--- embedaddon/dnsmasq/man/dnsmasq.8 2013/07/29 19:37:40 1.1.1.1 +++ embedaddon/dnsmasq/man/dnsmasq.8 2014/06/15 16:31:38 1.1.1.2 @@ -13,7 +13,10 @@ Dnsmasq accepts DNS queries and either answers them fr cache or forwards them to a real, recursive, DNS server. It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers -DNS queries for DHCP configured hosts. It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS. +DNS queries for DHCP configured hosts. It can also act as the +authoritative DNS server for one or more domains, allowing local names +to appear in the global DNS. It can be configured to do DNSSEC +validation. .PP The dnsmasq DHCP server supports static address assignments and multiple networks. It automatically @@ -199,7 +202,20 @@ or .B --listen-address configuration, indeed .B --auth-server -will overide these and provide a different DNS service on the specified interface. The is the "glue record". It should resolve in the global DNS to a A and/or AAAA record which points to the address dnsmasq is listening on. +will overide these and provide a different DNS service on the +specified interface. The is the "glue record". It should +resolve in the global DNS to a A and/or AAAA record which points to +the address dnsmasq is listening on. When an interface is specified, +it may be qualified with "/4" or "/6" to specify only the IPv4 or IPv6 +addresses associated with the interface. +.TP +.B --local-service +Accept DNS queries only from hosts whose address is on a local subnet, +ie a subnet for which an interface exists on the server. This option +only has effect is there are no --interface --except-interface, +--listen-address or --auth-server options. It is intended to be set as +a default on installation, to allow unconfigured installations to be +useful but also safe from being used for DNS amplification attacks. .TP .B \-2, --no-dhcp-interface= Do not provide DHCP or TFTP on the specified interface, but do provide DNS service. @@ -338,7 +354,8 @@ by '/', like the --server syntax, eg. Don't poll /etc/resolv.conf for changes. .TP .B --clear-on-reload -Whenever /etc/resolv.conf is re-read, clear the DNS cache. +Whenever /etc/resolv.conf is re-read or the upstream servers are set +via DBus, clear the DNS cache. This is useful when new nameservers may have different data than that held in cache. .TP @@ -406,6 +423,14 @@ source address specified but the port may be specified part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq. .TP +.B --rev-server=/,[#][@|[#]] +This is functionally the same as +.B --server, +but provides some syntactic sugar to make specifying address-to-name queries easier. For example +.B --rev-server=1.2.3.0/24,192.168.0.1 +is exactly equivalent to +.B --server=/3.2.1.in-addr.arpa/192.168.0.1 +.TP .B \-A, --address=//[domain/] Specify an IP address to return for any host in the given domains. Queries in the domains are never forwarded and always replied to @@ -496,7 +521,7 @@ Return an NAPTR DNS record, as specified in RFC3403. Return a CNAME record which indicates that is really . There are significant limitations on the target; it must be a DNS name which is known to dnsmasq from /etc/hosts (or additional -hosts files), from DHCP or from another +hosts files), from DHCP, from --interface-name or from another .B --cname. If the target does not satisfy this criteria, the whole cname is ignored. The cname must be unique, but it @@ -508,17 +533,35 @@ record (which is always in the C_IN class). The value given by the hex data, which may be of the form 01:23:45 or 01 23 45 or 012345 or any mixture of these. .TP -.B --interface-name=, +.B --interface-name=,[/4|/6] Return a DNS record associating the name with the primary address on -the given interface. This flag specifies an A record for the given +the given interface. This flag specifies an A or AAAA record for the given name in the same way as an /etc/hosts line, except that the address is -not constant, but taken from the given interface. If the interface is +not constant, but taken from the given interface. The interface may be +followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses +of the interface should be used. If the interface is down, not configured or non-existent, an empty record is returned. The matching PTR record is also created, mapping the interface address to the name. More than one name may be associated with an interface address by repeating the flag; in that case the first instance is used for the reverse address-to-name mapping. .TP +.B --synth-domain=,
