proto spec.

git-svn-id: file:///svn/unbound/trunk@1233 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+12 September 2008: Wouter
+	- removed browser control mentions. Proto speccy.
+
 11 September 2008: Wouter
 	- set nonblocking on new TCP streams, because linux does not inherit
 	  the socket options to the accepted socket.

doc/control_proto_spec.txt

@@ -0,0 +1,60 @@
+
+Specification for the unbound-control protocol.
+
+Server listens on 953 TCP (localhost by default). Client connects,
+SSLv3 or TLSv1 connection setup (server selfsigned certificate, 
+client has cert signed by server certificate).
+
+Query and Response
+------------------
+Client sends 
+	UBCT [commandline] \n
+	fixed string UBCT, then an ascii text line, with a command, 
+	some whitespace allowed. Line ends with '\n'.
+
+Server executes command. And sends reply in ascii text over channel, 
+closes the channel when done.
+	in case of error the first line of the response is:
+		error <descriptive text possible> \n
+	or the remainder is data of the response.
+
+Queries and responses
+---------------------
+stop
+	no output
+reload
+	no output
+stats
+	output is a list of [name]=[value] lines.
+	clears the counters.
+dump_cache
+	output is a text representation of the cache contents.
+load_cache
+	client sends cache contents (like from dump_cache), stored in the
+	cache. If client sends 'ok' or 'error' lines at start, ignored.
+	end of data indicated with a line with 'EOF' on it.
+flush_name <name>
+	flushes some information regarding the name from the cache.
+	removes the A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR types.
+flush_type <name> <RR type>
+	removes rrtype entry from the cache.
+flush_zone <name>
+	removes name and everything below that name from the cache.
+	has to search through the cache item by item, so this is slow.
+delegation <domain name>
+	see what servers would be queried for the given domain name.
+info <domain name>
+	see data about the domain name
+local_zone_remove <name of local-zone entry>
+	the local-zone entry is removed.
+	All data from the local zone is also deleted.
+	If it did not exist, nothing happens.
+local_zone_add <name of local zone> <type>
+	As the config file entry. Adds new local zone or updates
+	existing zone type.
+local_data_remove <name>
+	Removes local-data (all types) name.
+local_data_add <resource record string>
+	Add new local data record (on the rest of the line).
+	local_data_add www.example.com. IN A 192.0.2.2
+

doc/example.conf.in

@@ -376,7 +376,7 @@ remote-control:
 	# control-interface: 127.0.0.1
 	# control-interface: ::1
 
-	# port number for remote control operations. Same as BIND rndc uses.
+	# port number for remote control operations.
 	# control-port: 953
 
 	# unbound server key file.

doc/unbound-control.8.in

@@ -57,25 +57,14 @@ these in the default run directory, or with \-d in another directory.
 The script preserves private keys present in the directory.
 After running the script as root, turn on \fBcontrol-enable\fR in 
 \fIunbound.conf\fR.
-.SH "BROWSER SUPPORT"
-It is also possible to administer via a browser.  The client key needs
-to be loaded into the browser, the setup script (see above) has generated
-the file \fIunbound_control_browser.pfx\fR, with the client key and 
-certificate.  By default it is stored with an empty password.
-This can be loaded into a web browser, say Firefox, in the preferences \- 
-advanced \- encryption \- view certificates \- your certs window.
-Then connect to the server control port (https://localhost:953) and 
-create a security override to accept the self-signed certificate from 
-the unbound server.  
 .SH "FILES"
 .TP
 .I @ub_conf_file@
 unbound configuration file.
 .TP
 .I @UNBOUND_RUN_DIR@
-directory with private keys (unbound_server.key and unbound_control.key), 
-self-signed certificates (unbound_server.pem and unbound_control.pem) and 
-unbound_control_browser.pfx file.
+directory with private keys (unbound_server.key and unbound_control.key) and
+self-signed certificates (unbound_server.pem and unbound_control.pem).
 .SH "SEE ALSO"
 \fIunbound.conf\fR(5), 
 \fIunbound\fR(8).

smallapp/unbound-control-setup.sh

@@ -133,15 +133,14 @@ echo "create $CTL_BASE.pem (signed client certificate)"
 openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -out $CTL_BASE.pem
 test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
 # create trusted usage pem
-openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
+# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
 
 # see details with openssl x509 -noout -text < $SVR_BASE.pem
-
-echo "create $CTL_BASE""_browser.pfx (web client certificate)"
-echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
-echo "preferences - advanced - encryption - view certificates - your certs"
-echo "empty password is used, simply click OK on the password dialog box."
-openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
+# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
+# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
+# echo "preferences - advanced - encryption - view certificates - your certs"
+# echo "empty password is used, simply click OK on the password dialog box."
+# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
 
 # remove crap
 rm -f request.cfg