kea/doc/guide/bind10-guide.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY mdash  "&#x2014;" >
<!ENTITY % version SYSTEM "version.ent">
%version;
]>

<!--
 - Copyright (C) 2010-2014  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<book>
  <?xml-stylesheet href="bind10-guide.css" type="text/css"?>

  <bookinfo>
    <title>Kea Guide</title>
    <subtitle>Administrator Reference for Kea</subtitle>

    <copyright>
      <year>2010-2014</year><holder>Internet Systems Consortium, Inc.</holder>
    </copyright>

    <abstract>
      <para>
        Kea is an open source implementation of the Dynamic Host Configuration
        Protocol (DHCP) servers, developed and maintained by Internet Systems
        Consortium (ISC).
      </para>

      <!-- TODO: The VERSION needs to be updated -->
      <para>
        This is the reference guide for Kea version &__VERSION__;.
        The most up-to-date version of this document (in PDF, HTML,
        and plain text formats), along with other documents for
        Kea, can be found at <ulink url="http://kea.isc.org/docs"/>.
        </para> </abstract>

      <releaseinfo>This is the reference guide for Kea version
        &__VERSION__;.</releaseinfo>

  </bookinfo>

  <!-- todo: Preface is now empty, but leave it around now
  <preface>
    <title>Preface</title>
  </preface>
-->
  <chapter id="intro">
    <title>Introduction</title>
    <para>
      Kea is the next generation of DHCP servers developed by ISC.
      It supports both DHCPv4 and DHCPv6 protocols along with their
      extensions (e.g. prefix delegation). It also supports the dynamic
      updates to DNS.
    </para>

    <para>
      Kea has been initially developed as a part of the BIND 10 framework
      (<ulink url="http://bind10.isc.org"/>). In early 2014, ISC
      made the decision to discontinue active development of BIND 10 and
      continue development of Kea as standalone DHCP servers. As a result,
      the components and libraries related to the BIND10 framework and DNS
      are going to be removed from the Kea source tree over time.
      In order to remove the dependency on Python 3, the BIND 10 framework
      will be replaced by the server startup and configuration mechanisms
      written in C++.
    </para>

    <note>
      <simpara>Kea has been implemented in BIND 10 framework and to certain extent
      it still depends on various BIND 10 libraries. It also requires the BIND 10
      framework to run, because BIND 10 configuration mechanisms are used to
      configure Kea. As a result, this document still refers to BIND 10 in many
      paragraphs. The term "BIND 10" in the context of this document means
      "BIND 10 libraries and applications which are necessary for Kea to run
      and configure". The term "Kea" means "the collection of binaries and libraries
      which, as a whole, implement the DHCP protocols.
      </simpara>
    </note>

    <para>
      This guide covers Kea version &__VERSION__;.
    </para>

    <section>
      <!-- todo: revisit (maybe extend) the list of supported platforms -->
      <title>Supported Platforms</title>
      <para>
        Kea builds have been tested on (in no particular order)
        Debian GNU/Linux 6 and unstable, Ubuntu 9.10, NetBSD 5,
        Solaris 10 and 11, FreeBSD 7 and 8, CentOS Linux 5.3,
        MacOS 10.6 and 10.7, and OpenBSD 5.1.

        It has been tested on Sparc, i386, and amd64 hardware
        platforms.

        It is planned for Kea to build, install and run on
        Windows and standard Unix-type platforms.
      </para>
    </section>

    <section id="required-software">
      <title>Required Software at Run-time</title>

      <para>
        Running Kea uses various extra software which may
        not be provided in some operating systems' default
        installations nor standard packages collections. You may
        need to install this required software separately.
        (For the build requirements, also see
        <xref linkend="build-requirements"/>.)
      </para>

      <para>
        Kea was developed as a collection of applications within
        BIND 10 framework and it still relies on the remaining parts
        of this framework. In particular, the servers' configuration
        and startup are still facilitated by the modules which originate
        in BIND 10. These modules require at least Python 3.1 to run.
        They also work with Python 3.2
        (<ulink url="http://www.python.org/"/>)). The dependency
        on Python will be removed once a replacing configuration
        and startup mechanisms are developed for Kea. At this point
        Kea will be written in pure C++.
      </para>

      <para>
        Kea supports two crypto libraries: Botan and OpenSSL. Only one
        of them is required during compilation. Kea uses the Botan crypto
        library for C++ (<ulink url="http://botan.randombit.net/"/>).
        It requires at least Botan version 1.8. As an alternative to Botan,
        Kea can use the OpenSSL crypto library
        (<ulink url="http://www.openssl.org/"/>).
        It requires a version with SHA-2 support.
      </para>

      <para>
        Kea uses the log4cplus C++ logging library
        (<ulink url="http://log4cplus.sourceforge.net/"/>).
        It requires at least log4cplus version 1.0.3.
<!-- TODO: It is recommended to use at least version .... -->
      </para>
    </section>

    <section id="starting_stopping">
      <title>Starting and Stopping the Server</title>
      <para>
        Kea is modular.  Part of this modularity is
        accomplished using multiple cooperating processes which, together,
        provide the server functionality.
      </para>

      <!-- todo: Rename processes here, once they are renamed in the source -->
      <para>
        At first, running many different processes may seem confusing.
        However, these processes are started by running a single
	command, <command>bind10</command>.  This command starts
	a master process, <command>b10-init</command>, which will
	start other required processes and other processes when
	configured.  The processes that may be started have names
	starting with "b10-", including:
      </para>

      <para>

        <itemizedlist>

          <listitem>
            <simpara>
              <command>b10-cfgmgr</command> &mdash;
              Configuration manager.
              This process maintains all of the configuration for BIND 10.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-cmdctl</command> &mdash;
              Command and control service.
              This process allows external control of the BIND 10 system.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-dhcp4</command> &mdash;
              DHCPv4 server process.
              This process responds to DHCPv4 queries from clients.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-dhcp6</command> &mdash;
              DHCPv6 server process.
              This process responds to DHCPv6 queries from clients.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-dhcp-ddns</command> &mdash;
              DHCP-DDNS process.
              This process acts as an intermediary between the DHCP servers
              and DNS server. It receives name update requests from the DHCP
              servers and sends DNS Update messages to the DNS servers.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-msgq</command> &mdash;
              Message bus daemon.
              This process coordinates communication between all of the other
              BIND 10 processes.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-sockcreator</command> &mdash;
              Socket creator daemon.
              This process creates sockets used by
              network-listening BIND 10 processes.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-stats</command> &mdash;
              Statistics collection daemon.
              This process collects and reports statistics data.
            </simpara>
          </listitem>

          <listitem>
            <simpara>
              <command>b10-stats-httpd</command> &mdash;
              HTTP server for statistics reporting.
              This process reports statistics data in XML format over HTTP.
            </simpara>
          </listitem>

        </itemizedlist>
      </para>

      <para>
        These do not need to be manually started independently.
      </para>

    </section>

    <section id="managing_once_running">
      <title>Managing BIND 10</title>

      <para>
        Once BIND 10 is running, a few commands are used to interact
        directly with the system:
        <itemizedlist>
          <listitem>
            <simpara>
              <command>bindctl</command> &mdash;
              Interactive administration interface.
              This is a low-level command-line tool which allows
              a developer or an experienced administrator to control
              Kea.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>b10-cmdctl-usermgr</command> &mdash;
              User access control.
              This tool allows an administrator to authorize additional users
              to manage Kea.
            </simpara>
          </listitem>
  <!-- TODO usermgr -->
        </itemizedlist>
      </para>
    </section>

    <para>
      The tools and modules are covered in full detail in this guide.
<!-- TODO point to these -->
      In addition, manual pages are also provided in the default installation.
    </para>

<!--
bin/
  bindctl*
  host*
lib/
  libauth
  libdns
  libexceptions
  python3.1/site-packages/isc/{cc,config}
sbin/
  bind10
share/
  share/bind10/
    auth.spec
    b10-cmdctl.pem
    init.spec
    passwd.csv
  man/
var/
  bind10/b10-config.db
-->

    <para>
      BIND 10 also provides libraries and programmer interfaces
      for C++ and Python for the message bus and configuration backend,
      and, of course, DHCP. These include detailed developer
      documentation and code examples.
<!-- TODO point to this -->
    </para>

  </chapter>

  <chapter id="quickstart">
    <title>Quick start</title>

    <para>
        This quickly covers the standard steps for installing
        and deploying Kea.
        For further details, full customizations, and troubleshooting,
        see the respective chapters in the Kea guide.
    </para>

    <section id="quick-start-dhcp6">
      <title>Quick start guide for DHCPv6 service</title>

      <orderedlist>

        <listitem>
          <simpara>
            Install required run-time and build dependencies.
          </simpara>
        </listitem>

        <!-- We may need to replace it with the link to a downloadable tarball
        once we have it. -->
        <listitem>
          <simpara>
            Checkout the latest Kea revision from the Git repository:
            <screen>$ <userinput>git clone git://git.kea.isc.org/kea</userinput> </screen>
          </simpara>
        </listitem>

        <listitem>
          <para>Go into the source and run configure:
            <screen>$ <userinput>cd kea</userinput>
$ <userinput>autoreconf --install</userinput>
$ <userinput>./configure</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Build it:
            <screen>$ <userinput>make</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Install it as root (by default to prefix
          <filename>/usr/local/</filename>):
            <screen>$ <userinput>make install</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Change directory to the install prefix (by default
          <filename>/usr/local/</filename>):
            <screen>$ <userinput>cd /usr/local/</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>Create a user for yourself:
            <screen>$ <userinput>sbin/b10-cmdctl-usermgr add root</userinput></screen>
	  and enter a newly chosen password when prompted.
          </para>
        </listitem>

        <listitem>
          <para>Start the server (as root):
            <screen>$ <userinput>sbin/bind10</userinput></screen>
          </para>
        </listitem>

        <listitem>
          <para>DHCP components are not started in the default
	    configuration.  In another console, enable the DHCPv6
	    service (by using the <command>bindctl</command> utility
	    to configure the <command>b10-dhcp6</command> component to
	    run): <screen>$ <userinput>bin/bindctl</userinput></screen>
	    (Login with the username and password you used above to create a user.)
            <screen>
&gt; <userinput>config add Init/components b10-dhcp6</userinput>
<!-- todo: Should the kind be needed or dispensable? -->
&gt; <userinput>config set Init/components/b10-dhcp6/kind dispensable</userinput>
&gt; <userinput>config commit</userinput>
&gt; <userinput>quit</userinput>
            </screen>
          </para>
        </listitem>

        <listitem>
         <para>Test it; for example, use the
         <ulink url="http://www.isc.org/downloads/DHCP/">ISC DHCP client</ulink>
         to send DHCPv6 queries to the server and verify that the client receives a
         configuration from the server:
            <screen>$ <userinput>dhclient -6</userinput></screen>
         </para>
        </listitem>
      </orderedlist>

    </section>

  </chapter>

  <chapter id="installation">
    <title>Installation</title>

    <section id="packages">
      <title>Packages</title>

      <para>
        Some operating systems or software package vendors may
        provide ready-to-use, pre-built software packages for Kea.
        Installing a pre-built package means you do not need to
        install build-only prerequisites and do not need to
        <emphasis>make</emphasis> the software.
      </para>

      <para>
        FreeBSD ports, NetBSD pkgsrc, and Debian
        <emphasis>testing</emphasis> package collections provide
        all the prerequisite packages.
      </para>
    </section>

    <section id="install-hierarchy">
      <title>Install Hierarchy</title>
      <para>
        The following is the standard, common layout of the
        complete Kea installation:
        <itemizedlist>
          <listitem>
           <simpara>
              <filename>bin/</filename> &mdash;
              general tools and diagnostic clients.
            </simpara>
          </listitem>
          <listitem>
          <simpara>
            <filename>etc/bind10/</filename> &mdash;
            configuration files.
          </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>lib/</filename> &mdash;
              libraries and python modules.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>libexec/bind10/</filename> &mdash;
              executables that a user wouldn't normally run directly and
              are not run independently.
              These are the BIND 10 and Kea modules which are daemons started by
              the <command>b10-init</command> master process.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>sbin/</filename> &mdash;
              commands used by the system administrator.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/bind10/</filename> &mdash;
              configuration specifications.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/doc/bind10/</filename> &mdash;
              this guide and other supplementary documentation.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>share/man/</filename> &mdash;
              manual pages (online documentation).
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <filename>var/bind10/</filename> &mdash;
              data source and configuration databases.
            </simpara>
          </listitem>
        </itemizedlist>
      </para>
    </section>

    <section id="build-requirements">
      <title>Building Requirements</title>

        <para>
          In addition to the run-time requirements (listed in
          <xref linkend="required-software"/>), building Kea
          from source code requires various development include headers and
          program development tools.
        </para>

        <note>
          <simpara>
            Some operating systems have split their distribution packages into
            a run-time and a development package.  You will need to install
            the development package versions, which include header files and
            libraries, to build Kea from source code.
          </simpara>
        </note>

        <para>
          Building from source code requires the Boost
          build-time headers
          (<ulink url="http://www.boost.org/"/>).
          At least Boost version 1.35 is required.
  <!-- TODO: we don't check for this version -->
  <!-- NOTE: jreed has tested with 1.34, 1.38, and 1.41. -->
        </para>

        <para>
          To build Kea, also install the Botan (at least version
          1.8) or OpenSSL, and the log4cplus (at least version 1.0.3)
          development include headers.
        </para>

<!--
TODO
Debian and Ubuntu:
 libgmp3-dev and libbz2-dev required for botan too
-->

<!-- NOTE: _sqlite3 is only needed at test time; it is already listed
as a dependency earlier -->

        <para>
          Building Kea also requires a C++ compiler and
          standard development headers, make, and pkg-config.
          Kea builds have been tested with GCC g++ 3.4.3, 4.1.2,
          4.1.3, 4.2.1, 4.3.2, and 4.4.1; Clang++ 2.8; and Sun C++ 5.10.
        </para>

        <para>
          Visit the user-contributed wiki at <ulink
          url="http://kea.isc.org/wiki/SystemSpecificNotes" />
          for system-specific installation tips.
        </para>

    </section>

    <section id="install">
      <title>Installation from source</title>
      <para>
        Kea is open source software written in C++ (some components of the
        BIND 10 framework are written in Python).
        It is freely available in source code form from ISC as a
        downloadable tar file or via Kea Git code revision control
        service. (It may also be available in pre-compiled ready-to-use
        packages from operating system vendors.)
      </para>

      <section>

        <title>Download Tar File</title>
        <para>
          Kea 0.8 is available as a part of BIND10 1.2 release, which is
          a final release of BIND10 from ISC. This release can be downloaded
          from: <ulink url="ftp://ftp.isc.org/isc/bind10/"/>.
        </para>
      </section>

      <section>
        <title>Retrieve from Git</title>
        <para>
          Downloading this "bleeding edge" code is recommended only for
          developers or advanced users.  Using development code in a production
          environment is not recommended.
        </para>

        <note>
          <para>
            When using source code retrieved via Git, additional
            software will be required:  automake (v1.11 or newer),
            libtoolize, and autoconf (2.59 or newer).
            These may need to be installed.
          </para>
        </note>

        <para>
          The latest development code (and temporary experiments
          and un-reviewed code) is available via the Kea code revision
          control system. This is powered by Git and all the Kea
          development is public.
          The leading development is done in the <quote>master</quote>
          branch.
        </para>
        <para>
          The code can be checked out from
          <filename>git://git.kea.isc.org/kea</filename>;
          for example:

        <screen>$ <userinput>git clone git://git.kea.isc.org/kea</userinput></screen>
        </para>

        <para>
          When checking out the code from
          the code version control system, it doesn't include the
          generated configure script, Makefile.in files, nor their
          related build files.
          They can be created by running <command>autoreconf</command>
          with the <option>--install</option> switch.
          This will run <command>autoconf</command>,
          <command>aclocal</command>,
          <command>libtoolize</command>,
          <command>autoheader</command>,
          <command>automake</command>,
          and related commands.
        </para>

      </section>


      <section id="configure">
        <title>Configure before the build</title>
        <para>
          Kea uses the GNU Build System to discover build environment
          details.
          To generate the makefiles using the defaults, simply run:
          <screen>$ <userinput>./configure</userinput></screen>
        </para>
        <para>
          Run <command>./configure</command> with the <option>--help</option>
          switch to view the different options. Some commonly-used options are:

          <variablelist>

          <varlistentry>
            <term>--prefix</term>
            <listitem>
              <simpara>Define the installation location (the
                default is <filename>/usr/local/</filename>).
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-boost-include</term>
            <listitem>
              <simpara>Define the path to find the Boost headers.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-pythonpath</term>
            <listitem>
              <simpara>Define the path to Python 3.1 if it is not in the
                standard execution path.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-gtest</term>
            <listitem>
              <simpara>Enable building the C++ Unit Tests using the
                Google Tests framework. Optionally this can define the
                path to the gtest header files and library.
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--with-openssl</term>
            <listitem>
              <simpara>Replace Botan by OpenSSL for the crypto library.
                The default is to try to find a working Botan then
                OpenSSL only if not found.
<!-- missing -with-botan-config -->
              </simpara>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term>--without-werror</term>
            <listitem>
              <simpara>Disable the default use of the
		<option>-Werror</option> compiler flag so that
		compiler warnings aren't build failures.
              </simpara>
            </listitem>
          </varlistentry>

          </variablelist>
          <note>
            <para>
              For additional instructions concerning the building and installation of
              Kea for various databases, see <xref linkend="dhcp-install-configure"/>.
              For additional instructions concerning configuration backends, see
              <xref linkend="dhcp-config-backend" />.
            </para>
          </note>
        </para>
  <!-- TODO: lcov -->

        <para>
          For example, the following configures it to
    find the Boost headers, find the
    Python interpreter, and sets the installation location:

          <screen>$ <userinput>./configure \
      --with-boost-include=/usr/pkg/include \
      --with-pythonpath=/usr/pkg/bin/python3.1 \
      --prefix=/opt/bind10</userinput></screen>
        </para>

        <para>
          If the configure fails, it may be due to missing or old
          dependencies.
        </para>


      </section>

      <section>
        <title>Build</title>
        <para>
    After the configure step is complete, to build the executables
    from the C++ code and prepare the Python scripts, run:

          <screen>$ <userinput>make</userinput></screen>
        </para>
      </section>

      <section>
        <title>Install</title>
        <para>
          To install the Kea executables, support files,
          and documentation, run:
          <screen>$ <userinput>make install</userinput></screen>
        </para>
        <para>
          Please don't use any form of parallel or job server options
          (such as GNU make's <command>-j</command> option) when
          performing this step. Doing so may cause errors.
        </para>
        <note>
          <para>The install step may require superuser privileges.</para>
        </note>
        <para>
	  If required, run <command>ldconfig</command> as root with
	  <filename>/usr/local/lib</filename> (or with ${prefix}/lib if
	  configured with --prefix) in
	  <filename>/etc/ld.so.conf</filename> (or the relevant linker
	  cache configuration file for your OS):
	  <screen>$ <userinput>ldconfig</userinput></screen>
        </para>
        <note>
          <para>
	    If you do not run <command>ldconfig</command> where it is
	    required, you may see errors like the following:
            <screen>
	      program: error while loading shared libraries: libkea-something.so.1:
	      cannot open shared object file: No such file or directory
	    </screen>
	  </para>
        </note>
      </section>

  <!-- TODO: tests -->

    </section>

  <!--
      <section id="install.troubleshooting">
        <title>Troubleshooting</title>
        <para>
        </para>
      </section>
  -->

  </chapter>

  <chapter id="bind10">
    <title>Starting Kea with <command>bind10</command></title>
    <para>
      Kea is started with the <command>bind10</command> command.
      It runs the <command>b10-init</command> daemon which
      starts up the required processes, and
      will also restart some processes that exit unexpectedly.
      <command>bind10</command> is the only command needed to start Kea.
    </para>

    <para>
      After starting the <command>b10-msgq</command> communications channel,
      <command>b10-init</command> connects to it,
      runs the configuration manager, and reads its own configuration.
      Then it starts the other modules.
    </para>

    <para>
      The <command>b10-sockcreator</command>, <command>b10-msgq</command> and
      <command>b10-cfgmgr</command>
      services make up the core. The <command>b10-msgq</command> daemon
      provides the communication channel between every part of the system.
      The <command>b10-cfgmgr</command> daemon is always needed by every
      module, if only to send information about themselves somewhere,
      but more importantly to ask about their own settings, and
      about other modules. The <command>b10-sockcreator</command> daemon
      can allocate Internet addresses and ports needed by network services
      but is currently unused by DHCP servers.
    </para>

    <para>
      In its default configuration, the <command>b10-init</command>
      master process will also start up
      <command>b10-cmdctl</command> for administration tools to
      communicate with the system, and
      <command>b10-stats</command> for statistics collection.
      The DHCP servers are not started by default.
      The configuration of components to start is covered in
      <xref linkend="kea.components"/>.
    </para>

    <section id="start">
      <title>Starting Kea</title>
      <para>
        To start the BIND 10 service, simply run <command>bind10</command>
        as root.
        It will run in the foreground and your shell prompt will not
        be available. It will output various log messages as it starts up
        and is used.
        Run it with the <option>--verbose</option> switch to
        get additional debugging or diagnostic output.
      </para>

<!-- TODO: user switch -->

<!-- TODO:  example:  nohup /usr/local/sbin/bind10 1>bind10.log 2>&1 -->

      <note>
        <para>
          If the setproctitle Python module is detected at start up,
          the process names for the Python-based daemons will be renamed
          to better identify them instead of just <quote>python</quote>.
          This is not needed on some operating systems.
        </para>
      </note>

    </section>

  </chapter>

  <chapter id="msgq">
    <title>Command channel</title>

      <para>
        The BIND 10 components use the <command>b10-msgq</command>
        message routing daemon to communicate with Kea components.
        The <command>b10-msgq</command> implements what is called the
        <quote>Command Channel</quote>.
        Processes intercommunicate by sending messages on the command
        channel.
        Example messages include shutdown, get configurations, and set
        configurations.
        This Command Channel is not used for DNS message passing.
        It is used only to control and monitor the BIND 10 system.
      </para>

      <para>
        Administrators do not communicate directly with the
        <command>b10-msgq</command> daemon.
        By default, BIND 10 uses a UNIX domain socket file named
        <filename>/usr/local/var/bind10/msg_socket</filename>
        for this interprocess communication.
      </para>

  </chapter>

  <chapter id="cfgmgr">
    <title>Configuration manager</title>

      <para>
         The configuration manager, <command>b10-cfgmgr</command>,
         handles all system configuration.  It provides
         persistent storage for configuration, and notifies running
         modules of configuration changes.
      </para>

      <para>
        The <command>b10-dhcp6</command>, <command>b10-dhcp4</command> and
        <command>b10-dhcp-ddns</command> daemons receive their configurations
        from the configuration manager over the <command>b10-msgq</command>
        command channel.
      </para>

      <para>The administrator doesn't connect to it directly, but
        uses a user interface to communicate with the configuration
        manager via <command>b10-cmdctl</command>'s REST-ful interface.
        <command>b10-cmdctl</command> is covered in <xref linkend="cmdctl"/>.
      </para>

<!-- TODO -->
      <note>
        <para>
          In future releases of Kea, the architecture which originates in
          the BIND 10 project will be replaced by the new mechanisms to start
          and configure Kea. The new mechanisms will use a file based
          configuration.
        </para>
      </note>

      <para>
        The <command>b10-cfgmgr</command> daemon can send all
        specifications and all current settings to the
        <command>bindctl</command> client (via
        <command>b10-cmdctl</command>).
        <command>b10-cfgmgr</command> relays configurations received
        from <command>b10-cmdctl</command> to the appropriate modules.
      </para>
<!-- TODO:
        Configuration settings for itself are defined as ConfigManager.
TODO: show examples
-->

<!-- TODO:
config changes are actually commands to cfgmgr
-->

<!-- TODO: what about run time config to change this? -->
<!-- jelte: > config set cfgmgr/config_database <file> -->
<!-- TODO: what about command line switch to change this? -->
      <para>
        The stored configuration file is at
        <filename>/usr/local/var/bind10/b10-config.db</filename>.
        (The directory is what was defined at build configure time for
        <option>--localstatedir</option>.
        The default is <filename>/usr/local/var/</filename>.)
        The format is loosely based on JSON and is directly parseable
        python, but this may change in a future version.
        This configuration data file is not manually edited by the
        administrator.
      </para>

<!--

Well the specfiles have a more fixed format (they must contain specific
stuff), but those are also directly parseable python structures (and
'coincidentally', our data::element string representation is the same)

loosely based on json, tweaked to be directly parseable in python, but a
subset of that.
wiki page is http://bind10.isc.org/wiki/DataElementDesign

nope, spec files are written by module developers, and db should be done
through bindctl and friends

-->

    <para>
      The configuration manager does not have any command line arguments.
      Normally it is not started manually, but is automatically
      started using the <command>b10-init</command> master process
      (as covered in <xref linkend="bind10"/>).
    </para>

<!-- TODO: upcoming plans:
configuration for configuration manager itself. And perhaps we might
change the messaging protocol, but an admin should never see any of that
-->

<!-- TODO: show examples, test this -->
<!--
, so an admin can simply run bindctl,
do config show, and it shows all modules; config show >module> shows all
options for that module
-->

  </chapter>

  <chapter id="cmdctl">
    <title>Remote control daemon</title>

    <para>
      <command>b10-cmdctl</command> is the gateway between
      administrators and the BIND 10 system.
      It is a HTTPS server that uses standard HTTP Digest
      Authentication for username and password validation.
      It provides a REST-ful interface for accessing and controlling
      BIND 10.
    </para>
<!-- TODO: copy examples from wiki, try with wget -->

    <para>
      When <command>b10-cmdctl</command> starts, it firsts
      asks <command>b10-cfgmgr</command> about what modules are
      running and what their configuration is (over the
      <command>b10-msgq</command> channel). Then it will start listening
      on HTTPS for clients &mdash; the user interface &mdash; such
      as <command>bindctl</command>.
    </para>

    <para>
      <command>b10-cmdctl</command> directly sends commands
      (received from the user interface) to the specified component.
      Configuration changes are actually commands to
      <command>b10-cfgmgr</command> so are sent there.
    </para>

<!--
TODO:
"For bindctl to list a module's available configurations and
available commands, it communicates over the cmdctl REST interface.
cmdctl then asks cfgmgr over the msgq command channel. Then cfgmgr
asks the module for its specification and also cfgmgr looks in its
own configuration database for current values."

