diff options
-rw-r--r-- | docs/interfaces/addresses.rst | 2 | ||||
-rw-r--r-- | docs/interfaces/geneve.rst | 19 | ||||
-rw-r--r-- | docs/routing/arp.rst | 8 | ||||
-rw-r--r-- | docs/services/dhcp.rst | 206 | ||||
-rw-r--r-- | docs/services/dns-forwarding.rst | 125 | ||||
-rw-r--r-- | docs/services/dynamic-dns.rst | 52 | ||||
-rw-r--r-- | docs/services/lldp.rst | 33 |
7 files changed, 228 insertions, 217 deletions
diff --git a/docs/interfaces/addresses.rst b/docs/interfaces/addresses.rst index 034fb0ef..709490c8 100644 --- a/docs/interfaces/addresses.rst +++ b/docs/interfaces/addresses.rst @@ -13,7 +13,7 @@ addresses might be: .. cfgcmd:: set interfaces ethernet eth0 description 'OUTSIDE' -An interface description is assigned using the following command: + An interface description is assigned using the following command: IPv4 ^^^^ diff --git a/docs/interfaces/geneve.rst b/docs/interfaces/geneve.rst index 252668c1..dc762738 100644 --- a/docs/interfaces/geneve.rst +++ b/docs/interfaces/geneve.rst @@ -34,21 +34,22 @@ Geneve Header: .. cfgcmd:: set interfaces geneve gnv0 address '192.0.2.2/24' -Create GENEVE tunnel listening on local address `192.0.2.2/24`. + Create GENEVE tunnel listening on local address `192.0.2.2/24`. .. cfgcmd:: set interfaces geneve gnv0 remote '172.18.204.10' -Specify the IP address of the other end of the tunnel. + Specify the IP address of the other end of the tunnel. .. cfgcmd:: set interfaces geneve gnv0 vni '1000' -:abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique element -of a virtual network. In many situations this may represent an L2 segment, -however, the control plane defines the forwarding semantics of decapsulated -packets. The VNI MAY be used as part of ECMP forwarding decisions or MAY be -used as a mechanism to distinguish between overlapping address spaces contained -in the encapsulated packet when load balancing across CPUs. + :abbr:`VNI (Virtual Network Identifier)` is an identifier for a unique + element of a virtual network. In many situations this may represent an L2 + segment, however, the control plane defines the forwarding semantics of + decapsulated packets. The VNI MAY be used as part of ECMP forwarding + decisions or MAY be used as a mechanism to distinguish between overlapping + address spaces contained in the encapsulated packet when load balancing + across CPUs. .. cfgcmd:: set interfaces geneve gnv0 mtu -Set interface :abbr:`MTU (Maximum Transfer Unit)` size. + Set interface :abbr:`MTU (Maximum Transfer Unit)` size. diff --git a/docs/routing/arp.rst b/docs/routing/arp.rst index 96a6ffeb..70d83503 100644 --- a/docs/routing/arp.rst +++ b/docs/routing/arp.rst @@ -21,15 +21,15 @@ Configure .. cfgcmd:: set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa -This will configure a static ARP entry always resolving `192.0.2.100` to -`00:53:27:de:23:aa` + This will configure a static ARP entry always resolving `192.0.2.100` to + `00:53:27:de:23:aa` Operation ========= .. opcmd:: show protocols static arp -Display all known ARP table entries spanning accross all interfaces + Display all known ARP table entries spanning accross all interfaces .. code-block:: none @@ -41,7 +41,7 @@ Display all known ARP table entries spanning accross all interfaces .. opcmd:: show protocols static arp interface eth1 -Display all known ARP table entries on a given interface only (`eth1`): + Display all known ARP table entries on a given interface only (`eth1`): .. code-block:: none diff --git a/docs/services/dhcp.rst b/docs/services/dhcp.rst index 1303395a..19c92aac 100644 --- a/docs/services/dhcp.rst +++ b/docs/services/dhcp.rst @@ -52,38 +52,37 @@ Explanation .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample authoritative -This says that this device is the only DHCP server for this network. If other -devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to -any device trying to request an IP address that is -not valid for this network. + This says that this device is the only DHCP server for this network. If other + devices are trying to offer DHCP leases, this machine will send 'DHCPNAK' to + any device trying to request an IP address that is not valid for this + network. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 default-router 192.0.2.1 -This is a configuration parameter for the subnet, saying that as part of the -response, tell the client that I am the default router for this network + This is a configuration parameter for the subnet, saying that as part of the + response, tell the client that I am the default router for this network. