host declaration
1201 to the one supplied by the client, or, if the host declaration or the
1202 client does not provide a dhcp-client-identifier option, by matching
1203 the hardware parameter in the host declaration to the network hardware
1204 address supplied by the client. BOOTP clients do not normally provide
1205 a dhcp-client-identifier, so the hardware address must be used for all
1206 clients that may boot using the BOOTP protocol.
1207 Please be aware that only the dhcp-client-identifier option and the
1209 hardware address can be used to match a host declaration. For exam‐
1210 ple, it is not possible to match a host declaration to a host-name
1211 option. This is because the host-name option cannot be guaranteed to
1212 be unique for any given client, whereas both the hardware address and
1213 dhcp-client-identifier option are at least theoretically guaranteed to
1214 be unique to a given client.
1215 The group statement
1217 group {
1219 [ parameters ]
1220 [ declarations ]
1221 }
1222 The group statement is used simply to apply one or more parameters to a
1224 group of declarations. It can be used to group hosts, shared net‐
1225 works, subnets, or even other groups.
1226
1228 The allow and deny statements can be used to control the response of
1229 the DHCP server to various sorts of requests. The allow and deny key‐
1230 words actually have different meanings depending on the context. In a
1231 pool context, these keywords can be used to set up access lists for
1232 address allocation pools. In other contexts, the keywords simply con‐
1233 trol general server behavior with respect to clients based on scope.
1234 In a non-pool context, the ignore keyword can be used in place of the
1235 deny keyword to prevent logging of denied requests.
1236
1238 The following usages of allow and deny will work in any scope, although
1239 it is not recommended that they be used in pool declarations.
1240 The unknown-clients keyword
1242 allow unknown-clients;
1244 deny unknown-clients;
1245 ignore unknown-clients;
1246 The unknown-clients flag is used to tell dhcpd whether or not to dynam‐
1248 ically assign addresses to unknown clients. Dynamic address assign‐
1249 ment to unknown clients is allowed by default. An unknown client is
1250 simply a client that has no host declaration.
1251 The use of this option is now deprecated. If you are trying to
1253 restrict access on your network to known clients, you should use deny
1254 unknown-clients; inside of your address pool, as described under the
1255 heading ALLOW AND DENY WITHIN POOL DECLARAIONS.
1256 The bootp keyword
1258 allow bootp;
1260 deny bootp;
1261 ignore bootp;
1262 The bootp flag is used to tell dhcpd whether or not to respond to bootp
1264 queries. Bootp queries are allowed by default.
1265 This option does not satisfy the requirement of failover peers for
1267 denying dynamic bootp clients. The deny dynamic bootp clients; option
1268 should be used instead. See the ALLOW AND DENY WITHIN POOL DECLARATIONS
1269 section of this man page for more details.
1270 The booting keyword
1272 allow booting;
1274 deny booting;
1275 ignore booting;
1276 The booting flag is used to tell dhcpd whether or not to respond to
1278 queries from a particular client. This keyword only has meaning when
1279 it appears in a host declaration. By default, booting is allowed, but
1280 if it is disabled for a particular client, then that client will not be
1281 able to get an address from the DHCP server.
1282 The duplicates keyword
1284 allow duplicates;
1286 deny duplicates;
1287 Host declarations can match client messages based on the DHCP Client
1289 Identifer option or based on the client's network hardware type and MAC
1290 address. If the MAC address is used, the host declaration will match
1291 any client with that MAC address - even clients with different client
1292 identifiers. This doesn't normally happen, but is possible when one
1293 computer has more than one operating system installed on it - for exam‐
1294 ple, Microsoft Windows and NetBSD or Linux.
1295 The duplicates flag tells the DHCP server that if a request is received
1297 from a client that matches the MAC address of a host declaration, any
1298 other leases matching that MAC address should be discarded by the
1299 server, even if the UID is not the same. This is a violation of the
1300 DHCP protocol, but can prevent clients whose client identifiers change
1301 regularly from holding many leases at the same time. By default,
1302 duplicates are allowed.