(05:32:03) jelte: i think cmdctl doesn't request it upon a incoming
GET, but rather requests it once and then listens in for updates,
but you might wanna check with likun
-->

<!-- TODO: replace /usr/local -->
<!-- TODO: permissions -->
    <para>The HTTPS server requires a private key,
      such as a RSA PRIVATE KEY.
      The default location is at
      <filename>/usr/local/etc/bind10/cmdctl-keyfile.pem</filename>.
      (A sample key is at
      <filename>/usr/local/share/bind10/cmdctl-keyfile.pem</filename>.)
      It also uses a certificate located at
      <filename>/usr/local/etc/bind10/cmdctl-certfile.pem</filename>.
      (A sample certificate is at
      <filename>/usr/local/share/bind10/cmdctl-certfile.pem</filename>.)
      This may be a self-signed certificate or purchased from a
      certification authority.
    </para>

    <note><para>
      The HTTPS server doesn't support a certificate request from a
      client (at this time).
<!-- TODO: maybe allow request from server side -->
      The <command>b10-cmdctl</command> daemon does not provide a
      public service. If any client wants to control BIND 10, then
      a certificate needs to be first received from the BIND 10
      administrator.
      The Kea installation provides a sample PEM bundle that matches
      the sample key and certificate.
    </para></note>
<!-- TODO: cross-ref -->

<!-- TODO
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
but that is a single file, maybe this should go back to that format?
-->

<!--
    <para>
(08:20:56) shane: It is in theory possible to run without cmdctl.
(08:21:02) shane: I think we discussed this.
    </para>
-->

<!-- TODO: Please check https://bind10.isc.org/wiki/cmd-ctrld -->


    <para>
      The <command>b10-cmdctl</command> daemon also requires
      the user account file located at
      <filename>/usr/local/etc/bind10/cmdctl-accounts.csv</filename>.
      This comma-delimited file lists the accounts with a user name,
      hashed password, and salt.
    </para>

    <para>
      The administrator may create a user account with the
      <command>b10-cmdctl-usermgr</command> tool.
    </para>
<!-- TODO: show example -->

<!-- TODO: does cmdctl need to be restarted to change cert or key
or accounts database -->

    <para>
      By default the HTTPS server listens on the localhost port 8080.
      The port can be set by using the <option>--port</option> command line option.
      The address to listen on can be set using the <option>--address</option> command
      line argument.
      Each HTTPS connection is stateless and times out in 1200 seconds
      by default.  This can be
      redefined by using the <option>--idle-timeout</option> command line argument.
    </para>

    <section id="cmdctl.spec">
      <title>Configuration specification for b10-cmdctl</title>
      <para>
        The configuration items for <command>b10-cmdctl</command> are:
        <varname>accounts_file</varname> which defines the path to the
        user accounts database (the default is
        <filename>/usr/local/etc/bind10/cmdctl-accounts.csv</filename>);
        <varname>cert_file</varname> which defines the path to the
        PEM certificate file (the default is
        <filename>/usr/local/etc/bind10/cmdctl-certfile.pem</filename>);
        and
	<varname>key_file</varname> which defines the path to the
	PEM private key file (the default is
        <filename>/usr/local/etc/bind10/cmdctl-keyfile.pem</filename>).
      </para>

    </section>

<!--
TODO
(12:21:30) jinmei: I'd like to have sample session using a command line www client such as wget
-->

  </chapter>

  <chapter id="bindctl">
    <title>Control and configure user interface</title>

    <note><para>
      <command>bindctl</command> has an internal command history, as
      well as tab-completion for most of the commands and arguments.
      However, these are only enabled if the python readline module
      is available on the system. If not, neither of these
      features will be supported.
    </para></note>

    <para>
      The <command>bindctl</command> tool provides an interactive
      prompt for configuring, controlling, and querying the Kea
      components.
      It communicates directly with a REST-ful interface over HTTPS
      provided by <command>b10-cmdctl</command>. It doesn't
      communicate to any other components directly.
    </para>

    <section id="bindctl_commandline_options">
        <title>bindctl command-line options</title>
        <variablelist>
          <varlistentry>
            <term>-a <replaceable>&lt;address&gt;</replaceable>, --address=<replaceable>&lt;address&gt;</replaceable></term>
            <listitem>
              <simpara>
                  IP address that BIND 10's <command>b10-cmdctl</command>
                  module is listening on. By default, this is 127.0.0.1.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>-c <replaceable>&lt;certificate file&gt;</replaceable>, --certificate-chain=<replaceable>&lt;certificate file&gt;</replaceable></term>
            <listitem>
              <simpara>
                  PEM-formatted server certificate file. When this option is
                  given, <command>bindctl</command> will verify the server
                  certificate using the given file as the root of the
                  certificate chain. If not specified, <command>bindctl
                  </command> does not validate the certificate.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>--csv-file-dir=<replaceable>&lt;csv file&gt;</replaceable></term>
            <listitem>
              <simpara>
                  <command>bindctl</command> stores the username and
                  password for logging in in a file called
                  <filename>default_user.csv</filename>;
                  this option specifies the directory where this file is
                  stored and read from. When not specified,
                  <filename>~/.bind10/</filename> is used.
                  <note>Currently, this file contains an unencrypted password.</note>
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>-h, --help</term>
            <listitem>
              <simpara>
                  Shows a short overview of the command-line options of
                  <command>bindctl</command>, and exits.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>--version</term>
            <listitem>
              <simpara>
                  Shows the version of <command>bindctl</command>, and exits.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>-p <replaceable>&lt;port number&gt;</replaceable>, --port=<replaceable>&lt;port number&gt;</replaceable></term>
            <listitem>
              <simpara>
                  Port number that BIND 10's <command>b10-cmdctl</command>
                  module is listening on. By default, this is port 8080.
              </simpara>
            </listitem>
          </varlistentry>
        </variablelist>
    </section>

    <section id="bindctl_general_syntax">
        <title>General syntax of bindctl commands</title>
        The <command>bindctl</command> tool is an interactive
        command-line tool, with dynamic commands depending on the
        BIND 10 modules that are running. There are a number of
        fixed commands that have no module and that are always
        available.

        The general syntax of a command is

        <screen><userinput>&lt;module&gt; &lt;command&gt; <replaceable>[argument(s)]</replaceable></userinput></screen>

        For example, the Init module has a 'shutdown' command to shut down
        BIND 10, with an optional argument 'help':

        <screen>&gt; <userinput>Init shutdown help</userinput>
Command  shutdown 	(Shut down BIND 10 and Kea)
		help (Get help for command)
This command has no parameters
        </screen>
        There are no mandatory arguments, only the optional 'help'.
    </section>

    <section id="bindctl_help">
        <title>Bindctl help</title>
        <command>help</command> is both a command and an option that is available to all other commands. When run as a command directly, it shows the available modules.
        <screen>&gt; <userinput>help</userinput>
usage: &lt;module name&gt; &lt;command name&gt; [param1 = value1 [, param2 = value2]]
Type Tab character to get the hint of module/command/parameters.
Type "help(? h)" for help on bindctl.
Type "&lt;module_name&gt; help" for help on the specific module.
Type "&lt;module_name&gt; &lt;command_name&gt; help" for help on the specific command.

Available module names:
<emphasis>(list of modules)</emphasis>
        </screen>

        When 'help' is used as a command to a module, it shows the supported commands for the module; for example:
        <screen>&gt; <userinput>Init help</userinput>
Module  Init 	Master process
Available commands:
    help        Get help for module.
    shutdown    Shut down BIND10 and Kea
    ping        Ping the Init process
    show_processes
            List the running BIND10 and Kea processes
        </screen>

    And when added to a module command, it shows the description and parameters of that specific command; for example:
    <screen>&gt; <userinput>DhcpDdns shutdown help</userinput>
Command  shutdown 	(Shuts down b10-dhcp-ddns module server.)
		help (Get help for command)
Parameters:
    type (string, optional)
        values: normal (default), now, or drain_first
    </screen>

    </section>

    <section id="bindctl_command_arguments">
        <title>Command arguments</title>
        <simpara>
            Commands can have arguments, which can be either optional or
            mandatory. They can be specified by name
            (e.g. <command><replaceable>&lt;command&gt;</replaceable> <replaceable>&lt;argument name&gt;=&lt;argument value&gt;</replaceable></command>), or positionally,
            (e.g. <command><replaceable>&lt;command&gt;</replaceable> <replaceable>&lt;argument value 1&gt;</replaceable> <replaceable>&lt;argument value 2&gt;</replaceable></command>).
        </simpara>
        <simpara>
            <command><replaceable>&lt;command&gt;</replaceable> <replaceable>help</replaceable></command>
            shows the arguments a command supports and which of those are
            mandatory, and in which order the arguments are expected if
            positional arguments are used.
        </simpara>
        <simpara>
            For example, the <command>shutdown</command> command of the DhcpDdns
            module, as shown in the last example of the previous section, has
            one optional argument which is appended right after the command:
            <screen>&gt; <userinput>DhcpDdns shutdown now</userinput></screen>
            But since the class is optional (defaulting to normal), leaving it out
            works as well:
            <screen>&gt; <userinput>DhcpDdns shutdown</userinput></screen>
        </simpara>
        <simpara>
            The arguments can also be provided with their names:
            <screen>&gt; <userinput>DhcpDdns shutdown type="now"</userinput></screen>
        </simpara>
    </section>

    <section id="bindctl_module_commands">
        <title>Module commands</title>
        Each module has its own set of commands (if any), which will only be
        available if the module is running.
    </section>

    <section>
        <title>Configuration commands</title>
        Configuration commands are used to view and change the configuration
        of BIND 10 and its modules. Module configuration is only shown if
        that module is running, but similar to commands, there are a number
        of top-level configuration items that are always available (for
        instance <varname>tsig_keys</varname> and
        <varname>data_sources</varname>).

        Configuration changes (set, unset, add and remove) are done locally
        first, and have no immediate effect. The changes can be viewed with
        <command>config diff</command>, and either reverted
        (<command>config revert</command>), or committed
        (<command>config commit</command>).
        In the latter case, all local changes are submitted
        to the configuration manager, which verifies them, and if they are
        accepted, applied and saved in persistent storage.

        When identifying items in configuration commands, the format is
        <screen><userinput>Module/example/item</userinput></screen>
        Sub-elements of names, lists and sets (see <xref linkend=
        "bindctl_configuration_data_types"/>) are separated with the '/'
        character, and list indices are identified with [<replaceable>&lt;index&gt;</replaceable>]; for example:

        <screen><userinput>Module/example/list[2]/foo</userinput></screen>

        <section id="bindctl_configuration_command_list">
        <title>List of configuration commands</title>
        The following configuration commands are available:
        <variablelist>
          <varlistentry>
            <term>show [all] [item name]</term>
            <listitem>
              <simpara>
                Shows the current configuration of the given item. If 'all'
                is given, it will recurse through the entire set, and show
                every nested value.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>show_json [item name]</term>
            <listitem>
              <simpara>
                Shows the full configuration of the given item in JSON format.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>add &lt;item name&gt; [value]</term>
            <listitem>
              <simpara>
                Add an entry to configuration list or a named set (see <xref
                linkend="bindctl_configuration_data_types"/>).
                When adding to a list, the command has one optional
                argument, a value to add to the list. The value must
                be in correct JSON and complete. When adding to a
                named set, it has one mandatory parameter (the name to
                add), and an optional parameter value, similar to when
                adding to a list. In either case, when no value is
                given, an entry will be constructed with default
                values.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>remove</term>
            <listitem>
              <simpara>
                Remove an item from a configuration list or a named set.
                When removing an item for a list, either the index needs to
                be specified, or the complete value of the element to remove
                must be specified (in JSON format).
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>set &lt;item name&gt; &lt;value&gt;</term>
            <listitem>
              <simpara>
                  Directly set the value of the given item to the given value.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>unset &lt;item name&gt;</term>
            <listitem>
              <simpara>
                  Remove any user-specified value for the given item.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>diff</term>
            <listitem>
              <simpara>
                  Show all current local changes that have not been
                  committed yet.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>revert</term>
            <listitem>
              <simpara>
                  Revert all local changes without committing them.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>commit</term>
            <listitem>
              <simpara>
                  Send all local changes to the configuration manager, which
                  will validate them, and apply them if validation succeeds.
              </simpara>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>go</term>
            <listitem>
              <simpara>
                  Go to a specific configuration part, similar to the 'cd'
                  command in a shell.
                  <note>There are a number of problems with the current
                  implementation of go within <command>bindctl</command>,
                  and we recommend not using it for general cases.</note>
              </simpara>
            </listitem>
          </varlistentry>
        </variablelist>
      </section>

      <section id="bindctl_configuration_data_types">
        <title>Configuration data types</title>
        Configuration data can be of different types, which can be modified
        in ways that depend on the types. There are a few syntax
        restrictions on these types, but only basic ones. Modules may impose
        additional restrictions on the values of elements.
        <variablelist>
            <varlistentry>
                <term>integer</term>
                <listitem>
                    <simpara>
                        A basic integer; can be set directly with
                        <command>config set</command>, to any integer
                        value. The value must not be quoted, or else, it
                        will be parsed as a string.
                    </simpara>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>real</term>
                <listitem>
                    <simpara>
                        A basic floating point number; can be set
                        directly with <command>config set</command>, to
                        any floating point value. The value must not be
                        quoted, or else, it will be parsed as a string.
                    </simpara>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>boolean</term>
                <listitem>
                    <simpara>
                        A basic boolean value; can be set directly with
                        <command>config set</command>, to either
                        <command>true</command> or
                        <command>false</command>. The value must not be
                        quoted, or else, it will be parsed as a
                        string. Integer values are not allowed.
                    </simpara>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>string</term>
                <listitem>
                    <simpara>
                        A basic string value; can be set directly with
                        <command>config set</command> to any
                        string. Double quotation marks are optional.
                    </simpara>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>null</term>
                <listitem>
                    <simpara>
                        This is a special type representing 'no value at all'; usable in compound structures that have optional elements that are not set.
                    </simpara>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>maps</term>
                <listitem>
                    <simpara>
                        Maps are (pre-defined) compound collections of other
                        elements of any other type. They are not usually
                        modified directly, but their elements are. Every
                        top-level element for a module is a map containing
                        the configuration values for that map, which can
                        themselves be maps again.
                    </simpara>
                    <simpara>
                        Some map entries are optional. If they are, and
                        currently have a value, the value can be unset by
                        using either <command>config unset
                        <replaceable>&lt;item name&gt;</replaceable>
                        </command> or <command>config set
                        <replaceable>&lt;item name&gt;</replaceable>
                        null</command>.

                    </simpara>
                    <simpara>
                        Maps <emphasis>can</emphasis> be modified as a whole,
                        but using the full JSON representation of
                        the entire map to set.

                        Since this involves a lot of text, this is usually
                        not recommended.
                    </simpara>
                    <simpara>
                        Another example is the Logging virtual module, which
                        is, like any module, a map, but it only contains one
                        element: a list of loggers. Normally, an
                        administrator would only modify that list (or its
                        elements) directly, but it is possible to set the
                        entire map in one command; for example:
                        <command> config set Logging { "loggers": [] } </command>
                    </simpara>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>list</term>
                <listitem>
                    <simpara>
                        A list is a compound list of other elements of the
                        same type. Elements can be added with <command>config
                        add <replaceable>&lt;list name&gt; [value]</replaceable></command>, and removed with
                        <command>config remove <replaceable>&lt;list name&gt; [value]</replaceable></command> or
                        <command>config remove <replaceable>&lt;list name&gt;</replaceable><replaceable>&lt;index&gt;</replaceable></command>.
                        The index is of the form <emphasis>square bracket, number,
                        square bracket</emphasis> (e.g.
                        <command>[0]</command>), and it immediately follows
                        the list name (there is no separator or space
                        between them). List indices start with 0 for the
                        first element.
                    </simpara>
                    <simpara>
                        For addition, if the value is omitted, an entry with
                        default values will be added. For removal, either
                        the index or the full value (in JSON format) needs
                        to be specified.
                    </simpara>
                    <simpara>
                        Lists can also be used with
                        <command>config set</command>,
                        but like maps, only by specifying the
                        entire list value in JSON format.
                    </simpara>
                    <simpara>
                        For example, this command shows the renew-timer used for the second element of the list <varname>subnet4</varname> in the Dhcp4 module:
                        <command>config show Dhcp4/subnet4[1]/renew-timer</command>
                    </simpara>
                </listitem>
            </varlistentry>

            <varlistentry>
                <term>named set</term>
                <listitem>
                    <simpara>
                        Named sets are similar to lists, in that they are
                        sets of elements of the same type, but they are not
                        indexed by numbers, but by strings.
                    </simpara>
                    <simpara>
                        Values can be added with
                        <command>config add <replaceable>&lt;item name&gt; &lt;string&gt; [value]</replaceable></command>
                        where 'string' is the name of the element. If 'value'
                        is ommitted, default values will be used. Elements
                        can be removed with <command>config remove
                        <replaceable>&lt;item
                        name&gt; &lt;string&gt;</replaceable></command>
                    </simpara>
                    <simpara>
                        Elements in a named set can be addressed similarly
                        to maps.
                    </simpara>
                    <simpara>
                        For example, the <command>Init/components</command>
                        elements is a named set;
                        adding, showing, and then removing an element
                        can be done with the following three commands (note
                        the '/'-character versus the space before
                        'example_module'):
                    </simpara>
                    <simpara>
                        <command>config add Init/components example_module</command>
                    </simpara>
                    <simpara>
                        <command>config show Init/components/example_module</command>
                    </simpara>
                    <simpara>
                        <command>config remove Init/components example_module</command>
                    </simpara>
                </listitem>
            </varlistentry>
            <varlistentry>
                <term>any</term>
                <listitem>
                    <simpara>
                        The 'any' type is a special type that can have any
                        form. Apart from that, it must consist of elements as
                        described in this chapter, there is no restriction
                        on which element types are used. This type is used
                        in places where different data formats could be
                        used. Element modification commands depend on the
                        actual type of the value. For instance, if the value
                        of an 'any' element is a list, <command>config add
                        </command> and <command>config remove</command> work
                        as for other lists.
                    </simpara>
                </listitem>
            </varlistentry>
        </variablelist>
      </section>
    </section>

    <section>
        <title>The execute command</title>
        The <command>execute</command> command executes a set of commands,
        either from a file
        or from a pre-defined set. Currently, there are no pre-defined sets
        available.

        <screen>&gt; <userinput>execute file /tmp/example_commands</userinput></screen>

        The optional <command>show</command> argument may be used when
        executing a script from a file; for example:

        <screen>&gt; <userinput>execute file /tmp/example_commands show</userinput></screen>

        <section id="bindctl_execute_directives">
            <title>Execute directives</title>
            Within sets of commands to be run with the <command>execute</command>
            command, a number of directives are supported:
            <variablelist>
              <varlistentry>
                <term>!echo <replaceable>&lt;string&gt;</replaceable></term>
                <listitem>
                  <simpara>
                      Prints the given string to <command>bindctl</command>'s
                      output.
                  </simpara>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>!verbose on</term>
                <listitem>
                  <simpara>
                      Enables verbose mode; all following commands that are to
                      be executed are also printed.
                  </simpara>
                </listitem>
              </varlistentry>
              <varlistentry>
                <term>!verbose off</term>
                <listitem>
                  <simpara>
                      Disables verbose mode; following commands that are to
                      be executed are no longer printed.
                  </simpara>
                </listitem>
              </varlistentry>
            </variablelist>
        </section>

        <section id="bindctl_execute_notes">
            <title>Notes on execute scripts</title>
            Within scripts, you can add or remove modules with the normal
            configuration commands for <command>Init/components</command>.
            However, as module
            configuration and commands do not show up until the module is
            running, it is currently not possible to add a module and set
            its configuration in one script. This will be addressed in the
            future, but for now the only option is to add and configure
            modules in separate commands and execute scripts.
        </section>
    </section>
  </chapter>

  <chapter id="bind10.config">
    <title>bind10 Control and Configuration</title>

    <para>
      This chapter explains how to control and configure the
      <command>b10-init</command> parent.
      The startup of this resident process that runs the BIND 10
      daemons is covered in <xref linkend="bind10"/>.
    </para>

    <section id="bind10.shutdown">
      <title>Stopping bind10</title>
      <para>
        The BIND 10 suite may be shut down by stopping the
        parent <command>b10-init</command> process. This may be done
        by running the <userinput>Init shutdown</userinput> command
        at the <command>bindctl</command> prompt.
      </para>
    </section>

    <section id="kea.components">
      <title>Configuration to start processes</title>

      <para>
	The processes to be used can be configured for
	<command>b10-init</command> to start, with the exception
	of the required <command>b10-sockcreator</command>,
	<command>b10-msgq</command> and <command>b10-cfgmgr</command>
	components.
	The configuration is in the <varname>Init/components</varname>
	section. Each element represents one component, which is
	an abstraction of a process.
      </para>

      <para>
	To add a process to the set, let's say the DHCPv6 server (which
	is not started by default), you would do this:
        <screen>&gt; <userinput>config add Init/components b10-dhcp6</userinput>
&gt; <userinput>config set Init/components/b10-dhcp6/kind needed</userinput>
&gt; <userinput>config set Init/components/b10-dhcp6/priority 10</userinput>
&gt; <userinput>config commit</userinput></screen></para>

      <para>
	Now, what it means. We add an entry called
	<quote>b10-dhcp6</quote>. It is both a name used to
	reference this component in the configuration and the name
	of the process to start. Then we set some parameters on
	how to start it.
      </para>

      <para>
        The <varname>special</varname> (not used in the example above), was introduced
        to be used for the components which require some kind of special care
        during startup. One such component is the b10-cmdctl, which is always started
        by default. No other components use this setting and it should be left unset
        for them.
      </para>

      <para>
	The <varname>kind</varname> specifies how a failure of the
	component should be handled.  If it is set to
	<quote>dispensable</quote> (the default unless you set
	something else), it will get started again if it fails. If
	it is set to <quote>needed</quote> and it fails at startup,
	the whole <command>b10-init</command> shuts down and exits
	with an error exit code. But if it fails some time later, it
	is just started again. If you set it to <quote>core</quote>,
	you indicate that the system is not usable without the
	component and if such component fails, the system shuts
	down no matter when the failure happened.  This is the
	behavior of the core components (the ones you can't turn
	off), but you can declare any other components as core as
	well if you wish (but you can turn these off, they just
	can't fail).
      </para>

      <para>
	The <varname>priority</varname> defines order in which the
	components should start.  The ones with higher numbers are
	started sooner than the ones with lower ones. If you don't
	set it, 0 (zero) is used as the priority.  Usually, leaving
	it at the default is enough.
      </para>

      <para>
        There are other parameters we didn't use in our example.
        One of them is <varname>address</varname>. It is the address
        used by the component on the <command>b10-msgq</command>
        message bus. The special components already know their
        address, but the usual ones don't. The address is by
        convention the thing after <emphasis>b10-</emphasis>, with
        the first letter capitalized (eg. <command>b10-stats</command>
        would have <quote>Stats</quote> as its address).
<!-- TODO: this should be simplified so we don't even have to document it -->
      </para>

<!-- TODO: what does "The special components already know their
address, but the usual ones don't." mean? -->

<!-- TODO: document params when is enabled -->

      <para>
	The last one is <varname>process</varname>. It is the name
	of the process to be started.  It defaults to the name of
	the component if not set, but you can use this to override
	it. (The special components also already know their
        executable name.)
      </para>

      <!-- TODO Add parameters when they work, not implemented yet-->

      <note>
        <para>
          The configuration is quite powerful, but that includes
          a lot of space for mistakes. You could turn off the
          <command>b10-cmdctl</command>, but then you couldn't
          change it back the usual way, as it would require it to
          be running (you would have to find and edit the configuration
          directly).
        </para>
        <para>
          In short, you should think twice before disabling something here.
        </para>
      </note>
      <para>
        The running processes started by <command>b10-init</command>
        may be listed by running <userinput>Init show_processes</userinput>
        using <command>bindctl</command>.
      </para>

    </section>
  </chapter>

  <chapter id="dhcp">
  <title>DHCP</title>
     <para>The Dynamic Host Configuration Protocol for IPv4 (DHCP or
    DHCPv4) and Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
    are protocols that allow one node (server) to provision
    configuration parameters to many hosts and devices (clients). To
    ease deployment in larger networks, additional nodes (relays) may
    be deployed that facilitate communication between servers and
    clients. Even though principles of both DHCPv4 and DHCPv6 are
    somewhat similar, these are two radically different
    protocols. Kea offers two server implementations, one for DHCPv4
    and one for DHCPv6. The DHCPv4 component is colloquially referred to
    as Kea4 and its DHCPv6 counterpart is called Kea6.</para>
    <para> In addition to providing lease management services, both Kea4 and
    Kea6 can provide dynamic DNS (DDNS) updates driven by the lease changes they
    make.   These updates are carried out with the assistance of the
    DHCP-DDNS server, colloquially referred to as D2.    When configured
    to do so,  Kea servers will notify D2 of  lease changes.  D2 will match
    them to the appropriate DNS servers and instruct those severs to add or
    delete the requisite DNS entries.
    </para>
    <para>This chapter covers those parts of Kea that are common to
    both servers.  DHCPv4-specific details are covered in <xref linkend="dhcp4"/>,
    while those details specific to DHCPv6 are described in <xref linkend="dhcp6"/>.
    The DHCP-DDNS server details are covered in <xref linkend="dhcp-ddns-server"/>
    </para>


    <section id="dhcp-config-backend">
      <title>Selecting configuration backend</title>
      <para>Kea 0.9 introduces configuration backends that are switchable during
      compilation phase. There is a new parameter for configure script:
      --with-kea-config. It currently supports two values: BIND10 and
      JSON. This is currently only supported by DHCPv6 component.</para>

      <variablelist>

        <varlistentry>
          <term>BIND10</term>
          <listitem>
            <simpara>BIND10 (which is the default value as of April 2014) means
            that Kea6 is linked with the BIND10 configuration backend that
            connects to the BIND10 framework and in general works exactly the
            same as Kea 0.8 and earlier versions. The benefits of that backend
            are uniform integration with BIND10 framework, easy on-line
            reconfiguration using bindctl, available RESTful API. On the other
            hand, it requires the whole heavy BIND10 framework that requires
            Python3 to be present. That backend is likely to go away with the
            release of Kea 0.9.</simpara>
          </listitem>
        </varlistentry>

        <varlistentry>
          <term>JSON</term>
          <listitem>
            <simpara>JSON is a new configuration backend that causes Kea to read
            JSON configuration file from disk. It does not require any framework
            and thus is considered more lightweight. It will allow dynamic
            on-line reconfiguration, but will lack remote capabilities (i.e. no
            RESTful API). This configuration backend is expected to be the
            default for upcoming Kea 0.9.</simpara>
          </listitem>
        </varlistentry>
      </variablelist>

    </section>

    <section id="dhcp-install-configure">
      <title>DHCP Database Installation and Configuration</title>
      <para>
        Kea stores its leases in a lease database.  The software has been written in
        a way that makes it possible to choose which database product should be used to
        store the lease information.  At present, Kea supports 3 database backends: MySQL,
        PostgreSQL and Memfile. To limit external dependencies, both MySQL and PostgreSQL
        support are disabled by default and only Memfile (which is implemented in pure C++)
        is available. Support for a given database backend must be explicitly included when
        Kea is built.  This section covers the building of Kea with MySQL and/or PostgreSQL
        and the creation of the lease database.
      </para>
      <section>
        <title>Building with MySQL support</title>
        <para>
          Install MySQL according to the instructions for your system.  The client development
          libraries must be installed.
        </para>
        <para>
          Build and install Kea as described in <xref linkend="installation"/>, with
          the following modification: to enable the MySQL database code, at the
          "configure" step (see <xref linkend="configure"/>), specify the location of the
          MySQL configuration program "mysql_config" with the "--with-dhcp-mysql" switch,
          i.e.
          <screen><userinput>./configure [other-options] --with-dhcp-mysql</userinput></screen>
          ...if MySQL was installed in the default location, or:
          <screen><userinput>./configure [other-options] --with-dhcp-mysql=<replaceable>path-to-mysql_config</replaceable></userinput></screen>
          ...if not.
        </para>
      </section>
      <section id="dhcp-mysql-database-create">
        <title>Create MySQL Database and Kea User</title>
        <para>
          The next task is to create both the lease database and the user under which the servers will
          access it. A number of steps are required:
        </para>
        <para>
          1. Log into MySQL as "root":
          <screen>$ <userinput>mysql -u root -p</userinput>
Enter password:<userinput/>
   :<userinput/>
mysql></screen>
        </para>
        <para>
          2. Create the database:
          <screen>mysql> <userinput>CREATE DATABASE <replaceable>database-name</replaceable>;</userinput></screen>
          ... <replaceable>database-name</replaceable> is the name you have chosen for the database.
        </para>
         <para>
          3. Create the database tables:
          <screen>mysql> <userinput>CONNECT <replaceable>database-name</replaceable>;</userinput>
mysql> <userinput>SOURCE <replaceable>path-to-bind10</replaceable>/share/bind10/dhcpdb_create.mysql</userinput></screen>
        </para>
         <para>
          4. Create the user under which BIND 10 will access the database (and give it a password), then grant it access to the database tables:
          <screen>mysql> <userinput>CREATE USER '<replaceable>user-name</replaceable>'@'localhost' IDENTIFIED BY '<replaceable>password</replaceable>';</userinput>
mysql> <userinput>GRANT ALL ON <replaceable>database-name</replaceable>.* TO '<replaceable>user-name</replaceable>'@'localhost';</userinput></screen>
        </para>
        <para>
          5. Exit MySQL:
          <screen>mysql> <userinput>quit</userinput>
Bye<userinput/>
$</screen>
       </para>
     </section>