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 dns-server 192.0.2.1 -This is a configuration parameter for the subnet, saying that as part of the -response, tell the client that I am the DNS server for this network. If you -do not want to run a DNS server, you could also provide one of the public -DNS servers, such as google's. You can add multiple entries by repeating the -line. + This is a configuration parameter for the subnet, saying that as part of the + response, tell the client that I am the DNS server for this network. If you + do not want to run a DNS server, you could also provide one of the public + DNS servers, such as google's. You can add multiple entries by repeating the + line. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 lease 86400 -Assign the IP address to this machine for 24 hours. It is unlikely you'd need -to shorten this period, unless you are running a network with lots of devices -appearing and disappearing. - + Assign the IP address to this machine for 24 hours. It is unlikely you'd need + to shorten this period, unless you are running a network with lots of devices + appearing and disappearing. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 range 0 start 192.0.2.100 -Make a range of addresses available for clients starting from .100 [...] + Make a range of addresses available for clients starting from .100 [...] .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 range 0 stop 192.0.2.199 -[...] and ending at .199. + [...] and ending at .199. Failover -------- @@ -93,22 +92,22 @@ explicitly by the following statements. .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover local-address '192.0.2.1' -Local IP address used when communicating to the failover peer. + Local IP address used when communicating to the failover peer. .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover peer-address '192.0.2.2' -Peer IP address of the second DHCP server in this failover cluster. + Peer IP address of the second DHCP server in this failover cluster. .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover name 'foo' -A generic name referencing this sync service. + A generic name referencing this sync service. .. note:: `name` must be identical on both sides! .. cfgcmd:: set service dhcp-server shared-network-name 'LAN' subnet '192.0.2.0/24' failover status '{primary|secondary}' -The primary and secondary statements determines whether the server is primary -or secondary. + The primary and secondary statements determines whether the server is primary + or secondary. .. note:: In order for the primary and the secondary DHCP server to keep their lease tables in sync, they must be able to reach each other on TCP @@ -131,12 +130,14 @@ inside the subnet definition but can be outside of the range statement. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping static-mapping-01 mac-address ff:ff:ff:ff:ff:ff -Each host is uniquely identified by its MAC address. + Each host is uniquely identified by its MAC address. .. cfgcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping static-mapping-01 ip-address 192.0.2.10 -IP address to assign to this host. It must be inside the subnet in which it is defined but can be outside the dynamic range. -If ip-address is not specified, an IP from the dynamic pool (as specified by ``range``) is used. This is useful, for example, in combination with hostfile update. + IP address to assign to this host. It must be inside the subnet in which it + is defined but can be outside the dynamic range. If ip-address is not + specified, an IP from the dynamic pool (as specified by ``range``) is used. + This is useful, for example, in combination with hostfile update. .. hint:: This is the equivalent of the host block in dhcpd.conf of isc-dhcpd. @@ -145,25 +146,25 @@ DHCP Options .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 default-router '<address>' -Specify the default routers IPv4 address which should be used in this subnet. -This can - of course - be a VRRP address (DHCP option 003). + Specify the default routers IPv4 address which should be used in this subnet. + This can - of course - be a VRRP address (DHCP option 003). .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 dns-server '<address>' -Specify the DNS nameservers used (Option 006). This option may be used mulltiple -times to specify additional DNS nameservers. + Specify the DNS nameservers used (Option 006). This option may be used + mulltiple times to specify additional DNS nameservers. .