[,] +Create artificial A/AAAA and PTR records for an address range. The +records use the address, with periods (or colons for IPv6) replaced +with dashes. + +An example should make this clearer. +.B --synth-domain=thekelleys.org.uk,192.168.0.0/24,internal- +will result in a query for internal-192-168-0-56.thekelleys.org.uk returning +192.168.0.56 and a reverse query vice versa. The same applies to IPv6, +but IPv6 addresses may start with '::' +but DNS labels may not start with '-' so in this case if no prefix is +configured a zero is added in front of the label. ::1 becomes 0--1. + +The address range can be of the form +, or / +.TP .B --add-mac Add the MAC address of the requestor to DNS queries which are forwarded upstream. This may be used to DNS filtering by the upstream @@ -526,7 +569,20 @@ server. The MAC address can only be added if the reque subnet as the dnsmasq server. Note that the mechanism used to achieve this (an EDNS0 option) is not yet standardised, so this should be considered experimental. Also note that exposing MAC addresses in this way may -have security and privacy implications. +have security and privacy implications. The warning about caching +given for --add-subnet applies to --add-mac too. +.TP +.B --add-subnet[[=],] +Add the subnet address of the requestor to the DNS queries which are +forwarded upstream. The amount of the address forwarded depends on the +prefix length parameter: 32 (128 for IPv6) forwards the whole address, +zero forwards none of it but still marks the request so that no +upstream nameserver will add client address information either. The +default is zero for both IPv4 and IPv6. Note that upstream nameservers +may be configured to return different results based on this +information, but the dnsmasq cache does not take account. If a dnsmasq +instance is configured such that different results may be encountered, +caching should be disabled. .TP .B \-c, --cache-size= Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. @@ -542,27 +598,89 @@ Set the maximum number of concurrent DNS queries. The where this needs to be increased is when using web-server log file resolvers, which can generate large numbers of concurrent queries. .TP +.B --dnssec +Validate DNS replies and cache DNSSEC data. When forwarding DNS queries, dnsmasq requests the +DNSSEC records needed to validate the replies. The replies are validated and the result returned as +the Authenticated Data bit in the DNS packet. In addition the DNSSEC records are stored in the cache, making +validation by clients more efficient. Note that validation by clients is the most secure DNSSEC mode, but for +clients unable to do validation, use of the AD bit set by dnsmasq is useful, provided that the network between +the dnsmasq server and the client is trusted. Dnsmasq must be compiled with HAVE_DNSSEC enabled, and DNSSEC +trust anchors provided, see +.B --trust-anchor. +Because the DNSSEC validation process uses the cache, it is not +permitted to reduce the cache size below the default when DNSSEC is +enabled. The nameservers upstream of dnsmasq must be DNSSEC-capable, +ie capable of returning DNSSEC records with data. If they are not, +then dnsmasq will not be able to determine the trusted status of +answers. In the default mode, this menas that all replies will be +marked as untrusted. If +.B --dnssec-check-unsigned +is set and the upstream servers don't support DNSSEC, then DNS service will be entirely broken. +.TP +.B --trust-anchor=[],,,,, +Provide DS records to act a trust anchors for DNSSEC +validation. Typically these will be the DS record(s) for Zone Signing +key(s) of the root zone, +but trust anchors for limited domains are also possible. The current +root-zone trust anchors may be donwloaded from https://data.iana.org/root-anchors/root-anchors.xml +.TP +.B --dnssec-check-unsigned +As a default, dnsmasq does not check that unsigned DNS replies are +legitimate: they are assumed to be valid and passed on (without the +"authentic data" bit set, of course). This does not protect against an +attacker forging unsigned replies for signed DNS zones, but it is +fast. If this flag is set, dnsmasq will check the zones of unsigned +replies, to ensure that unsigned replies are allowed in those +zones. The cost of this is more upstream queries and slower +performance. See also the warning about upstream servers in the +section on +.B --dnssec +.TP +.B --dnssec-no-timecheck +DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an +interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct +time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag +removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is +that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as +reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records +which have not been throughly checked. +.TP .B --proxy-dnssec -A resolver on a client machine can do DNSSEC validation in two ways: it -can perform the cryptograhic operations on the reply it receives, or -it can rely on the upstream recursive nameserver to do the validation -and set a bit in the reply if it succeeds. Dnsmasq is not a DNSSEC -validator, so it cannot perform the validation role of the recursive nameserver, -but it can pass through the validation results from its own upstream -nameservers. This option enables this behaviour. You should only do -this if you trust all the configured upstream nameservers -.I and the network between you and them. -If you use the first DNSSEC mode, validating resolvers in clients, -this option is not required. Dnsmasq always returns all the data -needed for a client to do validation itself. +Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an +alternative to having dnsmasq validate DNSSEC, but it depends on the security of the network between +dnsmasq and the upstream servers, and the trustworthiness of the upstream servers. .TP -.B --auth-zone=[,[,.....]] +.B --dnssec-debug +Set debugging mode for the DNSSEC validation, set the Checking Disabled bit on upstream queries, +and don't convert replies which do not validate to responses with +a return code of SERVFAIL. Note that +setting this may affect DNS behaviour in bad ways, it is not an +extra-logging flag and should not be set in production. +.TP +.B --auth-zone=[,[/][,[/].....]] Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain -will be served, except that A and AAAA records must be in one of the -specified subnets, or in a subnet corresponding to a contructed DHCP -range. The subnet(s) are also used to define in-addr.arpa and -ipv6.arpa domains which are served for reverse-DNS queries. For IPv4 -subnets, the prefix length is limited to the values 8, 16 or 24. +will be served. If subnet(s) are given, A and AAAA records must be in one of the +specified subnets. + +As alternative to directly specifying the subnets, it's possible to +give the name of an interface, in which case the subnets implied by +that interface's configured addresses and netmask/prefix-length are +used; this is useful when using constructed DHCP ranges as the actual +address is dynamic and not known when configuring dnsmasq. The +interface addresses may be confined to only IPv6 addresses using +/6 or to only IPv4 using /4. This is useful when +an interface has dynamically determined global IPv6 addresses which should +appear in the zone, but RFC1918 IPv4 addresses which should not. +Interface-name and address-literal subnet specifications may be used +freely in the same --auth-zone declaration. + +The subnet(s) are also used to define in-addr.arpa and +ip6.arpa domains which are served for reverse-DNS queries. If not +specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6. +For IPv4 subnets, the prefix length should be have the value 8, 16 or 24 +unless you are familiar with RFC 2317 and have arranged the +in-addr.arpa delegation accordingly. Note that if no subnets are +specified, then no reverse queries are answered. .TP .B --auth-soa=[,[,[,[,]]]] Specify fields in the SOA record associated with authoritative @@ -619,7 +737,8 @@ always optional. It is always allowed to have more than one dhcp-range in a single subnet. For IPv6, the parameters are slightly different: instead of netmask -and broadcast address, there is an optional prefix length. If not +and broadcast address, there is an optional prefix length which must +be equal to or larger then the prefix length on the local interface. If not given, this defaults to 64. Unlike the IPv4 case, the prefix length is not automatically derived from the interface configuration. The mimimum size of the prefix length is 64. @@ -630,8 +749,21 @@ This forms a template which describes how to create ra .B --dhcp-range=::1,::400,constructor:eth0 -will look for addresses of the form ::1 on eth0 and then create a range from ::1 to ::400. If the interface is assigned more than one network, then the corresponding ranges will be automatically created, and then deprecated and finally removed again as the address is deprecated and then deleted. The interface name may have a final "*" wildcard. +will look for addresses on +eth0 and then create a range from ::1 to ::400. If +the interface is assigned more than one network, then the +corresponding ranges will be automatically created, and then +deprecated and finally removed again as the address is deprecated and +then deleted. The interface name may have a final "*" wildcard. Note +that just any address on eth0 will not do: it must not be an +autoconfigured or privacy address, or be deprecated. +If a