      <section>
        <title>Building with PostgreSQL support</title>
        <para>
          Install PostgreSQL according to the instructions for your system.  The client development
          libraries must be installed. Client development libraries are often packaged as &quot;libpq&quot;.
        </para>
        <para>
          Build and install Kea as described in <xref linkend="installation"/>, with
          the following modification: to enable the PostgreSQL database code, at the
          "configure" step (see <xref linkend="configure"/>), specify the location of the
          PostgreSQL configuration program "pg_config" with the "--with-dhcp-pgsql" switch,
          i.e.
          <screen><userinput>./configure [other-options] --with-dhcp-pgsql</userinput></screen>
          ...if PostgreSQL was installed in the default location, or:
          <screen><userinput>./configure [other-options] --with-dhcp-pgsql=<replaceable>path-to-pg_config</replaceable></userinput></screen>
          ...if not.
        </para>
      </section>
      <section id="dhcp-pgsql-database-create">
        <title>Create PostgreSQL Database and Kea User</title>
        <para>
          The next task is to create both the lease database and the user under which the servers will
          access it. A number of steps are required:
        </para>
        <para>
          1. Log into PostgreSQL as "root":
          <screen>$ <userinput>sudo -u postgres psql postgres</userinput>
Enter password:<userinput/>
   :<userinput/>
postgres=#</screen>
        </para>
        <para>
          2. Create the database:
<screen>
postgres=#<userinput> CREATE DATABASE <replaceable>database-name</replaceable>;</userinput>
CREATE DATABASE
postgres=#
</screen>
          ... <replaceable>database-name</replaceable> is the name you have chosen for the database.
        </para>
         <para>
          3. Create the user under which Kea will access the database (and give it a password), then grant it access to the database:
<screen>postgres=#<userinput> CREATE USER <replaceable>user-name</replaceable> WITH PASSWORD '<replaceable>password</replaceable>';</userinput>
CREATE ROLE
postgres=#
postgres=#<userinput> GRANT ALL PRIVILEGES ON DATABASE <replaceable>database-name</replaceable> TO <replaceable>user-name</replaceable>;</userinput>
GRANT
postgres=#
</screen>
        </para>
         <para>
          4. Exit PostgreSQL:
          <screen>postgres=# <userinput>\q</userinput>
Bye<userinput/>
$</screen>
       </para>
       <para>
        5. Create the database tables using the new user's credentials.
        After entering the following command, you will be prompted for the new
        user's password. When the command completes you will be returned to
        the shell prompt. You should see output similar to following:
<screen>$ <userinput>psql -d <replaceable>database-name</replaceable> -U <replaceable>user-name</replaceable> -f <replaceable>path-to-bind10</replaceable>/share/bind10/dhcpdb_create.pgsql</userinput>
Password for user <replaceable>user-name</replaceable>:
CREATE TABLE
CREATE INDEX
CREATE INDEX
CREATE TABLE
CREATE INDEX
CREATE TABLE
START TRANSACTION
INSERT 0 1
INSERT 0 1
INSERT 0 1
COMMIT
CREATE TABLE
START TRANSACTION
INSERT 0 1
COMMIT
$
</screen>
  </para>
  <para>
  If instead you encounter an error such as shown below:
  </para>
<screen>
psql: FATAL:  no pg_hba.conf entry for host "[local]", user "<replaceable>user-name</replaceable>", database "<replaceable>database-name</replaceable>", SSL off
</screen>
  <para>
  This indicates that the PostgreSQL configuration needs to be modified.
  Kea uses password authentication when connecting to the database and must
  have the appropriate entries added to PostgreSQL's pg_hba.conf file.  This
  file is normally located in the primary data directory for your PostgreSQL
  server. The precise path may vary but the default location for PostgreSQL 9.3
  on Centos 6.5 is:
  <filename>/var/lib/pgsql/9.3/data/pg_hba.conf</filename>.
  Assuming Kea is running on the same host as PostgreSQL, adding lines similar
  to following should be sufficient to provide password-authenticated access to
  Kea's database:
  </para>
<screen>
local   <replaceable>database-name</replaceable>    <replaceable>user-name</replaceable>                                 password
host    <replaceable>database-name</replaceable>    <replaceable>user-name</replaceable>          127.0.0.1/32           password
host    <replaceable>database-name</replaceable>    <replaceable>user-name</replaceable>          ::1/128                password
</screen>
  <para>
  Please consult your PostgreSQL user manual before making these changes as they
  may expose your other databases that you run on the same system.
  </para>
      </section>
   </section>

  </chapter>

  <chapter id="dhcp4">
    <title>The DHCPv4 Server</title>

    <section id="dhcp4-start-stop">
      <title>Starting and Stopping the DHCPv4 Server</title>

      <para>
        <command>b10-dhcp4</command> is the Kea DHCPv4 server and is configured
        through the <command>bindctl</command> program.
      </para>
      <para>
        After starting <command>bind10</command> and entering bindctl, the first step
        in configuring the server is to add it to the list of running services.
<screen>
&gt; <userinput>config add Init/components b10-dhcp4</userinput>
&gt; <userinput>config set Init/components/b10-dhcp4/kind dispensable</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      <para>
         To remove <command>b10-dhcp4</command> from the set of running services,
         the <command>b10-dhcp4</command> is removed from list of Init components:
<screen>
&gt; <userinput>config remove Init/components b10-dhcp4</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      <para>
        Note that the server was only removed from the list, so BIND10 will not
        restart it, but the server itself is still running. Hence it is usually
        desired to stop it:
<screen>
&gt; <userinput>Dhcp4 shutdown</userinput>
</screen>
      </para>

      <para>
        On start-up, the server will detect available network interfaces
        and will attempt to open UDP sockets on all interfaces that
        are up, running, are not loopback, and have IPv4 address
        assigned.

        The server will then listen to incoming traffic. Currently
        supported client messages are DISCOVER and REQUEST. The server
        will respond to them with OFFER and ACK, respectively.

        Since the DHCPv4 server opens privileged ports, it requires root
        access. Make sure you run this daemon as root.
      </para>

    </section>

    <section id="dhcp4-configuration">
      <title>Configuring the DHCPv4 Server</title>
      <para>
        Once the server is started, it can be configured. To view the
        current configuration, use the following command in <command>bindctl</command>:
        <screen>
&gt; <userinput>config show Dhcp4</userinput></screen>
        When starting the DHCPv4 daemon for the first time, the default configuration
        will be available. It will look similar to this:
<screen>
&gt; <userinput>config show Dhcp4</userinput>
Dhcp4/hooks-libraries	[]	list	(default)
Dhcp4/interfaces/	list
Dhcp4/renew-timer	1800	integer
Dhcp4/rebind-timer	2000	integer	(default)
Dhcp4/valid-lifetime	4000	integer	(default)
Dhcp4/next-server	""	string	(default)
Dhcp4/echo-client-id	true	boolean	(default)
Dhcp4/option-def	[]	list	(default)
Dhcp4/option-data	[]	list	(default)
Dhcp4/lease-database/type	""	string	(default)
Dhcp4/lease-database/name	""	string	(default)
Dhcp4/lease-database/user	""	string	(default)
Dhcp4/lease-database/host	""	string	(default)
Dhcp4/lease-database/password	""	string	(default)
Dhcp4/subnet4/	list
Dhcp4/dhcp-ddns/enable-updates	true	boolean
Dhcp4/dhcp-ddns/server-ip	"127.0.0.1"	string
Dhcp4/dhcp-ddns/server-port	53001	integer
Dhcp4/dhcp-ddns/sender-ip	""	string
Dhcp4/dhcp-ddns/sender-port	0	integer
Dhcp4/dhcp-ddns/max-queue-size	1024	integer
Dhcp4/dhcp-ddns/ncr-protocol	"UDP"	string
Dhcp4/dhcp-ddns/ncr-format	"JSON"	string
Dhcp4/dhcp-ddns/override-no-update	false	boolean
Dhcp4/dhcp-ddns/override-client-update	false	boolean
Dhcp4/dhcp-ddns/replace-client-name	false	boolean
Dhcp4/dhcp-ddns/generated-prefix	"myhost"	string
Dhcp4/dhcp-ddns/qualifying-suffix	"example.com"	string
</screen>
      </para>

      <para>
        To change one of the parameters, simply follow
        the usual <command>bindctl</command> procedure. For example, to make the
        leases longer, change their valid-lifetime parameter:
        <screen>
&gt; <userinput>config set Dhcp4/valid-lifetime 7200</userinput>
&gt; <userinput>config commit</userinput></screen>
        Please note that most Dhcp4 parameters are of global scope
        and apply to all defined subnets, unless they are overridden on a
        per-subnet basis.
      </para>
      <para>
        The renew-timer and rebind-timer are optional. If they are not specified,
        the DHCPv4 options 58 and 59 are not sent in the server's response to the
        client.
      </para>

      <section>
      <title>Default storage for leases</title>
      <para>
        The server is able to store lease data in different repositories. Larger deployments
        may elect to store leases in a database.
        <xref linkend="database-configuration4"/> describes one way to do it.
        By default, the server will use a CSV file rather than a database to store
        lease information. One of the advantages of using a file is that it eliminates
        dependency on third party database software.
      </para>
      <para>
        The configuration of the file backend (Memfile)
        is controlled through the Dhcp4/lease-database parameters. When default
        parameters are used, the Memfile backend will write leases to a disk in the
        [bind10-install-dir]/var/bind10/kea-leases4.csv.
      </para>
      <para>
        It is possible to alter the default location of the lease file. The following
        configuration:
<screen>
&gt; <userinput>config set Dhcp4/lease-database/type "memfile"</userinput>
&gt; <userinput>config set Dhcp4/lease-database/persist true</userinput>
&gt; <userinput>config set Dhcp4/lease-database/name "/tmp/kea-leases4.csv"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
        will change the default location of the lease file to /tmp/kea-leases4.csv.
      </para>
      <para>
        The "persist" parameter controls whether the leases are written to disk.
        It is strongly recommended that this parameter is set to "true" at all times
        during the normal operation of the server
      </para>
      </section>

      <section id="database-configuration4">
      <title>Database Configuration</title>
      <para>
      All leases issued by the server are stored in the lease database.  Currently
      there are 3 database backends available: MySQL, PostgreSQL and memfile.
      <footnote>
      <para>
      The server comes with an in-memory database ("memfile") configured as the default
      database. This is used for internal testing and is not supported.  In addition,
      it does not store lease information on disk: lease information will be lost if the
      server is restarted.
      </para>
      </footnote>, and so the server must be configured to
      access the correct database with the appropriate credentials.
      </para>
        <note>
            <para>
            Database access information must be configured for the DHCPv4 server, even if
            it has already been configured for the DHCPv6 server.  The servers store their
            information independently, so each server can use a separate
            database or both servers can use the same database.
            </para>
        </note>
      <para>
      Database configuration is controlled through the Dhcp4/lease-database parameters.
      The type of the database must be set to "mysql", "postgresql" or "memfile":
<screen>
&gt; <userinput>config set Dhcp4/lease-database/type "mysql"</userinput>
</screen>
      Next, the name of the database is to hold the leases must be set: this is the
      name used when the lease database was created (see <xref linkend="dhcp-mysql-database-create"/>
      or <xref linkend="dhcp-pgsql-database-create"/>).
<screen>
&gt; <userinput>config set Dhcp4/lease-database/name "<replaceable>database-name</replaceable>"</userinput>
</screen>
      If the database is located on a different system to the DHCPv4 server, the
      database host name must also be specified (although note that this configuration
      may have a severe impact on server performance):
<screen>
&gt; <userinput>config set Dhcp4/lease-database/host "<replaceable>remote-host-name</replaceable>"</userinput>
</screen>
      The usual state of affairs will be to have the database on the same machine as the
      DHCPv4 server.  In this case, set the value to the empty string (this is the default):
<screen>
&gt; <userinput>config set Dhcp4/lease-database/host ""</userinput>
</screen>
      </para>
      <para>
      Finally, the credentials of the account under which the server will access the database
      should be set:
<screen>
&gt; <userinput>config set Dhcp4/lease-database/user "<replaceable>user-name</replaceable>"</userinput>
&gt; <userinput>config set Dhcp4/lease-database/password "<replaceable>password</replaceable>"</userinput>
</screen>
      If there is no password to the account, set the password to the empty string "". (This is also the default.)
      </para>
      <note>
      <para>The password is echoed when entered and is stored in clear text in the configuration
      database.  Improved password security will be added in a future version of Kea.</para>
      </note>
      </section>

      <section id="dhcp4-interface-selection">
      <title>Interface selection</title>
      <para>
        When DHCPv4 server starts up, by default it will listen to the DHCP
        traffic and respond to it on all interfaces detected during startup.
        However, in many cases it is desired to configure the server to listen and
        respond on selected interfaces only. The sample commands in this section
        show how to make interface selection using bindctl.
      </para>
      <para>
        The default configuration can be presented with the following command:
        <screen>
&gt; <userinput>config show Dhcp4/interfaces</userinput>
<userinput>Dhcp4/interfaces[0] "*" string</userinput></screen>
        An asterisk sign plays a role of the wildcard and means "listen on all interfaces".
      </para>
      <para>
        In order to override the default configuration, the existing entry can be replaced
        with the actual interface name:
        <screen>
&gt; <userinput>config set Dhcp4/interfaces[0] eth1</userinput>
&gt; <userinput>config commit</userinput></screen>
        Other interface names can be added on one-by-one basis:
        <screen>
&gt; <userinput>config add Dhcp4/interfaces eth2</userinput>
&gt; <userinput>config commit</userinput></screen>
        Configuration will now contain two interfaces which can be presented as follows:
        <screen>
&gt; <userinput>config show Dhcp4/interfaces</userinput>
<userinput>Dhcp4/interfaces[0]	"eth1"	string</userinput>
<userinput>Dhcp4/interfaces[1]	"eth2"	string</userinput></screen>
        When configuration gets committed, the server will start to listen on
        eth1 and eth2 interfaces only.
      </para>
      <para>
        It is possible to use wildcard interface name (asterisk) concurrently with explicit
        interface names:
        <screen>
&gt; <userinput>config add Dhcp4/interfaces *</userinput>
&gt; <userinput>config commit</userinput></screen>
        This will result in the following configuration:
        <screen>
&gt; <userinput>config show Dhcp4/interfaces</userinput>
<userinput>Dhcp4/interfaces[0]	"eth1"	string</userinput>
<userinput>Dhcp4/interfaces[1]	"eth2"	string</userinput>
<userinput>Dhcp4/interfaces[2]	"*"	string</userinput></screen>
        The presence of the wildcard name implies that server will listen on all interfaces.
        In order to fall back to the previous configuration when server listens on eth1 and eth2:
        <screen>
&gt; <userinput>config remove Dhcp4/interfaces[2]</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
      </section>

      <section id="ipv4-subnet-id">
      <title>IPv4 Subnet Identifier</title>
      <para>
        Subnet identifier is a unique number associated with a particular subnet.
        In principle, it is used to associate clients' leases with respective subnets.
        When subnet identifier is not specified for a subnet being configured, it will
        be automatically assigned by the configuration mechanism. The identifiers
        are assigned from 1 and are monotonically increased for each subsequent
        subnet: 1, 2, 3 ....
      </para>
      <para>
       If there are multiple subnets configured with auto-generated identifiers and
       one of them is removed, the subnet identifiers may be renumbered. For example:
       if there are 4 subnets and 3rd is removed the last subnet will be assigned
       identifier that the 3rd subnet had before removal. As a result, the leases
       stored in the lease database for subnet 3 are now associated with the
       subnet 4, which may have unexpected consequences. In the future it is planned
       to implement the mechanism to preserve auto-generated subnet ids upon removal
       of one of the subnets. Currently, the only remedy for this issue is to
       manually specify the unique subnet identifier for each subnet.
      </para>
      <para>
        The following configuration:
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/subnet "192.0.2.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/id 1024</userinput>
&gt; <userinput>config commit</userinput>
        </screen>
        will assign the arbitrary subnet identifier to the newly configured subnet.
        This identifier will not change for this subnet until "id" parameter is
        removed or set to 0. The value of 0 forces auto-generation of subnet
        identifier.
      </para>
      </section>

      <section id="dhcp4-address-config">
      <title>Configuration of IPv4 Address Pools</title>
      <para>
        The essential role of DHCPv4 server is address assignment. The server
        has to be configured with at least one subnet and one pool of dynamic
        addresses to be managed. For example, assume that the server
        is connected to a network segment that uses the 192.0.2.0/24
        prefix. The Administrator of that network has decided that addresses from range
        192.0.2.10 to 192.0.2.20 are going to be managed by the Dhcp4
        server. Such a configuration can be achieved in the following way:
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/subnet "192.0.2.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/pool [ "192.0.2.10 - 192.0.2.20" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        Note that subnet is defined as a simple string, but the pool parameter
        is actually a list of pools: for this reason, the pool definition is
        enclosed in square brackets, even though only one range of addresses
        is specified.</para>
        <para>It is possible to define more than one pool in a
        subnet: continuing the previous example, further assume that
        192.0.2.64/26 should be also be managed by the server. It could be written as
        192.0.2.64 to 192.0.2.127. Alternatively, it can be expressed more simply as
        192.0.2.64/26. Both formats are supported by Dhcp4 and can be mixed in the pool list.
        For example, one could define the following pools:
        <screen>
&gt; <userinput>config set Dhcp4/subnet4[0]/pool [ "192.0.2.10-192.0.2.20", "192.0.2.64/26" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        The number of pools is not limited, but for performance reasons it is recommended to
        use as few as possible. Space and tabulations in pool definitions are ignored, so
        spaces before and after hyphen are optional. They can be used to improve readability.
      </para>
      <para>
         The server may be configured to serve more than one subnet. To add a second subnet,
         use a command similar to the following:
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[1]/subnet "192.0.3.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[1]/pool [ "192.0.3.0/24" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        Arrays are counted from 0. subnet[0] refers to the subnet defined in the
        previous example.  The <command>config add Dhcp4/subnet4</command> command adds
        another (second) subnet. It can be referred to as
        <command>Dhcp4/subnet4[1]</command>. In this example, we allow server to
        dynamically assign all addresses available in the whole subnet.
      </para>
      <para>
        When configuring a DHCPv4 server using prefix/length notation, please pay
        attention to the boundary values. When specifying that the server should use
        a given pool, it will be able to allocate also first (typically network
        address) and the last (typically broadcast address) address from that pool.
        In the aforementioned example of pool 192.0.3.0/24, both 192.0.3.0 and
        192.0.3.255 addresses may be assigned as well. This may be invalid in some
        network configurations. If you want to avoid this, please use the "min-max" notation.
      </para>
      </section>

    <section id="dhcp4-std-options">
      <title>Standard DHCPv4 options</title>
      <para>
        One of the major features of DHCPv4 server is to provide configuration
        options to clients. Although there are several options that require
        special behavior, most options are sent by the server only if the client
        explicitly requested them.  The following example shows how to
        configure DNS servers, which is one of the most frequently used
        options. Options specified in this way are considered global and apply
        to all configured subnets.

        <screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "domain-name-servers"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 6</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "192.0.3.1, 192.0.3.2"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
    <para>
      The first line creates new entry in option-data table. It
      contains information on all global options that the server is
      supposed to configure in all subnets. The second line specifies
      option name. For a complete list of currently supported names,
      see <xref linkend="dhcp4-std-options-list"/> below.
      The third line specifies option code, which must match one of the
      values from that list. Line 4 specifies option space, which must always
      be set to "dhcp4" as these are standard DHCPv4 options. For
      other option spaces, including custom option spaces, see <xref
      linkend="dhcp4-option-spaces"/>. The fifth line specifies the format in
      which the data will be entered: use of CSV (comma
      separated values) is recommended. The sixth line gives the actual value to
      be sent to clients. Data is specified as a normal text, with
      values separated by commas if more than one value is
      allowed.
    </para>

    <para>
      Options can also be configured as hexadecimal values. If csv-format is
      set to false, option data must be specified as a hex string. The
      following commands configure the domain-name-servers option for all
      subnets with the following addresses: 192.0.3.1 and 192.0.3.2.
      Note that csv-format is set to false.
      <screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "domain-name-servers"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 6</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format false</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "C0 00 03 01 C0 00 03 02"</userinput>
&gt; <userinput>config commit</userinput>
        </screen>
      </para>

      <para>
        It is possible to override options on a per-subnet basis.  If
        clients connected to most of your subnets are expected to get the
        same values of a given option, you should use global options: you
        can then override specific values for a small number of subnets.
        On the other hand, if you use different values in each subnet,
        it does not make sense to specify global option values
        (Dhcp4/option-data), rather you should set only subnet-specific values
        (Dhcp4/subnet[X]/option-data[Y]).
      </para>
      <para>
        The following commands override the global
        DNS servers option for a particular subnet, setting a single DNS
        server with address 192.0.2.3.
        <screen>
&gt; <userinput>config add Dhcp4/subnet4[0]/option-data</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/option-data[0]/name "domain-name-servers"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/option-data[0]/code 6</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/option-data[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/option-data[0]/data "192.0.2.3"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <note>
        <para>In a future version of Kea, it will not be necessary to specify
        the option code, space and csv-format fields as they will be set
        automatically.</para>
      </note>

      <para>
        The currently supported standard DHCPv4 options are
        listed in <xref linkend="dhcp4-std-options-list"/>
        and <xref linkend="dhcp4-std-options-list-part2"/>.
        The "Name" and "Code"
        are the values that should be used as a name in the option-data
        structures. "Type" designates the format of the data: the meanings of
        the various types is given in <xref linkend="dhcp-types"/>.
      </para>
      <para>
        Some options are designated as arrays, which means that more than one
        value is allowed in such an option. For example the option time-servers
        allows the specification of more than one IPv4 address, so allowing
        clients to obtain the the addresses of multiple NTP servers.
      </para>
      <!-- @todo: describe record types -->

      <para>
        The <xref linkend="dhcp4-custom-options"/> describes the configuration
        syntax to create custom option definitions (formats). It is generally not
        allowed to create custom definitions for standard options, even if the
        definition being created matches the actual option format defined in the
        RFCs. There is an exception from this rule for standard options for which
        Kea does not provide a definition yet. In order to use such options,
        a server administrator must create a definition as described in
        <xref linkend="dhcp4-custom-options"/> in the 'dhcp4' option space. This
        definition should match the option format described in the relevant
        RFC but configuration mechanism would allow any option format as it has
        no means to validate it at the moment.
      </para>

      <para>
        <table frame="all" id="dhcp4-std-options-list">
          <title>List of standard DHCPv4 options</title>
          <tgroup cols='4'>
          <colspec colname='name'/>
          <colspec colname='code'/>
          <colspec colname='type'/>
          <colspec colname='array'/>
          <thead>
            <row>
              <entry>Name</entry>
              <entry>Code</entry>
              <entry>Type</entry>
              <entry>Array?</entry>
            </row>
          </thead>
          <tbody>
<row><entry>subnet-mask</entry><entry>1</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>time-offset</entry><entry>2</entry><entry>int32</entry><entry>false</entry></row>
<row><entry>routers</entry><entry>3</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>time-servers</entry><entry>4</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>name-servers</entry><entry>5</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>domain-name-servers</entry><entry>6</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>log-servers</entry><entry>7</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>cookie-servers</entry><entry>8</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>lpr-servers</entry><entry>9</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>impress-servers</entry><entry>10</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>resource-location-servers</entry><entry>11</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>host-name</entry><entry>12</entry><entry>string</entry><entry>false</entry></row>
<row><entry>boot-size</entry><entry>13</entry><entry>uint16</entry><entry>false</entry></row>
<row><entry>merit-dump</entry><entry>14</entry><entry>string</entry><entry>false</entry></row>
<row><entry>domain-name</entry><entry>15</entry><entry>fqdn</entry><entry>false</entry></row>
<row><entry>swap-server</entry><entry>16</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>root-path</entry><entry>17</entry><entry>string</entry><entry>false</entry></row>
<row><entry>extensions-path</entry><entry>18</entry><entry>string</entry><entry>false</entry></row>
<row><entry>ip-forwarding</entry><entry>19</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>non-local-source-routing</entry><entry>20</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>policy-filter</entry><entry>21</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>max-dgram-reassembly</entry><entry>22</entry><entry>uint16</entry><entry>false</entry></row>
<row><entry>default-ip-ttl</entry><entry>23</entry><entry>uint8</entry><entry>false</entry></row>
<row><entry>path-mtu-aging-timeout</entry><entry>24</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>path-mtu-plateau-table</entry><entry>25</entry><entry>uint16</entry><entry>true</entry></row>
<row><entry>interface-mtu</entry><entry>26</entry><entry>uint16</entry><entry>false</entry></row>
<row><entry>all-subnets-local</entry><entry>27</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>broadcast-address</entry><entry>28</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>perform-mask-discovery</entry><entry>29</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>mask-supplier</entry><entry>30</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>router-discovery</entry><entry>31</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>router-solicitation-address</entry><entry>32</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>static-routes</entry><entry>33</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>trailer-encapsulation</entry><entry>34</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>arp-cache-timeout</entry><entry>35</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>ieee802-3-encapsulation</entry><entry>36</entry><entry>boolean</entry><entry>false</entry></row>
<row><entry>default-tcp-ttl</entry><entry>37</entry><entry>uint8</entry><entry>false</entry></row>
<row><entry>tcp-keepalive-internal</entry><entry>38</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>tcp-keepalive-garbage</entry><entry>39</entry><entry>boolean</entry><entry>false</entry></row>

          </tbody>
          </tgroup>
        </table>
      </para>

      <para>
        <table frame="all" id="dhcp4-std-options-list-part2">
          <title>List of standard DHCPv4 options (continued)</title>
          <tgroup cols='4'>
          <colspec colname='name'/>
          <colspec colname='code'/>
          <colspec colname='type'/>
          <colspec colname='array'/>
          <thead>
            <row>
              <entry>Name</entry>
              <entry>Code</entry>
              <entry>Type</entry>
              <entry>Array?</entry>
            </row>
          </thead>
          <tbody>

<row><entry>nis-domain</entry><entry>40</entry><entry>string</entry><entry>false</entry></row>
<row><entry>nis-servers</entry><entry>41</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>ntp-servers</entry><entry>42</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>vendor-encapsulated-options</entry><entry>43</entry><entry>empty</entry><entry>false</entry></row>
<row><entry>netbios-name-servers</entry><entry>44</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>netbios-dd-server</entry><entry>45</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>netbios-node-type</entry><entry>46</entry><entry>uint8</entry><entry>false</entry></row>
<row><entry>netbios-scope</entry><entry>47</entry><entry>string</entry><entry>false</entry></row>
<row><entry>font-servers</entry><entry>48</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>x-display-manager</entry><entry>49</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>dhcp-requested-address</entry><entry>50</entry><entry>ipv4-address</entry><entry>false</entry></row>
<!-- Lease time should not be configured by a user.
<row><entry>dhcp-lease-time</entry><entry>51</entry><entry>uint32</entry><entry>false</entry></row>
-->
<row><entry>dhcp-option-overload</entry><entry>52</entry><entry>uint8</entry><entry>false</entry></row>
<!-- Message Type, Server Identifier and Parameter Request List should not be configured by a user.
<row><entry>dhcp-message-type</entry><entry>53</entry><entry>uint8</entry><entry>false</entry></row>
<row><entry>dhcp-server-identifier</entry><entry>54</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>dhcp-parameter-request-list</entry><entry>55</entry><entry>uint8</entry><entry>true</entry></row>
-->
<row><entry>dhcp-message</entry><entry>56</entry><entry>string</entry><entry>false</entry></row>
<row><entry>dhcp-max-message-size</entry><entry>57</entry><entry>uint16</entry><entry>false</entry></row>
<!-- Renewal and rebinding time should not be configured by a user.
<row><entry>dhcp-renewal-time</entry><entry>58</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>dhcp-rebinding-time</entry><entry>59</entry><entry>uint32</entry><entry>false</entry></row>
-->
<row><entry>vendor-class-identifier</entry><entry>60</entry><entry>binary</entry><entry>false</entry></row>
<!-- Client identifier should not be configured by a user.
<row><entry>dhcp-client-identifier</entry><entry>61</entry><entry>binary</entry><entry>false</entry></row>
-->
<row><entry>nwip-domain-name</entry><entry>62</entry><entry>string</entry><entry>false</entry></row>
<row><entry>nwip-suboptions</entry><entry>63</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>tftp-server-name</entry><entry>66</entry><entry>string</entry><entry>false</entry></row>
<row><entry>boot-file-name</entry><entry>67</entry><entry>string</entry><entry>false</entry></row>
<row><entry>user-class</entry><entry>77</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>fqdn</entry><entry>81</entry><entry>record</entry><entry>false</entry></row>
<row><entry>dhcp-agent-options</entry><entry>82</entry><entry>empty</entry><entry>false</entry></row>
<row><entry>authenticate</entry><entry>90</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>client-last-transaction-time</entry><entry>91</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>associated-ip</entry><entry>92</entry><entry>ipv4-address</entry><entry>true</entry></row>
<row><entry>subnet-selection</entry><entry>118</entry><entry>ipv4-address</entry><entry>false</entry></row>
<row><entry>domain-search</entry><entry>119</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>vivco-suboptions</entry><entry>124</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>vivso-suboptions</entry><entry>125</entry><entry>binary</entry><entry>false</entry></row>
          </tbody>
          </tgroup>
        </table>