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 domain-name '<domain-name>' -The domain-name parameter should be the domain name that will be appended to -the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP -Option 015). + The domain-name parameter should be the domain name that will be appended to + the client's hostname to form a fully-qualified domain-name (FQDN) (DHCP + Option 015). .. cfgcmd:: set service dhcp-server shared-network-name '<name>' subnet 192.0.2.0/24 domain-search '<domain-name>' -The domain-name parameter should be the domain name used when completing DNS -request where no full FQDN is passed. This option can be given multiple times -if you need multiple search domains (DHCP Option 119). + The domain-name parameter should be the domain name used when completing DNS + request where no full FQDN is passed. This option can be given multiple times + if you need multiple search domains (DHCP Option 119). .. list-table:: :header-rows: 1 @@ -319,18 +320,18 @@ Example .. opcmd:: set service dhcp-server shared-network-name dhcpexample subnet 192.0.2.0/24 static-mapping example static-mapping-parameters "option domain-name-servers 192.0.2.11, 192.0.2.12;" -Override the static-mapping's dns-server with a custom one that will be sent only to this host. + Override the static-mapping's dns-server with a custom one that will be sent only to this host. Operation Mode -------------- .. opcmd:: restart dhcp server -Restart the DHCP server + Restart the DHCP server .. opcmd:: show dhcp server statistics -Show the DHCP server statistics: + Show the DHCP server statistics: .. code-block:: none @@ -341,11 +342,11 @@ Show the DHCP server statistics: .. opcmd:: show dhcp server statistics pool <pool> -Show the DHCP server statistics for the specified pool. + Show the DHCP server statistics for the specified pool. .. opcmd:: show dhcp server leases -Show statuses of all active leases: + Show statuses of all active leases: .. code-block:: none @@ -355,19 +356,22 @@ Show statuses of all active leases: 192.0.2.104 aa:bb:cc:dd:ee:ff active 2019/12/05 14:24:23 2019/12/06 02:24:23 6:05:35 dhcpexample test1 192.0.2.115 ab:ac:ad:ae:af:bf active 2019/12/05 18:02:37 2019/12/06 06:02:37 9:43:49 dhcpexample test2 -.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. hint:: Static mappings aren't shown. To show all states, use + ``show dhcp server leases state all``. .. opcmd:: show dhcp server leases pool <pool> -Show only leases in the specified pool. + Show only leases in the specified pool. .. opcmd:: show dhcp server leases sort <key> -Sort the output by the specified key. Possible keys: ip, hardware_address, state, start, end, remaining, pool, hostname (default = ip) + Sort the output by the specified key. Possible keys: ip, hardware_address, + state, start, end, remaining, pool, hostname (default = ip) .. opcmd:: show dhcp server leases state <state> -Show only leases with the specified state. Possible states: all, active, free, expired, released, abandoned, reset, backup (default = active) + Show only leases with the specified state. Possible states: all, active, + free, expired, released, abandoned, reset, backup (default = active) DHCPv6 Server ============= @@ -380,47 +384,46 @@ Configuration Options .. cfgcmd:: set service dhcpv6-server preference <preference value> -Clients receiving advertise messages from multiple servers choose the server -with the highest preference value. The range for this value is ``0...255``. - + Clients receiving advertise messages from multiple servers choose the server + with the highest preference value. The range for this value is ``0...255``. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' lease-time {default | maximum | minimum} -The default lease time for DHCPv6 leases is 24 hours. This can be changed by -supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All values -need to be supplied in seconds. + The default lease time for DHCPv6 leases is 24 hours. This can be changed by + supplying a ``default-time``, ``maximum-time`` and ``minimum-time``. All + values need to be supplied in seconds. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nis-domain '<domain-name>' -A :abbr:`NIS (Network Information Service)` domain can be set to be used for -DHCPv6 clients. + A :abbr:`NIS (Network Information Service)` domain can be set to be used for + DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nisplus-domain '<domain-name>' -The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` -domain is similar to the NIS domain one: + The procedure to specify a :abbr:`NIS+ (Network Information Service Plus)` + domain is similar to the NIS domain one: .