1303 The declines keyword
1305 allow declines;
1307 deny declines;
1308 ignore declines;
1309 The DHCPDECLINE message is used by DHCP clients to indicate that the
1311 lease the server has offered is not valid. When the server receives a
1312 DHCPDECLINE for a particular address, it normally abandons that
1313 address, assuming that some unauthorized system is using it. Unfortu‐
1314 nately, a malicious or buggy client can, using DHCPDECLINE messages,
1315 completely exhaust the DHCP server's allocation pool. The server will
1316 reclaim these leases, but while the client is running through the pool,
1317 it may cause serious thrashing in the DNS, and it will also cause the
1318 DHCP server to forget old DHCP client address allocations.
1319 The declines flag tells the DHCP server whether or not to honor DHCPDE‐
1321 CLINE messages. If it is set to deny or ignore in a particular scope,
1322 the DHCP server will not respond to DHCPDECLINE messages.
1323 The client-updates keyword
1325 allow client-updates;
1327 deny client-updates;
1328 The client-updates flag tells the DHCP server whether or not to honor
1330 the client's intention to do its own update of its A record. This is
1331 only relevant when doing interim DNS updates. See the documentation
1332 under the heading THE INTERIM DNS UPDATE SCHEME for details.
1333
1335 The uses of the allow and deny keywords shown in the previous section
1336 work pretty much the same way whether the client is sending a DHCPDIS‐
1337 COVER or a DHCPREQUEST message - an address will be allocated to the
1338 client (either the old address it's requesting, or a new address) and
1339 then that address will be tested to see if it's okay to let the client
1340 have it. If the client requested it, and it's not okay, the server
1341 will send a DHCPNAK message. Otherwise, the server will simply not
1342 respond to the client. If it is okay to give the address to the
1343 client, the server will send a DHCPACK message.
1344 The primary motivation behind pool declarations is to have address
1346 allocation pools whose allocation policies are different. A client
1347 may be denied access to one pool, but allowed access to another pool on
1348 the same network segment. In order for this to work, access control
1349 has to be done during address allocation, not after address allocation
1350 is done.
1351 When a DHCPREQUEST message is processed, address allocation simply con‐
1353 sists of looking up the address the client is requesting and seeing if
1354 it's still available for the client. If it is, then the DHCP server
1355 checks both the address pool permit lists and the relevant in-scope
1356 allow and deny statements to see if it's okay to give the lease to the
1357 client. In the case of a DHCPDISCOVER message, the allocation process
1358 is done as described previously in the ADDRESS ALLOCATION section.
1359 When declaring permit lists for address allocation pools, the following
1361 syntaxes are recognized following the allow or deny keywords:
1362 known-clients;
1364 If specified, this statement either allows or prevents allocation from
1366 this pool to any client that has a host declaration (i.e., is known).
1367 A client is known if it has a host declaration in any scope, not just
1368 the current scope.
1369 unknown-clients;
1371 If specified, this statement either allows or prevents allocation from
1373 this pool to any client that has no host declaration (i.e., is not
1374 known).
1375 members of "class";
1377 If specified, this statement either allows or prevents allocation from
1379 this pool to any client that is a member of the named class.
1380 dynamic bootp clients;
1382 If specified, this statement either allows or prevents allocation from
1384 this pool to any bootp client.
1385 authenticated clients;
1387 If specified, this statement either allows or prevents allocation from
1389 this pool to any client that has been authenticated using the DHCP
1390 authentication protocol. This is not yet supported.
1391 unauthenticated clients;
1393 If specified, this statement either allows or prevents allocation from
1395 this pool to any client that has not been authenticated using the DHCP
1396 authentication protocol. This is not yet supported.
1397 all clients;
1399 If specified, this statement either allows or prevents allocation from
1401 this pool to all clients. This can be used when you want to write a
1402 pool declaration for some reason, but hold it in reserve, or when you
1403 want to renumber your network quickly, and thus want the server to
1404 force all clients that have been allocated addresses from this pool to
1405 obtain new addresses immediately when they next renew.