      </para>
      <para>
        <table frame="all" id="dhcp-types">
          <title>List of standard DHCP option types</title>
          <tgroup cols='2'>
          <colspec colname='name'/>
          <colspec colname='meaning'/>
          <thead>
            <row><entry>Name</entry><entry>Meaning</entry></row>
          </thead>
          <tbody>
            <row><entry>binary</entry><entry>An arbitrary string of bytes, specified as a set of hexadecimal digits.</entry></row>
            <row><entry>boolean</entry><entry>Boolean value with allowed values true or false</entry></row>
            <row><entry>empty</entry><entry>No value, data is carried in suboptions</entry></row>
            <row><entry>fqdn</entry><entry>Fully qualified domain name (e.g. www.example.com)</entry></row>
            <row><entry>ipv4-address</entry><entry>IPv4 address in the usual dotted-decimal notation (e.g. 192.0.2.1)</entry></row>
            <row><entry>ipv6-address</entry><entry>IPv6 address in the usual colon notation (e.g. 2001:db8::1)</entry></row>
            <row><entry>record</entry><entry>Structured data that may comprise any types (except "record" and "empty")</entry></row>
            <row><entry>string</entry><entry>Any text</entry></row>
            <row><entry>uint8</entry><entry>8 bit unsigned integer with allowed values 0 to 255</entry></row>
            <row><entry>uint16</entry><entry>16 bit unsinged integer with allowed values 0 to 65535</entry></row>
            <row><entry>uint32</entry><entry>32 bit unsigned integer with allowed values 0 to 4294967295</entry></row>
          </tbody>
          </tgroup>
       </table>
      </para>
    </section>

    <section id="dhcp4-custom-options">
      <title>Custom DHCPv4 options</title>
      <para>It is also possible to define options other than the standard ones.
      Assume that we want to define a new DHCPv4 option called "foo" which will have
      code 222 and will convey a single unsigned 32 bit integer value. We can define
      such an option by using the following commands:
      <screen>
&gt; <userinput>config add Dhcp4/option-def</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/code 222</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/type "uint32"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/record-types ""</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput></screen>
      The "false" value of the "array" parameter determines that the option
      does NOT comprise an array of "uint32" values but rather a single value.
      Two other parameters have been left blank: "record-types" and "encapsulate".
      The former specifies the comma separated list of option data fields if the
      option comprises a record of data fields. The "record-fields" value should
      be non-empty if the "type" is set to "record". Otherwise it must be left
      blank. The latter parameter specifies the name of the option space being
      encapsulated by the particular option. If the particular option does not
      encapsulate any option space it should be left blank.
      Note that the above set of comments define the format of the new option and do not
      set its values.
      </para>
      <note>
        <para>
          In the current release the default values are not propagated to the
          parser when the new configuration is being set. Therefore, all
          parameters must be specified at all times, even if their values are
          left blank.
        </para>
      </note>

      <para>Once the new option format is defined, its value is set
      in the same way as for a standard option. For example the following
      commands set a global value that applies to all subnets.
        <screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 222</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "12345"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <para>New options can take more complex forms than simple use of
      primitives (uint8, string, ipv4-address etc): it is possible to
      define an option comprising a number of existing primitives.
      </para>
      <para>Assume we want to define a new option that will consist of
      an IPv4 address, followed by unsigned 16 bit integer, followed by
      a boolean value, followed by a text string. Such an option could
      be defined in the following way:
<screen>
&gt; <userinput>config add Dhcp4/option-def</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/name "bar"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/code 223</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/type "record"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/record-types "ipv4-address, uint16, boolean, string"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/encapsulate ""</userinput>
</screen>
      The "type" is set to "record" to indicate that the option contains
      multiple values of different types.  These types are given as a comma-separated
      list in the "record-types" field and should be those listed in <xref linkend="dhcp-types"/>.
      </para>
      <para>
      The values of the option are set as follows:
<screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "bar"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 223</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "192.0.2.100, 123, true, Hello World"</userinput>
&gt; <userinput>config commit</userinput></screen>
      "csv-format" is set "true" to indicate that the "data" field comprises a command-separated
      list of values.  The values in the "data" must correspond to the types set in
      the "record-types" field of the option definition.
     </para>
     <note>
       <para>
         It is recommended that boolean values are specified using "true" and "false"
         strings. This helps to prevent errors when typing multiple comma separated
         values, as it make it easier to identify the type of the value being typed,
         and compare it with the order of data fields. Nevertheless, it is possible
         to use integer values: "1" and "0", instead of "true" and "false"
         accordingly. If other integer value is specified, the configuration is
         rejected.
       </para>
     </note>
    </section>

    <section id="dhcp4-vendor-opts">
      <title>DHCPv4 vendor specific options</title>
      <para>
      Currently there are three option spaces defined: dhcp4 (to
      be used in DHCPv4 daemon) and dhcp6 (for the DHCPv6 daemon); there
      is also vendor-encapsulated-options-space, which is empty by default, but options
      can be defined in it. Those options are called vendor-specific
      information options. The following examples show how to define
      an option "foo" with code 1 that consists of an IPv4 address, an
      unsigned 16 bit integer and a string. The "foo" option is conveyed
      in a vendor specific information option.
      </para>
      <para>
      The first step is to define the format of the option:
<screen>
&gt; <userinput>config add Dhcp4/option-def</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/code 1</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/space "vendor-encapsulated-options-space"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/type "record"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/record-types "ipv4-address, uint16, string"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/encapsulates ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
     (Note that the option space is set to "vendor-encapsulated-options-space".)
     Once the option format is defined, the next step is to define actual values
     for that option:
     <screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "vendor-encapsulated-options-space"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 1</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "192.0.2.3, 123, Hello World"</userinput>
&gt; <userinput>config commit</userinput></screen>
    We also set up a dummy value for vendor-opts, the option that conveys our sub-option "foo".
    This is required else the option will not be included in messages sent to the client.
     <screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/name "vendor-encapsulated-options"</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/code 43</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/csv-format false</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/data ""</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <note>
        <para>
          With this version of Kea, the "vendor-encapsulated-options" option
          must be specified in the configuration although it has no configurable
          parameters. If it is not specified, the server will assume that it is
          not configured and will not send it to a client. In the future there
          will be no need to include this option in the configuration.
        </para>
      </note>

    </section>

    <section id="dhcp4-option-spaces">

      <title>Nested DHCPv4 options (custom option spaces)</title>
      <para>It is sometimes useful to define completely new option
      space. This is the case when user creates new option in the
      standard option space ("dhcp4 or "dhcp6") and wants this option
      to convey sub-options. Thanks to being in the separate space,
      sub-option codes will have a separate numbering scheme and may
      overlap with codes of standard options.
      </para>
      <para>Note that creation of a new option space when defining
      sub-options for a standard option is not required, because it is
      created by default if the standard option is meant to convey any
      sub-options (see <xref linkend="dhcp4-vendor-opts"/>).
      </para>
      <para>
      Assume that we want to have a DHCPv4 option called "container" with
      code 222 that conveys two sub-options with codes 1 and 2.
      First we need to define the new sub-options:
<screen>
&gt; <userinput>config add Dhcp4/option-def</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/name "subopt1"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/code 1</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/space "isc"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/type "ipv4-address"</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/record-types ""</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp4/option-def[0]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput>

&gt; <userinput>config add Dhcp4/option-def</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/name "subopt2"</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/code 2</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/space "isc"</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/type "string"</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/record-types ""</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/array false</userinput>
&gt; <userinput>config set Dhcp4/option-def[1]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
    Note that we have defined the options to belong to a new option space
    (in this case, "isc").
    </para>
    <para>
    The next step is to define a regular DHCPv4 option with our desired
    code and specify that it should include options from the new option space:
<screen>
&gt; <userinput>add Dhcp4/option-def</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/name "container"</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/code 222</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/space "dhcp4"</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/type "empty"</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/array false</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/record-types ""</userinput>
&gt; <userinput>set Dhcp4/option-def[2]/encapsulate "isc"</userinput>
&gt; <userinput>commit</userinput>
</screen>
    The name of the option space in which the sub-options are defined
    is set in the "encapsulate" field. The "type" field is set to "empty"
    to indicate that this option does not carry any data other than
    sub-options.
    </para>
    <para>
    Finally, we can set values for the new options:
<screen>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/name "subopt1"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/space "isc"</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/code 1</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[0]/data "192.0.2.3"</userinput>
&gt; <userinput>config commit</userinput>
<userinput></userinput>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/name "subopt2"</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/space "isc"</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/code 2</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[1]/data "Hello world"</userinput>
&gt; <userinput>config commit</userinput>
<userinput></userinput>
&gt; <userinput>config add Dhcp4/option-data</userinput>
&gt; <userinput>config set Dhcp4/option-data[2]/name "container"</userinput>
&gt; <userinput>config set Dhcp4/option-data[2]/space "dhcp4"</userinput>
&gt; <userinput>config set Dhcp4/option-data[2]/code 222</userinput>
&gt; <userinput>config set Dhcp4/option-data[2]/csv-format true</userinput>
&gt; <userinput>config set Dhcp4/option-data[2]/data ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
    Even though the "container" option does not carry any data except
    sub-options, the "data" field must be explicitly set to an empty value.
    This is required because in the current version of BIND 10 DHCP, the
    default configuration values are not propagated to the configuration parsers:
    if the "data" is not set the parser will assume that this
    parameter is not specified and an error will be reported.
    </para>
    <para>Note that it is possible to create an option which carries some data
    in addition to the sub-options defined in the encapsulated option space.  For example,
    if the "container" option from the previous example was required to carry an uint16
    value as well as the sub-options, the "type" value would have to be set to "uint16" in
    the option definition. (Such an option would then have the following
    data structure: DHCP header, uint16 value, sub-options.) The value specified
    with the "data" parameter - which should be a valid integer enclosed in quotes,
    e.g. "123" - would then be assigned to the uint16 field in the "container" option.
    </para>
    </section>

    <section id="dhcp4-client-classifier">
      <title>Client Classification in DHCPv4</title>
      <note>
      <para>
        DHCPv4 server has been extended to support limited client classification.
        Although the current capability is modest, it is expected to be expanded
        in the future. It is envisaged that the majority of client classification
        extensions will be using hooks extensions.
      </para>
      </note>
      <para>In certain cases it is useful to differentiate between different
      types of clients and treat them differently. The process of doing
      classification is conducted in two steps. The first step is to assess
      incoming packet and assign it to zero or more classes. This classification
      is currently simple, but is expected to grow in capability soon. Currently
      the server checks whether incoming packet has vendor class identifier
      option (60). If it has, content of that option is prepended with
      &quot;VENDOR_CLASS_&quot; then is interpreted as a class. For example,
      modern cable modems will send this option with value &quot;docsis3.0&quot;
      and as a result the packet will belong to class &quot;VENDOR_CLASS_docsis3.0&quot;.
      </para>

      <para>It is envisaged that the client classification will be used for changing
      behavior of almost any part of the DHCP message processing, including assigning
      leases from different pools, assigning different option (or different values of
      the same options) etc. For now, there are only two mechanisms that are taking
      advantage of client classification: specific processing for cable modems and
      subnet selection.</para>

      <para>
        For clients that belong to the VENDOR_CLASS_docsis3.0 class, the siaddr
        field is set to the value of next-server (if specified in a subnet). If
        there is boot-file-name option specified, its value is also set in the
        file field in the DHCPv4 packet. For eRouter1.0 class, the siaddr is
        always set to 0.0.0.0. That capability is expected to be moved to
        external hook library that will be dedicated to cable modems.
      </para>

      <para>
        Kea can be instructed to limit access to given subnets based on class information.
        This is particularly useful for cases where two types of devices share the
        same link and are expected to be served from two different subnets. The
        primary use case for such a scenario is cable networks. There are two
        classes of devices: cable modem itself, which should be handled a lease
        from subnet A and all other devices behind modems that should get a lease
        from subnet B. That segregation is essential to prevent overly curious
        users from playing with their cable modems. For details on how to set up
        class restrictions on subnets, see <xref linkend="dhcp4-subnet-class"/>.
      </para>

    </section>

    <section id="dhcp4-subnet-class">
      <title>Limiting access to IPv4 subnet to certain classes</title>
      <para>
        In certain cases it beneficial to restrict access to certain subnets
        only to clients that belong to a given subnet. For details on client
        classes, see <xref linkend="dhcp4-client-classifier"/>. This is an
        extension of a previous example from <xref linkend="dhcp4-address-config"/>.
        Let's assume that the server is connected to a network segment that uses
        the 192.0.2.0/24 prefix. The Administrator of that network has decided
        that addresses from range 192.0.2.10 to 192.0.2.20 are going to be
        managed by the Dhcp4 server. Only clients belonging to client class
        VENDOR_CLASS_docsis3.0 are allowed to use this subnet. Such a
        configuration can be achieved in the following way:
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/subnet "192.0.2.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/pool [ "192.0.2.10 - 192.0.2.20" ]</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/client-class "VENDOR_CLASS_docsis3.0"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <para>
        Care should be taken with client classification as it is easy to prevent
        clients that do not meet class criteria to be denied any service altogether.
      </para>
    </section>
    <section id="dhcp4-ddns-config">
      <title>Configuring DHCPv4 for DDNS</title>
      <para>
      As mentioned earlier, b10-dhcp4 can be configured to generate requests to the
      DHCP-DDNS server to update DNS entries.  These requests are known as
      NameChangeRequests or NCRs.  Each NCR contains the following information:
      <orderedlist>
      <listitem><para>
      Whether it is a request to add (update) or remove DNS entries
      </para></listitem>
      <listitem><para>
      Whether the change requests forward DNS updates (A records), reverse
      DNS updates (PTR records), or both.
      </para></listitem>
      <listitem><para>
      The FQDN, lease address, and DHCID
      </para></listitem>
      </orderedlist>
      The parameters for controlling the generation of NCRs for submission to D2
      are contained in the "dhcp-ddns" section of the b10-dhcp4 server
      configuration. The default values for this section appears as follows:
<screen>
&gt; <userinput>config show Dhcp4/dhcp-ddns</userinput>
Dhcp4/dhcp-ddns/enable-updates	true	boolean
Dhcp4/dhcp-ddns/server-ip	"127.0.0.1"	string
Dhcp4/dhcp-ddns/server-port	53001	integer
Dhcp4/dhcp-ddns/sender-ip	""	string
Dhcp4/dhcp-ddns/sender-port	0	integer
Dhcp4/dhcp-ddns/max-queue-size	1024	integer
Dhcp4/dhcp-ddns/ncr-protocol	"UDP"	string
Dhcp4/dhcp-ddns/ncr-format	"JSON"	string
Dhcp4/dhcp-ddns/override-no-update	false	boolean
Dhcp4/dhcp-ddns/override-client-update	false	boolean
Dhcp4/dhcp-ddns/replace-client-name	false	boolean
Dhcp4/dhcp-ddns/generated-prefix	"myhost"	string
Dhcp4/dhcp-ddns/qualifying-suffix	"example.com"	string
</screen>
      </para>
      <para>
      The "enable-updates" parameter determines whether or not b10-dhcp4 will
      generate NCRs.  By default, this value is false hence DDNS updates are
      disabled.  To enable DDNS updates set this value to true:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/enable-updates true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <section id="dhcpv4-d2-io-config">
      <title>DHCP-DDNS Server Connectivity</title>
      <para>
      In order for NCRs to reach the D2 server, b10-dhcp4 must be able
      to communicate with it.  b10-dhcp4 uses the following configuration
      parameters to control how it communications with D2:
      <orderedlist>
      <listitem><para>
      server-ip - IP address on which D2 listens for requests. The default is
      the local loopback interface at address 127.0.0.1. You may specify
      either an IPv4 or IPv6 address.
      </para></listitem>
      <listitem><para>
      server-port - port on which D2 listens for requests.  The default value
      is 53001.
      </para></listitem>
      <listitem><para>
      sender-ip - IP address which b10-dhcp4 should use to send requests to D2.
      The default value is blank which instructs b10-dhcp4 to select a suitable
      address.
      </para></listitem>
      <listitem><para>
      sender-port - port which b10-dhcp4 should use to send requests to D2. The
      default value of 0 instructs b10-dhcp4 to select suitable port.
      </para></listitem>
      <listitem><para>
      ncr-format - Socket protocol use when sending requests to D2.  Currently
      only UDP is supported.  TCP may be available in an upcoming release.
      </para></listitem>
      <listitem><para>
      ncr-protocol - Packet format to use when sending requests to D2.
      Currently only JSON format is supported.  Other formats may be available
      in future releases.
      </para></listitem>
      <listitem><para>
      max-queue-size - maximum number of requests allowed to queue waiting to
      be sent to D2. This value guards against requests accumulating
      uncontrollably if they are being generated faster than they can be
      delivered.  If the number of requests queued for transmission reaches
      this value, DDNS updating will be turned off until the queue backlog has
      been sufficiently reduced.  The intent is allow the b10-dhcp4 server to
      continue lease operations.  The default value is 1024.
      </para></listitem>
      </orderedlist>
      By default, D2 is assumed to running on the same machine as b10-dhcp4, and
      all of the default values mentioned above should be sufficient.
      If, however, D2 has been configured to listen on a different address or
      port, these values must altered accordingly. For example, if D2 has been
      configured to listen on 198.162.1.10 port 900, the following commands
      would be required:
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/server-ip "198.162.1.10"</userinput>
&gt; <userinput>config set Dhcp4/dhcp-ddns/server-port 900</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      </section>
      <section id="dhcpv4-d2-rules-config">
      <title>When does the b10-dhcp4 server generate DDNS requests?</title>
      b10-dhcp4 follows the behavior prescribed for DHCP servers in RFC 4702.
      It is important to keep in mind that b10-dhcp4 provides the initial decision
      making of when and what to update and forwards that information to D2 in
      the form of NCRs. Carrying out the actual DNS updates and dealing with
      such things as conflict resolution are the purview of D2 (<xref linkend="dhcp-ddns-server"/>).
      <para>
      This section describes when b10-dhcp4 will generate NCRs and the
      configuration parameters that can be used to influence this decision.
      It assumes that the "enable-updates" parameter is true.
      </para>
      <para>
      In general, b10-dhcp4 will generate DDNS update requests when:
      <orderedlist>
      <listitem><para>
      A new lease is granted in response to a DHCP REQUEST
      </para></listitem>
      <listitem><para>
      An existing lease is renewed but the FQDN associated with it has
      changed.
      </para></listitem>
      <listitem><para>
      An existing lease is released in response to a DHCP RELEASE
      </para></listitem>
      </orderedlist>
      In the second case, lease renewal, two  DDNS requests will be issued: one
      request to remove entries for the previous FQDN and a second request to
      add entries for the new FQDN.  In the last case, a lease release, a
      single DDNS request to remove its entries will be made.  The decision
      making involved when granting a new lease (the first case) is more
      involved and is discussed next.
      </para>
      <para>
      When a new lease is granted, b10-dhcp4 will generate a DDNS
      update request if the DHCP REQUEST contains either the FQDN option
      (code 81) or the Host Name option (code 12). If both are present,
      the server will use the FQDN option. By default b10-dhcp4
      will respect the FQDN N and S flags specified by the client as shown
      in the following table:
      </para>
        <table id="fqdn-flag-table">
          <title>Default FQDN Flag Behavior</title>
          <tgroup cols='4' align='left'>
          <colspec colname='cflags'/>
          <colspec colname='meaning'/>
          <colspec colname='response'/>
          <colspec colname='sflags'/>
          <thead>
              <row>
                <entry>Client Flags:N-S</entry>
                <entry>Client Intent</entry>
                <entry>Server Response</entry>
                <entry>Server Flags:N-S-O</entry>
              </row>
          </thead>
          <tbody>
            <row>
                <entry>0-0</entry>
                <entry>
                Client wants to do forward updates, server should do reverse updates
                </entry>
                <entry>Server generates reverse-only request</entry>
                <entry>1-0-0</entry>
            </row>
            <row>
                <entry>0-1</entry>
                <entry>Server should do both forward and reverse updates</entry>
                <entry>Server generates request to update both directions</entry>
                <entry>0-1-0</entry>
            </row>
            <row>
                <entry>1-0</entry>
                <entry>Client wants no updates done</entry>
                <entry>Server does not generate a request</entry>
                <entry>1-0-0</entry>
            </row>
          </tbody>
          </tgroup>
        </table>
      <para>
      The first row in the table above represents "client delegation". Here
      the DHCP client states that it intends to do the forward DNS updates and
      the server should do the reverse updates.  By default, b10-dhcp4 will honor
      the client's wishes and generate a DDNS request to D2 to update only
      reverse DNS data.  The parameter, "override-client-update", can be used
      to instruct the server to override client delegation requests.  When
      this parameter is true, b10-dhcp4 will disregard requests for client
      delegation and generate a DDNS request to update both forward and
      reverse DNS data.  In this case, the N-S-O flags in the server's
      response to the client will be 0-1-1 respectively.
      </para>
      <para>
      (Note that the flag combination N=1, S=1 is prohibited according to
      RFC 4702. If such a combination is received from the client, the packet
      will be dropped by the b10-dhcp4.)
      </para>
      <para>
      To override client delegation, issue the following commands:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/override-client-update true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The third row in the table above describes the case in which the client
      requests that no DNS updates be done. The parameter, "override-no-update",
      can be used to instruct the server to disregard the client's wishes. When
      this parameter is true, b10-dhcp4 will generate DDNS update request to D2
      even if the client requests no updates be done.  The N-S-O flags in the
      server's response to the client will be 0-1-1.
      </para>
      <para>
      To override client delegation, issue the following commands:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/override-no-update true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      b10-dhcp4 will always generate DDNS update requests if the client request
      only contains the Host Name option. In addition it will include an FQDN
      option in the response to the client with the FQDN N-S-O flags set to
      0-1-0 respectively. The domain name portion of the FQDN option will be
      the name submitted to D2 in the DDNS update request.
      </para>
      </section>
      <section id="dhcpv4-fqdn-name-generation">
      <title>b10-dhcp4 name generation for DDNS update requests</title>
      Each NameChangeRequest must of course include the fully qualified domain
      name whose DNS entries are to be affected.  b10-dhcp4 can be configured to
      supply a portion or all of that name based upon what it receives from
      the client in the DHCP REQUEST.
      <para>
      The rules for determining the FQDN option are as follows:
      <orderedlist>
      <listitem><para>
      If configured to do, so ignore the REQUEST contents and generate a
      FQDN using a configurable prefix and suffix.
      </para></listitem>
      <listitem><para>
      If the REQUEST contains the client FQDN option, the candidate
      name is taken from there, otherwise it is taken from the Host Name option.
      The candiate name may then be modified:
      <orderedlist>
      <listitem><para>
      If the candidate name is a fully qualified domain name, use it.
      </para></listitem>
      <listitem><para>
      If the candidate name is a partial (i.e. unqualified) name then
      add a configurable suffix to the name and use the result as the FQDN.
      </para></listitem>
      <listitem><para>
      If the candidate name is a empty, generate a FQDN using a
      configurable prefix and suffix.
      </para></listitem>
      </orderedlist>
      </para></listitem>
      </orderedlist>
      To instruct b10-dhcp4 to always generate the FQDN for a client, set the
      parameter "replace-client-name" to true as follows:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/replace-client-name true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The prefix used in the generation of a FQDN is specified by the
      "generated-prefix" parameter.  The default value is "myhost".  To alter
      its value simply set it to the desired string:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/generated-prefix "another.host"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The suffix used when generating a FQDN or when qualifying a partial
      name is specified by the "qualifying-suffix" parameter.  The default
      value is "example.com".  To alter its value simply set it to the desired
      string:
      </para>
<screen>
&gt; <userinput>config set Dhcp4/dhcp-ddns/generated-prefix "our.net"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </section>
      <para>
      When generating a name, b10-dhcp4 will construct name of the format:
      </para>
      <para>
        [generated-prefix]-[address-text].[qualifying-suffix].
      </para>
      <para>
      where address-text is simply the lease IP address converted to a
      hyphenated string.  For example, if lease address is 172.16.1.10 and
      assuming default values for generated-prefix and qualifying-suffix, the
      generated FQDN would be:
      </para>
      <para>
        myhost-172-16-1-10.example.com.
      </para>
    </section>

  </section> <!-- end of configuring b10-dhcp4 server section with many subsections -->

    <section id="dhcp4-serverid">
      <title>Server Identifier in DHCPv4</title>
      <para>
        The DHCPv4 protocol uses a "server identifier" for clients to be able
        to discriminate between several servers present on the same link: this
        value is an IPv4 address of the server. The server chooses the IPv4 address
        of the interface on which the message from the client (or relay) has been
        received. A single server instance will use multiple server identifiers
        if it is receiving queries on multiple interfaces.
      </para>
      <para>
        Currently there is no mechanism to override the default server identifiers
        by an administrator. In the future, the configuration mechanism will be used
        to specify the custom server identifier.
      </para>
    </section>


    <section id="dhcp4-next-server">
      <title>Next server (siaddr)</title>
      <para>In some cases, clients want to obtain configuration from the TFTP server.
      Although there is a dedicated option for it, some devices may use siaddr field
      in the DHCPv4 packet for that purpose. That specific field can be configured
      using next-server directive. It is possible to define it in global scope or
      for a given subnet only. If both are defined, subnet value takes precedence.
      The value in subnet can be set to 0.0.0.0, which means that next-server should
      not be sent. It may also be set to empty string, which means the same as if
      it was not defined at all - use global value.
      </para>

<screen>
&gt; <userinput>config add Dhcp4/next-server</userinput>
&gt; <userinput>config set Dhcp4/next-server "192.0.2.123"</userinput>
&gt; <userinput>config commit</userinput>
<userinput></userinput>
&gt; <userinput>config add Dhcp4/subnet[0]/next-server</userinput>
&gt; <userinput>config set Dhcp4/subnet[0]/next-server "192.0.2.234"</userinput>
&gt; <userinput>config commit</userinput>
</screen>

    </section>

    <section id="dhcp4-echo-client-id">
      <title>Echoing client-id (RFC6842)</title>
      <para>Original DHCPv4 spec (RFC2131) states that the DHCPv4
      server must not send back client-id options when responding to
      clients. However, in some cases that confused clients that did
      not have MAC address or client-id. See RFC6842 for details. That
      behavior has changed with the publication of RFC6842 which
      updated RFC2131. That update now states that the server must
      send client-id if client sent it. That is the default behaviour
      that Kea offers. However, in some cases older devices that do
      not support RFC6842 may refuse to accept responses that include
      client-id option. To enable backward compatibility, an optional
      configuration parameter has been introduced. To configure it,
      use the following commands:</para>

<screen>
&gt; <userinput>config add Dhcp4/echo-client-id</userinput>
&gt; <userinput>config set Dhcp4/echo-client-id False</userinput>
&gt; <userinput>config commit</userinput>
</screen>

    </section>

    <section id="dhcp4-subnet-selection">
      <title>How DHCPv4 server selects subnet for a client</title>
      <para>
        The DHCPv4 server differentiates between the directly connected clients,
        clients trying to renew leases and clients sending their messages through
        relays. For the directly connected clients the server will check the
        configuration of the interface on which the message has been received, and
        if the server configuration doesn't match any configured subnet the
        message is discarded.</para>
        <para>Assuming that the server's interface is configured with the 192.0.2.3
        IPv4 address, the server will only process messages received through
        this interface from the directly connected client, if there is a subnet
        configured, to which this IPv4 address belongs, e.g. 192.0.2.0/24.
        The server will use this subnet to assign IPv4 address for the client.
      </para>
      <para>
        The rule above does not apply when the client unicasts its message, i.e.
        is trying to renew its lease. Such message is accepted through any
        interface. The renewing client sets ciaddr to the currently used IPv4
        address. The server uses this address to select the subnet for the client
        (in particular, to extend the lease using this address).
      </para>
      <para>
        If the message is relayed it is accepted through any interface. The giaddr
        set by the relay agent is used to select the subnet for the client.
      </para>
      <para>
	It is also possible to specify a relay IPv4 address for a given subnet. It
	can be used to match incoming packets into a subnet in uncommon configurations,
	e.g. shared subnets. See <xref linkend="dhcp4-relay-override"/> for details.
      </para>
      <note>
        <para>The subnet selection mechanism described in this section is based
        on the assumption that client classification is not used. The classification
        mechanism alters the way in which subnet is selected for the client,
        depending on the classes that the client belongs to.</para>
      </note>
    </section>