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nis-server '<address>' -Specify a NIS server address for DHCPv6 clients. + Specify a NIS server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' nisplus-server '<address>' -Specify a NIS+ server address for DHCPv6 clients. + Specify a NIS+ server address for DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sip-server-address '<address>' -Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address for -all DHCPv6 clients. + Specify a :abbr:`SIP (Session Initiation Protocol)` server by IPv6 address + for all DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sip-server-name '<fqdn>' -Specify a :abbr:`SIP (Session Initiation Protocol)` server by FQDN for all -DHCPv6 clients. + Specify a :abbr:`SIP (Session Initiation Protocol)` server by FQDN for all + DHCPv6 clients. .. cfgcmd:: set service dhcpv6-server shared-network-name '<name>' subnet '<v6net>' sntp-server-address '<address>' -A SNTP server address can be specified for DHCPv6 clients: + A SNTP server address can be specified for DHCPv6 clients. Address pools ------------- @@ -468,9 +471,11 @@ be created. The following example explains the process. * IPv6 address ``2001:db8::101`` shall be statically mapped * Host specific mapping shall be named ``client1`` -.. hint:: The identifier is the device's DUID: colon-separated hex list (as used by isc-dhcp option dhcpv6.client-id). - If the device already has a dynamic lease from the DHCPv6 server, its DUID can be found with ``show service dhcpv6 server leases``. - The DUID begins at the 5th octet (after the 4th colon) of IAID_DUID. +.. hint:: The identifier is the device's DUID: colon-separated hex list (as + used by isc-dhcp option dhcpv6.client-id). If the device already has a + dynamic lease from the DHCPv6 server, its DUID can be found with ``show + service dhcpv6 server leases``. The DUID begins at the 5th octet (after the + 4th colon) of IAID_DUID. .. code-block:: none @@ -502,15 +507,15 @@ Operation Mode .. opcmd:: restart dhcpv6 server -To restart the DHCPv6 server + To restart the DHCPv6 server .. opcmd:: show dhcpv6 server status -To show the current status of the DHCPv6 server. + To show the current status of the DHCPv6 server. .. opcmd:: show dhcpv6 server leases -Show statuses of all assigned leases: + Show statuses of all assigned leases: .. code-block:: none @@ -520,19 +525,22 @@ Show statuses of all assigned leases: 2001:db8::101 active 2019/12/05 19:40:10 2019/12/06 07:40:10 11:45:21 non-temporary NET1 98:76:54:32:00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff 2001:db8::102 active 2019/12/05 14:01:23 2019/12/06 02:01:23 6:06:34 non-temporary NET1 87:65:43:21:00:01:00:01:11:22:33:44:fa:fb:fc:fd:fe:ff -.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp server leases state all``. +.. hint:: Static mappings aren't shown. To show all states, use ``show dhcp + server leases state all``. .. opcmd:: show dhcpv6 server leases pool <pool> -Show only leases in the specified pool. + Show only leases in the specified pool. .. opcmd:: show dhcpv6 server leases sort <key> -Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, last_comm, pool, remaining, state, type (default = ip) + Sort the output by the specified key. Possible keys: expires, iaid_duid, ip, + last_comm, pool, remaining, state, type (default = ip) .. opcmd:: show dhcpv6 server leases state <state> -Show only leases with the specified state. Possible states: abandoned, active, all, backup, expired, free, released, reset (default = active) + Show only leases with the specified state. Possible states: abandoned, + active, all, backup, expired, free, released, reset (default = active) DHCP Relay ========== @@ -550,16 +558,16 @@ Configuration .. cfgcmd:: set service dhcp-relay interface '<interface>' -Enable the DHCP relay service on the given interface. + Enable the DHCP relay service on the given interface. .. cfgcmd:: set service dhcp-relay server 10.0.1.4 -Configure IP address of the DHCP server + Configure IP address of the DHCP server .. cfgcmd:: set service dhcp-relay relay-options relay-agents-packets discard -The router should discard DHCP packages already containing relay agent -information to ensure that only requests from DHCP clients are forwarded. + The router should discard DHCP packages already containing relay agent + information to ensure that only requests from DHCP clients are forwarded. Example ------- @@ -592,38 +600,38 @@ Options .. cfgcmd:: set service dhcp-relay relay-options hop-count 'count' -Set the maximum hop count before packets are discarded. Range 0...255, -default 10. + Set the maximum hop count before packets are discarded. Range 0...255, + default 