diff --git a/doc/Changelog b/doc/Changelog index 4b4018cfc..494623997 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +12 September 2008: Wouter + - removed browser control mentions. Proto speccy. + 11 September 2008: Wouter - set nonblocking on new TCP streams, because linux does not inherit the socket options to the accepted socket. diff --git a/doc/control_proto_spec.txt b/doc/control_proto_spec.txt new file mode 100644 index 000000000..d57c7aa4f --- /dev/null +++ b/doc/control_proto_spec.txt 
@@ -0,0 +1,60 @@ + +Specification for the unbound-control protocol. + +Server listens on 953 TCP (localhost by default). Client connects, +SSLv3 or TLSv1 connection setup (server selfsigned certificate, +client has cert signed by server certificate). + +Query and Response +------------------ +Client sends + UBCT [commandline] \n + fixed string UBCT, then an ascii text line, with a command, + some whitespace allowed. Line ends with '\n'. + +Server executes command. And sends reply in ascii text over channel, +closes the channel when done. + in case of error the first line of the response is: + error \n + or the remainder is data of the response. + +Queries and responses +--------------------- +stop + no output +reload + no output +stats + output is a list of [name]=[value] lines. + clears the counters. +dump_cache + output is a text representation of the cache contents. +load_cache + client sends cache contents (like from dump_cache), stored in the + cache. If client sends 'ok' or 'error' lines at start, ignored. + end of data indicated with a line with 'EOF' on it. +flush_name + flushes some information regarding the name from the cache. + removes the A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR types. +flush_type + removes rrtype entry from the cache. +flush_zone + removes name and everything below that name from the cache. + has to search through the cache item by item, so this is slow. +delegation + see what servers would be queried for the given domain name. +info + see data about the domain name +local_zone_remove + the local-zone entry is removed. + All data from the local zone is also deleted. + If it did not exist, nothing happens. +local_zone_add + As the config file entry. Adds new local zone or updates + existing zone type. +local_data_remove + Removes local-data (all types) name. +local_data_add + Add new local data record (on the rest of the line). + local_data_add www.example.com. IN A 192.0.2.2 + 
diff --git a/doc/example.conf.in b/doc/example.conf.in index 1efd5e822..636dfc7a8 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -376,7 +376,7 @@ remote-control: # control-interface: 127.0.0.1 # control-interface: ::1 - # port number for remote control operations. Same as BIND rndc uses. + # port number for remote control operations. # control-port: 953 # unbound server key file. diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index 8d17fe642..3eca71fec 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -57,25 +57,14 @@ these in the default run directory, or with \-d in another directory. The script preserves private keys present in the directory. After running the script as root, turn on \fBcontrol-enable\fR in \fIunbound.conf\fR. -.SH "BROWSER SUPPORT" -It is also possible to administer via a browser. The client key needs -to be loaded into the browser, the setup script (see above) has generated -the file \fIunbound_control_browser.pfx\fR, with the client key and -certificate. By default it is stored with an empty password. -This can be loaded into a web browser, say Firefox, in the preferences \- -advanced \- encryption \- view certificates \- your certs window. -Then connect to the server control port (https://localhost:953) and -create a security override to accept the self-signed certificate from -the unbound server. .SH "FILES" .TP .I @ub_conf_file@ unbound configuration file. .TP .I @UNBOUND_RUN_DIR@ -directory with private keys (unbound_server.key and unbound_control.key), -self-signed certificates (unbound_server.pem and unbound_control.pem) and -unbound_control_browser.pfx file. +directory with private keys (unbound_server.key and unbound_control.key) and +self-signed certificates (unbound_server.pem and unbound_control.pem). .SH "SEE ALSO" \fIunbound.conf\fR(5), \fIunbound\fR(8). diff --git a/smallapp/unbound-control-setup.sh b/smallapp/unbound-control-setup.sh index 8574856c4..d8bf6c592 100755 
--- a/smallapp/unbound-control-setup.sh +++ b/smallapp/unbound-control-setup.sh @@ -133,15 +133,14 @@ echo "create $CTL_BASE.pem (signed client certificate)" openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -out $CTL_BASE.pem test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem" # create trusted usage pem -openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" +# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem" # see details with openssl x509 -noout -text < $SVR_BASE.pem - -echo "create $CTL_BASE""_browser.pfx (web client certificate)" -echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" -echo "preferences - advanced - encryption - view certificates - your certs" -echo "empty password is used, simply click OK on the password dialog box." -openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" +# echo "create $CTL_BASE""_browser.pfx (web client certificate)" +# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:" +# echo "preferences - advanced - encryption - view certificates - your certs" +# echo "empty password is used, simply click OK on the password dialog box." +# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate" # remove crap rm -f request.cfg
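Review bot: the Changelog entry "removed browser control mentions. Proto speccy." is too terse to tell a reader what actually changed; the same hunk set disables the `.pfx` generation in unbound-control-setup.sh, drops the BROWSER SUPPORT man page section, and adds a new file, none of which the entry names. Suggest something like "- removed browser (https) remote control support and the unbound_control_browser.pfx output of unbound-control-setup.sh." and a second line "- added doc/control_proto_spec.txt describing the unbound-control protocol.".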
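Review bot: the framing in control_proto_spec.txt is ambiguous in two places a client implementer has to get right. First, "in case of error the first line of the response is: error \n" does not say whether a message may follow `error` on that line, or whether a reply beginning with the word `error` can ever be legitimate data; state the exact grammar (for example `error` optionally followed by a space and a text description, then `\n`). Second, for load_cache the terminator is "a line with 'EOF' on it", but the data being loaded is dump_cache output, so say whether a data line can ever equal `EOF` and how the server treats a stream that ends without the sentinel. The per-command entries also omit the argument syntax (flush_name, flush_type, flush_zone, delegation, info, local_zone_add, local_zone_remove, local_data_remove all take a name and/or type on the command line but only local_data_add shows one), and `stats` silently "clears the counters", which is a side effect worth a sentence saying that only one consumer can read a given interval. On the transport line, "SSLv3 or TLSv1 connection setup" documents two versions without saying which the server requires; since the spec already mandates mutual certificate authentication, it should also state the minimum version the server accepts rather than leaving SSLv3 as an acceptable option.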
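Review bot: dropping "Same as BIND rndc uses." from the example.conf.in comment removes an operational hint without replacing it: port 953 is the port rndc uses, so an administrator running BIND and unbound on the same host has to move one of them. Suggest keeping the fact in a form that makes the consequence explicit, for example `# port number for remote control operations (default 953; also used by BIND rndc, change if both run here).`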
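Review bot: the man page hunk removes the BROWSER SUPPORT section and the `unbound_control_browser.pfx` entry under FILES, but gives no guidance to operators who already ran the earlier setup script. The removed text states that the `.pfx` holds the client key and certificate "with an empty password", and the unchanged context says "The script preserves private keys present in the directory", so a stale `unbound_control_browser.pfx` carrying the control client key will remain in the run directory after upgrade. Suggest a sentence in FILES or in the setup description telling administrators to delete any leftover `unbound_control_browser.pfx` from `@UNBOUND_RUN_DIR@`, since it is no longer created or needed.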
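Review bot: in unbound-control-setup.sh the six removed lines are commented out rather than deleted, including the `openssl pkcs12 -export ... -password "pass:"` line; the old text is preserved in version control, so leaving it as dead code only invites someone to re-enable an export that writes the client private key with an empty password. Suggest deleting the `# echo ...` and `# openssl pkcs12 ...` lines outright. The hunk also comments out `openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"`, whose only visible consumer was the pkcs12 line; before merging, confirm that nothing else in the script or the server's configuration expects `$CTL_BASE"_trust.pem"` to exist (not visible in this hunk), and remove the now-orphaned `# create trusted usage pem` comment so the script does not describe a step it no longer performs.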