1406
1408 The always-broadcast statement
1409 always-broadcast flag;
1411 The DHCP and BOOTP protocols both require DHCP and BOOTP clients to
1413 set the broadcast bit in the flags field of the BOOTP message header.
1414 Unfortunately, some DHCP and BOOTP clients do not do this, and there‐
1415 fore may not receive responses from the DHCP server. The DHCP
1416 server can be made to always broadcast its responses to clients by
1417 setting this flag to 'on' for the relevant scope; relevant scopes
1418 would be inside a conditional statement, as a parameter for a class,
1419 or as a parameter for a host declaration. To avoid creating excess
1420 broadcast traffic on your network, we recommend that you restrict the
1421 use of this option to as few clients as possible. For example, the
1422 Microsoft DHCP client is known not to have this problem, as are the
1423 OpenTransport and ISC DHCP clients.
1424 The always-reply-rfc1048 statement
1426 always-reply-rfc1048 flag;
1428 Some BOOTP clients expect RFC1048-style responses, but do not follow
1430 RFC1048 when sending their requests. You can tell that a client is
1431 having this problem if it is not getting the options you have config‐
1432 ured for it and if you see in the server log the message "(non-
1433 rfc1048)" printed with each BOOTREQUEST that is logged.
1434 If you want to send rfc1048 options to such a client, you can set the
1436 always-reply-rfc1048 option in that client's host declaration, and
1437 the DHCP server will respond with an RFC-1048-style vendor options
1438 field. This flag can be set in any scope, and will affect all
1439 clients covered by that scope.
1440 The authoritative statement
1442 authoritative;
1444 not authoritative;
1446 The DHCP server will normally assume that the configuration informa‐
1448 tion about a given network segment is not known to be correct and is
1449 not authoritative. This is so that if a naive user installs a DHCP
1450 server not fully understanding how to configure it, it does not send
1451 spurious DHCPNAK messages to clients that have obtained addresses
1452 from a legitimate DHCP server on the network.
1453 Network administrators setting up authoritative DHCP servers for
1455 their networks should always write authoritative; at the top of their
1456 configuration file to indicate that the DHCP server should send DHCP‐
1457 NAK messages to misconfigured clients. If this is not done, clients
1458 will be unable to get a correct IP address after changing subnets
1459 until their old lease has expired, which could take quite a long
1460 time.
1461 Usually, writing authoritative; at the top level of the file should
1463 be sufficient. However, if a DHCP server is to be set up so that it
1464 is aware of some networks for which it is authoritative and some net‐
1465 works for which it is not, it may be more appropriate to declare
1466 authority on a per-network-segment basis.
1467 Note that the most specific scope for which the concept of authority
1469 makes any sense is the physical network segment - either a shared-
1470 network statement or a subnet statement that is not contained within
1471 a shared-network statement. It is not meaningful to specify that the
1472 server is authoritative for some subnets within a shared network, but
1473 not authoritative for others, nor is it meaningful to specify that
1474 the server is authoritative for some host declarations and not oth‐
1475 ers.
1476 The boot-unknown-clients statement
1478 boot-unknown-clients flag;
1480 If the boot-unknown-clients statement is present and has a value of
1482 false or off, then clients for which there is no host declaration
1483 will not be allowed to obtain IP addresses. If this statement is
1484 not present or has a value of true or on, then clients without host
1485 declarations will be allowed to obtain IP addresses, as long as those
1486 addresses are not restricted by allow and deny statements within
1487 their pool declarations.
1488 The ddns-hostname statement
1490 ddns-hostname name;
1492 The name parameter should be the hostname that will be used in set‐
1494 ting up the client's A and PTR records. If no ddns-hostname is
1495 specified in scope, then the server will derive the hostname automat‐
1496 ically, using an algorithm that varies for each of the different
1497 update methods.
1498 The ddns-domainname statement
1500 ddns-domainname name;
1502 The name parameter should be the domain name that will be appended to
1504 the client's hostname to form a fully-qualified domain-name (FQDN).
1505 The ddns-rev-domainname statement
1507 ddns-rev-domainname name; The name parameter should be the domain
1509 name that will be appended to the client's reversed IP address to
1510 produce a name for use in the client's PTR record. By default, this
1511 is "in-addr.arpa.", but the default can be overridden here.