    <section id="dhcp4-relay-override">
      <title>Using specific relay agent for a subnet</title>
      <para>
        The relay has to have an interface connected to the link on which
        the clients are being configured. Typically the relay has an IPv4
        address configured on that interface that belongs to the subnet that
        the server will assign addresses from. In such typical case, the
        server is able to use IPv4 address inserted by the relay (in GIADDR
        field of the DHCPv4 packet) to select appropriate subnet.
      </para>
      <para>
        However, that is not always the case. In certain uncommon, but
        valid deployments, the relay address may not match the subnet. This
        usually means that there is more than one subnet allocated for a given
        link. Two most common examples where this is the case are long lasting
        network renumbering (where both old and new address space is still being
        used) and a cable network. In a cable network both cable modems and the
        devices behind them are physically connected to the same link, yet
        they use distinct addressing. In such case, the DHCPv4 server needs
        additional information (IPv4 address of the relay) to properly select
        an appropriate subnet.
      </para>
      <para>
        The following example assumes that there is a subnet 192.0.2.0/24
        that is accessible via relay that uses 10.0.0.1 as its IPv4 address.
        The server will be able to select this subnet for any incoming packets
        that came from a relay that has an address in 192.0.2.0/24 subnet.
        It will also select that subnet for a relay with address 10.0.0.1.
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/subnet "192.0.2.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/pool [ "192.0.2.10 - 192.0.2.20" ]</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/relay/ip-address "10.0.0.1"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

    </section>

      <section id="dhcp4-srv-example-client-class-relay">
        <title>Segregating IPv4 clients in a cable network</title>
        <para>
          In certain cases, it is useful to mix relay address information,
          introduced in <xref linkend="dhcp4-relay-override"/> with client
          classification, explained in <xref linkend="dhcp4-subnet-class"/>.
          One specific example is cable network, where typically modems
          get addresses from a different subnet than all devices connected
          behind them.
        </para>
        <para>
          Let's assume that there is one CMTS (Cable Modem Termination System)
          with one CM MAC (a physical link that modems are connected to).
          We want the modems to get addresses from the 10.1.1.0/24 subnet, while
          everything connected behind modems should get addresses from another
          subnet (192.0.2.0/24). The CMTS that acts as a relay an uses address
          10.1.1.1. The following configuration can serve that configuration:
        <screen>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/subnet "10.1.1.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/pool [ "10.1.1.2 - 10.1.1.20" ]</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/client-class "docsis3.0"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[0]/relay/ip-address "10.1.1.1"</userinput>
&gt; <userinput>config add Dhcp4/subnet4</userinput>
&gt; <userinput>config set Dhcp4/subnet4[1]/subnet "192.0.2.0/24"</userinput>
&gt; <userinput>config set Dhcp4/subnet4[1]/pool [ "192.0.2.10 - 192.0.2.20" ]</userinput>
&gt; <userinput>config set Dhcp4/subnet4[1]/relay/ip-address "10.1.1.1"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
      </section>

    <section id="dhcp4-std">
      <title>Supported Standards</title>
      <para>The following standards and draft standards are currently
      supported:</para>
      <itemizedlist>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc2131">RFC 2131</ulink>: Supported messages are DISCOVER, OFFER,
            REQUEST, RELEASE, ACK, and NAK.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc2132">RFC 2132</ulink>:
            Supported options are: PAD (0),
            END(255), Message Type(53), DHCP Server Identifier (54),
            Domain Name (15), DNS Servers (6), IP Address Lease Time
            (51), Subnet mask (1), and Routers (3).</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc3046">RFC 3046</ulink>:
            Relay Agent Information option is supported.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc3925">RFC 3925</ulink>:
            Vendor-Identifying Vendor Class and Vendor-Identifying Vendor-Specific
            Information option are supported.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc6842">RFC 6842</ulink>:
            Server by default sends back client-id option. That capability may be
            disabled. See <xref linkend="dhcp4-echo-client-id"/> for details.
            </simpara>
          </listitem>
      </itemizedlist>
    </section>

    <section id="dhcp4-limit">
      <title>DHCPv4 Server Limitations</title>
      <para>These are the current limitations of the DHCPv4 server
      software. Most of them are reflections of the current stage of
      development and should be treated as <quote>not implemented
      yet</quote>, rather than actual limitations.</para>
      <itemizedlist>
          <listitem> <!-- see tickets #3234, #3281 -->
            <simpara>
              Removal of a subnet during server reconfiguration may cause renumbering
              of auto-generated subnet identifiers, as described in section
              <xref linkend="ipv4-subnet-id"/>.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              BOOTP (<ulink url="http://tools.ietf.org/html/rfc951">RFC 951</ulink>)
              is not supported.
            </simpara>
          </listitem>
          <listitem>
            <simpara>Raw sockets operation is working on Linux
            only. See <xref linkend="iface-detect"/> for details.</simpara>
          </listitem>
          <listitem>
            <simpara>The DHCPv4 server does not  verify that
            assigned address is unused. According to <ulink url="http://tools.ietf.org/html/rfc2131">RFC 2131</ulink>, the
            allocating server should verify that address is not used by
            sending ICMP echo request.</simpara>
          </listitem>
          <listitem>
            <simpara>Address duplication report (DECLINE) is not supported yet.</simpara>
          </listitem>
          <listitem>
            <simpara>
              The server doesn't act upon expired leases. In particular,
              when a lease expires, the server doesn't request the removal
              of the DNS records associated with it.
            </simpara>
          </listitem>
      </itemizedlist>
    </section>

    <!--
    <section id="dhcp4-srv-examples">
      <title>Kea DHCPv4 server examples</title>

      <para>
        This section provides easy to use example. Each example can be read
        separately. It is not intended to be read sequentially as there will
        be many repetitions between examples. They are expected to serve as
        easy to use copy-paste solutions to many common deployments.
      </para>

      @todo: add simple configuration for direct clients
      @todo: add configuration for relayed clients
      @todo: add client classification example

    </section> -->

  </chapter>

  <chapter id="dhcp6">
    <title>The DHCPv6 Server</title>

    <section id="dhcp6-start-stop">
      <title>Starting and Stopping the DHCPv6 Server</title>

      <para>
        <command>b10-dhcp6</command> is the Kea DHCPv6 server and is configured
        through the <command>bindctl</command> program.
      </para>
      <para>
        After starting <command>bind10</command> and starting <command>bindctl</command>, the first step
        in configuring the server is to add <command>b10-dhcp6</command> to the list of running services.
<screen>
&gt; <userinput>config add Init/components b10-dhcp6</userinput>
&gt; <userinput>config set Init/components/b10-dhcp6/kind dispensable</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      <para>
         To remove <command>b10-dhcp6</command> from the set of running services,
         the <command>b10-dhcp6</command> is removed from list of Init components:
<screen>
&gt; <userinput>config remove Init/components b10-dhcp6</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>

      <para>
        Note that the server was only removed from the list, so BIND10 will not
        restart it, but the server itself is still running. Hence it is usually
        desired to stop it:
<screen>
&gt; <userinput>Dhcp6 shutdown</userinput>
</screen>
      </para>

      <para>
        During start-up the server will detect available network interfaces
        and will attempt to open UDP sockets on all interfaces that
        are up, running, are not loopback, are multicast-capable, and
        have IPv6 address assigned. It will then listen to incoming traffic.
      </para>


    </section>

    <section id="dhcp6-configuration">
      <title>DHCPv6 Server Configuration</title>
      <para>
        Once the server has been started, it can be configured. To view the
        current configuration, use the following command in <command>bindctl</command>:
        <screen>&gt; <userinput>config show Dhcp6</userinput></screen>
        When starting the Dhcp6 daemon for the first time, the default configuration
        will be available. It will look similar to this:
<screen>
&gt; <userinput>config show Dhcp6</userinput>
Dhcp6/hooks-libraries   []  list    (default)
Dhcp6/interfaces/   list    (default)
Dhcp6/renew-timer   1000    integer (default)
Dhcp6/rebind-timer  2000    integer (default)
Dhcp6/preferred-lifetime    3000    integer (default)
Dhcp6/valid-lifetime    4000    integer (default)
Dhcp6/option-def    []  list    (default)
Dhcp6/option-data   []  list    (default)
Dhcp6/lease-database/type   ""  string  (default)
Dhcp6/lease-database/name   ""  string  (default)
Dhcp6/lease-database/user   ""  string  (default)
Dhcp6/lease-database/host   ""  string  (default)
Dhcp6/lease-database/password   ""  string  (default)
Dhcp6/subnet6/  list
Dhcp6/dhcp-ddns/enable-updates  true    boolean
Dhcp6/dhcp-ddns/server-ip   "127.0.0.1" string
Dhcp6/dhcp-ddns/server-port 53001   integer
Dhcp6/dhcp-ddns/sender-ip	""	string
Dhcp6/dhcp-ddns/sender-port	0	integer
Dhcp6/dhcp-ddns/max-queue-size	1024  integer
Dhcp6/dhcp-ddns/ncr-protocol    "UDP"   string
Dhcp6/dhcp-ddns/ncr-format  "JSON"  string
Dhcp6/dhcp-ddns/always-include-fqdn false   boolean
Dhcp6/dhcp-ddns/override-no-update  false   boolean
Dhcp6/dhcp-ddns/override-client-update  false   boolean
Dhcp6/dhcp-ddns/replace-client-name false   boolean
Dhcp6/dhcp-ddns/generated-prefix    "myhost"    string
Dhcp6/dhcp-ddns/qualifying-suffix   "example.com"   string
</screen>
      </para>
      <para>
        To change one of the parameters, simply follow
        the usual <command>bindctl</command> procedure. For example, to make the
        leases longer, change their valid-lifetime parameter:
        <screen>
&gt; <userinput>config set Dhcp6/valid-lifetime 7200</userinput>
&gt; <userinput>config commit</userinput></screen>
        Most Dhcp6 parameters are of global scope
        and apply to all defined subnets, unless they are overridden on a
        per-subnet basis.
      </para>
      <note>
        <para>
          With this version of Kea, there are a number of known limitations
          and problems in the DHCPv6 server. See <xref linkend="dhcp6-limit"/>.
        </para>
      </note>

      <section>
      <title>Default storage for leases</title>
      <para>
        The server is able to store lease data in different repositories. Larger deployments
        may elect to store leases in a database.
        <xref linkend="database-configuration6"/> describes one way to do it.
        By default, the server will use a CSV file rather than a database to store
        lease information. One of the advantages of using a file is that it eliminates
        dependency on third party database software.
      </para>
      <para>
        The configuration of the file backend (Memfile)
        is controlled through the Dhcp6/lease-database parameters. When default
        parameters are left, the Memfile backend will write leases to a disk in the
        [bind10-install-dir]/var/bind10/kea-leases6.csv.
      </para>
      <para>
        It is possible to alter the default location of the lease file. The following
        configuration:
<screen>
&gt; <userinput>config set Dhcp4/lease-database/type "memfile"</userinput>
&gt; <userinput>config set Dhcp4/lease-database/persist true</userinput>
&gt; <userinput>config set Dhcp4/lease-database/leasefile "/tmp/kea-leases6.csv"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
        will change the default location of the lease file to /tmp/kea-leases6.csv.
      </para>
      <para>
        The "persist" parameter controls whether the leases are written to disk.
        It is strongly recommended that this parameter is set to "true" at all times
        during the normal operation of the server.
      </para>
      </section>

      <section id="database-configuration6">
      <title>Database Configuration</title>
      <para>
      All leases issued by the server are stored in the lease database. Currently
      there are 3 database backends available: MySQL, PostgreSQL and memfile.
      <footnote>
      <para>
      The server comes with an in-memory database ("memfile") configured as the default
      database. This is used for internal testing and is not supported.  In addition,
      it does not store lease information on disk: lease information will be lost if the
      server is restarted.
      </para>
      </footnote>, and so the server must be configured to
      access the correct database with the appropriate credentials.
      </para>
      <note>
        <para>
            Database access information must be configured for the DHCPv6 server, even if
            it has already been configured for the DHCPv4 server.  The servers store their
            information independently, so each server can use a separate
            database or both servers can use the same database.
          </para>
        </note>
      <para>
      Database configuration is controlled through the Dhcp6/lease-database parameters.
      The type of the database must be set to "mysql", "postgresql" or "memfile":
<screen>
&gt; <userinput>config set Dhcp6/lease-database/type "mysql"</userinput>
</screen>
      Next, the name of the database is to hold the leases must be set: this is the
      name used when the lease database was created (see <xref linkend="dhcp-mysql-database-create"/>
      or <xref linkend="dhcp-pgsql-database-create"/>).
<screen>
&gt; <userinput>config set Dhcp6/lease-database/name "<replaceable>database-name</replaceable>"</userinput>
</screen>
      If the database is located on a different system to the DHCPv6 server, the
      database host name must also be specified (although note that this configuration
      may have a severe impact on server performance):
<screen>
&gt; <userinput>config set Dhcp6/lease-database/host "<replaceable>remote-host-name</replaceable>"</userinput>
</screen>
      The usual state of affairs will be to have the database on the same machine as the
      DHCPv6 server.  In this case, set the value to the empty string (this is the default):
<screen>
&gt; <userinput>config set Dhcp6/lease-database/host ""</userinput>
</screen>
      </para>
      <para>
      Finally, the credentials of the account under which the server will access the database
      should be set:
<screen>
&gt; <userinput>config set Dhcp6/lease-database/user "<replaceable>user-name</replaceable>"</userinput>
&gt; <userinput>config set Dhcp6/lease-database/password "<replaceable>password</replaceable>"</userinput>
</screen>
      If there is no password to the account, set the password to the empty string "". (This is also the default.)
      </para>
      <note>
      <para>The password is echoed when entered and is stored in clear text in the configuration
      database.  Improved password security will be added in a future version of Kea.</para>
      </note>
      </section>

      <section id="dhcp6-interface-selection">
      <title>Interface selection</title>
      <para>
        When DHCPv6 server starts up, by default it will listen to the DHCP
        traffic and respond to it on all interfaces detected during startup.
        However, in many cases it is desired to configure the server to listen and
        respond on selected interfaces only. The sample commands in this section
        show how to make interface selection using bindctl.
      </para>
      <para>
        The default configuration can be presented with the following command:
        <screen>
&gt; <userinput>config show Dhcp6/interfaces</userinput>
<userinput>Dhcp6/interfaces[0] "*" string</userinput></screen>
        An asterisk sign plays a role of the wildcard and means "listen on all interfaces".
      </para>
      <para>
        In order to override the default configuration, the existing entry can be replaced
        with the actual interface name:
        <screen>
&gt; <userinput>config set Dhcp6/interfaces[0] eth1</userinput>
&gt; <userinput>config commit</userinput></screen>
        Other interface names can be added on one-by-one basis:
        <screen>
&gt; <userinput>config add Dhcp6/interfaces eth2</userinput>
&gt; <userinput>config commit</userinput></screen>
        Configuration will now contain two interfaces which can be presented as follows:
        <screen>
&gt; <userinput>config show Dhcp6/interfaces</userinput>
<userinput>Dhcp6/interfaces[0]	"eth1"	string</userinput>
<userinput>Dhcp6/interfaces[1]	"eth2"	string</userinput></screen>
        When configuration gets committed, the server will start to listen on
        eth1 and eth2 interfaces only.
      </para>
      <para>
        It is possible to use wildcard interface name (asterisk) concurrently with explicit
        interface names:
        <screen>
&gt; <userinput>config add Dhcp6/interfaces *</userinput>
&gt; <userinput>config commit</userinput></screen>
        This will result in the following configuration:
        <screen>
&gt; <userinput>config show Dhcp6/interfaces</userinput>
<userinput>Dhcp6/interfaces[0]	"eth1"	string</userinput>
<userinput>Dhcp6/interfaces[1]	"eth2"	string</userinput>
<userinput>Dhcp6/interfaces[2]	"*"	string</userinput></screen>
        The presence of the wildcard name implies that server will listen on all interfaces.
        In order to fall back to the previous configuration when server listens on eth1 and eth2:
        <screen>
&gt; <userinput>config remove Dhcp6/interfaces[2]</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
    </section>

    <section id="ipv6-subnet-id">
      <title>IPv6 Subnet Identifier</title>
      <para>
        Subnet identifier is a unique number associated with a particular subnet.
        In principle, it is used to associate clients' leases with respective subnets.
        When subnet identifier is not specified for a subnet being configured, it will
        be automatically assigned by the configuration mechanism. The identifiers
        are assigned from 1 and are monotonically increased for each subsequent
        subnet: 1, 2, 3 ....
      </para>
      <para>
       If there are multiple subnets configured with auto-generated identifiers and
       one of them is removed, the subnet identifiers may be renumbered. For example:
       if there are 4 subnets and 3rd is removed the last subnet will be assigned
       identifier that the 3rd subnet had before removal. As a result, the leases
       stored in the lease database for subnet 3 are now associated with the
       subnet 4, which may have unexpected consequences. In the future it is planned
       to implement the mechanism to preserve auto-generated subnet ids upon removal
       of one of the subnets. Currently, the only remedy for this issue is to
       manually specify the unique subnet identifier for each subnet.
      </para>
      <para>
        The following configuration:
        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/id 1024</userinput>
&gt; <userinput>config commit</userinput>
        </screen>
        will assign the arbitrary subnet identifier to the newly configured subnet.
        This identifier will not change for this subnet until "id" parameter is
        removed or set to 0. The value of 0 forces auto-generation of subnet
        identifier.
      </para>
    </section>

    <section id="dhcp6-unicast">
      <title>Unicast traffic support</title>
      <para>
        When DHCPv6 server starts up, by default it listens to the DHCP traffic
        sent to multicast address ff02::1:2 on each interface that it is
        configured to listen on (see <xref linkend="dhcp6-interface-selection"/>).
        In some cases it is useful to configure a server to handle incoming
        traffic sent to the global unicast addresses as well. The most common
        reason for that is to have relays send their traffic to the server
        directly. To configure server to listen on specific unicast address, a
        notation to specify interfaces has been extended. Interface name can be
        optionally followed by a slash, followed by global unicast address that
        server should listen on. That will be done in addition to normal
        link-local binding + listening on ff02::1:2 address. The sample commands
        listed below show how to listen on 2001:db8::1 (a global address)
        configured on the eth1 interface.
      </para>
      <para>
        <screen>
&gt; <userinput>config set Dhcp6/interfaces[0] eth1/2001:db8::1</userinput>
&gt; <userinput>config commit</userinput></screen>
        When configuration gets committed, the server will start to listen on
        eth1 on link-local address, multicast group (ff02::1:2) and 2001:db8::1.
      </para>
      <para>
        It is possible to mix interface names, wildcards and interface name/addresses
        on the Dhcp6/interface list. It is not possible to specify more than one
        unicast address on a given interface.
      </para>
      <para>
        Care should be taken to specify proper unicast addresses. The server will
        attempt to bind to those addresses specified, without any additional checks.
        That approach is selected on purpose, so in the software can be used to
        communicate over uncommon addresses if the administrator desires so.
      </para>
    </section>

    <section id="dhcp6-address-config">
      <title>Subnet and Address Pool</title>
      <para>
        The essential role of a DHCPv6 server is address assignment. For this,
        the server has to be configured with at least one subnet and one pool of dynamic
        addresses to be managed. For example, assume that the server
        is connected to a network segment that uses the 2001:db8:1::/64
        prefix. The Administrator of that network has decided that addresses from range
        2001:db8:1::1 to 2001:db8:1::ffff are going to be managed by the Dhcp6
        server. Such a configuration can be achieved in the following way:
        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "2001:db8:1::0 - 2001:db8:1::ffff" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        Note that subnet is defined as a simple string, but the pool parameter
        is actually a list of pools: for this reason, the pool definition is
        enclosed in square brackets, even though only one range of addresses
        is specified.</para>
        <para>It is possible to define more than one pool in a
        subnet: continuing the previous example, further assume that
        2001:db8:1:0:5::/80 should be also be managed by the server. It could be written as
        2001:db8:1:0:5:: to 2001:db8:1::5:ffff:ffff:ffff, but typing so many 'f's
        is cumbersome. It can be expressed more simply as 2001:db8:1:0:5::/80. Both
        formats are supported by Dhcp6 and can be mixed in the pool list.
        For example, one could define the following pools:
        <screen>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "2001:db8:1::1 - 2001:db8:1::ffff", "2001:db8:1:0:5::/80" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        The number of pools is not limited, but for performance reasons it is recommended to
        use as few as possible.
      </para>
      <para>
         The server may be configured to serve more than one subnet. To add a second subnet,
         use a command similar to the following:
        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/subnet "2001:db8:beef::/48"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/pool [ "2001:db8:beef::/48" ]</userinput>
&gt; <userinput>config commit</userinput></screen>
        Arrays are counted from 0. subnet[0] refers to the subnet defined in the
        previous example.  The <command>config add Dhcp6/subnet6</command> command adds
        another (second) subnet. It can be referred to as
        <command>Dhcp6/subnet6[1]</command>. In this example, we allow server to
        dynamically assign all addresses available in the whole subnet. Although
        very wasteful, it is certainly a valid configuration to dedicate the
        whole /48 subnet for that purpose.
      </para>
      <para>
        When configuring a DHCPv6 server using prefix/length notation, please pay
        attention to the boundary values. When specifying that the server should use
        a given pool, it will be able to allocate also first (typically network
        address) address from that pool. For example for pool 2001:db8::/64 the
        2001:db8:: address may be assigned as well. If you want to avoid this,
        please use the "min-max" notation.
      </para>
    </section>

    <section>
<!-- @todo: add real meat to the prefix delegation config this is just place holder stuff -->
      <title>Subnet and Prefix Delegation Pools</title>
      <para>
        Subnets may also be configured to delegate address prefixes....
        A subnet may have one or more prefix delegation pools.  Each pool has
        a prefixed address, which is specified as a prefix and a prefix length,
        as well as a delegated prefix length.  A sample configuration is shown
        below:
      <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config show Dhcp6/subnet6[0]</userinput>
&gt; <userinput>config add Dhcp6/subnet6[0]/pd-pools</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pd-pools[0]/prefix "2001:db8:1::"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pd-pools[0]/prefix-len 64</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pd-pools[0]/delegated-len 96</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
    </section>

    <section id="dhcp6-std-options">
      <title>Standard DHCPv6 options</title>
      <para>
        One of the major features of DHCPv6 server is to provide configuration
        options to clients. Although there are several options that require
        special behavior, most options are sent by the server only if the client
        explicitly requested them.  The following example shows how to
        configure DNS servers, which is one of the most frequently used
        options. Numbers in the first column are added for easier reference and
        will not appear on screen. Options specified in this way are considered
        global and apply to all configured subnets.

        <screen>
1. &gt; <userinput>config add Dhcp6/option-data</userinput>
2. &gt; <userinput>config set Dhcp6/option-data[0]/name "dns-servers"</userinput>
3. &gt; <userinput>config set Dhcp6/option-data[0]/code 23</userinput>
4. &gt; <userinput>config set Dhcp6/option-data[0]/space "dhcp6"</userinput>
5. &gt; <userinput>config set Dhcp6/option-data[0]/csv-format true</userinput>
6. &gt; <userinput>config set Dhcp6/option-data[0]/data "2001:db8::cafe, 2001:db8::babe"</userinput>
7. &gt; <userinput>config commit</userinput>
</screen>
      </para>
    <para>
      The first line creates new entry in option-data table. It
      contains information on all global options that the server is
      supposed to configure in all subnets. The second line specifies
      option name. For a complete list of currently supported names,
      see <xref linkend="dhcp6-std-options-list"/>.
      The third line specifies option code, which must match one of the
      values from that
      list. Line 4 specifies option space, which must always
      be set to "dhcp6" as these are standard DHCPv6 options. For
      other name spaces, including custom option spaces, see <xref
      linkend="dhcp6-option-spaces"/>. The fifth line specifies the format in
      which the data will be entered: use of CSV (comma
      separated values) is recommended. The sixth line gives the actual value to
      be sent to clients. Data is specified as a normal text, with
      values separated by commas if more than one value is
      allowed.
    </para>

    <para>
      Options can also be configured as hexadecimal values. If csv-format is
      set to false, the option data must be specified as a string of hexadecimal
      numbers. The
      following commands configure the DNS-SERVERS option for all
      subnets with the following addresses: 2001:db8:1::cafe and
      2001:db8:1::babe.
      <screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/name "dns-servers"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/code 23</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/csv-format false</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/data "2001 0DB8 0001 0000 0000 0000</userinput>
        <userinput>0000 CAFE 2001 0DB8 0001 0000 0000 0000 0000 BABE"</userinput>
&gt; <userinput>config commit</userinput>
        </screen>
       (The value for the setting of the "data" element is split across two
        lines in this document for clarity: when entering the command, the
        whole string should be entered on the same line.)
      </para>

    <para>
      It is possible to override options on a per-subnet basis.  If
      clients connected to most of your subnets are expected to get the
      same values of a given option, you should use global options: you
      can then override specific values for a small number of subnets.
      On the other hand, if you use different values in each subnet,
      it does not make sense to specify global option values
      (Dhcp6/option-data), rather you should set only subnet-specific values
      (Dhcp6/subnet[X]/option-data[Y]).
     </para>
     <para>
      The following commands override the global
      DNS servers option for a particular subnet, setting a single DNS
      server with address 2001:db8:1::3.
      <screen>
&gt; <userinput>config add Dhcp6/subnet6[0]/option-data</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/option-data[0]/name "dns-servers"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/option-data[0]/code 23</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/option-data[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/option-data[0]/data "2001:db8:1::3"</userinput>
&gt; <userinput>config commit</userinput></screen>
    </para>

    <note>
      <para>
        In future versions of BIND 10 DHCP, it will not be necessary to specify
        option code, space and csv-format fields, as those fields will be set
        automatically.
      </para>
    </note>


    <para>
      The currently supported standard DHCPv6 options are
      listed in <xref linkend="dhcp6-std-options-list"/>.
      The "Name" and "Code"
      are the values that should be used as a name in the option-data
      structures. "Type" designates the format of the data: the meanings of
      the various types is given in <xref linkend="dhcp-types"/>.
    </para>
    <para>
      Some options are designated as arrays, which means that more than one
      value is allowed in such an option. For example the option dns-servers
      allows the specification of more than one IPv6 address, so allowing
      clients to obtain the the addresses of multiple DNS servers.
    </para>

<!-- @todo: describe record types -->

      <para>
        The <xref linkend="dhcp6-custom-options"/> describes the configuration
        syntax to create custom option definitions (formats). It is generally not
        allowed to create custom definitions for standard options, even if the
        definition being created matches the actual option format defined in the
        RFCs. There is an exception from this rule for standard options for which
        Kea does not provide a definition yet. In order to use such options,
        a server administrator must create a definition as described in
        <xref linkend="dhcp6-custom-options"/> in the 'dhcp6' option space. This
        definition should match the option format described in the relevant
        RFC but configuration mechanism would allow any option format as it has
        no means to validate it at the moment.
      </para>


    <para>
      <table frame="all" id="dhcp6-std-options-list">
        <title>List of standard DHCPv6 options</title>
        <tgroup cols='4'>
        <colspec colname='name'/>
        <colspec colname='code'/>
        <colspec colname='type'/>
        <colspec colname='array'/>
        <thead>
          <row><entry>Name</entry><entry>Code</entry><entry>Type</entry><entry>Array?</entry></row>
        </thead>
        <tbody>
<!-- Our engine uses those options on its own, admin must not configure them on his own
<row><entry>clientid</entry><entry>1</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>serverid</entry><entry>2</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>ia-na</entry><entry>3</entry><entry>record</entry><entry>false</entry></row>
<row><entry>ia-ta</entry><entry>4</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>iaaddr</entry><entry>5</entry><entry>record</entry><entry>false</entry></row>
<row><entry>oro</entry><entry>6</entry><entry>uint16</entry><entry>true</entry></row> -->
<row><entry>preference</entry><entry>7</entry><entry>uint8</entry><entry>false</entry></row>