10. .. cfgcmd:: set service dhcp-relay relay-options max-size 'size' -Set maximum size of DHCP packets including relay agent information. If a -DHCP packet size surpasses this value it will be forwarded without appending -relay agent information. Range 64...1400, default 576. + Set maximum size of DHCP packets including relay agent information. If a + DHCP packet size surpasses this value it will be forwarded without appending + relay agent information. Range 64...1400, default 576. .. cfgcmd:: set service dhcp-relay relay-options relay-agents-packet 'policy' -Four policies for reforwarding DHCP packets exist: + Four policies for reforwarding DHCP packets exist: -* **append:** The relay agent is allowed to append its own relay information - to a received DHCP packet, disregarding relay information already present in - the packet. + * **append:** The relay agent is allowed to append its own relay information + to a received DHCP packet, disregarding relay information already present in + the packet. -* **discard:** Received packets which already contain relay information will - be discarded. + * **discard:** Received packets which already contain relay information will + be discarded. -* **forward:** All packets are forwarded, relay information already present - will be ignored. + * **forward:** All packets are forwarded, relay information already present + will be ignored. -* **replace:** Relay information already present in a packet is stripped and - replaced with the router's own relay information set. + * **replace:** Relay information already present in a packet is stripped and + replaced with the router's own relay information set. Operation --------- .. opcmd:: restart dhcp relay-agent -Restart DHCP relay service + Restart DHCP relay service DHCPv6 relay ============ @@ -633,12 +641,12 @@ Configuration .. cfgcmd:: set service dhcpv6-relay listen-interface eth1 -Set eth1 to be the listening interface for the DHCPv6 relay: + Set eth1 to be the listening interface for the DHCPv6 relay: .. cfgcmd:: set service dhcpv6-relay upstream-interface eth2 address 2001:db8::4 -Set eth2 to be the upstream interface and specify the IPv6 address of -the DHCPv6 server: + Set eth2 to be the upstream interface and specify the IPv6 address of + the DHCPv6 server: Example ^^^^^^^ @@ -670,20 +678,20 @@ Options .. cfgcmd:: set service dhcpv6-relay max-hop-count 'count' -Set maximum hop count before packets are discarded, default: 10 + Set maximum hop count before packets are discarded, default: 10 .. cfgcmd:: set service dhcpv6-relay use-interface-id-option -If this is set the relay agent will insert the interface ID. This option is -set automatically if more than one listening interfaces are in use. + If this is set the relay agent will insert the interface ID. This option is + set automatically if more than one listening interfaces are in use. Operation --------- .. opcmd:: show dhcpv6 relay-agent status -Show the current status of the DHCPv6 relay agent: + Show the current status of the DHCPv6 relay agent: .. opcmd:: restart dhcpv6 relay-agent -Restart DHCPv6 relay agent immediately. + Restart DHCPv6 relay agent immediately. diff --git a/docs/services/dns-forwarding.rst b/docs/services/dns-forwarding.rst index a4fbdd9f..fb996709 100644 --- a/docs/services/dns-forwarding.rst +++ b/docs/services/dns-forwarding.rst @@ -18,91 +18,92 @@ avoid to be tracked by the provider of your upstream DNS server. .. cfgcmd:: set service dns forwarding system -Forward incoming DNS queries to the DNS servers configured under the ``system -name-server`` nodes. + Forward incoming DNS queries to the DNS servers configured under the ``system + name-server`` nodes. .. cfgcmd:: set service dns forwarding name-server <address> -Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`. -You can configure multiple nameservers here. + Send all DNS queries to the IPv4/IPv6 DNS server specified under `<address>`. + You can configure multiple nameservers here. .. cfgcmd:: set service dns forwarding domain <domain-name> server <address> -Forward received queries for a particular domain (specified via `domain-name`) -to a given name-server. Multiple nameservers can be specified. + Forward received queries for a particular domain (specified via `domain-name`) + to a given name-server. Multiple nameservers can be specified. .. note:: This also works for reverse-lookup zones e.g. ``18.172.in-addr.arpa``. .. cfgcmd:: set service dns forwarding allow-from <network> -Given the fact that open DNS recursors could be used on DDOS amplification -attacts, you must configure the networks which are allowed to use