1512 The reversed IP address to which this domain name is appended is
1514 always the IP address of the client, in dotted quad notation,
1515 reversed - for example, if the IP address assigned to the client is
1516 10.17.92.74, then the reversed IP address is 74.92.17.10. So a
1517 client with that IP address would, by default, be given a PTR record
1518 of 10.17.92.74.in-addr.arpa.
1519 The ddns-update-style parameter
1521 ddns-update-style style;
1523 The style parameter must be one of ad-hoc, interim or none. The
1525 ddns-update-style statement is only meaningful in the outer scope -
1526 it is evaluated once after reading the dhcpd.conf file, rather than
1527 each time a client is assigned an IP address, so there is no way to
1528 use different DNS update styles for different clients.
1529 The ddns-updates statement
1531 ddns-updates flag;
1533 The ddns-updates parameter controls whether or not the server will
1535 attempt to do a DNS update when a lease is confirmed. Set this to
1536 off if the server should not attempt to do updates within a certain
1537 scope. The ddns-updates parameter is on by default. To disable DNS
1538 updates in all scopes, it is preferable to use the ddns-update-style
1539 statement, setting the style to none.
1540 The default-lease-time statement
1542 default-lease-time time;
1544 Time should be the length in seconds that will be assigned to a lease
1546 if the client requesting the lease does not ask for a specific expi‐
1547 ration time.
1548 The do-forward-updates statement
1550 do-forward-updates flag;
1552 The do-forward-updates statement instructs the DHCP server as to
1554 whether it should attempt to update a DHCP client's A record when the
1555 client acquires or renews a lease. This statement has no effect
1556 unless DNS updates are enabled and ddns-update-style is set to
1557 interim. Forward updates are enabled by default. If this state‐
1558 ment is used to disable forward updates, the DHCP server will never
1559 attempt to update the client's A record, and will only ever attempt
1560 to update the client's PTR record if the client supplies an FQDN that
1561 should be placed in the PTR record using the fqdn option. If forward
1562 updates are enabled, the DHCP server will still honor the setting of
1563 the client-updates flag.
1564 The dynamic-bootp-lease-cutoff statement
1566 dynamic-bootp-lease-cutoff date;
1568 The dynamic-bootp-lease-cutoff statement sets the ending time for all
1570 leases assigned dynamically to BOOTP clients. Because BOOTP clients
1571 do not have any way of renewing leases, and don't know that their
1572 leases could expire, by default dhcpd assignes infinite leases to all
1573 BOOTP clients. However, it may make sense in some situations to set
1574 a cutoff date for all BOOTP leases - for example, the end of a school
1575 term, or the time at night when a facility is closed and all machines
1576 are required to be powered off.
1577 Date should be the date on which all assigned BOOTP leases will end.
1579 The date is specified in the form:
1580 W YYYY/MM/DD HH:MM:SS
1582 W is the day of the week expressed as a number from zero (Sunday) to
1584 six (Saturday). YYYY is the year, including the century. MM is the
1585 month expressed as a number from 1 to 12. DD is the day of the
1586 month, counting from 1. HH is the hour, from zero to 23. MM is the
1587 minute and SS is the second. The time is always in Coordinated Uni‐
1588 versal Time (UTC), not local time.
1589 The dynamic-bootp-lease-length statement
1591 dynamic-bootp-lease-length length;
1593 The dynamic-bootp-lease-length statement is used to set the length of
1595 leases dynamically assigned to BOOTP clients. At some sites, it may
1596 be possible to assume that a lease is no longer in use if its holder
1597 has not used BOOTP or DHCP to get its address within a certain time
1598 period. The period is specified in length as a number of seconds.
1599 If a client reboots using BOOTP during the timeout period, the lease
1600 duration is reset to length, so a BOOTP client that boots frequently
1601 enough will never lose its lease. Needless to say, this parameter
1602 should be adjusted with extreme caution.