<!-- Our engine uses those options on its own, admin must not configure them on his own
<row><entry>elapsed-time</entry><entry>8</entry><entry>uint16</entry><entry>false</entry></row>
<row><entry>relay-msg</entry><entry>9</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>auth</entry><entry>11</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>unicast</entry><entry>12</entry><entry>ipv6-address</entry><entry>false</entry></row>
<row><entry>status-code</entry><entry>13</entry><entry>record</entry><entry>false</entry></row>
<row><entry>rapid-commit</entry><entry>14</entry><entry>empty</entry><entry>false</entry></row>
<row><entry>user-class</entry><entry>15</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>vendor-class</entry><entry>16</entry><entry>record</entry><entry>false</entry></row>
<row><entry>vendor-opts</entry><entry>17</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>interface-id</entry><entry>18</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>reconf-msg</entry><entry>19</entry><entry>uint8</entry><entry>false</entry></row>
<row><entry>reconf-accept</entry><entry>20</entry><entry>empty</entry><entry>false</entry></row> -->
<row><entry>sip-server-dns</entry><entry>21</entry><entry>fqdn</entry><entry>true</entry></row>
<row><entry>sip-server-addr</entry><entry>22</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>dns-servers</entry><entry>23</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>domain-search</entry><entry>24</entry><entry>fqdn</entry><entry>true</entry></row>
<!-- <row><entry>ia-pd</entry><entry>25</entry><entry>record</entry><entry>false</entry></row> -->
<!-- <row><entry>iaprefix</entry><entry>26</entry><entry>record</entry><entry>false</entry></row> -->
<row><entry>nis-servers</entry><entry>27</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>nisp-servers</entry><entry>28</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>nis-domain-name</entry><entry>29</entry><entry>fqdn</entry><entry>true</entry></row>
<row><entry>nisp-domain-name</entry><entry>30</entry><entry>fqdn</entry><entry>true</entry></row>
<row><entry>sntp-servers</entry><entry>31</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>information-refresh-time</entry><entry>32</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>bcmcs-server-dns</entry><entry>33</entry><entry>fqdn</entry><entry>true</entry></row>
<row><entry>bcmcs-server-addr</entry><entry>34</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>geoconf-civic</entry><entry>36</entry><entry>record</entry><entry>false</entry></row>
<row><entry>remote-id</entry><entry>37</entry><entry>record</entry><entry>false</entry></row>
<row><entry>subscriber-id</entry><entry>38</entry><entry>binary</entry><entry>false</entry></row>
<row><entry>client-fqdn</entry><entry>39</entry><entry>record</entry><entry>false</entry></row>
<row><entry>pana-agent</entry><entry>40</entry><entry>ipv6-address</entry><entry>true</entry></row>
<row><entry>new-posix-timezone</entry><entry>41</entry><entry>string</entry><entry>false</entry></row>
<row><entry>new-tzdb-timezone</entry><entry>42</entry><entry>string</entry><entry>false</entry></row>
<row><entry>ero</entry><entry>43</entry><entry>uint16</entry><entry>true</entry></row>
<row><entry>lq-query</entry><entry>44</entry><entry>record</entry><entry>false</entry></row>
<row><entry>client-data</entry><entry>45</entry><entry>empty</entry><entry>false</entry></row>
<row><entry>clt-time</entry><entry>46</entry><entry>uint32</entry><entry>false</entry></row>
<row><entry>lq-relay-data</entry><entry>47</entry><entry>record</entry><entry>false</entry></row>
<row><entry>lq-client-link</entry><entry>48</entry><entry>ipv6-address</entry><entry>true</entry></row>
        </tbody>
        </tgroup>
      </table>
    </para>
    </section>

    <section id="dhcp6-custom-options">
      <title>Custom DHCPv6 options</title>
      <para>It is also possible to define options other than the standard ones.
      Assume that we want to define a new DHCPv6 option called "foo" which will have
      code 100 and will convey a single unsigned 32 bit integer value. We can define
      such an option by using the following commands:
      <screen>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/code 100</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/type "uint32"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/record-types ""</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput></screen>
      The "false" value of the "array" parameter determines that the option
      does NOT comprise an array of "uint32" values but rather a single value.
      Two other parameters have been left blank: "record-types" and "encapsulate".
      The former specifies the comma separated list of option data fields if the
      option comprises a record of data fields. The "record-fields" value should
      be non-empty if the "type" is set to "record". Otherwise it must be left
      blank. The latter parameter specifies the name of the option space being
      encapsulated by the particular option. If the particular option does not
      encapsulate any option space it should be left blank.
      Note that the above set of comments define the format of the new option and do not
      set its values.
      </para>
      <para>Once the new option format is defined, its value is set
      in the same way as for a standard option. For example the following
      commands set a global value that applies to all subnets.
        <screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/code 100</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/data "12345"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <para>New options can take more complex forms than simple use of
      primitives (uint8, string, ipv6-address etc): it is possible to
      define an option comprising a number of existing primitives.
      </para>
      <para>
      Assume we want to define a new option that will consist of an IPv6
      address, followed by an unsigned 16 bit integer, followed by a
      boolean value, followed by a text string. Such an option could
      be defined in the following way:
<screen>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/name "bar"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/code 101</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/type "record"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/record-types "ipv6-address, uint16, boolean, string"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/encapsulate ""</userinput>
</screen>
      The "type" is set to "record" to indicate that the option contains
      multiple values of different types.  These types are given as a comma-separated
      list in the "record-types" field and should be those listed in <xref linkend="dhcp-types"/>.
      </para>
      <para>
      The values of the option are set as follows:
<screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/name "bar"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/code 101</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/data "2001:db8:1::10, 123, false, Hello World"</userinput>
&gt; <userinput>config commit</userinput></screen>
      "csv-format" is set "true" to indicate that the "data" field comprises a command-separated
      list of values.  The values in the "data" must correspond to the types set in
      the "record-types" field of the option definition.
      </para>
      <note>
        <para>
          It is recommended that boolean values are specified using "true" and "false"
          strings. This helps to prevent errors when typing multiple comma separated
          values, as it make it easier to identify the type of the value being typed,
          and compare it with the order of data fields. Nevertheless, it is possible
          to use integer values: "1" and "0", instead of "true" and "false"
          accordingly. If other integer value is specified, the configuration is
          rejected.
        </para>
      </note>
    </section>

    <section id="dhcp6-vendor-opts">
      <title>DHCPv6 vendor specific options</title>
      <para>
      Currently there are three option spaces defined: dhcp4 (to be used
      in DHCPv4 daemon) and dhcp6 (for the DHCPv6 daemon); there is also
      vendor-opts-space, which is empty by default, but options can be
      defined in it. Those options are called vendor-specific information
      options. The following examples show how to define an option "foo"
      with code 1 that consists of an IPv6 address, an unsigned 16 bit integer
      and a string. The "foo" option is conveyed in a vendor specific
      information option. This option comprises a single uint32 value
      that is set to "12345". The sub-option "foo" follows the data
      field holding this value.
      <screen>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/code 1</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/space "vendor-opts-space"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/type "record"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/record-types "ipv6-address, uint16, string"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/encapsulates ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
     (Note that the option space is set to "vendor-opts-space".)
     Once the option format is defined, the next step is to define actual values
     for that option:
     <screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/name "foo"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/space "vendor-opts-space"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/code 1</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/data "2001:db8:1::10, 123, Hello World"</userinput>
&gt; <userinput>config commit</userinput></screen>
    We should also define values for the vendor-opts, that will convey our option foo.
     <screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/name "vendor-opts"</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/code 17</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/data "12345"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
    </section>

    <section id="dhcp6-option-spaces">
      <title>Nested DHCPv6 options (custom option spaces)</title>
      <para>It is sometimes useful to define completely new option
      spaces.  This is useful if the user wants his new option to
      convey sub-options that use separate numbering scheme, for
      example sub-options with codes 1 and 2. Those option codes
      conflict with standard DHCPv6 options, so a separate option
      space must be defined.
      </para>
      <para>Note that it is not required to create new option space when
      defining sub-options for a standard option because it is by
      default created if the standard option is meant to convey
      any sub-options (see <xref linkend="dhcp6-vendor-opts"/>).
      </para>
      <para>
      Assume that we want to have a DHCPv6 option called "container"
      with code 102 that conveys two sub-options with codes 1 and 2.
      First we need to define the new sub-options:
<screen>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/name "subopt1"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/code 1</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/space "isc"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/type "ipv6-address"</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/record-types ""</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[0]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput>
&gt; <userinput></userinput>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/name "subopt2"</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/code 2</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/space "isc"</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/type "string"</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/record-types ""</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[1]/encapsulate ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
    Note that we have defined the options to belong to a new option space
    (in this case, "isc").
    </para>
    <para>
The next step is to define a regular DHCPv6 option and specify that it
should include options from the isc option space:
<screen>
&gt; <userinput>config add Dhcp6/option-def</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/name "container"</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/code 102</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/type "empty"</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/array false</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/record-types ""</userinput>
&gt; <userinput>config set Dhcp6/option-def[2]/encapsulate "isc"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
    The name of the option space in which the sub-options are defined
    is set in the "encapsulate" field. The "type" field is set to "empty"
    which imposes that this option does not carry any data other than
    sub-options.
    </para>
    <para>
    Finally, we can set values for the new options:
<screen>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/name "subopt1"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/space "isc"</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/code 1</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[0]/data "2001:db8::abcd"</userinput>
&gt; <userinput>config commit</userinput>
&gt; <userinput></userinput>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/name "subopt2"</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/space "isc"</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/code 2</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[1]/data "Hello world"</userinput>
&gt; <userinput>config commit</userinput>
&gt; <userinput></userinput>
&gt; <userinput>config add Dhcp6/option-data</userinput>
&gt; <userinput>config set Dhcp6/option-data[2]/name "container"</userinput>
&gt; <userinput>config set Dhcp6/option-data[2]/space "dhcp6"</userinput>
&gt; <userinput>config set Dhcp6/option-data[2]/code 102</userinput>
&gt; <userinput>config set Dhcp6/option-data[2]/csv-format true</userinput>
&gt; <userinput>config set Dhcp6/option-data[2]/data ""</userinput>
&gt; <userinput>config commit</userinput>
</screen>
    Even though the "container" option does not carry any data except
    sub-options, the "data" field must be explicitly set to an empty value.
    This is required because in the current version of BIND 10 DHCP, the
    default configuration values are not propagated to the configuration parsers:
    if the "data" is not set the parser will assume that this
    parameter is not specified and an error will be reported.
    </para>
    <para>Note that it is possible to create an option which carries some data
    in addition to the sub-options defined in the encapsulated option space.  For example,
    if the "container" option from the previous example was required to carry an uint16
    value as well as the sub-options, the "type" value would have to be set to "uint16" in
    the option definition. (Such an option would then have the following
    data structure: DHCP header, uint16 value, sub-options.) The value specified
    with the "data" parameter - which should be a valid integer enclosed in quotes,
    e.g. "123" - would then be assigned to the uint16 field in the "container" option.
    </para>
    </section>

      <section id="dhcp6-config-subnets">
        <title>IPv6 Subnet Selection</title>
          <para>
          The DHCPv6 server may receive requests from local (connected to the
          same subnet as the server) and remote (connecting via relays) clients.
          As server may have many subnet configurations defined, it must select
          appropriate subnet for a given request.
          </para>
          <para>
          The server can not assume which of configured subnets are local. It is
          possible in IPv4, where there is reasonable expectation that the
          server will have a (global) IPv4 address configured on the interface,
          and can use that information to detect whether a subnet is local or
          not. That assumption is not true in IPv6, as the DHCPv6 must be able
          to operate with having link-local addresses only. Therefore an optional
          &quot;interface&quot; parameter is available within a subnet definition
          to designate that a given subnet is local, i.e. reachable directly over
          specified interface. For example the server that is intended to serve
          a local subnet over eth0 may be configured as follows:
<screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/subnet "2001:db8:beef::/48"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/pool [ "2001:db8:beef::/48" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/interface "eth0"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
        </para>
      </section>

      <section id="dhcp6-relays">
        <title>DHCPv6 Relays</title>
        <para>
          A DHCPv6 server with multiple subnets defined must select the
          appropriate subnet when it receives a request from client.  For clients
          connected via relays, two mechanisms are used:
        </para>
        <para>
          The first uses the linkaddr field in the RELAY_FORW message. The name
          of this field is somewhat misleading in that it does not contain a link-layer
          address: instead, it holds an address (typically a global address) that is
          used to identify a link. The DHCPv6 server checks if the address belongs
          to a defined subnet and, if it does, that subnet is selected for the client's
          request.
        </para>
        <para>
          The second mechanism is based on interface-id options. While forwarding a client's
          message, relays may insert an interface-id option into the message that
          identifies the interface on the relay that received the message. (Some
          relays allow configuration of that parameter, but it is sometimes
          hardcoded and may range from the very simple (e.g. "vlan100") to the very cryptic:
          one example seen on real hardware was "ISAM144|299|ipv6|nt:vp:1:110"). The
          server can use this information to select the appropriate subnet.
          The information is also returned to the relay which then knows the
          interface to use to transmit the response to the client. In order for
          this to work successfully, the relay interface IDs must be unique within
          the network and the server configuration must match those values.
        </para>
        <para>
          When configuring the DHCPv6 server, it should be noted that two
          similarly-named parameters can be configured for a subnet:
          <itemizedlist>
            <listitem><simpara>
              "interface" defines which local network interface can be used
              to access a given subnet.
            </simpara></listitem>
            <listitem><simpara>
              "interface-id" specifies the content of the interface-id option
              used by relays to identify the interface on the relay to which
              the response packet is sent.
            </simpara></listitem>
          </itemizedlist>
          The two are mutually exclusive: a subnet cannot be both reachable locally
          (direct traffic) and via relays (remote traffic). Specifying both is a
          configuration error and the DHCPv6 server will refuse such a configuration.
        </para>

        <para>
          To specify interface-id with value "vlan123", the following commands can
          be used:
          <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:beef::/48"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "2001:db8:beef::/48" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/interface-id "vland123"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
        </para>
      </section>

    <section id="dhcp6-client-classifier">
      <title>Client Classification in DHCPv6</title>
      <note>
      <para>
        DHCPv6 server has been extended to support limited client classification.
        Although the current capability is modest, it is expected to be expanded
        in the future. It is envisaged that the majority of client classification
        extensions will be using hooks extensions.
      </para>
      </note>
      <para>In certain cases it is useful to differentiate between different types
      of clients and treat them differently. The process of doing classification
      is conducted in two steps. The first step is to assess incoming packet and
      assign it to zero or more classes. This classification is currently simple,
      but is expected to grow in capability soon. Currently the server checks whether
      incoming packet has vendor class option (16). If it has, content
      of that option is prepended with &quot;VENDOR_CLASS_&quot; interpreted as a
      class. For example, modern cable modems will send this option with value
      &quot;docsis3.0&quot; and as a result the packet will belong to class
      &quot;VENDOR_CLASS_docsis3.0&quot;.
      </para>

      <para>It is envisaged that the client classification will be used for changing
      behavior of almost any part of the DHCP engine processing, including assigning
      leases from different pools, assigning different option (or different values of
      the same options) etc. For now, there is only one mechanism that is taking
      advantage of client classification: subnet selection.</para>

      <para>
        Kea can be instructed to limit access to given subnets based on class information.
        This is particularly useful for cases where two types of devices share the
        same link and are expected to be served from two different subnets. The
        primary use case for such a scenario are cable networks. There are two
        classes of devices: cable modem itself, which should be handled a lease
        from subnet A and all other devices behind modems that should get a lease
        from subnet B. That segregation is essential to prevent overly curious
        users from playing with their cable modems. For details on how to set up
        class restrictions on subnets, see <xref linkend="dhcp6-subnet-class"/>.
      </para>

    </section>

    <section id="dhcp6-subnet-class">
      <title>Limiting access to IPv6 subnet to certain classes</title>
      <para>
        In certain cases it beneficial to restrict access to certains subnets
        only to clients that belong to a given subnet. For details on client
        classes, see <xref linkend="dhcp6-client-classifier"/>. This is an
        extension of a previous example from <xref linkend="dhcp6-address-config"/>.

        Let's assume that the server is connected to a network segment that uses
        the 2001:db8:1::/64 prefix. The Administrator of that network has
        decided that addresses from range 2001:db8:1::1 to 2001:db8:1::ffff are
        going to be managed by the Dhcp6 server. Only clients belonging to the
        eRouter1.0 client class are allowed to use that pool. Such a
        configuration can be achieved in the following way:

        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "2001:db8:1::0 - 2001:db8:1::ffff" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/client-class "eRouter1.0"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

      <para>
        Care should be taken with client classification as it is easy to prevent
        clients that do not meet class criteria to be denied any service altogether.
      </para>
    </section>


    <section id="dhcp6-ddns-config">
      <title>Configuring DHCPv6 for DDNS</title>
      <para>
      As mentioned earlier, b10-dhcp6 can be configured to generate requests to
      the DHCP-DDNS server (referred to here as the "D2" server) to update
      DNS entries.  These requests are known as NameChangeRequests or NCRs.
      Each NCR contains the following information:
      <orderedlist>
      <listitem><para>
      Whether it is a request to add (update) or remove DNS entries
      </para></listitem>
      <listitem><para>
      Whether the change requests forward DNS updates (AAAA records), reverse
      DNS updates (PTR records), or both.
      </para></listitem>
      <listitem><para>
      The FQDN, lease address, and DHCID
      </para></listitem>
      </orderedlist>
      The parameters controlling the generation of NCRs for submission to D2
      are contained in the "dhcp-ddns" section of b10-dhcp6
      configuration. The default values for this section appears as follows:
<screen>
&gt; <userinput>config show Dhcp6/dhcp-ddns</userinput>
Dhcp6/dhcp-ddns/enable-updates	true	boolean
Dhcp6/dhcp-ddns/server-ip	"127.0.0.1"	string
Dhcp6/dhcp-ddns/server-port	53001	integer
Dhcp6/dhcp-ddns/sender-ip	""	string
Dhcp6/dhcp-ddns/sender-port	0	integer
Dhcp6/dhcp-ddns/max-queue-size	1024 integer
Dhcp6/dhcp-ddns/ncr-protocol	"UDP"	string
Dhcp6/dhcp-ddns/ncr-format	"JSON"	string
Dhcp6/dhcp-ddns/override-no-update	false	boolean
Dhcp6/dhcp-ddns/override-client-update	false	boolean
Dhcp6/dhcp-ddns/replace-client-name	false	boolean
Dhcp6/dhcp-ddns/generated-prefix	"myhost"	string
Dhcp6/dhcp-ddns/qualifying-suffix	"example.com"	string
</screen>
      </para>
      <para>
      The "enable-updates" parameter determines whether or not b10-dhcp6 will
      generate NCRs.  By default, this value is false hence DDNS updates are
      disabled.  To enable DDNS updates set this value to true as follows:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/enable-updates true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <section id="dhcpv6-d2-io-config">
      <title>DHCP-DDNS Server Connectivity</title>
      <para>
      In order for NCRs to reach the D2 server, b10-dhcp6 must be able
      to communicate with it.  b10-dhcp6 uses the following configuration
      parameters to control how it communications with D2:
      <orderedlist>
      <listitem><para>
      server-ip - IP address on which D2 listens for requests. The default is
      the local loopback interface at address 127.0.0.1. You may specify
      either an IPv4 or IPv6 address.
      </para></listitem>
      <listitem><para>
      server-port - port on which D2 listens for requests.  The default value
      is 53001.
      </para></listitem>
      <listitem><para>
      sender-ip - IP address which b10-dhcp6 should use to send requests to D2.
      The default value is blank which instructs b10-dhcp6 to select a suitable
      address.
      </para></listitem>
      <listitem><para>
      sender-port - port which b10-dhcp6 should use to send requests to D2. The
      default value of 0 instructs b10-dhcp6 to select suitable port.
      </para></listitem>
      <listitem><para>
      ncr-format - Socket protocol use when sending requests to D2.  Currently
      only UDP is supported.  TCP may be available in an upcoming release.
      </para></listitem>
      <listitem><para>
      ncr-protocol - Packet format to use when sending requests to D2.
      Currently only JSON format is supported.  Other formats may be available
      in future releases.
      </para></listitem>
      <listitem><para>
      max-queue-size - maximum number of requests allowed to queue waiting to
      be sent to D2. This value guards against requests accumulating
      uncontrollably if they are being generated faster than they can be
      delivered.  If the number of requests queued for transmission reaches
      this value, DDNS updating will be turned off until the queue backlog has
      been sufficiently reduced.  The intent is allow b10-dhcp6 to
      continue lease operations.  The default value is 1024.
      </para></listitem>
      </orderedlist>
      By default, D2 is assumed to running on the same machine as b10-dhcp6, and
      all of the default values mentioned above should be sufficient.
      If, however, D2 has been configured to listen on a different address or
      port, these values must altered accordingly. For example, if D2 has been
      configured to listen on 3001::5 port 900, the following commands
      would be required:
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/server-ip "3001::5"</userinput>
&gt; <userinput>config set Dhcp6/dhcp-ddns/server-port 900</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      </section>
      <section id="dhcpv6-d2-rules-config">
      <title>When does b10-dhcp6 generate DDNS request</title>
      b10-dhcp6 follows the behavior prescribed for DHCP servers in RFC 4704.
      It is important to keep in mind that b10-dhcp6 provides the initial decision
      making of when and what to update and forwards that information to D2 in
      the form of NCRs. Carrying out the actual DNS updates and dealing with
      such things as conflict resolution are the purview of D2 (<xref linkend="dhcp-ddns-server"/>).
      <para>
      This section describes when b10-dhcp6 will generate NCRs and the
      configuration parameters that can be used to influence this decision.
      It assumes that the "enable-updates" parameter is true.
      </para>
      <note>
        <para>
        Currently the interface between b10-dhcp6 and D2 only supports requests
        which update DNS entries for a single IP address.  If a lease grants
        more than one address, b10-dhcp6 will create the DDNS update request for
        only the first of these addresses.  Support for multiple address
        mappings may be provided in a future release.
        </para>
      </note>
      <para>
      In general, b10-dhcp6 will generate DDNS update requests when:
      <orderedlist>
      <listitem><para>
      A new lease is granted in response to a DHCP REQUEST
      </para></listitem>
      <listitem><para>
      An existing lease is renewed but the FQDN associated with it has
      changed.
      </para></listitem>
      <listitem><para>
      An existing lease is released in response to a DHCP RELEASE
      </para></listitem>
      </orderedlist>
      In the second case, lease renewal, two  DDNS requests will be issued: one
      request to remove entries for the previous FQDN and a second request to
      add entries for the new FQDN.  In the last case, a lease release, a
      single DDNS request to remove its entries will be made.  The decision
      making involved when granting a new lease is more involved and is
      discussed next.
      </para>
      <para>
      b10-dhcp6 will generate a DDNS update request only if the DHCP REQUEST
      contains the FQDN option (code 39). By default b10-dhcp6 will
      respect the FQDN N and S flags specified by the client as shown in the
      following table:
      </para>
        <table id="dhcp6-fqdn-flag-table">
          <title>Default FQDN Flag Behavior</title>
          <tgroup cols='4' align='left'>
          <colspec colname='cflags'/>
          <colspec colname='meaning'/>
          <colspec colname='response'/>
          <colspec colname='sflags'/>
          <thead>
              <row>
                <entry>Client Flags:N-S</entry>
                <entry>Client Intent</entry>
                <entry>Server Response</entry>
                <entry>Server Flags:N-S-O</entry>
              </row>
          </thead>
          <tbody>
            <row>
                <entry>0-0</entry>
                <entry>
                Client wants to do forward updates, server should do reverse updates
                </entry>
                <entry>Server generates reverse-only request</entry>
                <entry>1-0-0</entry>
            </row>
            <row>
                <entry>0-1</entry>
                <entry>Server should do both forward and reverse updates</entry>
                <entry>Server generates request to update both directions</entry>
                <entry>0-1-0</entry>
            </row>
            <row>
                <entry>1-0</entry>
                <entry>Client wants no updates done</entry>
                <entry>Server does not generate a request</entry>
                <entry>1-0-0</entry>
            </row>
          </tbody>
          </tgroup>
        </table>
      <para>
      The first row in the table above represents "client delegation". Here
      the DHCP client states that it intends to do the forward DNS updates and
      the server should do the reverse updates.  By default, b10-dhcp6 will honor
      the client's wishes and generate a DDNS request to D2 to update only
      reverse DNS data.  The parameter, "override-client-update", can be used
      to instruct the server to override client delegation requests.  When
      this parameter is true, b10-dhcp6 will disregard requests for client
      delegation and generate a DDNS request to update both forward and
      reverse DNS data.  In this case, the N-S-O flags in the server's
      response to the client will be 0-1-1 respectively.
      </para>
      <para>
      (Note that the flag combination N=1, S=1 is prohibited according to
      RFC 4702. If such a combination is received from the client, the packet
      will be dropped by b10-dhcp6.)
      </para>
      <para>
      To override client delegation, issue the following commands:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/override-client-update true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The third row in the table above describes the case in which the client
      requests that no DNS updates be done. The parameter, "override-no-update",
      can be used to instruct the server to disregard the client's wishes. When
      this parameter is true, b10-dhcp6 will generate DDNS update request to D2
      even if the client requests no updates be done.  The N-S-O flags in the
      server's response to the client will be 0-1-1.
      </para>
      <para>
      To override client delegation, issue the following commands:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/override-no-update true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </section>
      <section id="dhcpv6-fqdn-name-generation">
      <title>b10-dhcp6 name generation for DDNS update requests</title>
      Each NameChangeRequest must of course include the fully qualified domain
      name whose DNS entries are to be affected.  b10-dhcp6 can be configured to
      supply a portion or all of that name based upon what it receives from
      the client in the DHCP REQUEST.
      <para>
      The rules for determining the FQDN option are as follows:
      <orderedlist>
      <listitem><para>
      If configured to do so ignore the REQUEST contents and generate a
      FQDN using a configurable prefix and suffix.
      </para></listitem>
      <listitem><para>
      Otherwise, using is the domain name value from the client FQDN option as
      the candidate name:
      <orderedlist>
      <listitem><para>
      If the candidate name is a fully qualified domain name then use it.
      </para></listitem>
      <listitem><para>
      If the candidate name is a partial (i.e. unqualified) name then
      add a configurable suffix to the name and use the result as the FQDN.
      </para></listitem>
      <listitem><para>
      If the candidate name is a empty then generate a FQDN using a
      configurable prefix and suffix.
      </para></listitem>
      </orderedlist>
      </para></listitem>
      </orderedlist>
      To instruct b10-dhcp6 to always generate a FQDN, set the parameter
      "replace-client-name" to true:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/replace-client-name true</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The prefix used when generating a FQDN is specified by the
      "generated-prefix" parameter.  The default value is "myhost".  To alter
      its value, simply set it to the desired string:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/generated-prefix "another.host"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      <para>
      The suffix used when generating a FQDN or when qualifying a partial
      name is specified by the "qualifying-suffix" parameter.  The default
      value is "example.com".  To alter its value simply set it to the desired
      string:
      </para>
<screen>
&gt; <userinput>config set Dhcp6/dhcp-ddns/generated-prefix "our.net"</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </section>
      <para>
      When qualifying a partial name, b10-dhcp6 will construct a name with the
      format:
      </para>
      <para>
        [candidate-name].[qualifying-suffix].
      </para>
      <para>
      where candidate-name is the partial name supplied in the REQUEST.
      For example, if FQDN domain name value was "some-computer" and assuming
      the default value for qualifying-suffix, the generated FQDN would be:
      </para>
      <para>
        some-computer.example.com.
      </para>
      <para>
      When generating a the entire name, b10-dhcp6 will construct name of the
      format:
      </para>
      <para>
        [generated-prefix]-[address-text].[qualifying-suffix].
      </para>
      <para>
      where address-text is simply the lease IP address converted to a
      hyphenated string.  For example, if lease address is 3001:1::70E and
      assuming default values for generated-prefix and qualifying-suffix, the
      generated FQDN would be:
      </para>
      <para>
        myhost-3001-1--70E.example.com.
      </para>
    </section>

   </section>

    <section id="dhcp6-serverid">
      <title>Server Identifier in DHCPv6</title>
      <para>The DHCPv6 protocol uses a "server identifier" (also known
      as a DUID) for clients to be able to discriminate between several
      servers present on the same link.  There are several types of
      DUIDs defined, but <ulink url="http://tools.ietf.org/html/rfc3315">RFC 3315</ulink> instructs servers to use DUID-LLT if
      possible. This format consists of a link-layer (MAC) address and a
      timestamp. When started for the first time, the DHCPv6 server will
      automatically generate such a DUID and store the chosen value to
      a file.  That file is read by the server
      and the contained value used whenever the server is subsequently started.
      </para>
      <para>
        It is unlikely that this parameter should ever need to be changed.
        However, if such a need arises, stop the server, edit the file and restart
        the server. (The file is named b10-dhcp6-serverid and by default is
        stored in the "var" subdirectory of the directory in which BIND 10 is installed.
        This can be changed when BIND 10 is built by using "--localstatedir"
        on the "configure" command line.)  The file is a text file that contains
        double digit hexadecimal values
        separated by colons. This format is similar to typical MAC address
        format. Spaces are ignored. No extra characters are allowed in this
        file.
      </para>