dhcp-range is only being used for stateless DHCP and/or SLAAC, +then the address can be simply :: + +.B --dhcp-range=::,constructor:eth0 + + The optional .B set: sets an alphanumeric label which marks this network so that @@ -650,7 +782,7 @@ or from /etc/ethers will be served. A static-only subn all zeros may be used as a "catch-all" address to enable replies to all Information-request packets on a subnet which is provided with stateless DHCPv6, ie -.B --dhcp=range=::,static +.B --dhcp-range=::,static For IPv4, the may be .B proxy @@ -721,7 +853,8 @@ the same subnet as some valid dhcp-range. For subnets which don't need a pool of dynamically allocated addresses, use the "static" keyword in the dhcp-range declaration. -It is allowed to use client identifiers rather than +It is allowed to use client identifiers (called client +DUID in IPv6-land rather than hardware addresses to identify hosts by prefixing with 'id:'. Thus: .B --dhcp-host=id:01:02:03:04,..... refers to the host with client identifier 01:02:03:04. It is also @@ -736,11 +869,12 @@ IPv6 addresses may contain only the host-identifier pa .B --dhcp-host=laptop,[::56] in which case they act as wildcards in constructed dhcp ranges, with the appropriate network part inserted. -Note that in IPv6 DHCP, the hardware address is not normally -available, so a client must be identified by client-id (called client -DUID in IPv6-land) or hostname. +Note that in IPv6 DHCP, the hardware address may not be +available, though it normally is for direct-connected clients, or +clients using DHCP relays which support RFC 6939. -The special option id:* means "ignore any client-id + +For DHCPv4, the special option id:* means "ignore any client-id and use MAC addresses only." This is useful when a client presents a client-id sometimes but not others. @@ -763,7 +897,7 @@ This is useful when there is another DHCP server on the network which should be used by some machines. -The set: contruct sets the tag +The set: construct sets the tag whenever this dhcp-host directive is in use. This can be used to selectively send DHCP options just for this host. More than one tag can be set in a dhcp-host directive (but not in other places where @@ -847,9 +981,11 @@ and to set the time-server address to 192.168.0.4, do .B --dhcp-option = 42,192.168.0.4 or .B --dhcp-option = option:ntp-server, 192.168.0.4 -The special address 0.0.0.0 (or [::] for DHCPv6) is taken to mean "the address of the -machine running dnsmasq". Data types allowed are comma separated -dotted-quad IP addresses, a decimal number, colon-separated hex digits +The special address 0.0.0.0 is taken to mean "the address of the +machine running dnsmasq". + +Data types allowed are comma separated +dotted-quad IPv4 addresses, []-wrapped IPv6 addresses, a decimal number, colon-separated hex digits and a text string. If the optional tags are given then this option is only sent when all the tags are matched. @@ -865,7 +1001,9 @@ keyword, followed by the option number or option name. name space is disjoint from the IPv4 option name space. IPv6 addresses in options must be bracketed with square brackets, eg. .B --dhcp-option=option6:ntp-server,[1234::56] - +For IPv6, [::] means "the global address of +the machine running dnsmasq", whilst [fd00::] is replaced with the +ULA, if it exists, and [fe80::] with the link-local address. Be careful: no checking is done that the correct type of data for the option number is sent, it is quite possible to @@ -928,6 +1066,38 @@ DHCP options. This make extra space available in the D options but can, rarely, confuse old or broken clients. This flag forces "simple and safe" behaviour to avoid problems in such a case. .TP +.B --dhcp-relay=,[,,[enterprise:,] Map from a vendor-class string to a tag. Most DHCP clients provide a "vendor class" which represents, in some sense, the type of host. This option @@ -956,7 +1126,7 @@ this to set a different printer server for hosts in th "accounts" than for hosts in the class "engineering". .TP .B \-4, --dhcp-mac=set:, -(IPv4 only) Map from a MAC address to a tag. The MAC address may include +Map from a MAC address to a tag. The MAC address may include wildcards. For example .B --dhcp-mac=set:3com,01:34:23:*:*:* will set the tag "3com" for any host whose MAC address matches the pattern. @@ -978,7 +1148,7 @@ agent ID and one provided by a relay agent, the tag is (IPv4 only) A normal DHCP relay agent is only used to forward the initial parts of a DHCP interaction to the DHCP server. Once a client is configured, it communicates directly with the server. This is undesirable if the -relay agent is addding extra information to the DHCP packets, such as +relay agent is adding extra