1603 The filename statement
1605 filename "filename";
1607 The filename statement can be used to specify the name of the initial
1609 boot file which is to be loaded by a client. The filename should be
1610 a filename recognizable to whatever file transfer protocol the client
1611 can be expected to use to load the file.
1612 The fixed-address declaration
1614 fixed-address address [, address ... ];
1616 The fixed-address declaration is used to assign one or more fixed IP
1618 addresses to a client. It should only appear in a host declaration.
1619 If more than one address is supplied, then when the client boots, it
1620 will be assigned the address that corresponds to the network on which
1621 it is booting. If none of the addresses in the fixed-address state‐
1622 ment are valid for the network to which the client is connected, that
1623 client will not match the host declaration containing that fixed-
1624 address declaration. Each address in the fixed-address declaration
1625 should be either an IP address or a domain name that resolves to one
1626 or more IP addresses.
1627 The get-lease-hostnames statement
1629 get-lease-hostnames flag;
1631 The get-lease-hostnames statement is used to tell dhcpd whether or
1633 not to look up the domain name corresponding to the IP address of
1634 each address in the lease pool and use that address for the DHCP
1635 hostname option. If flag is true, then this lookup is done for all
1636 addresses in the current scope. By default, or if flag is false, no
1637 lookups are done.
1638 The hardware statement
1640 hardware hardware-type hardware-address;
1642 In order for a BOOTP client to be recognized, its network hardware
1644 address must be declared using a hardware clause in the host state‐
1645 ment. hardware-type must be the name of a physical hardware inter‐
1646 face type. Currently, only the ethernet and token-ring types are
1647 recognized, although support for a fddi hardware type (and others)
1648 would also be desirable. The hardware-address should be a set of
1649 hexadecimal octets (numbers from 0 through ff) separated by colons.
1650 The hardware statement may also be used for DHCP clients.
1651 The lease-file-name statement
1653 lease-file-name name;
1655 Name should be the name of the DHCP server's lease file. By
1657 default, this is /var/lib/dhcpd/dhcpd.leases. This statement must
1658 appear in the outer scope of the configuration file - if it appears
1659 in some other scope, it will have no effect.
1660 The local-port statement
1662 local-port port;
1664 This statement causes the DHCP server to listen for DHCP requests on
1666 the UDP port specified in port, rather than on port 67.
1667 The local-address statement
1669 local-address address;
1671 This statement causes the DHCP server to listen for DHCP requests
1673 sent to the specified address, rather than requests sent to all
1674 addresses. Since serving directly attached DHCP clients implies that
1675 the server must respond to requests sent to the all-ones IP address,
1676 this option cannot be used if clients are on directly attached net‐
1677 works...it is only realistically useful for a server whose only
1678 clients are reached via unicasts, such as via DHCP relay agents.
1679 Note: This statement is only effective if the server was compiled
1681 using the USE_SOCKETS #define statement, which is default on a small
1682 number of operating systems, and must be explicitly chosen at com‐
1683 pile-time for all others. You can be sure if your server is compiled
1684 with USE_SOCKETS if you see lines of this format at startup:
1685 Listening on Socket/eth0
1687 Note also that since this bind()s all DHCP sockets to the specified
1689 address, that only one address may be supported in a daemon at a
1690 given time.
1691 The log-facility statement
1693 log-facility facility;
1695 This statement causes the DHCP server to do all of its logging on the
1697 specified log facility once the dhcpd.conf file has been read. By
1698 default the DHCP server logs to the daemon facility. Possible log
1699 facilities include auth, authpriv, cron, daemon, ftp, kern, lpr,
1700 mail, mark, news, ntp, security, syslog, user, uucp, and local0
1701 through local7. Not all of these facilities are available on all
1702 systems, and there may be other facilities available on other sys‐
1703 tems.
1704 In addition to setting this value, you may need to modify your sys‐
1706 log.conf file to configure logging of the DHCP server. For example,
1707 you might add a line like this:
1708 local7.debug /var/log/dhcpd.log
1710 The syntax of the syslog.conf file may be different on some operating
1712 systems - consult the syslog.conf manual page to be sure. To get
1713 syslog to start logging to the new file, you must first create the
1714 file with correct ownership and permissions (usually, the same owner
1715 and permissions of your /var/log/messages or /usr/adm/messages file
1716 should be fine) and send a SIGHUP to syslogd. Some systems support
1717 log rollover using a shell script or program called newsyslog or
1718 logrotate, and you may be able to configure this as well so that your
1719 log file doesn't grow uncontrollably.
