+12 September 2008: Wouter
+ - removed browser control mentions. Proto speccy.
+
11 September 2008: Wouter
- set nonblocking on new TCP streams, because linux does not inherit
the socket options to the accepted socket.
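Review bot: the entry "removed browser control mentions" gives no reason, and nothing in this diff changes the server side, so a reader cannot tell whether connecting to the control port from a browser is now unsupported or merely undocumented. The 11 September entry shows the register wanted (what changed and why); suggest stating it here too, e.g. "browser access is no longer documented/supported because ...", since operators who followed the old BROWSER SUPPORT man page section will need to know whether their setup still works.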
--- /dev/null
+
+Specification for the unbound-control protocol.
+
+Server listens on 953 TCP (localhost by default). Client connects,
+SSLv3 or TLSv1 connection setup (server selfsigned certificate,
+client has cert signed by server certificate).
+
+Query and Response
+------------------
+Client sends
+ UBCT [commandline] \n
+ fixed string UBCT, then an ascii text line, with a command,
+ some whitespace allowed. Line ends with '\n'.
+
+Server executes command. And sends reply in ascii text over channel,
+closes the channel when done.
+ in case of error the first line of the response is:
+ error <descriptive text possible> \n
+ or the remainder is data of the response.
+
+Queries and responses
+---------------------
+stop
+ no output
+reload
+ no output
+stats
+ output is a list of [name]=[value] lines.
+ clears the counters.
+dump_cache
+ output is a text representation of the cache contents.
+load_cache
+ client sends cache contents (like from dump_cache), stored in the
+ cache. If client sends 'ok' or 'error' lines at start, ignored.
+ end of data indicated with a line with 'EOF' on it.
+flush_name <name>
+ flushes some information regarding the name from the cache.
+ removes the A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR types.
+flush_type <name> <RR type>
+ removes rrtype entry from the cache.
+flush_zone <name>
+ removes name and everything below that name from the cache.
+ has to search through the cache item by item, so this is slow.
+delegation <domain name>
+ see what servers would be queried for the given domain name.
+info <domain name>
+ see data about the domain name
+local_zone_remove <name of local-zone entry>
+ the local-zone entry is removed.
+ All data from the local zone is also deleted.
+ If it did not exist, nothing happens.
+local_zone_add <name of local zone> <type>
+ As the config file entry. Adds new local zone or updates
+ existing zone type.
+local_data_remove <name>
+ Removes local-data (all types) name.
+local_data_add <resource record string>
+ Add new local data record (on the rest of the line).
+ local_data_add www.example.com. IN A 192.0.2.2
+
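Review bot: the connection setup paragraph allows "SSLv3 or TLSv1" and says the client "has cert signed by server certificate", but it never states that the server must verify the client certificate against its own certificate and drop the connection when verification fails; without that sentence, stop, reload, load_cache and the flush_* commands are reachable by anyone who can open TCP 953, so the spec should make client-certificate verification mandatory and prefer fixing the protocol to TLSv1 rather than also accepting SSLv3. Two smaller spec gaps: the response format defines only an "error <text>" first line and "or the remainder is data", so a client cannot distinguish a failed command from a successful one whose data happens to start with "error" (dump_cache output can begin with an owner name), while the load_cache entry mentions 'ok' lines that the response section never defines; suggest a defined success marker (for example a first line "ok") so both sides agree on framing. The stats entry should also say explicitly that the counters are cleared as a side effect of reading, since a monitoring poller and an operator both issuing stats will each see only part of the totals.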
# control-interface: 127.0.0.1
# control-interface: ::1
- # port number for remote control operations. Same as BIND rndc uses.
+ # port number for remote control operations.
# control-port: 953
# unbound server key file.
The script preserves private keys present in the directory.
After running the script as root, turn on \fBcontrol-enable\fR in
\fIunbound.conf\fR.
-.SH "BROWSER SUPPORT"
-It is also possible to administer via a browser. The client key needs
-to be loaded into the browser, the setup script (see above) has generated
-the file \fIunbound_control_browser.pfx\fR, with the client key and
-certificate. By default it is stored with an empty password.
-This can be loaded into a web browser, say Firefox, in the preferences \-
-advanced \- encryption \- view certificates \- your certs window.
-Then connect to the server control port (https://localhost:953) and
-create a security override to accept the self-signed certificate from
-the unbound server.
.SH "FILES"
.TP
.I @ub_conf_file@
unbound configuration file.
.TP
.I @UNBOUND_RUN_DIR@
-directory with private keys (unbound_server.key and unbound_control.key),
-self-signed certificates (unbound_server.pem and unbound_control.pem) and
-unbound_control_browser.pfx file.
+directory with private keys (unbound_server.key and unbound_control.key) and
+self-signed certificates (unbound_server.pem and unbound_control.pem).
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound\fR(8).
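Review bot: the FILES section drops unbound_control_browser.pfx, but installations that already ran the setup script still have that file in @UNBOUND_RUN_DIR@, and it holds the client private key protected by an empty password; since the text above says "The script preserves private keys present in the directory", the script will not clean it up either. Suggest a sentence telling administrators to remove the stale .pfx (or have the setup script delete it) so the unprotected copy of the control client key does not linger after the feature is withdrawn.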
openssl req -key $CTL_BASE.key -config request.cfg -new | openssl x509 -req -days $DAYS -CA $SVR_BASE"_trust.pem" -CAkey $SVR_BASE.key -CAcreateserial -out $CTL_BASE.pem
test -f $CTL_BASE.pem || error "could not create $CTL_BASE.pem"
# create trusted usage pem
-openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
+# openssl x509 -in $CTL_BASE.pem -addtrust clientAuth -out $CTL_BASE"_trust.pem"
# see details with openssl x509 -noout -text < $SVR_BASE.pem
-
-echo "create $CTL_BASE""_browser.pfx (web client certificate)"
-echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
-echo "preferences - advanced - encryption - view certificates - your certs"
-echo "empty password is used, simply click OK on the password dialog box."
-openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
+# echo "create $CTL_BASE""_browser.pfx (web client certificate)"
+# echo "create webbrowser PKCS#12 .PFX certificate file. In Firefox import in:"
+# echo "preferences - advanced - encryption - view certificates - your certs"
+# echo "empty password is used, simply click OK on the password dialog box."
+# openssl pkcs12 -export -in $CTL_BASE"_trust.pem" -inkey $CTL_BASE.key -name "unbound remote control client cert" -out $CTL_BASE"_browser.pfx" -password "pass:" || error "could not create browser certificate"
# remove crap
rm -f request.cfg
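Review bot: the disabled commands are commented out rather than deleted (the _trust.pem line and the five .pfx lines), which leaves dead code and a stale "# create trusted usage pem" comment heading a command that no longer runs; prefer removing the lines outright, since the changelog and man page already record the change. With the -addtrust step gone, $CTL_BASE"_trust.pem" is no longer produced; nothing visible in this hunk still references it, but please confirm that the unbound-control client and the documentation do not expect that file. Dropping the pkcs12 export is a good change in itself, as the client key was being written to an empty-password PKCS#12 file; as a style point, "# remove crap" would read better as "# remove temporary files".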