information to the DHCP packets, such as that used by .B dhcp-circuitid and @@ -995,7 +1165,7 @@ relays at those addresses are affected. Without a value, set the tag if the client sends a DHCP option of the given number or name. When a value is given, set the tag only if the option is sent and matches the value. The value may be of the form -"01:ff:*:02" in which case the value must match (apart from widcards) +"01:ff:*:02" in which case the value must match (apart from wildcards) but the option sent may have unmatched data past the end of the value. The value may also be of the same form as in .B dhcp-option @@ -1008,7 +1178,7 @@ will set the tag "efi-ia32" if the the number 6 appear architectures sent by the client in option 93. (See RFC 4578 for details.) If the value is a string, substring matching is used. -The special form with vi-encap: matches against +The special form with vi-encap: matches against vendor-identifying vendor classes for the specified enterprise. Please see RFC 3925 for more details of these rare and interesting beasts. .TP @@ -1036,7 +1206,7 @@ dhcp-host configuration in dnsmasq and the contents of .TP .B --dhcp-generate-names=tag:[,tag:] (IPv4 only) Generate a name for DHCP clients which do not otherwise have one, -using the MAC address expressed in hex, seperated by dashes. Note that +using the MAC address expressed in hex, separated by dashes. Note that if a host provides a name, it will be used by preference to this, unless .B --dhcp-ignore-names @@ -1113,7 +1283,7 @@ timeout has elapsed with no keyboard input, the first option will be automatically executed. If the timeout is zero then the first available menu item will be executed immediately. If .B pxe-prompt -is ommitted the system will wait for user input if there are multiple +is omitted the system will wait for user input if there are multiple items in the menu, but boot immediately if there is only one. See .B pxe-service @@ -1172,6 +1342,11 @@ tried. This flag disables this check. Use with caution Extra logging for DHCP: log all the options sent to DHCP clients and the tags used to determine them. .TP +.B --quiet-dhcp, --quiet-dhcp6, --quiet-ra +Suppress logging of the routine operation of these protocols. Errors and +problems will still be logged. --quiet-dhcp and quiet-dhcp6 are +over-ridden by --log-dhcp. +.TP .B \-l, --dhcp-leasefile= Use the specified file to store DHCP lease information. .TP @@ -1262,8 +1437,8 @@ every call to the script. DNSMASQ_IAID containing the IAID for the lease. If the lease is a temporary allocation, this is prefixed to 'T'. +DNSMASQ_MAC containing the MAC address of the client, if known. - Note that the supplied hostname, vendorclass and userclass data is only supplied for "add" actions or "old" actions when a host resumes an existing lease, @@ -1412,7 +1587,7 @@ In the default mode, dnsmasq inserts the unqualified n DHCP clients into the DNS. For this reason, the names must be unique, even if two clients which have the same name are in different domains. If a second DHCP client appears which has the same name as an -existing client, the name is transfered to the new client. If +existing client, the name is transferred to the new client. If .B --dhcp-fqdn is set, this behaviour changes: the unqualified name is no longer put in the DNS, only the qualified name. Two DHCP clients with the @@ -1450,11 +1625,26 @@ the relevant link-local address of the machine running as recursive DNS server. If provided, the DHCPv6 options dns-server and domain-search are used for RDNSS and DNSSL. .TP -.B --enable-tftp +.B --ra-param=,[high|low],[[],] +Set non-default values for router advertisements sent via an +interface. The priority field for the router may be altered from the +default of medium with eg +.B --ra-param=eth0,high. +The interval between router advertisements may be set (in seconds) with +.B --ra-param=eth0,60. +The lifetime of the route may be changed or set to zero, which allows +a router to advertise prefixes but not a route via itself. +.B --ra-parm=eth0,0,0 +(A value of zero for the interval means the default value.) All three parameters may be set at once. +.B --ra-param=low,60,1200 +The interface field may include a wildcard. +.TP +.B --enable-tftp[=[,]] Enable the TFTP server function. This is deliberately limited to that needed to net-boot a client. Only reading is allowed; the tsize and blksize extensions are supported (tsize is only supported in octet -mode). +mode). Without an argument, the TFTP service is provided to the same set of interfaces as DHCP service. +If the list of interfaces is provided, that defines which interfaces recieve TFTP service. .TP .B --tftp-root=[,] Look for files