1720 Because the log-facility setting is controlled by the dhcpd.conf
1722 file, log messages printed while parsing the dhcpd.conf file or
1723 before parsing it are logged to the default log facility. To prevent
1724 this, see the README file included with this distribution, which
1725 describes how to change the default log facility. When this parame‐
1726 ter is used, the DHCP server prints its startup message a second time
1727 after parsing the configuration file, so that the log will be as com‐
1728 plete as possible.
1729 The max-lease-time statement
1731 max-lease-time time;
1733 Time should be the maximum length in seconds that will be assigned to
1735 a lease. The only exception to this is that Dynamic BOOTP lease
1736 lengths, which are not specified by the client, are not limited by
1737 this maximum.
1738 The min-lease-time statement
1740 min-lease-time time;
1742 Time should be the minimum length in seconds that will be assigned to
1744 a lease.
1745 The min-secs statement
1747 min-secs seconds;
1749 Seconds should be the minimum number of seconds since a client began
1751 trying to acquire a new lease before the DHCP server will respond to
1752 its request. The number of seconds is based on what the client
1753 reports, and the maximum value that the client can report is 255 sec‐
1754 onds. Generally, setting this to one will result in the DHCP server
1755 not responding to the client's first request, but always responding
1756 to its second request.
1757 This can be used to set up a secondary DHCP server which never offers
1759 an address to a client until the primary server has been given a
1760 chance to do so. If the primary server is down, the client will
1761 bind to the secondary server, but otherwise clients should always
1762 bind to the primary. Note that this does not, by itself, permit a
1763 primary server and a secondary server to share a pool of dynamically-
1764 allocatable addresses.
1765 The next-server statement
1767 next-server server-name;
1769 The next-server statement is used to specify the host address of the
1771 server from which the initial boot file (specified in the filename
1772 statement) is to be loaded. Server-name should be a numeric IP
1773 address or a domain name.
1774 The omapi-port statement
1776 omapi-port port;
1778 The omapi-port statement causes the DHCP server to listen for OMAPI
1780 connections on the specified port. This statement is required to
1781 enable the OMAPI protocol, which is used to examine and modify the
1782 state of the DHCP server as it is running.
1783 The one-lease-per-client statement
1785 one-lease-per-client flag;
1787 If this flag is enabled, whenever a client sends a DHCPREQUEST for a
1789 particular lease, the server will automatically free any other leases
1790 the client holds. This presumes that when the client sends a
1791 DHCPREQUEST, it has forgotten any lease not mentioned in the DHCPRE‐
1792 QUEST - i.e., the client has only a single network interface and it
1793 does not remember leases it's holding on networks to which it is not
1794 currently attached. Neither of these assumptions are guaranteed or
1795 provable, so we urge caution in the use of this statement.
1796 The pid-file-name statement
1798 pid-file-name name;
1800 Name should be the name of the DHCP server's process ID file. This
1802 is the file in which the DHCP server's process ID is stored when the
1803 server starts. By default, this is /var/run/dhcpd.pid. Like the
1804 lease-file-name statement, this statement must appear in the outer
1805 scope of the configuration file.
1806 The ping-check statement
1808 ping-check flag;
1810 When the DHCP server is considering dynamically allocating an IP
1812 address to a client, it first sends an ICMP Echo request (a ping) to
1813 the address being assigned. It waits for a second, and if no ICMP
1814 Echo response has been heard, it assigns the address. If a response
1815 is heard, the lease is abandoned, and the server does not respond to
1816 the client.
1817 This ping check introduces a default one-second delay in responding
1819 to DHCPDISCOVER messages, which can be a problem for some clients.
1820 The default delay of one second may be configured using the ping-
1821 timeout parameter. The ping-check configuration parameter can be
1822 used to control checking - if its value is false, no ping check is
1823 done.