    </section>

    <section id="dhcp6-relay-override">
      <title>Using specific relay agent for a subnet</title>
      <para>
        The relay has to have an interface connected to the link on which
        the clients are being configured. Typically the relay has a global IPv6
        address configured on that interface that belongs to the subnet that
        the server will assign addresses from. In such typical case, the
        server is able to use IPv6 address inserted by the relay (in link-addr
        field in RELAY-FORW message) to select appropriate subnet.
      </para>
      <para>
        However, that is not always the case. The relay
        address may not match the subnet in certain deployments. This
        usually means that there is more than one subnet allocated for a given
        link. Two most common examples where this is the case are long lasting
        network renumbering (where both old and new address space is still being
        used) and a cable network. In a cable network both cable modems and the
        devices behind them are physically connected to the same link, yet
        they use distinct addressing. In such case, the DHCPv6 server needs
        additional information (like the value of interface-id option or IPv6
        address inserted in the link-addr field in RELAY-FORW message) to
        properly select an appropriate subnet.
      </para>
      <para>
        The following example assumes that there is a subnet 2001:db8:1::/64
        that is accessible via relay that uses 3000::1 as its IPv6 address.
        The server will be able to select this subnet for any incoming packets
        that came from a relay that has an address in 2001:db8:1::/64 subnet.
        It will also select that subnet for a relay with address 3000::1.
        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "2001:db8:1::2 - 2001:db8:1::ffff" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/relay/ip-address "3000::1"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>

    </section>

      <section id="dhcp6-client-class-relay">
        <title>Segregating IPv6 clients in a cable network</title>
        <para>
          In certain cases, it is useful to mix relay address information,
          introduced in <xref linkend="dhcp6-relay-override"/> with client
          classification, explained in <xref linkend="dhcp6-subnet-class"/>.
          One specific example is cable network, where typically modems
          get addresses from a different subnet than all devices connected
          behind them.
        </para>
        <para>
          Let's assume that there is one CMTS (Cable Modem Termination System)
          with one CM MAC (a physical link that modems are connected to).
          We want the modems to get addresses from the 3000::/64 subnet,
          while everything connected behind modems should get addresses from
          another subnet (2001:db8:1::/64). The CMTS that acts as a relay
          an uses address 3000::1. The following configuration can serve
          that configuration:
        <screen>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/subnet "3000::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/pool [ "3000::2 - 3000::ffff" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/client-class "docsis3.0"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[0]/relay/ip-address "3000::1"</userinput>
&gt; <userinput>config add Dhcp6/subnet6</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/subnet "2001:db8:1::/64"</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/pool [ "2001:db8:1::1 - 2001:db8:1::ffff" ]</userinput>
&gt; <userinput>config set Dhcp6/subnet6[1]/relay/ip-address "3000::1"</userinput>
&gt; <userinput>config commit</userinput></screen>
      </para>
      </section>


    <section id="dhcp6-std">
      <title>Supported Standards</title>
      <para>The following standards and draft standards are currently
      supported:</para>
      <itemizedlist>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc3315">RFC 3315</ulink>: Supported messages are SOLICIT,
            ADVERTISE, REQUEST, RELEASE, RENEW, REBIND and REPLY.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc3633">RFC 3633</ulink>: Supported options are IA_PD and
            IA_PREFIX. Also supported is the status code NoPrefixAvail.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc3646">RFC 3646</ulink>: Supported option is DNS_SERVERS.</simpara>
          </listitem>
          <listitem>
            <simpara><ulink url="http://tools.ietf.org/html/rfc4704">RFC 4704</ulink>: Supported option is CLIENT_FQDN.</simpara>
          </listitem>
      </itemizedlist>
    </section>

    <section id="dhcp6-limit">
      <title>DHCPv6 Server Limitations</title>
      <para> These are the current limitations and known problems
      with the DHCPv6 server
      software. Most of them are reflections of the early stage of
      development and should be treated as <quote>not implemented
      yet</quote>, rather than actual limitations.</para>
      <itemizedlist>
          <listitem> <!-- see tickets #3234, #3281 -->
            <para>
              On-line configuration has some limitations. Adding new subnets or
              modifying existing ones work, as is removing the last subnet from
              the list. However, removing non-last (e.g. removing subnet 1,2 or 3 if
              there are 4 subnets configured) will cause issues. The problem is
              caused by simplistic subnet-id assignment. The subnets are always
              numbered, starting from 1. That subnet-id is then used in leases
              that are stored in the lease database. Removing non-last subnet will
              cause the configuration information to mismatch data in the lease
              database. It is possible to manually update subnet-id fields in
              MySQL or PostgreSQL database, but it is awkward and error prone
              process. A better reconfiguration support is planned.
            </para>
          </listitem>

        <listitem>
          <para>
            On startup, the DHCPv6 server does not get the full configuration from
            BIND 10.  To remedy this, after starting BIND 10, modify any parameter
            and commit the changes, e.g.
            <screen>
&gt; <userinput>config show Dhcp6/renew-timer</userinput>
Dhcp6/renew-timer	1000	integer	(default)
&gt; <userinput>config set Dhcp6/renew-timer 1001</userinput>
&gt; <userinput>config commit</userinput></screen>
          </para>
        </listitem>
        <listitem>
          <simpara>Temporary addresses are not supported.</simpara>
        </listitem>
        <listitem>
          <simpara>
            The server will allocate, renew or rebind a maximum of one lease
            for a particular IA option (IA_NA or IA_PD) sent by a client.
            <ulink url="http://tools.ietf.org/html/rfc3315">RFC 3315</ulink> and
            <ulink url="http://tools.ietf.org/html/rfc3633">RFC 3633</ulink> allow
            for multiple addresses or prefixes to be allocated for a single IA.
          </simpara>
        </listitem>
        <listitem>
          <simpara>Temporary addresses are not supported.</simpara>
        </listitem>
        <listitem>
          <simpara>
            Confirmation (CONFIRM), duplication report (DECLINE),
            stateless configuration (INFORMATION-REQUEST) and client
            reconfiguration (RECONFIGURE) are not yet supported.
          </simpara>
        </listitem>
          <listitem>
            <simpara>
              The server doesn't act upon expired leases. In particular,
              when a lease expires, the server doesn't request removal of
              the DNS records associated with it.
            </simpara>
          </listitem>
      </itemizedlist>
    </section>

    <!--
    <section id="dhcp6-srv-examples">
      <title>Kea DHCPv6 server examples</title>

      <para>
        This section provides easy to use example. Each example can be read
        separately. It is not intended to be read sequentially as there will
        be many repetitions between examples. They are expected to serve as
        easy to use copy-paste solutions to many common deployments.
      </para>

      @todo: add simple configuration for direct clients
      @todo: add configuration for relayed clients
      @todo: add client classification example

    </section> -->

  </chapter>

  <chapter id="dhcp-ddns-server">
    <title>The DHCP-DDNS Server</title>
    <para>
    The DHCP-DDNS Server (b10-dhcp-ddns, known informally as D2) conducts the client side of
    the DDNS protocol (defined in RFC 2136) on behalf of the DHCPv4 and DHCPv6
    servers (b10-dhcp4 and b10-dhcp6 respectively). The DHCP servers construct
    DDNS update requests, known as NameChangeRequests (NCRs), based upon DHCP
    lease change events and then post these to D2. D2 attempts to match
    each such request to the appropriate DNS server(s) and carry out the
    necessary conversation with those servers to update the DNS data.
    </para>
    <para>
    In order to match a request to appropriate DNS servers, D2 must have a
    catalog of servers from which to select. In fact, D2 has two such catalogs,
    one for forward DNS and one for reverse DNS; these catalogs are referred
    to as DDNS Domain Lists.  Each list consists of one or more named DDNS
    Domains. Further, each DDNS Domain has a list of of one or more DNS
    servers that publish the DNS data for that domain.
    </para>
    <para>
    When conducting forward domain matching, D2 will compare the FQDN in
    the request against the name of each forward DDNS Domain. The domain
    whose name matches the longest portion of the FQDN is considered the
    best match.  For example, if the FQDN is "myhost.sample.example.com.",
    and there are two forward domains in the catalog: "sample.example.com."
    and "example.com.", the former is regarded as the best match.  In some
    cases, it may not be possible to find a suitable match. Given the same two
    forward domains there would be no match for the FQDN, "bogus.net", so the
    request would be rejected.   Finally, if there are no forward DDNS Domains
    defined, D2 will simply disregard the forward update portion of requests.
    </para>
    <para>
    When conducting reverse domain matching, D2 constructs a reverse
    FQDN from the lease address in the request and compare that against
    the name of each reverse DDNS Domain. Again, the domain whose name matches
    the longest portion of the FQDN is considered the best match. For instance,
    if the lease address is "172.16.1.40" and there are two reverse domains in
    the catalog: "1.16.172.in-addr.arpa." and "16.172.in-addr.arpa", the
    former is the best match.  As with forward matching, it is possible to not
    find a suitable match.  Given the same two domains, there would be no
    match for the lease address, "192.168.1.50", and the request would be
    rejected. Finally, if there are no reverse DDNS Domains defined, D2 will
    simply disregard the reverse update portion of requests.
    </para>
    <section id="dhcp-ddns-server-start-stop">
      <title>Starting and Stopping the DHCP-DDNS Server</title>
      <para>
      <command>b10-dhcp-ddns</command> is the BIND 10 DHCP-DDNS server and,
      like other parts of BIND 10, is configured through the
      <command>bindctl</command> program.
      </para>
      <para>
      After starting BIND 10 and entering bindctl, the first step in
      configuring the server is to add it to the list of running BIND 10
      services.
<screen>
&gt; <userinput>config add Init/components b10-dhcp-ddns</userinput>
&gt; <userinput>config set Init/components/b10-dhcp-ddns/kind dispensable</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      <para>
      To remove <command>b10-dhcp-ddns</command> from the set of running services,
      the <command>b10-dhcp-ddns</command> is removed from list of Init components:
<screen>
&gt; <userinput>config remove Init/components b10-dhcp-ddns</userinput>
&gt; <userinput>config commit</userinput>
</screen>
      </para>
      <para>
      Note that the server was only removed from the list, so it will not be
      automatically restarted, but the server itself is still running. Hence it
      is usually desired to stop it:
      </para>
<screen>
&gt; <userinput>DhcpDdns shutdown</userinput>
</screen>
      <para>
      Upon start up the module will load its configuration and begin listening
      for NCRs based on that configuration.
      </para>
    </section> <!-- end start-stop -->
    <section id="d2-configuration">
      <title>Configuring the DHCP-DDNS Server</title>
      <para>
        Once the server is started, it can be configured. To view the
        current configuration, use the following command in <command>bindctl</command>:
        <screen>
&gt; <userinput>config show DhcpDdns</userinput></screen>
        When starting b10-dhcp-ddns module for the first time, the default
        configuration will be available. It will look similar to this:
<screen>
&gt; <userinput>config show DhcpDdns</userinput>
DhcpDdns/ip_address "127.0.0.1" string  (default)
DhcpDdns/port   53001   integer (default)
DhcpDdns/dns_server_timeout   100   integer (default)
DhcpDdns/ncr_protocol	"UDP"	string (default)
DhcpDdns/ncr_format	"JSON"	string (default)
DhcpDdns/tsig_keys  []  list    (default)
DhcpDdns/forward_ddns/ddns_domains  []  list    (default)
DhcpDdns/reverse_ddns/ddns_domains  []  list    (default)
</screen>
      <para>
      (While displayed, the parameter "interface" is not implemented, and
      will be removed in the near future.)
      </para>
      </para>
      <para>
      The configuration can be divided as follows, each of which is described
      in its own section:
      </para>
        <itemizedlist>
          <listitem>
            <simpara>
              <command>Global Server Parameters</command> &mdash;
              values which control connectivity and global server behavior
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>TSIG Key Info</command> &mdash;
              defines the TSIG keys used for secure traffic with DNS servers
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>Forward DDNS</command> &mdash;
              defines the catalog of Forward DDNS Domains
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>Reverse DDNS</command> &mdash;
              defines the catalog of Forward DDNS Domains
            </simpara>
          </listitem>
        </itemizedlist>
      <section id="d2-server-parameter-config">
        <title>Global Server Parameters</title>
      <orderedlist>
      <listitem><para>
      ip_address - IP address on which D2 listens for requests. The default is
      the local loopback interface at address 127.0.0.1. You may specify
      either an IPv4 or IPv6 address.
      </para></listitem>
      <listitem><para>
      port - Port on which D2 listens for requests.  The default value
      is 53001.
      </para></listitem>
      <listitem><para>
      ncr_format - Socket protocol to use when sending requests to D2.
      Currently only UDP is supported.  TCP may be available in an upcoming
      release.
      </para></listitem>
      <listitem><para>
      ncr_protocol - Packet format to use when sending requests to D2.
      Currently only JSON format is supported.  Other formats may be available
      in future releases.
      </para></listitem>
      <listitem><para>
      dns_server_timeout - The maximum amount of time in milliseconds, that
      D2 will wait for a response from a DNS server to a single DNS update
      message.
      </para></listitem>
      </orderedlist>
        <para>
        D2 must listen for change requests on a known address and port.  By
        default it listens at 127.0.0.1 on port 53001. The following example
        illustrates how to change D2's global parameters so it will listen
        at 192.168.1.10 port 900:
<screen>
&gt; <userinput>config set DhcpDdns/ip_address "192.168.1.10"</userinput>
&gt; <userinput>config set DhcpDdns/port 900</userinput>
&gt; <userinput>config commit</userinput>
</screen>
        </para>
        <warning>
          <simpara>
            When the DHCP-DDNS server is configured to listen at an address
            other than the loopback address (127.0.0.1 or ::1), it is possible
            for a malicious attacker to send bogus NameChangeRequests to it
            and change entries in the DNS. For this reason, addresses other
            than the IPv4 or IPv6 loopback addresses should only be used
            for testing purposes. A future version of Kea will implement
            authentication to guard against such attacks.
          </simpara>
        </warning>
<note>
<simpara>
If the ip_address and port are changed, it will be necessary to change the
corresponding values in the DHCP servers' "dhcp-ddns" configuration section.
</simpara>
</note>
      </section> <!-- "d2-server-parameter-config" -->

      <section id="d2-tsig-key-list-config">
        <title>TSIG Key List</title>
        <para>
        A DDNS protocol exchange can be conducted with or without TSIG
        (defined in <ulink url="http://tools.ietf/org/html/rfc2845">RFC
        2845</ulink>). This configuration section allows the administrator
        to define the set of TSIG keys that may be used in such
        exchanges.</para>

        <para>To use TSIG when updating entries in a DNS Domain,
        a key must be defined in the TSIG Key List and referenced by
        name in that domain's configuration entry.  When D2 matches a
        change request to a domain, it checks whether the domain has
        a TSIG key associated with it.  If so, D2 will use that key to
        sign DNS update messages sent to and verify repsonses received
        from the domain's DNS server(s). For each TSIG key required by
        the DNS servers that D2 will be working with there must be a
        corresponding TSIG key in the TSIG Key list.</para>

        <para>
        As one might gather from the name, the tsig_key section of the
        D2 configuration lists the TSIG keys.  Each entry describes a
        TSIG key used by one or more DNS servers to authenticate requests
        and sign responses.  Every entry in the list has three parameters:
        <itemizedlist>
          <listitem>
            <simpara>
              <command>name</command> &mdash;
              a unique text label used to identify this key within the
              list.  This value is used to specify which key (if any) should be
              used when updating a specific domain. So long as it is unique its
              content is arbitrary, although for clarity and ease of maintenance
              it is recommended that it match the name used on the DNS server(s).
              It cannot be blank.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>algorithm</command> &mdash;
              specifies which hashing algorithm should be used with this
              key.  This value must specify the same algorithm used for the
              key on the DNS server(s). The supported algorithms are listed below:
              <itemizedlist>
                <listitem>
                   <command>HMAC-MD5</command>
                </listitem>
                <listitem>
                    <command>HMAC-SHA1</command>
                </listitem>
                <listitem>
                  <command>HMAC-SHA224</command>
              </listitem>
              <listitem>
                  <command>HMAC-SHA256</command>
              </listitem>
              <listitem>
                  <command>HMAC-SHA384</command>
                  </listitem>
              <listitem>
                  <command>HMAC-SHA512</command>
              </listitem>
              </itemizedlist>
              This value is not case sensitive.
            </simpara>
          </listitem>
          <listitem>
            <simpara>
              <command>secret</command> &mdash;
              is used to specify the shared secret key code for this key.  This value is
              case sensitive and must exactly match the value specified on the DNS server(s).
              It is a base64-encoded text value.
            </simpara>
          </listitem>
        </itemizedlist>
        </para>
        <para>
        As an example, suppose that a domain D2 will be updating is
        maintained by a BIND9 DNS server which requires dynamic updates
        to be secured with TSIG.  Suppose further that the entry for
        the TSIG key in BIND9's named.conf file looks like this:
<screen>
   :
   key "key.four.example.com." {
       algorithm hmac-sha224;
       secret "bZEG7Ow8OgAUPfLWV3aAUQ==";
   };
   :
</screen>
        By default, the TSIG Key list is empty:
<screen>
<userinput>> config show DhcpDdns/tsig_keys</userinput>
DhcpDdns/tsig_keys  []  list  (default)
</screen>
        We must first create a new key in the list:
<screen>
<userinput>> config add DhcpDdns/tsig_keys</userinput>
</screen>
        Displaying the new element, reveals:
<screen>
<userinput>> config show DhcpDdns/tsig_keys[0]</userinput>
DhcpDdns/tsig_keys[0]/name  ""  string  (default)
DhcpDdns/tsig_keys[0]/algorithm "HMAC-MD5"  string  (modified)
DhcpDdns/tsig_keys[0]/secret  ""  string  (default)
</screen>
        Now set all three values to match BIND9's key:
<screen>
<userinput>> config set DhcpDdns/tsig_keys[0]/name "key.four.example.com"</userinput>
<userinput>> config set DhcpDdns/tsig_keys[0]/algorithm "HMAC-SHA224"</userinput>
<userinput>> config set DhcpDdns/tsig_keys[0]/secret "bZEG7Ow8OgAUPfLWV3aAUQ=="</userinput>
<userinput>> config commit</userinput>
</screen>
        </para>
        These steps would be repeated for each TSIG key needed.  Note that the same TSIG key
        can be used with more than one domain.
      </section> <!-- "d2-tsig-key-list-config" -->

      <section id="d2-forward-ddns-config">
        <title>Forward DDNS</title>
        <para>
        The Forward DDNS section is used to configure D2's forward update
        behavior. Currently it contains a single parameter, the catalog of
        forward DDNS Domains:
<screen>
<userinput>> config show DhcpDdns/forward_ddns/</userinput>
DhcpDdns/forward_ddns/ddns_domains  [] list  (default)
</screen>
        By default, this list is empty, which will cause the server to ignore
        the forward update portions of requests.
        </para>
        <section id="add-forward-ddns-domain">
          <title>Adding Forward DDNS Domains</title>
          <para>
          A forward DDNS Domain maps a forward DNS zone to a set of DNS servers
          which maintain the forward DNS data for that zone.  You will need one
          forward DDNS Domain for each zone you wish to service.  It may very
          well be that some or all of your zones are maintained by the same
          servers. You will still need one DDNS Domain per zone. Remember that
          matching a request to the appropriate server(s) is done by zone and
          a DDNS Domain only defines a single zone.
          </para>
          <para>
          The section describes how to add Forward DDNS Domains. Repeat these
          steps for each Forward DDNS Domain desired.  Each Forward DDNS Domain
          has the following parameters:
          <itemizedlist>
            <listitem>
              <simpara>
              <command>name</command> &mdash;
              The fully qualified domain name (or zone) that this DDNS Domain
              can update.  This is value used to compare against the request
              FQDN during forward matching.  It must be unique within the
              catalog.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>key_name</command> &mdash;
              If TSIG is used with this domain's servers, this
              value should be the name of the key from within the TSIG Key List
              to use.  If the value is blank (the default), TSIG will not be
              used in DDNS conversations with this domain's servers.  Currently
              TSIG has not been implemented, so this value is ignored.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>dns_servers</command> &mdash;
              A list of one or more DNS servers which can conduct the server
              side of the DDNS protocol for this domain.  The servers
              are used in a first to last preference. In other words, when D2
              begins to process a request for this domain it will pick the
              first server in this list and attempt to communicate with it.
              If that attempt fails, it will move to next one in the list and
              so on until the it achieves success or the list is exhausted.
              </simpara>
            </listitem>
          </itemizedlist>
        To create a new forward DDNS Domain, one must first add a new domain
        element:
<screen>
<userinput>> config add DhcpDdns/forward_ddns/ddns_domains</userinput>
</screen>
        Displaying the DDNS Domain reveals this:
<screen>
<userinput>> config show DhcpDdns/forward_ddns/ddns_domains[0]</userinput>
DhcpDdns/forward_ddns/ddns_domains[0]/name  ""  string  (default)
DhcpDdns/forward_ddns/ddns_domains[0]/key_name  ""  string  (default)
DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers   []  list    (default)
</screen>
        To set the domain's name to "other.example.com":
<screen>
<userinput>> config set DhcpDdns/forward_ddns/ddns_domains[1]/name "other.example.com"</userinput>
<userinput>> config commit</userinput>
</screen>
        It is permissible to add a domain without any servers. If that domain
        should be matched to a request, however, the request will fail.  In
        order to make the domain useful though, we must add at least one DNS
        server to it.
        </para>

        <section id="add-forward-dns-servers">
          <title>Adding Forward DNS Servers</title>
          <para>
          The section describes how to add DNS servers to a Forward DDNS Domain.
          Repeat them for as many servers as desired for a each domain.
          </para>
          <para>
          Forward DNS Server entries represent actual DNS servers which
          support the server side of the DDNS protocol. Each Forward DNS Server
          has the following parameters:
          <itemizedlist>
            <listitem>
              <simpara>
              <command>hostname</command> &mdash;
              The resolvable host name of the DNS server. This value is not
              yet implemented.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>ip_address</command> &mdash;
              The IP address at which the server listens for DDNS requests.
              This may be either an IPv4 or an IPv6 address.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>port</command> &mdash;
              The port on which the server listens for DDNS requests. It
              defaults to the standard DNS service port of 53.
              </simpara>
            </listitem>
          </itemizedlist>
          To create a new forward DNS Server, one must first add a new server
          element to the domain:
<screen>
<userinput>> config add DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers</userinput>
</screen>
         Displaying the DNS Server element should appear as follows:
<screen>
<userinput>> config show DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]</userinput>
DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]/hostname   ""  string  (default)
DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]/ip_address ""  string  (default)
DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]/port   53  integer(default)
</screen>
        As stated earlier, "hostname" is not yet supported so, the parameter
        "ip_address" must be set to the address of the DNS server. If for
        example the service is running at "172.88.99.10", then set it as
        follows:
<screen>
<userinput>> config set DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]/ip_address "172.88.99.10"</userinput>
<userinput>> config commit</userinput>
</screen>
          </para>
        </section> <!-- "add-forward-dns-servers" -->

      </section> <!-- "add-forward-ddns-domains" -->

      </section> <!-- "d2-forward-ddns-config" -->

      <section id="d2-reverse-ddns-config">
        <title>Reverse DDNS</title>
        <para>
        The Reverse DDNS section is used to configure D2's reverse update
        behavior, and the concepts are the same as for the forward DDNS
        section. Currently it contains a single parameter, the catalog of
        reverse DDNS Domains:
<screen>
<userinput>> config show DhcpDdns/reverse_ddns/</userinput>
DhcpDdns/reverse_ddns/ddns_domains  [] list  (default)
</screen>
        By default, this list is empty, which will cause the server to ignore
        the reverse update portions of requests.
        </para>
        <section id="add-reverse-ddns-domain">
          <title>Adding Reverse DDNS Domains</title>
          <para>
          A reverse DDNS Domain maps a reverse DNS zone to a set of DNS servers
          which maintain the reverse DNS data for that zone.  You will need one
          reverse DDNS Domain for each zone you wish to service.  It may very
          well be that some or all of your zones are maintained by the same
          servers; even then, you will still need one DDNS Domain entry for each
          zone. Remember that
          matching a request to the appropriate server(s) is done by zone and
          a DDNS Domain only defines a single zone.
          </para>
          <para>
          The section describes how to add Reverse DDNS Domains. Repeat these
          steps for each Reverse DDNS Domain desired.  Each Reverse DDNS Domain
          has the following parameters:
          <itemizedlist>
            <listitem>
              <simpara>
              <command>name</command> &mdash;
              The fully qualified reverse zone that this DDNS Domain
              can update.  This is the value used during reverse matching
              which will compare it with a reversed version of the request's
              lease address. The zone name should follow the appropriate
              standards: for example, to to support the IPv4 subnet 172.16.1,
              the name should be. "1.16.172.in-addr.arpa.".  Similarly,
              to support an IPv6 subent of 2001:db8:1, the name should be
              "1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa."
              Whatever the name, it must be unique within the catalog.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>key_name</command> &mdash;
              If TSIG should be used with this domain's servers, then this
              value should be the name of that key from the TSIG Key List.
              If the value is blank (the default), TSIG will not be
              used in DDNS conversations with this domain's servers.  Currently
              this value is not used as TSIG has not been implemented.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>dns_servers</command> &mdash;
              a list of one or more DNS servers which can conduct the server
              side of the DDNS protocol for this domain.  Currently the servers
              are used in a first to last preference. In other words, when D2
              begins to process a request for this domain it will pick the
              first server in this list and attempt to communicate with it.
              If that attempt fails, it will move to next one in the list and
              so on until the it achieves success or the list is exhausted.
              </simpara>
            </listitem>
          </itemizedlist>
        To create a new reverse DDNS Domain, one must first add a new domain
        element:
<screen>
<userinput>> config add DhcpDdns/reverse_ddns/ddns_domains</userinput>
</screen>
        Displaying the DDNS Domain reveals this:
<screen>
<userinput>> config show DhcpDdns/reverse_ddns/ddns_domains[0]</userinput>
DhcpDdns/reverse_ddns/ddns_domains[0]/name  ""  string  (default)
DhcpDdns/reverse_ddns/ddns_domains[0]/key_name  ""  string  (default)
DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers   []  list    (default)
</screen>
        For domain supporting the subnet 2001:db8:1::, we would set the
        domain's name as follows:
<screen>
<userinput>> config set DhcpDdns/reverse_ddns/ddns_domains[1]/name "1.0.0.0.8.B.D.0.1.0.0.2.ip6.arpa."</userinput>
<userinput>> config commit</userinput>
</screen>
        It is permissible to add a domain without any servers. If that domain
        should be matched to a request, however, the request will fail.  In
        order to make the domain useful though, we must add at least one DNS
        server to it.
        </para>

        <section id="add-reverse-dns-servers">
          <title>Adding Reverse DNS Servers</title>
          <para>
          The section describes how to add DNS servers to a Reverse DDNS Domain.
          Repeat them for as many servers as desired for a each domain.
          </para>
          <para>
          Reverse DNS Server entries represents a actual DNS servers which
          support the server side of the DDNS protocol. Each Reverse DNS Server
          has the following parameters:
          <itemizedlist>
            <listitem>
              <simpara>
              <command>hostname</command> &mdash;
              The resolvable host name of the DNS server. This value is
              currently ignored.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>ip_address</command> &mdash;
              The IP address at which the server listens for DDNS requests.
              </simpara>
            </listitem>
            <listitem>
              <simpara>
              <command>port</command> &mdash;
              The port on which the server listens for DDNS requests. It
              defaults to the standard DNS service port of 53.
              </simpara>
            </listitem>
          </itemizedlist>
          To create a new reverse DNS Server, one must first add a new server
          element to the domain:
<screen>
<userinput>> config add DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers</userinput>
</screen>
         Displaying the DNS Server element should appear as follows:
<screen>
<userinput>> config show DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]</userinput>
DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]/hostname   ""  string  (default)
DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]/ip_address ""  string  (default)
DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]/port   53  integer(default)
</screen>
        As stated earlier, "hostname" is not yet supported so, the parameter
        "ip_address" must be set to the address of the DNS server. If for
        example the service is running at "172.88.99.10", then set it as
        follows:
<screen>
<userinput>> config set DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]/ip_address "172.88.99.10"</userinput>
<userinput>> config commit</userinput>
</screen>
          </para>
        </section> <!-- "add-reverse-dns-servers" -->

      </section> <!-- "add-reverse-ddns-domains" -->

      </section> <!-- "d2-reverse-ddns-config" -->

      <section id="d2-exmaple-config">
        <title>Example DHCP-DDNS Server Configuration</title>
        <para>
        This section provides an example DHCP-DDNS server configuration based
        on a small example network.  Let's suppose our example network has
        three domains, each with their own subnet.