to transfer using TFTP relative to the given @@ -1525,6 +1715,13 @@ files. If extension(s) are given, any files which end extensions are skipped. Any files whose names end in ~ or start with . or start and end with # are always skipped. This flag may be given on the command line or in a configuration file. +.TP +.B --servers-file= +A special case of +.B --conf-file +which differs in two respects. Firstly, only --server and --rev-server are allowed +in the configuration file included. Secondly, the file is re-read and the configuration +therein is updated when dnsmasq recieves SIGHUP. .SH CONFIG FILE At startup, dnsmasq reads .I /etc/dnsmasq.conf, @@ -1565,12 +1762,22 @@ When it receives a SIGUSR1, writes statistics to the system log. It writes the cache size, the number of names which have had to removed from the cache before they expired in order to make room for new names and the total number -of names that have been inserted into the cache. For each upstream +of names that have been inserted into the cache. The number of cache hits and +misses and the number of authoritative queries answered are also given. For each upstream server it gives the number of queries sent, and the number which resulted in an error. In .B --no-daemon mode or when full logging is enabled (-q), a complete dump of the -contents of the cache is made. +contents of the cache is made. + +The cache statistics are also available in the DNS as answers to +queries of class CHAOS and type TXT in domain bind. The domain names are cachesize.bind, insertions.bind, evictions.bind, +misses.bind, hits.bind, auth.bind and servers.bind. An example command to query this, using the +.B dig +utility would be + +dig +short chaos txt cachesize.bind + .PP When it receives SIGUSR2 and it is logging direct to a file (see .B --log-facility @@ -1666,7 +1873,7 @@ used to allocate the address, one from any matching The tag "bootp" is set for BOOTP requests, and a tag whose name is the name of the interface on which the request arrived is also set. -Any configuration lines which includes one or more tag: contructs +Any configuration lines which include one or more tag: constructs will only be valid if all that tags are matched in the set derived above. Typically this is dhcp-option. .B dhcp-option @@ -1674,7 +1881,7 @@ which has tags will be used in preference to an untag .B dhcp-option, provided that _all_ the tags match somewhere in the set collected as described above. The prefix '!' on a tag means 'not' -so --dhcp=option=tag:!purple,3,1.2.3.4 sends the option when the +so --dhcp-option=tag:!purple,3,1.2.3.4 sends the option when the tag purple is not in the set of valid tags. (If using this in a command line rather than a configuration file, be sure to escape !, which is a shell metacharacter) @@ -1791,9 +1998,13 @@ Something like: .nf .B auth-server=our.zone.com,eth0 .B interface-name=our.zone.com,eth0 -.B auth-zone=our.zone.com,1.2.3.0/24 +.B auth-zone=our.zone.com,1.2.3.0/24,eth0 .fi +(The "eth0" argument in auth-zone adds the subnet containing eth0's +dynamic address to the zone, so that the interface-name returns the +address in outside queries.) + Our final configuration builds on that above, but also adds a secondary DNS server. This is another DNS server which learns the DNS data for the zone by doing zones transfer, and acts as a backup should @@ -1822,7 +2033,7 @@ to particular hosts then will do so. Dnsmasq acts as an authoritative server for in-addr.arpa and -ipv6.arpa domains associated with the subnets given in auth-zone +ip6.arpa domains associated with the subnets given in auth-zone declarations, so reverse (address to name) lookups can be simply configured with a suitable NS record, for instance in this example, where we allow 1.2.3.0/24 addresses. @@ -1851,18 +2062,20 @@ IPv4 and IPv6 addresses from /etc/hosts (and .B --addn-hosts ) and .B --host-record +and +.B --interface-name provided the address falls into one of the subnets specified in the .B --auth-zone. .PP -Addresses specified by -.B --interface-name. -In this case, the address is not contrained to a subnet from -.B --auth-zone. - -.PP Addresses of DHCP leases, provided the address falls into one of the subnets specified in the +.B --auth-zone. +(If contructed DHCP ranges are is use, which depend on the address dynamically +assigned to an interface, then the form of .B --auth-zone -OR a constructed DHCP range. In the default mode, where a DHCP lease +which defines subnets by the dynamic address of an interface should +be used to ensure this condition is met.) +.PP +In the default mode, where a DHCP lease has an unqualified name, and possibly a qualified name constructed using .B --domain