1824 The ping-timeout statement
1826 ping-timeout seconds;
1828 If the DHCP server determined it should send an ICMP echo request (a
1830 ping) because the ping-check statement is true, ping-timeout allows
1831 you to configure how many seconds the DHCP server should wait for an
1832 ICMP Echo response to be heard, if no ICMP Echo response has been
1833 received before the timeout expires, it assigns the address. If a
1834 response is heard, the lease is abandoned, and the server does not
1835 respond to the client. If no value is set, ping-timeout defaults to
1836 1 second.
1837 The remote-port statement
1839 remote-port port;
1841 This statement causes the DHCP server to transmit DHCP responses to
1843 DHCP clients upon the UDP port specified in port, rather than on port
1844 68. In the event that the UDP response is transmitted to a DHCP
1845 Relay, the server generally uses the local-port configuration value.
1846 Should the DHCP Relay happen to be addressed as 127.0.0.1, however,
1847 the DHCP Server transmits its response to the remote-port configura‐
1848 tion value. This is generally only useful for testing purposes, and
1849 this configuratoin value should generally not be used.
1850 The server-identifier statement
1852 server-identifier hostname;
1854 The server-identifier statement can be used to define the value that
1856 is sent in the DHCP Server Identifier option for a given scope. The
1857 value specified must be an IP address for the DHCP server, and must
1858 be reachable by all clients served by a particular scope.
1859 The use of the server-identifier statement is not recommended - the
1861 only reason to use it is to force a value other than the default
1862 value to be sent on occasions where the default value would be incor‐
1863 rect. The default value is the first IP address associated with the
1864 physical network interface on which the request arrived.
1865 The usual case where the server-identifier statement needs to be sent
1867 is when a physical interface has more than one IP address, and the
1868 one being sent by default isn't appropriate for some or all clients
1869 served by that interface. Another common case is when an alias is
1870 defined for the purpose of having a consistent IP address for the
1871 DHCP server, and it is desired that the clients use this IP address
1872 when contacting the server.
1873 Supplying a value for the dhcp-server-identifier option is equivalent
1875 to using the server-identifier statement.
1876 The server-name statement
1878 server-name name ;
1880 The server-name statement can be used to inform the client of the
1882 name of the server from which it is booting. Name should be the
1883 name that will be provided to the client.
1884 The site-option-space statement
1886 site-option-space name ;
1888 The site-option-space statement can be used to determine from what
1890 option space site-local options will be taken. This can be used in
1891 much the same way as the vendor-option-space statement. Site-local
1892 options in DHCP are those options whose numeric codes are greater
1893 than 128. These options are intended for site-specific uses, but
1894 are frequently used by vendors of embedded hardware that contains
1895 DHCP clients. Because site-specific options are allocated on an ad
1896 hoc basis, it is quite possible that one vendor's DHCP client might
1897 use the same option code that another vendor's client uses, for dif‐
1898 ferent purposes. The site-option-space option can be used to assign
1899 a different set of site-specific options for each such vendor, using
1900 conditional evaluation (see dhcp-eval (5) for details).
1901 The stash-agent-options statement
1903 stash-agent-options flag;
1905 If the stash-agent-options parameter is true for a given client, the
1907 server will record the relay agent information options sent during
1908 the client's initial DHCPREQUEST message when the client was in the
1909 SELECTING state and behave as if those options are included in all
1910 subsequent DHCPREQUEST messages sent in the RENEWING state. This
1911 works around a problem with relay agent information options, which is
1912 that they usually not appear in DHCPREQUEST messages sent by the
1913 client in the RENEWING state, because such messages are unicast
1914 directly to the server and not sent through a relay agent.