this recursor. -A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and IPv6 networks -to query this server. This is on general a bad idea. + Given the fact that open DNS recursors could be used on DDOS amplification + attacts, you must configure the networks which are allowed to use this + recursor. A network of ``0.0.0.0/0`` or ``::/0`` would allow all IPv4 and + IPv6 networks to query this server. This is on general a bad idea. .. cfgcmd:: set service dns forwarding dnssec <off | process-no-validate | process | log-fail | validate> -The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can -be set with the dnssec setting. In order from least to most processing, these -are: - -* **off** In this mode, no DNSSEC processing takes place. The recursor will not - set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the DO and - AD bits in queries. - -* **process-no-validate** In this mode the Recursor acts as a "security aware, - non-validating" nameserver, meaning it will set the DO-bit on outgoing queries - and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for - them (by means of a DO-bit in the query), except for zones provided through - the auth-zones setting. It will not do any validation in this mode, not even - when requested by the client. - -* **process** When dnssec is set to process the behaviour is similar to - process-no-validate. However, the recursor will try to validate the data if - at least one of the DO or AD bits is set in the query; in that case, it will - set the AD-bit in the response when the data is validated successfully, or - send SERVFAIL when the validation comes up bogus. - -* **log-fail** In this mode, the recursor will attempt to validate all data it - retrieves from authoritative servers, regardless of the client's DNSSEC - desires, and will log the validation result. This mode can be used to - determine the extra load and amount of possibly bogus answers before turning - on full-blown validation. Responses to client queries are the same as with - process. - -* **validate** The highest mode of DNSSEC processing. In this mode, all queries - will be be validated and will be answered with a SERVFAIL in case of bogus - data, regardless of the client's request. - -.. note:: The famous UNIX/Linux ``dig`` tool sets the AD-bit in the query. This - might lead to unexpected query results when testing. Set ``+noad`` on the - ``dig`` commandline when this is the case. - -.. note:: The ``CD``-bit is honored correctly for process and validate. For - log-fail, failures will be logged too. + The PowerDNS Recursor has 5 different levels of DNSSEC processing, which can + be set with the dnssec setting. In order from least to most processing, these + are: + + * **off** In this mode, no DNSSEC processing takes place. The recursor will + not set the DNSSEC OK (DO) bit in the outgoing queries and will ignore the + DO and AD bits in queries. + + * **process-no-validate** In this mode the Recursor acts as a "security + aware, non-validating" nameserver, meaning it will set the DO-bit on + outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to + clients that ask for them (by means of a DO-bit in the query), except for + zones provided through the auth-zones setting. It will not do any + validation in this mode, not even when requested by the client. + + * **process** When dnssec is set to process the behaviour is similar to + process-no-validate. However, the recursor will try to validate the data + if at least one of the DO or AD bits is set in the query; in that case, + it will set the AD-bit in the response when the data is validated + successfully, or send SERVFAIL when the validation comes up bogus. + + * **log-fail** In this mode, the recursor will attempt to validate all data + it retrieves from authoritative servers, regardless of the client's DNSSEC + desires, and will log the validation result. This mode can be used to + determine the extra load and amount of possibly bogus answers before + turning on full-blown validation. Responses to client queries are the same + as with process. + + * **validate** The highest mode of DNSSEC processing. In this mode, all + queries will be be validated and will be answered with a SERVFAIL in case + of bogus data, regardless of the client's request. + + .. note:: The famous UNIX/Linux ``dig`` tool sets the AD-bit in the query. + This might lead to unexpected query results when testing. Set ``+noad`` + on the ``dig`` commandline when this is the case. + + .. note:: The ``CD``-bit is honored correctly for process and validate. For + log-fail, failures will be logged too. .. cfgcmd:: set service dns forwarding ignore-hosts-file -Do not use local ``/etc/hosts`` file in name resolution. VyOS DHCP server will -use this file to add resolvers to assigned addresses. + Do not use local ``/etc/hosts`` file in name resolution. VyOS DHCP server + will use this file to add resolvers to assigned addresses. .. cfgcmd:: set service dns forwarding max-cache-entries -Maximum number of DNS cache entries. 