        <table>
          <title>Our example network</title>
          <tgroup cols='4' align='left'>
          <colspec colname='domain'/>
          <colspec colname='subnet'/>
          <colspec colname='fservers'/>
          <colspec colname='rservers'/>
          <thead>
            <row>
              <entry>Domain</entry>
              <entry>Subnet</entry>
              <entry>Forward DNS Servers</entry>
              <entry>Reverse DNS Servers</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>four.example.com</entry>
              <entry>192.0.2.0/24</entry>
              <entry>172.16.1.5, 172.16.2.5</entry>
              <entry>172.16.1.5, 172.16.2.5</entry>
            </row>
            <row>
              <entry>six.example.com</entry>
              <entry>2001:db8:1::/64</entry>
              <entry>3001:1::50</entry>
              <entry>3001:1::51</entry>
            </row>
            <row>
              <entry>example.com</entry>
              <entry>192.0.0.0/16</entry>
              <entry>172.16.2.5</entry>
              <entry>172.16.2.5</entry>
            </row>
          </tbody>
          </tgroup>
        </table>
        </para>
        <para>
        We need to construct three forward DDNS Domains:
        <table>
          <title>Forward DDNS Domains Needed</title>
          <tgroup cols='3' align='left'>
          <colspec colname='num'/>
          <colspec colname='name'/>
          <colspec colname='servers'/>
          <thead>
            <row>
              <entry>#</entry>
              <entry>DDNS Domain Name</entry>
              <entry>DNS Servers</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>1.</entry>
              <entry>four.example.com.</entry>
              <entry>172.16.1.5, 172.16.2.5</entry>
            </row>
            <row>
              <entry>2.</entry>
              <entry>six.example.com.</entry>
              <entry>3001:1::50</entry>
            </row>
            <row>
              <entry>3.</entry>
              <entry>example.com.</entry>
              <entry>172.16.2.5</entry>
            </row>
          </tbody>
          </tgroup>
        </table>
        As discussed earlier, FQDN to domain matching is based on the longest
        match. The FQDN, "myhost.four.example.com.", will match the first
        domain ("four.example.com") while "admin.example.com." will match the
        third domain ("example.com"). The
        FQDN, "other.example.net." will fail to match any domain and would
        be rejected.
        </para>
        <para>
        The following series of commands in bindctl will create the Forward
        DDNS Domains.
<screen>
<userinput>
> config add DhcpDdns/forward_ddns/ddns_domains
> config set DhcpDdns/forward_ddns/ddns_domains[0]/name "four.example.com."
> config add DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers
> config set DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[0]/ip_address "172.16.1.5"
> config add DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers
> config set DhcpDdns/forward_ddns/ddns_domains[0]/dns_servers[1]/ip_address "172.16.2.5"
>
> config add DhcpDdns/forward_ddns/ddns_domains
> config set DhcpDdns/forward_ddns/ddns_domains[1]/name "six.example.com."
> config add DhcpDdns/forward_ddns/ddns_domains[1]/dns_servers
> config set DhcpDdns/forward_ddns/ddns_domains[1]/dns_servers[0]/ip_address "3001:1::50:"
>
> config add DhcpDdns/forward_ddns/ddns_domains
> config set DhcpDdns/forward_ddns/ddns_domains[2]/name "example.com."
> config add DhcpDdns/forward_ddns/ddns_domains[2]/dns_servers
> config set DhcpDdns/forward_ddns/ddns_domains[2]/dns_servers[0]/ip_address "172.16.2.5"
>
> config commit
</userinput>
</screen>
        </para>
        <para>
        Similarly, we need to construct the three reverse DDNS Domains:
        <table>
          <title>Reverse DDNS Domains Needed</title>
          <tgroup cols='3' align='left'>
          <colspec colname='num'/>
          <colspec colname='DDNS Domain name'/>
          <colspec colname='DDNS Domain DNS Servers'/>
          <thead>
            <row>
              <entry>#</entry>
              <entry>DDNS Domain Name</entry>
              <entry>DNS Servers</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry>1.</entry>
              <entry>2.0.192.in-addr.arpa.</entry>
              <entry>172.16.1.5, 172.16.2.5</entry>
            </row>
            <row>
              <entry>2.</entry>
              <entry>1.0.0.0.8.d.b.0.1.0.0.2.ip6.arpa.</entry>
              <entry>3001:1::50</entry>
            </row>
            <row>
              <entry>3.</entry>
              <entry>0.182.in-addr.arpa.</entry>
              <entry>172.16.2.5</entry>
            </row>
          </tbody>
          </tgroup>
        </table>
        An address of "192.0.2.150" will match the first domain,
        "2001:db8:1::10" will match the second domain, and "192.0.50.77"
        the third domain.
        </para>
        <para>
        The following series of commands in bindctl will create our Reverse
        DDNS Domains.
<screen>
<userinput>
> config add DhcpDdns/reverse_ddns/ddns_domains
> config set DhcpDdns/reverse_ddns/ddns_domains[0]/name "2.0.192.in-addr.arpa."
> config add DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers
> config set DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[0]/ip_address "172.16.1.5"
> config add DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers
> config set DhcpDdns/reverse_ddns/ddns_domains[0]/dns_servers[1]/ip_address "172.16.2.5"
>
> config add DhcpDdns/reverse_ddns/ddns_domains
> config set DhcpDdns/reverse_ddns/ddns_domains[1]/name "1.0.0.0.8.d.b.0.1.0.0.2.ip6.arpa."
> config add DhcpDdns/reverse_ddns/ddns_domains[1]/dns_servers
> config set DhcpDdns/reverse_ddns/ddns_domains[1]/dns_servers[0]/ip_address "3001:1::50:"
>
> config add DhcpDdns/reverse_ddns/ddns_domains
> config set DhcpDdns/reverse_ddns/ddns_domains[2]/name "0.192.in-addr.arpa."
> config add DhcpDdns/reverse_ddns/ddns_domains[2]/dns_servers
> config set DhcpDdns/reverse_ddns/ddns_domains[2]/dns_servers[0]/ip_address "172.16.2.5"
>
> config commit
</userinput>
</screen>
        </para>
        </section> <!-- end of "d2-example" -->
    </section> <!-- end of section "d2-configuration" -->
    <section>
      <title>DHCP-DDNS Server Limitations</title>
      <para>The following are the current limitations of the DHCP-DDNS Server.</para>
      <itemizedlist>
        <listitem>
          <simpara>
            Requests received from the DHCP servers are placed in a
            queue until they are processed.  Currently all queued requests
            are lost when the server shuts down.
          </simpara>
        </listitem>
        <listitem>
          <simpara>
            TSIG Authentication (<ulink
            url="http://tools.ietf.org/html/rfc2845">RFC 2845</ulink>)
            is not supported yet.
          </simpara>
        </listitem>
      </itemizedlist>
    </section>
  </chapter> <!-- DHCP-DDNS Server -->

  <chapter id="libdhcp">
    <title>libdhcp++ library</title>
    <para>
      libdhcp++ is a common library written in C++ that handles
      many DHCP-related tasks, including:
      <itemizedlist>
        <listitem>
          <simpara>DHCPv4 and DHCPv6 packets parsing, manipulation and assembly</simpara>
        </listitem>
        <listitem>
          <simpara>Option parsing, manipulation and assembly</simpara>
        </listitem>
        <listitem>
          <simpara>Network interface detection</simpara>
        </listitem>
        <listitem>
          <simpara>Socket operations such as creation, data transmission and reception and socket closing.</simpara>
        </listitem>
      </itemizedlist>
    </para>

    <para>
    While this library is currently used by Kea, it is designed to
    be a portable, universal library, useful for any kind of DHCP-related software.
    </para>

<!-- TODO: point to doxygen docs -->

    <section id="iface-detect">
      <title>Interface detection and Socket handling</title>
      <para>Both the DHCPv4 and DHCPv6 components share network
      interface detection routines. Interface detection is
      currently supported on Linux, all BSD family (FreeBSD, NetBSD,
      OpenBSD), Mac OS X and Solaris 11 systems.</para>

      <para>DHCPv4 requires special raw socket processing to send and receive
      packets from hosts that do not have IPv4 address assigned yet. Support
      for this operation is implemented on Linux only, so it is likely that
      DHCPv4 component will not work in certain cases on systems other than
      Linux.</para>
    </section>

<!--
    <section id="packet-handling">
      <title>DHCPv4/DHCPv6 packet handling</title>
      <para>TODO: Describe packet handling here, with pointers to wiki</para>
    </section>
-->

  </chapter>

  <chapter id="statistics">
    <title>Statistics</title>

    <para>
      The <command>b10-stats</command> process is started by
      <command>b10-init</command>.
      It periodically collects statistics data from various modules
      and aggregates it.
<!-- TODO -->
    </para>

    <para>

       This stats daemon provides commands to identify if it is
       running, show specified or all statistics data, and show specified
       or all statistics data schema.

       For example, using <command>bindctl</command>:

       <screen>
&gt; <userinput>Stats show</userinput>
{
    "Auth": {
        "opcode.iquery": 0,
        "opcode.notify": 10,
        "opcode.query": 869617,
        ...
        "queries.tcp": 1749,
        "queries.udp": 867868
    },
    "Init": {
        "boot_time": "2011-01-20T16:59:03Z"
    },
    "Stats": {
        "boot_time": "2011-01-20T16:59:05Z",
        "last_update_time": "2011-01-20T17:04:05Z",
        "lname": "4d3869d9_a@jreed.example.net",
        "report_time": "2011-01-20T17:04:06Z",
        "timestamp": 1295543046.823504
    }
}
       </screen>
    </para>

  </chapter>

  <chapter id="logging">
    <title>Logging</title>

    <section>
      <title>Logging configuration</title>

      <para>

        The logging system in Kea is configured through the
        Logging module. All  modules will look at the
        configuration in Logging to see what should be logged and
        to where.

<!-- TODO: what is context of Logging module for readers of this guide? -->

      </para>

      <section>
        <title>Loggers</title>

        <para>

          Within Kea, a message is logged through a component
          called a "logger". Different parts of log messages
          through different loggers, and each logger can be configured
          independently of one another.

        </para>

        <para>

          In the Logging module, you can specify the configuration
          for zero or more loggers; any that are not specified will
          take appropriate default values.

        </para>

        <para>

          The three most important elements of a logger configuration
          are the <option>name</option> (the component that is
          generating the messages), the <option>severity</option>
          (what to log), and the <option>output_options</option>
          (where to log).

        </para>

        <section>
          <title>name (string)</title>

          <para>
          Each logger in the system has a name, the name being that
          of the component using it to log messages. For instance,
          if you want to configure logging for the Dhcp4 module,
          you add an entry for a logger named <quote>Dhcp4</quote>. This
          configuration will then be used by the loggers in the
          Dhcp4 module, and all the libraries used by it.
              </para>

<!-- TODO: later we will have a way to know names of all modules

Right now you can only see what their names are if they are running
(a simple 'help' without anything else in bindctl for instance).

 -->
          <para>

          If you want to specify logging for one specific library
          within the module, you set the name to
          <replaceable>module.library</replaceable>.  For example, the
          logger used by the nameserver address store component
          has the full name of <quote>Dhcp4.dhcpsrv</quote>. If
          there is no entry in Logging for a particular library,
          it will use the configuration given for the module.

        </para>

       <para>

          To illustrate this, suppose you want the dhcpsrv library
          to log messages of severity DEBUG, and the rest of the
          Dhcp4 code to log messages of severity INFO. To achieve
          this you specify two loggers, one with the name
          <quote>Dhcp4</quote> and severity INFO, and one with
          the name <quote>Dhcp4.dhcpsrv</quote> with severity
          DEBUG. As there are no entries for other libraries,
          they will use the configuration for the module
          (<quote>Dhcp4</quote>), so giving the desired behavior.

        </para>

        <para>

          One special case is that of a module name of <quote>*</quote>
          (asterisks), which is interpreted as <emphasis>any</emphasis>
          module. You can set global logging options by using this,
          including setting the logging configuration for a library
          that is used by multiple modules (e.g. <quote>*.config</quote>
          specifies the configuration library code in whatever
          module is using it).

        </para>

        <para>

          If there are multiple logger specifications in the
          configuration that might match a particular logger, the
          specification with the more specific logger name takes
          precedence. For example, if there are entries for
          both <quote>*</quote> and <quote>Dhcp4</quote>, the
          Dhcp4 module &mdash; and all libraries it uses &mdash;
          will log messages according to the configuration in the
          second entry (<quote>Dhcp4</quote>). All other modules
          will use the configuration of the first entry
          (<quote>*</quote>).

        </para>

        <para>

          One final note about the naming. When specifying the
          module name within a logger, use the name of the module
          as specified in <command>bindctl</command>, e.g.
          <quote>Dhcp4</quote> for the Dhcp4 module,
          <quote>Dhcp6</quote> for the Dhcp6 module, etc. When
          the message is logged, the message will include the name
          of the logger generating the message, but with the module
          name replaced by the name of the process implementing
          the module (so for example, a message generated by the
          <quote>Dhcp4</quote> logger will appear in the output
          with a logger name of <quote>b10-dhcp4</quote>).

        </para>

        </section>

        <section>
          <title>severity (string)</title>

        <para>

          This specifies the category of messages logged.
          Each message is logged with an associated severity which
          may be one of the following (in descending order of
          severity):
        </para>

        <itemizedlist>
          <listitem>
            <simpara> FATAL </simpara>
          </listitem>

          <listitem>
            <simpara> ERROR </simpara>
          </listitem>

          <listitem>
            <simpara> WARN </simpara>
          </listitem>

          <listitem>
            <simpara> INFO </simpara>
          </listitem>

          <listitem>
            <simpara> DEBUG </simpara>
          </listitem>
        </itemizedlist>

        <para>

          When the severity of a logger is set to one of these
          values, it will only log messages of that severity, and
          the severities above it. The severity may also be set to
          NONE, in which case all messages from that logger are
          inhibited.

<!-- TODO: worded wrong? If I set to INFO, why would it show DEBUG which is literally below in that list? -->

        </para>

        </section>

        <section>
          <title>output_options (list)</title>

        <para>

          Each logger can have zero or more
          <option>output_options</option>. These specify where log
          messages are sent to. These are explained in detail below.

        </para>

        <para>

          The other options for a logger are:

        </para>

        </section>

        <section>
          <title>debuglevel (integer)</title>

        <para>

          When a logger's severity is set to DEBUG, this value
          specifies what debug messages should be printed. It ranges
          from 0 (least verbose) to 99 (most verbose).
        </para>


<!-- TODO: complete this sentence:

          The general classification of debug message types is

TODO; there's a ticket to determine these levels, see #1074

 -->

        <para>

          If severity for the logger is not DEBUG, this value is ignored.

        </para>

        </section>

        <section>
          <title>additive (true or false)</title>

        <para>

          If this is true, the <option>output_options</option> from
          the parent will be used. For example, if there are two
          loggers configured; <quote>Dhcp4</quote> and
          <quote>Dhcp4.dhcpsrv</quote>, and <option>additive</option>
          is true in the second, it will write the log messages
          not only to the destinations specified for
          <quote>Dhcp4.dhcpsrv</quote>, but also to the destinations
          as specified in the <option>output_options</option> in
          the logger named <quote>Dhcp4</quote>.

      </para>

      </section>

      </section>

      <section>
        <title>Output Options</title>

        <para>

          The main settings for an output option are the
          <option>destination</option> and a value called
          <option>output</option>, the meaning of which depends on
          the destination that is set.

        </para>

        <section>
          <title>destination (string)</title>

          <para>

            The destination is the type of output. It can be one of:

          </para>

          <itemizedlist>

            <listitem>
              <simpara> console </simpara>
          </listitem>

            <listitem>
              <simpara> file </simpara>
          </listitem>

            <listitem>
              <simpara> syslog </simpara>
            </listitem>

          </itemizedlist>

        </section>

        <section>
          <title>output (string)</title>

        <para>

          Depending on what is set as the output destination, this
          value is interpreted as follows:

        </para>

        <variablelist>

          <varlistentry>
            <term><option>destination</option> is <quote>console</quote></term>
            <listitem>
              <para>
                 The value of output must be one of <quote>stdout</quote>
                 (messages printed to standard output) or
                 <quote>stderr</quote> (messages printed to standard
                 error).
              </para>
              <para>
                Note: if output is set to <quote>stderr</quote> and a lot of
                messages are produced in a short time (e.g. if the logging
                level is set to DEBUG), you may occasionally see some messages
                jumbled up together.  This is due to a combination of the way
                that messages are written to the screen and the unbuffered
                nature of the standard error stream.  If this occurs, it is
                recommended that output be set to <quote>stdout</quote>.
              </para>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term><option>destination</option> is <quote>file</quote></term>
            <listitem>
              <para>
                The value of output is interpreted as a file name;
                log messages will be appended to this file.
              </para>
            </listitem>
          </varlistentry>

          <varlistentry>
            <term><option>destination</option> is <quote>syslog</quote></term>
            <listitem>
              <para>
                The value of output is interpreted as the
                <command>syslog</command> facility (e.g.
                <emphasis>local0</emphasis>) that should be used
                for log messages.
              </para>
            </listitem>
          </varlistentry>

        </variablelist>

        <para>

          The other options for <option>output_options</option> are:

        </para>

        <section>
          <title>flush (true of false)</title>

          <para>
            Flush buffers after each log message. Doing this will
            reduce performance but will ensure that if the program
            terminates abnormally, all messages up to the point of
            termination are output.
          </para>

        </section>

        <section>
          <title>maxsize (integer)</title>

          <para>
            Only relevant when destination is file, this is maximum
            file size of output files in bytes. When the maximum
            size is reached, the file is renamed and a new file opened.
            (For example, a ".1" is appended to the name &mdash;
            if a ".1" file exists, it is renamed ".2",
            etc.)
          </para>

          <para>
            If this is 0, no maximum file size is used.
          </para>

          <note>
            <simpara>
	      Due to a limitation of the underlying logging library
	      (log4cplus), rolling over the log files (from ".1" to
	      ".2", etc) may show odd results: There can be
	      multiple small files at the timing of roll over.  This
	      can happen when multiple processes try to roll
	      over the files simultaneously.
	      Version 1.1.0 of log4cplus solved this problem, so if
	      this or higher version of log4cplus is used to build
	      Kea, it shouldn't happen.  Even for older versions
	      it is normally expected to happen rarely unless the log
	      messages are produced very frequently by multiple
	      different processes.
	    </simpara>
	  </note>

        </section>

        <section>
          <title>maxver (integer)</title>

          <para>
            Maximum number of old log files to keep around when
            rolling the output file. Only relevant when
            <option>destination</option> is <quote>file</quote>.
          </para>

        </section>

      </section>

      </section>

      <section>
        <title>Example session</title>

        <para>

          In this example we want to set the global logging to
          write to the file <filename>/var/log/my_bind10.log</filename>,
          at severity WARN. We want the authoritative server to
          log at DEBUG with debuglevel 40, to a different file
          (<filename>/tmp/debug_messages</filename>).

        </para>

        <para>

          Start <command>bindctl</command>.

        </para>

        <para>

           <screen>["login success "]
&gt; <userinput>config show Logging</userinput>
Logging/loggers	[]	list
</screen>

        </para>

        <para>

          By default, no specific loggers are configured, in which
          case the severity defaults to INFO and the output is
          written to stderr.

        </para>

        <para>

          Let's first add a default logger:

        </para>

<!-- TODO: adding the empty loggers makes no sense -->
        <para>

          <screen>&gt; <userinput>config add Logging/loggers</userinput>
&gt; <userinput>config show Logging</userinput>
Logging/loggers/	list	(modified)
</screen>

        </para>

        <para>

          The loggers value line changed to indicate that it is no
          longer an empty list:

        </para>

        <para>

          <screen>&gt; <userinput>config show Logging/loggers</userinput>
Logging/loggers[0]/name	""	string	(default)
Logging/loggers[0]/severity	"INFO"	string	(default)
Logging/loggers[0]/debuglevel	0	integer	(default)
Logging/loggers[0]/additive	false	boolean	(default)
Logging/loggers[0]/output_options	[]	list	(default)
</screen>

        </para>

        <para>

          The name is mandatory, so we must set it. We will also
          change the severity as well. Let's start with the global
          logger.

        </para>

        <para>

          <screen>&gt; <userinput>config set Logging/loggers[0]/name *</userinput>
&gt; <userinput>config set Logging/loggers[0]/severity WARN</userinput>
&gt; <userinput>config show Logging/loggers</userinput>
Logging/loggers[0]/name	"*"	string	(modified)
Logging/loggers[0]/severity	"WARN"	string	(modified)
Logging/loggers[0]/debuglevel	0	integer	(default)
Logging/loggers[0]/additive	false	boolean	(default)
Logging/loggers[0]/output_options	[]	list	(default)
</screen>

        </para>

        <para>

          Of course, we need to specify where we want the log
          messages to go, so we add an entry for an output option.

        </para>

        <para>

          <screen>&gt; <userinput> config add Logging/loggers[0]/output_options</userinput>
&gt; <userinput> config show Logging/loggers[0]/output_options</userinput>
Logging/loggers[0]/output_options[0]/destination	"console"	string	(default)
Logging/loggers[0]/output_options[0]/output	"stdout"	string	(default)
Logging/loggers[0]/output_options[0]/flush	false	boolean	(default)
Logging/loggers[0]/output_options[0]/maxsize	0	integer	(default)
Logging/loggers[0]/output_options[0]/maxver	0	integer	(default)
</screen>


        </para>

        <para>

          These aren't the values we are looking for.

        </para>

        <para>

          <screen>&gt; <userinput> config set Logging/loggers[0]/output_options[0]/destination file</userinput>
&gt; <userinput> config set Logging/loggers[0]/output_options[0]/output /var/log/kea.log</userinput>
&gt; <userinput> config set Logging/loggers[0]/output_options[0]/maxsize 204800</userinput>
&gt; <userinput> config set Logging/loggers[0]/output_options[0]/maxver 8</userinput>
</screen>

        </para>

        <para>

          Which would make the entire configuration for this logger
          look like:

        </para>

        <para>

          <screen>&gt; <userinput> config show all Logging/loggers</userinput>
Logging/loggers[0]/name	"*"	string	(modified)
Logging/loggers[0]/severity	"WARN"	string	(modified)
Logging/loggers[0]/debuglevel	0	integer	(default)
Logging/loggers[0]/additive	false	boolean	(default)
Logging/loggers[0]/output_options[0]/destination	"file"	string	(modified)
Logging/loggers[0]/output_options[0]/output	"/var/log/kea.log"	string	(modified)
Logging/loggers[0]/output_options[0]/flush	false	boolean	(default)
Logging/loggers[0]/output_options[0]/maxsize	204800	integer	(modified)
Logging/loggers[0]/output_options[0]/maxver	8	integer	(modified)
</screen>

        </para>

        <para>

          That looks OK, so let's commit it before we add the
          configuration for the authoritative server's logger.

        </para>

        <para>

          <screen>&gt; <userinput> config commit</userinput></screen>

        </para>

        <para>

          Now that we have set it, and checked each value along
          the way, adding a second entry is quite similar.

        </para>

        <para>

          <screen>&gt; <userinput> config add Logging/loggers</userinput>
&gt; <userinput> config set Logging/loggers[1]/name Dhcp4</userinput>
&gt; <userinput> config set Logging/loggers[1]/severity DEBUG</userinput>
&gt; <userinput> config set Logging/loggers[1]/debuglevel 40</userinput>
&gt; <userinput> config add Logging/loggers[1]/output_options</userinput>
&gt; <userinput> config set Logging/loggers[1]/output_options[0]/destination file</userinput>
&gt; <userinput> config set Logging/loggers[1]/output_options[0]/output /tmp/dhcp4_debug.log</userinput>
&gt; <userinput> config commit</userinput>
</screen>

        </para>

        <para>

          And that's it. Once we have found whatever it was we
          needed the debug messages for, we can simply remove the
          second logger to let the DHCP server use the
          same settings as the rest.

        </para>

        <para>

          <screen>&gt; <userinput> config remove Logging/loggers[1]</userinput>
&gt; <userinput> config commit</userinput>
</screen>

        </para>

        <para>

          And every module will now be using the values from the
          logger named <quote>*</quote>.

        </para>

      </section>

    </section>

    <section>
      <title>Logging Message Format</title>

      <para>
          Each message written  to the configured logging
          destinations comprises a number of components that identify
          the origin of the message and, if the message indicates
          a problem, information about the problem that may be
          useful in fixing it.
      </para>

      <para>
          Consider the message below logged to a file:
          <screen>2014-04-11 12:58:01.005 INFO  [b10-dhcp4.dhcpsrv/27456]
    DHCPSRV_MEMFILE_DB opening memory file lease database: type=memfile universe=4</screen>
      </para>

      <para>
        Note: the layout of messages written to the system logging
        file (syslog) may be slightly different.  This message has
        been split across two lines here for display reasons; in the
        logging file, it will appear on one line.)
      </para>

      <para>
        The log message comprises a number of components:

          <variablelist>
          <varlistentry>
          <term>2014-04-11 12:58:01.005</term>
<!-- TODO: timestamp repeated even if using syslog? -->
          <listitem><para>
              The date and time at which the message was generated.
          </para></listitem>
          </varlistentry>

          <varlistentry>
          <term>INFO</term>
          <listitem><para>
              The severity of the message.
          </para></listitem>
          </varlistentry>

          <varlistentry>
          <term>[b10-dhcp4.dhcpsrv/27456]</term>
          <listitem><para>
            The source of the message.  This comprises two components:
            the BIND 10 process generating the message (in this
            case, <command>b10-dhcp4</command>) and the module
            within the program from which the message originated
            (which is the name of the common library used by DHCP server
            implementations).
          </para></listitem>
          </varlistentry>

          <varlistentry>
          <term>DHCPSRV_MEMFILE_DB</term>
          <listitem><para>
            The message identification.  Every message in Kea
            has a unique identification, which can be used as an
            index into the <ulink
            url="bind10-messages.html"><citetitle>Kea Messages
            Manual</citetitle></ulink> (<ulink
            url="http://kea.isc.org/docs/bind10-messages.html"
            />) from which more information can be obtained.
          </para></listitem>
          </varlistentry>

          <varlistentry>
          <term>opening memory file lease database: type=memfile universe=4</term>
          <listitem><para>
              A brief description.
              Within this text, information relating to the condition
              that caused the message to be logged will be included.
              In this example, the information is logged that the in-memory
              lease database backend will be used to store DHCP leases.
          </para></listitem>
          </varlistentry>
          </variablelist>
      </para>

    </section>

  </chapter>

    <chapter id="acknowledgements">
      <title>Acknowledgements</title>

      <para>Kea was initially implemented as a collection of applications
      within the BIND 10 framework. Hence, Kea development would not be
      possible without the generous support of BIND 10 project sponsors.</para>

      <para><ulink url="http://jprs.co.jp/">JPRS</ulink> and
      <ulink url="http://cira.ca/">CIRA</ulink> are Patron Level
      sponsors.</para>

      <para><ulink url="https://www.afnic.fr/">AFNIC</ulink>,
      <ulink url="https://www.cnnic.net.cn/">CNNIC</ulink>,
      <ulink url="https://www.nic.cz/">CZ.NIC</ulink>,
      <ulink url="http://www.denic.de/">DENIC eG</ulink>,
      <ulink url="https://www.google.com/">Google</ulink>,
      <ulink url="https://www.ripe.net/">RIPE NCC</ulink>,
      <ulink url="https://registro.br/">Registro.br</ulink>,
      <ulink url="https://nzrs.net.nz/">.nz Registry Services</ulink>, and
      <ulink url="https://www.tcinet.ru/">Technical Center of Internet</ulink>
      are current sponsors.</para>

      <para><ulink url="https://www.afilias.info/">Afilias</ulink>,
      <ulink url="https://www.iis.se/">IIS.SE</ulink>,
      <ulink url="http://www.nominet.org.uk/">Nominet</ulink>, and
      <ulink url="https://www.sidn.nl/">SIDN</ulink> were founding
      sponsors of the project.</para>

<!-- DHCP sponsorship by Comcast -->

      <para>Support for the development of the DHCPv4, DHCPv6 and
      DHCP-DDNS  components is provided by
      <ulink url="http://www.comcast.com/">Comcast</ulink>.</para>

    </chapter>


<!-- TODO: Add bibliography section (mostly RFCs, probably) -->


<!-- TODO: how to help: run unit tests, join lists, review trac tickets -->

  <!-- <index>    <title>Index</title> </index> -->

</book>

<!--

TODO:

Overview

Getting BIND 10 Installed
  Basics
  Dependencies
  Optional
  Advanced

How Does Everything Work Together?

Need Help?

-->