1915 The update-optimization statement
1917 update-optimization flag;
1919 If the update-optimization parameter is false for a given client, the
1921 server will attempt a DNS update for that client each time the client
1922 renews its lease, rather than only attempting an update when it
1923 appears to be necessary. This will allow the DNS to heal from data‐
1924 base inconsistencies more easily, but the cost is that the DHCP
1925 server must do many more DNS updates. We recommend leaving this
1926 option enabled, which is the default. This option only affects the
1927 behavior of the interim DNS update scheme, and has no effect on the
1928 ad-hoc DNS update scheme. If this parameter is not specified, or is
1929 true, the DHCP server will only update when the client information
1930 changes, the client gets a different lease, or the client's lease
1931 expires.
1932 The update-static-leases statement
1934 update-static-leases flag;
1936 The update-static-leases flag, if enabled, causes the DHCP server to
1938 do DNS updates for clients even if those clients are being assigned
1939 their IP address using a fixed-address statement - that is, the
1940 client is being given a static assignment. This can only work with
1941 the interim DNS update scheme. It is not recommended because the
1942 DHCP server has no way to tell that the update has been done, and
1943 therefore will not delete the record when it is not in use. Also,
1944 the server must attempt the update each time the client renews its
1945 lease, which could have a significant performance impact in environ‐
1946 ments that place heavy demands on the DHCP server.
1947 The use-host-decl-names statement
1949 use-host-decl-names flag;
1951 If the use-host-decl-names parameter is true in a given scope, then
1953 for every host declaration within that scope, the name provided for
1954 the host declaration will be supplied to the client as its hostname.
1955 So, for example,
1956 group {
1958 use-host-decl-names on;
1959 host joe {
1961 hardware ethernet 08:00:2b:4c:29:32;
1962 fixed-address joe.fugue.com;
1963 }
1964 }
1965 is equivalent to
1967 host joe {
1969 hardware ethernet 08:00:2b:4c:29:32;
1970 fixed-address joe.fugue.com;
1971 option host-name "joe";
1972 }
1973 An option host-name statement within a host declaration will override
1975 the use of the name in the host declaration.
1976 It should be noted here that most DHCP clients completely ignore the
1978 host-name option sent by the DHCP server, and there is no way to con‐
1979 figure them not to do this. So you generally have a choice of
1980 either not having any hostname to client IP address mapping that the
1981 client will recognize, or doing DNS updates. It is beyond the scope
1982 of this document to describe how to make this determination.
1983 The use-lease-addr-for-default-route statement
1985 use-lease-addr-for-default-route flag;
1987 If the use-lease-addr-for-default-route parameter is true in a given
1989 scope, then instead of sending the value specified in the routers
1990 option (or sending no value at all), the IP address of the lease
1991 being assigned is sent to the client. This supposedly causes Win95
1992 machines to ARP for all IP addresses, which can be helpful if your
1993 router is configured for proxy ARP. The use of this feature is not
1994 recommended, because it won't work for many DHCP clients.
1995 The vendor-option-space statement
1997 vendor-option-space string;
1999 The vendor-option-space parameter determines from what option space
2001 vendor options are taken. The use of this configuration parameter
2002 is illustrated in the dhcp-options(5) manual page, in the VENDOR
2003 ENCAPSULATED OPTIONS section.
2004
2006 Sometimes it's helpful to be able to set the value of a DHCP server
2007 parameter based on some value that the client has sent. To do this,
2008 you can use expression evaluation. The dhcp-eval(5) manual page
2009 describes how to write expressions. To assign the result of an evalu‐
2010 ation to an option, define the option as follows:
2011 my-parameter = expression ;
2013 For example:
2015 ddns-hostname = binary-to-ascii (16, 8, "-",
2017 substring (hardware, 1, 6));
2018
2020 DHCP option statements are documented in the dhcp-options(5) manual
2021 page.
2022
2024 Expressions used in DHCP option statements and elsewhere are documented
2025 in the dhcp-eval(5) manual page.
2026
2028 dhcpd(8), dhcpd.leases(5), dhcp-options(5), dhcp-eval(5), RFC2132,
2029 RFC2131.
2030
2032 dhcpd.conf(5) was written by Ted Lemon under a contract with Vixie
2033 Labs. Funding for this project was provided by Internet Systems Con‐
2034 sortium. Information about Internet Systems Consortium can be found at
2035 http://www.isc.org.
2036 dhcpd.conf(5)