1 million per CPU core will generally -suffice for most installations. + Maximum number of DNS cache entries. 1 million per CPU core will generally + suffice for most installations. .. cfgcmd:: set service dns forwarding negative-ttl -A query for which there is authoritatively no answer is cached to quickly deny -a record's existence later on, without putting a heavy load on the remote -server. In practice, caches can become saturated with hundreds of thousands of -hosts which are tried only once. This setting, which defaults to 3600 seconds, -puts a maximum on the amount of time negative entries are cached. + A query for which there is authoritatively no answer is cached to quickly + deny a record's existence later on, without putting a heavy load on the + remote server. In practice, caches can become saturated with hundreds of + thousands of hosts which are tried only once. This setting, which defaults + to 3600 seconds, puts a maximum on the amount of time negative entries are + cached. .. cfgcmd:: set service dns forwarding listen-address -Local IPv4 or IPv6 addresses to bind to - waiting on this address for incoming -connections. + Local IPv4 or IPv6 addresses to bind to - waiting on this address for + incoming connections. Example ======= @@ -137,9 +138,9 @@ Operation .. opcmd:: reset dns forwarding <all | domain> -Reset local DNS forwarding cache database. You can reset the cache for all -entries or only for entries to a specific domain. + Reset local DNS forwarding cache database. You can reset the cache for all + entries or only for entries to a specific domain. .. opcmd:: restart dns forwarding -Restart DNS recursor process which also invalidates the cache. + Restart DNS recursor process which also invalidates the cache. diff --git a/docs/services/dynamic-dns.rst b/docs/services/dynamic-dns.rst index 154f9023..3842c1c4 100644 --- a/docs/services/dynamic-dns.rst +++ b/docs/services/dynamic-dns.rst @@ -22,31 +22,33 @@ Configuration .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> -Create new :rfc:`2136` DNS update configuration which will update the IP address -assigned to `<interface>` on the service you configured under `<service-name>`. + Create new :rfc:`2136` DNS update configuration which will update the IP + address assigned to `<interface>` on the service you configured under + `<service-name>`. .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> key <keyfile> -File identified by `<keyfile>` containing the secret RNDC key shared with -remote DNS server. + File identified by `<keyfile>` containing the secret RNDC key shared with + remote DNS server. .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> server <server> -Configure the DNS `<server>` IP/FQDN used when updating this dynamic assignemnt. + Configure the DNS `<server>` IP/FQDN used when updating this dynamic + assignemnt. .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> zone <zone> -Configure DNS `<zone>` to be updated. + Configure DNS `<zone>` to be updated. .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> record <record> -Configure DNS `<record>` which should be updated. This can be set multiple -times. + Configure DNS `<record>` which should be updated. This can be set multiple + times. .. cfgcmd:: set service dns dynamic interface <interface> rfc2136 <service-name> ttl <ttl> -Configure optional TTL value on the given resource record. This defualts to 600 -seconds. + Configure optional TTL value on the given resource record. This defualts to + 600 seconds. Example ^^^^^^^ @@ -99,30 +101,30 @@ hostnames, protocol and server. .. cfgcmd:: set service dns dynamic interface <interface> service <service> host-name <hostname> -Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS provider -identified by `<service>` when the IP address on interface `<interface>` -changes. + Setup the dynamic DNS hostname `<hostname>` associated with the DynDNS + provider identified by `<service>` when the IP address on interface + `<interface>` changes. .. cfgcmd:: set service dns dynamic interface <interface> service <service> login <username> -Configure `<username>` used when authenticating the update request for DynDNS -service identified by `<service>`. + Configure `<username>` used when authenticating the update request for + DynDNS service identified by `<service>`. .. cfgcmd:: set service dns dynamic interface <interface> service <service> password <password> -Configure `<password>` used when authenticating the update request for DynDNS -service identified by `<service>`. + Configure `<password>` used when authenticating the update request for + DynDNS service identified by `<service>`. .. cfgcmd:: set service dns dynamic interface <interface> service <service> protocol <protocol> -When a ``custom`` DynDNS provider is used the protocol used for communicating to -the provider must be specified under `<protocol>`. See the embedded completion -helper for available protocols. + When a ``custom`` DynDNS provider is used the protocol used for communicating + to the provider must be specified under `<protocol>`. See the embedded + completion helper for available protocols. .. cfgcmd:: set service dns dynamic interface <interface> service <service> server <server> -When a ``custom`` DynDNS provider is used the `<server>` where update requests -are beeing sent to must be specified. + When a ``custom`` DynDNS provider is used the `<server>` where update + requests are beeing sent to must be specified. Example: ^^^^^^^^ @@ -151,11 +153,11 @@ by: .. cfgcmd:: set service dns dynamic interface <interface> use-web url <url> -Use configured `<url>` to determine your IP address. ddclient_ will load `<url>` -and tries to extract your IP address from the response. + Use configured `<url>` to determine your IP address. ddclient_ will load + `<url>` and tries to extract your IP address from the response. .. cfgcmd:: set service dns dynamic interface <interface> use-web skip <pattern> -ddclient_ will skip any address located before the string set in `<pattern>`. + ddclient_ will skip any address located before the string set in `<pattern>`. .. _ddclient: https://github.com/ddclient/ddclient diff --git a/docs/services/lldp.rst b/docs/services/lldp.rst index 05c187b0..c1f39fba 100644 --- a/docs/services/lldp.rst +++ b/docs/services/lldp.rst @@ -36,42 +36,41 @@ Configuration .. cfgcmd:: set service lldp -Enable LLDP service + Enable LLDP service .. cfgcmd:: set service lldp management-address <address> -Define IPv4 management address transmitted via LLDP. + Define IPv4 management address transmitted via LLDP. .. cfgcmd:: set service lldp interface <interface> -Enable transmission of LLDP information on given `<interface>`. You can also -say ``all`` here so LLDP is turned on on every interface. + Enable transmission of LLDP information on given `<interface>`. You can also + say ``all`` here so LLDP is turned on on every interface. .. cfgcmd:: set service lldp interface <interface> disable -Disable transmit of LLDP frames on given `<interface>`. Useful to exclude -certain interfaces from LLDP when ``all`` have been enabled. + Disable transmit of LLDP frames on given `<interface>`. Useful to exclude + certain interfaces from LLDP when ``all`` have been enabled. .. cfgcmd:: set service lldp snmp enable -Enable SNMP queries of the LLDP database - + Enable SNMP queries of the LLDP database .. cfgcmd:: set service lldp legacy-protocols <cdp|edp|fdp|sonmp> -Enable given legacy protocol on this LLDP instance. Legacy protocols include: + Enable given legacy protocol on this LLDP instance. Legacy protocols include: -* ``cdp`` - Listen for CDP for Cisco routers/switches -* ``edp`` - Listen for EDP for Extreme routers/switches -* ``fdp`` - Listen for FDP for Foundry routers/switches -* ``sonmp`` - Listen for SONMP for Nortel routers/switches + * ``cdp`` - Listen for CDP for Cisco routers/switches + * ``edp`` - Listen for EDP for Extreme routers/switches + * ``fdp`` - Listen for FDP for Foundry routers/switches + * ``sonmp`` - Listen for SONMP for Nortel routers/switches Operation ========= .. opcmd:: show lldp neighbors -Displays information about all neighbors discovered via LLDP. + Displays information about all neighbors discovered via LLDP. .. code-block:: none @@ -85,7 +84,7 @@ Displays information about all neighbors discovered via LLDP. .. opcmd:: show lldp neighbors detail -Get detailed information about LLDP neighbors. + Get detailed information about LLDP neighbors. .. code-block:: none @@ -135,8 +134,8 @@ Get detailed information about LLDP neighbors. .. opcmd:: show lldp neighbors interface <interface> -Show LLDP neighbors connected via interface `<interface>`. + Show LLDP neighbors connected via interface `<interface>`. .. opcmd:: show log lldp -Used for troubleshooting. + Used for troubleshooting. |