Re: DNS control port additions to /etc/services
On 2014/07/16 11:02, Craig R. Skinner wrote: > On 2014-07-15 Tue 16:04 PM |, Theo de Raadt wrote: > > >On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: > > >> > > >> Suggestion of add NSD, Unbound & BIND control ports to /etc/services: > > > > > >Makes sense to me. Anyone want to OK this? > > > > > >> Index: etc/services > > >> === > > >> RCS file: /cvs/src/etc/services,v > > >> retrieving revision 1.87 > > >> diff -u -p -r1.87 services > > >> --- etc/services 12 Jul 2014 14:51:07 - 1.87 > > >> +++ etc/services 15 Jul 2014 11:17:31 - 
> > >> @@ -181,6 +181,8 @@ kerberos-adm 749/tcp # > > >> Kerberos 5 kad > > >> kerberos-adm749/udp # Kerberos 5 kadmin > > >> rsync 873/tcp # rsync server > > >> cddb888/tcp cddbp # Audio CD Database > > >> +named-rndc 953/tcp # Domain Name System > > >> (DNS) BIND RNDC Service > > >> +named-rndc 953/udp # Domain Name System > > >> (DNS) BIND RNDC Service > > >> imaps 993/tcp # imap4 protocol over > > >> TLS/SSL > > >> imaps 993/udp # imap4 protocol over > > >> TLS/SSL > > >> pop3s 995/tcp spop3 # pop3 protocol over > > >> TLS/SSL > > > > That means two more reserved ports are taken out of the bucket. > > > > Strip out the Kerberos stuff?: Not sure (Antoine would know better), but this may be needed for Kerberos in ports. > > $ fgrep -i Kerberos etc/services > kerberos 88/udp kerberos-sec# Kerberos 5 UDP > kerberos 88/tcp kerberos-sec# Kerberos 5 TCP > kpasswd 464/tcp # Kerberos 5 password > changing > kpasswd 464/udp # Kerberos 5 password > changing > klogin543/tcp # Kerberos > authenticated rlogin > kshell544/tcp krcmd # Kerberos remote shell > ekshell 545/tcp # Kerberos encrypted > shell > kerberos-adm 749/tcp # Kerberos 5 kadmin > kerberos-adm 749/udp # Kerberos 5 kadmin > kpop 1109/tcp# Pop with Kerberos > eklogin 2105/tcp# Kerberos encrypted > rlogin > rkinit2108/tcp# Kerberos remote kinit > kx2111/tcp# X over kerberos > kip 2112/tcp# IP over kerberos > iprop 2121/tcp# Kerberos incremental > propagation > krb524/tcp# Kerberos 5->4 > krb524/udp# Kerberos 5->4 > afs3-kaserver 7004/tcp# AFS kerberos authentication > server > afs3-kaserver 7004/udp# AFS kerberos authentication > server > kerberos-iv 750/udp kdc # Kerberos authentication--udp > kerberos-iv 750/tcp kdc # Kerberos authentication--tcp > kerberos_master 751/udp # Kerberos 4 kadmin > kerberos_master 751/tcp # Kerberos 4 kadmin > krb_prop 754/tcp hprop # Kerberos slave propagation > krbupdate 760/tcp kreg# BSD Kerberos registration >
Re: DNS control port additions to /etc/services
On 2014-07-15 Tue 16:04 PM |, Theo de Raadt wrote: > >On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: > >> > >> Suggestion of add NSD, Unbound & BIND control ports to /etc/services: > > > >Makes sense to me. Anyone want to OK this? > > > >> Index: etc/services > >> === > >> RCS file: /cvs/src/etc/services,v > >> retrieving revision 1.87 > >> diff -u -p -r1.87 services > >> --- etc/services 12 Jul 2014 14:51:07 - 1.87 > >> +++ etc/services 15 Jul 2014 11:17:31 - 
> >> @@ -181,6 +181,8 @@ kerberos-adm 749/tcp # > >> Kerberos 5 kad > >> kerberos-adm 749/udp # Kerberos 5 kadmin > >> rsync 873/tcp # rsync server > >> cddb 888/tcp cddbp # Audio CD Database > >> +named-rndc953/tcp # Domain Name System > >> (DNS) BIND RNDC Service > >> +named-rndc953/udp # Domain Name System > >> (DNS) BIND RNDC Service > >> imaps 993/tcp # imap4 protocol over > >> TLS/SSL > >> imaps 993/udp # imap4 protocol over > >> TLS/SSL > >> pop3s 995/tcp spop3 # pop3 protocol over > >> TLS/SSL > > That means two more reserved ports are taken out of the bucket. > Strip out the Kerberos stuff?: $ fgrep -i Kerberos etc/services kerberos88/udp kerberos-sec# Kerberos 5 UDP kerberos88/tcp kerberos-sec# Kerberos 5 TCP kpasswd 464/tcp # Kerberos 5 password changing kpasswd 464/udp # Kerberos 5 password changing klogin 543/tcp # Kerberos authenticated rlogin kshell 544/tcp krcmd # Kerberos remote shell ekshell 545/tcp # Kerberos encrypted shell kerberos-adm749/tcp # Kerberos 5 kadmin kerberos-adm749/udp # Kerberos 5 kadmin kpop1109/tcp# Pop with Kerberos eklogin 2105/tcp# Kerberos encrypted rlogin rkinit 2108/tcp# Kerberos remote kinit kx 2111/tcp# X over kerberos kip 2112/tcp# IP over kerberos iprop 2121/tcp# Kerberos incremental propagation krb524 /tcp# Kerberos 5->4 krb524 /udp# Kerberos 5->4 afs3-kaserver 7004/tcp# AFS kerberos authentication server afs3-kaserver 7004/udp# AFS kerberos authentication server kerberos-iv 750/udp kdc # Kerberos authentication--udp kerberos-iv 750/tcp kdc # Kerberos authentication--tcp kerberos_master 751/udp # Kerberos 4 kadmin kerberos_master 751/tcp # Kerberos 4 kadmin krb_prop754/tcp hprop # Kerberos slave propagation krbupdate 760/tcp kreg# BSD Kerberos registration
Re: DNS control port additions to /etc/services
>BIND uses TCP for the control socket, so if this does go in, please
>do not list the UDP one.

Correct.  For any service that runs on only one protocol, do not list
the other protocol.
Re: DNS control port additions to /etc/services
>> Date: Tue, 15 Jul 2014 17:17:45 +0200
>> From: Antoine Jacoutot
>>
>> But be careful, this is not a user-editable file anymore, so we need
>> to take into account that some stuffs that may not appear obvious to
>> us may still be needed by people.
>
>That's a mistake.  You're supposed to be able to add ports in there
>for custom software such that you can use getservbyname(3) and don't
>have to hardcode the port number in your code and be sure that
>something else doesn't camp out on that port because of port
>randomization.

Give us time to figure out how this is going to work.  This isn't some
part of the tree that can be built in one step.  sysmerge is going to
change drastically in the next week.  Wait and see.
Re: DNS control port additions to /etc/services
>On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: >> >> Suggestion of add NSD, Unbound & BIND control ports to /etc/services: > >Makes sense to me. Anyone want to OK this? > >> Index: etc/services >> === >> RCS file: /cvs/src/etc/services,v >> retrieving revision 1.87 >> diff -u -p -r1.87 services >> --- etc/services 12 Jul 2014 14:51:07 - 1.87 >> +++ etc/services 15 Jul 2014 11:17:31 - >> @@ -181,6 +181,8 @@ kerberos-adm 749/tcp # >> Kerberos 5 kad >> kerberos-adm749/udp # Kerberos 5 kadmin >> rsync 873/tcp # rsync server >> cddb888/tcp cddbp # Audio CD Database >> +named-rndc 953/tcp # Domain Name System (DNS) BIND >> RNDC Service >> +named-rndc 953/udp # Domain Name System (DNS) BIND >> RNDC Service >> imaps 993/tcp # imap4 protocol over >> TLS/SSL >> imaps 993/udp # imap4 protocol over >> TLS/SSL >> pop3s 995/tcp spop3 # pop3 protocol over >> TLS/SSL That means two more reserved ports are taken out of the bucket.
Re: DNS control port additions to /etc/services
previously on this list Claudio Jeker contributed:

> IMO /etc/services should not be overwritten on upgrade.
> Also if people are careful and only append at the end then merging the
> file with sysmerge should be trivial.

Isn't it trivial to sysmerge in any case?

Then again so is adding a line to rc.local using sed, ed, perl, cat or
whatever you prefer to inject/append your changes?

-- 
___
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface' (Doug McIlroy)

In Other Words - Don't design like polkit or systemd
___
Re: DNS control port additions to /etc/services
On Tue, Jul 15, 2014 at 05:53:36PM +0200, Antoine Jacoutot wrote:
> On Tue, Jul 15, 2014 at 05:51:46PM +0200, Mark Kettenis wrote:
> > > Date: Tue, 15 Jul 2014 17:17:45 +0200
> > > From: Antoine Jacoutot
> > >
> > > But be careful, this is not a user-editable file anymore, so we need
> > > to take into account that some stuffs that may not appear obvious to
> > > us may still be needed by people.
> >
> > That's a mistake.  You're supposed to be able to add ports in there
> > for custom software such that you can use getservbyname(3) and don't
> > have to hardcode the port number in your code and be sure that
> > something else doesn't camp out on that port because of port
> > randomization.
>
> You can still edit the file, but it will be overwritten on upgrade.
> If you need new entries, they can be committed.
>

I think Mark is talking about stuff that is not in the ports tree.
I had local additions to services in the past and may use that again for
convenience, e.g. to remember on what magic port some webfrontend is
running.
IMO /etc/services should not be overwritten on upgrade.
Also if people are careful and only append at the end then merging the
file with sysmerge should be trivial.

-- 
:wq Claudio
Re: DNS control port additions to /etc/services
On Tue, Jul 15, 2014 at 05:51:46PM +0200, Mark Kettenis wrote:
> > Date: Tue, 15 Jul 2014 17:17:45 +0200
> > From: Antoine Jacoutot
> >
> > But be careful, this is not a user-editable file anymore, so we need
> > to take into account that some stuffs that may not appear obvious to
> > us may still be needed by people.
>
> That's a mistake.  You're supposed to be able to add ports in there
> for custom software such that you can use getservbyname(3) and don't
> have to hardcode the port number in your code and be sure that
> something else doesn't camp out on that port because of port
> randomization.

You can still edit the file, but it will be overwritten on upgrade.
If you need new entries, they can be committed.

-- 
Antoine
Re: DNS control port additions to /etc/services
> Date: Tue, 15 Jul 2014 17:17:45 +0200
> From: Antoine Jacoutot
>
> But be careful, this is not a user-editable file anymore, so we need
> to take into account that some stuffs that may not appear obvious to
> us may still be needed by people.

That's a mistake.  You're supposed to be able to add ports in there
for custom software such that you can use getservbyname(3) and don't
have to hardcode the port number in your code and be sure that
something else doesn't camp out on that port because of port
randomization.
Re: DNS control port additions to /etc/services
On Tue, Jul 15, 2014 at 04:35:58PM +0100, Stuart Henderson wrote:
> On 2014/07/15 17:17, Antoine Jacoutot wrote:
> > > > Well it depends what policy we want. Looking at the file most entries
> > > > have both even if only one protocol is effectively in use.
> > >
> > > Looking at the file though, most of those are older entries - I think
> >
> > Yes. The reason is this:
> > "
> > # Note that it is presently the policy of IANA to assign a single well-known
> > # port number for both TCP and UDP; hence, most entries here have two entries
> > # even if the protocol doesn't support UDP operations.
> > "
> >
> > > new entries should be specific, and where we have knowledge of the
> > > protocols we should remove silly old ones. BGP, Gopher, HTTP, POP,
> > > and IMAP over UDP look like good candidates for example..
> >
> > I am all in favor of cleaning this file and removing useless entries.
> > But be careful, this is not a user-editable file anymore,
>
> It isn't? Oh dear...

No. That is why we can relax the rules a *little*.

-- 
Antoine
Re: DNS control port additions to /etc/services
On 2014/07/15 17:17, Antoine Jacoutot wrote:
> > > Well it depends what policy we want. Looking at the file most entries
> > > have both even if only one protocol is effectively in use.
> >
> > Looking at the file though, most of those are older entries - I think
>
> Yes. The reason is this:
> "
> # Note that it is presently the policy of IANA to assign a single well-known
> # port number for both TCP and UDP; hence, most entries here have two entries
> # even if the protocol doesn't support UDP operations.
> "
>
> > new entries should be specific, and where we have knowledge of the
> > protocols we should remove silly old ones. BGP, Gopher, HTTP, POP,
> > and IMAP over UDP look like good candidates for example..
>
> I am all in favor of cleaning this file and removing useless entries.
> But be careful, this is not a user-editable file anymore,

It isn't? Oh dear...
Re: DNS control port additions to /etc/services
> > Well it depends what policy we want. Looking at the file most entries have
> > both even if only one protocol is effectively in use.
>
> Looking at the file though, most of those are older entries - I think

Yes. The reason is this:
"
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
"

> new entries should be specific, and where we have knowledge of the
> protocols we should remove silly old ones. BGP, Gopher, HTTP, POP,
> and IMAP over UDP look like good candidates for example..

I am all in favor of cleaning this file and removing useless entries.
But be careful, this is not a user-editable file anymore, so we need to
take into account that some stuff that may not appear obvious to us may
still be needed by people.

-- 
Antoine
Re: DNS control port additions to /etc/services
On 2014/07/15 16:35, Antoine Jacoutot wrote: > > I'll discuss tweaks to the diff below but I'm in two minds about whether > > we want it. We don't enable the control socket in unbound by default at > > present (there is a diff somewhere to move this to unix domain sockets > > which we'd much prefer over network sockets..) Be aware, there is a > > downside to adding entries to /etc/services on OpenBSD. It isn't just a > > handy list of ports, it is used to populate net.inet.tcp.baddynamic and > > net.inet.udp.baddynamic which are used to block off ports from dynamic > > port allocation. > > Absolutely! > > > > > +named-rndc 953/tcp # Domain Name System > > > > (DNS) BIND RNDC Service > > > > +named-rndc 953/udp # Domain Name System > > > > (DNS) BIND RNDC Service > > > > BIND uses TCP for the control socket, so if this does go in, please > > do not list the UDP one. > > Well it depends what policy we want. Looking at the file most entries have > both even if only one protocol is effectively in use. Looking at the file though, most of those are older entries - I think new entries should be specific, and where we have knowledge of the protocols we should remove silly old ones. BGP, Gopher, HTTP, POP, and IMAP over UDP look like good candidates for example.. > > > > 12345678901234567890123456789012345678901234567890123456789012345678901234567890 > > > > imaps 993/tcp # imap4 protocol over > > > > TLS/SSL > > > > imaps 993/udp # imap4 protocol over > > > > TLS/SSL > > > > pop3s 995/tcp spop3 # pop3 protocol over > > > > TLS/SSL 
> > > > @@ -301,6 +303,8 @@ spamd 8025/tcp > > > > # spamd(8) > > > > spamd-sync 8025/udp# spamd(8) > > > > synchronisation > > > > spamd-cfg 8026/tcp# spamd(8) configuration > > > > dhcpd-sync 8067/udp# dhcpd(8) > > > > synchronisation > > > > +nsd-cntl 8952/tcp# NSD authoritative DNS > > > > server control > > > > +unbound-cntl 8953/tcp# Unbound validating, > > > > recursive, and caching DNS server control > > > > hunt 26740/udp # hunt(6) > > > > +1 on sperreault's comment to use iana names. And let's try not > > to go over 80 columns unnecessarily please. Oh, 8953 is in already.
Re: DNS control port additions to /etc/services
> I'll discuss tweaks to the diff below but I'm in two minds about whether > we want it. We don't enable the control socket in unbound by default at > present (there is a diff somewhere to move this to unix domain sockets > which we'd much prefer over network sockets..) Be aware, there is a > downside to adding entries to /etc/services on OpenBSD. It isn't just a > handy list of ports, it is used to populate net.inet.tcp.baddynamic and > net.inet.udp.baddynamic which are used to block off ports from dynamic > port allocation. Absolutely! > > > +named-rndc 953/tcp # Domain Name System > > > (DNS) BIND RNDC Service > > > +named-rndc 953/udp # Domain Name System > > > (DNS) BIND RNDC Service > > BIND uses TCP for the control socket, so if this does go in, please > do not list the UDP one. Well it depends what policy we want. Looking at the file most entries have both even if only one protocol is effectively in use. > > 12345678901234567890123456789012345678901234567890123456789012345678901234567890 > > > imaps993/tcp # imap4 protocol over > > > TLS/SSL > > > imaps993/udp # imap4 protocol over > > > TLS/SSL > > > pop3s995/tcp spop3 # pop3 protocol over > > > TLS/SSL > > > @@ -301,6 +303,8 @@ spamd 8025/tcp# > > > spamd(8) > > > spamd-sync 8025/udp# spamd(8) > > > synchronisation > > > spamd-cfg8026/tcp# spamd(8) configuration > > > dhcpd-sync 8067/udp# dhcpd(8) > > > synchronisation > > > +nsd-cntl 8952/tcp# NSD authoritative DNS server > > > control > > > +unbound-cntl 8953/tcp# Unbound validating, > > > recursive, and caching DNS server control > > > hunt 26740/udp # hunt(6) > > +1 on sperreault's comment to use iana names. And let's try not > to go over 80 columns unnecessarily please. > -- Antoine
Re: DNS control port additions to /etc/services
On 2014/07/15 15:51, Antoine Jacoutot wrote: > On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: > > > > Suggestion of add NSD, Unbound & BIND control ports to /etc/services: > Makes sense to me. Anyone want to OK this? I'll discuss tweaks to the diff below but I'm in two minds about whether we want it. We don't enable the control socket in unbound by default at present (there is a diff somewhere to move this to unix domain sockets which we'd much prefer over network sockets..) Be aware, there is a downside to adding entries to /etc/services on OpenBSD. It isn't just a handy list of ports, it is used to populate net.inet.tcp.baddynamic and net.inet.udp.baddynamic which are used to block off ports from dynamic port allocation. > > +named-rndc 953/tcp # Domain Name System (DNS) BIND > > RNDC Service > > +named-rndc 953/udp # Domain Name System (DNS) BIND > > RNDC Service BIND uses TCP for the control socket, so if this does go in, please do not list the UDP one. 12345678901234567890123456789012345678901234567890123456789012345678901234567890 > > imaps 993/tcp # imap4 protocol over > > TLS/SSL > > imaps 993/udp # imap4 protocol over > > TLS/SSL > > pop3s 995/tcp spop3 # pop3 protocol over > > TLS/SSL > > @@ -301,6 +303,8 @@ spamd 8025/tcp# > > spamd(8) > > spamd-sync 8025/udp# spamd(8) synchronisation > > spamd-cfg 8026/tcp# spamd(8) configuration > > dhcpd-sync 8067/udp# dhcpd(8) synchronisation > > +nsd-cntl 8952/tcp# NSD authoritative DNS server > > control > > +unbound-cntl 8953/tcp# Unbound validating, > > recursive, and caching DNS server control > > hunt 26740/udp # hunt(6) +1 on sperreault's comment to use iana names. And let's try not to go over 80 columns unnecessarily please.
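Stuart's point above (an /etc/services entry on OpenBSD is not just a lookup table, it also takes a port out of the dynamic range via net.inet.tcp.baddynamic and net.inet.udp.baddynamic) and Mark's earlier one about getservbyname(3) lookups, shown together in a runnable form. This is an added example for this page, not OpenBSD's rc script and not code from anyone in the thread. It parses services(5)-style lines from a constructed snippet that embeds the four entries the patch adds, builds the per-protocol port list a boot script would hand to the baddynamic sysctls, and does a name-plus-protocol lookup (aliases included) the way getservbyname(3) resolves a name. The "+port" list format, the function names and the sample lines are assumptions for illustration; the real boot script's exact command line may differ.

```shell
#!/bin/sh
# Added example: what an /etc/services entry costs on OpenBSD.
# Constructed services(5)-style input (spaces instead of the real file's
# tabs; the parser below accepts both). It contains a few stock lines plus
# the four entries proposed in this thread.
SERVICES_SAMPLE='# comment line, ignored
rsync           873/tcp                 # rsync server
cddb            888/tcp   cddbp         # Audio CD Database
named-rndc      953/tcp                 # BIND RNDC Service
named-rndc      953/udp                 # BIND RNDC Service (TCP-only service)
imaps           993/tcp                 # imap4 protocol over TLS/SSL
nsd-cntl        8952/tcp                # NSD control
unbound-cntl    8953/tcp                # Unbound control
'

# normalize: drop comments and blank lines, collapse whitespace, and turn
# "port/proto" into "port proto" so plain read(1) can split the fields:
#   name port proto [alias ...]
normalize() {
	sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e 's,/, ,' -e '/^ *$/d'
}

# baddynamic_list PROTO: comma-separated "+port" list for PROTO. Every
# entry with that protocol becomes one port reserved out of the dynamic
# range. The "+port" shape is an assumption about the sysctl syntax used
# to add to net.inet.PROTO.baddynamic; the counting is the point.
baddynamic_list() {
	_ban=
	while read -r _name _port _srv _rest; do
		[ "$_srv" = "$1" ] || continue
		_ban="${_ban:+$_ban,}+$_port"
	done <<EOF
$(printf '%s' "$SERVICES_SAMPLE" | normalize)
EOF
	printf '%s\n' "$_ban"
}

# service_port NAME PROTO: print the port for NAME/PROTO, matching the
# primary name or any alias, like getservbyname(3); return 1 if unknown.
service_port() {
	while read -r _name _port _srv _aliases; do
		[ "$_srv" = "$2" ] || continue
		for _n in $_name $_aliases; do
			if [ "$_n" = "$1" ]; then
				printf '%s\n' "$_port"
				return 0
			fi
		done
	done <<EOF
$(printf '%s' "$SERVICES_SAMPLE" | normalize)
EOF
	return 1
}

# report: show the cost of each protocol line in the sample.
report() {
	echo "tcp baddynamic additions: $(baddynamic_list tcp)"
	echo "udp baddynamic additions: $(baddynamic_list udp)"
	echo "named-rndc/udp -> $(service_port named-rndc udp)  (reserved, yet rndc never listens on UDP)"
	echo "cddbp/tcp (alias lookup) -> $(service_port cddbp tcp)"
}

report
```

Running it shows the UDP list containing only +953: that is the single UDP port the named-rndc 953/udp line would remove from the dynamic pool for a service that only ever speaks TCP, which is the cost Stuart and Theo object to. The alias lookup (cddbp resolving to 888) is why local, appended entries let code call getservbyname(3) instead of hardcoding a port.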
Re: DNS control port additions to /etc/services
On Tue, Jul 15, 2014 at 10:06:10AM -0400, Simon Perreault wrote:
> On 2014-07-15 09:51, Antoine Jacoutot wrote:
> >>+unbound-cntl 8953/tcp# Unbound validating,
> >>recursive, and caching DNS server control
>
> The IANA name for this port is "ub-dns-control".
>
> http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8953
>
> Does that matter at all?

We should use the iana assigned name. If unbound-cntl is really needed,
we can add it as an alias.

-- 
Antoine
Re: DNS control port additions to /etc/services
On 2014-07-15 09:51, Antoine Jacoutot wrote:
> +unbound-cntl 8953/tcp# Unbound validating, recursive, and caching DNS server control

The IANA name for this port is "ub-dns-control".

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?search=8953

Does that matter at all?

Simon
Re: DNS control port additions to /etc/services
On Tue, Jul 15, 2014 at 12:22:37PM +0100, Craig R. Skinner wrote: > > Suggestion of add NSD, Unbound & BIND control ports to /etc/services: Makes sense to me. Anyone want to OK this? > Index: etc/services > === > RCS file: /cvs/src/etc/services,v > retrieving revision 1.87 > diff -u -p -r1.87 services > --- etc/services 12 Jul 2014 14:51:07 - 1.87 > +++ etc/services 15 Jul 2014 11:17:31 - > @@ -181,6 +181,8 @@ kerberos-adm 749/tcp # > Kerberos 5 kad > kerberos-adm 749/udp # Kerberos 5 kadmin > rsync873/tcp # rsync server > cddb 888/tcp cddbp # Audio CD Database > +named-rndc 953/tcp # Domain Name System (DNS) BIND > RNDC Service > +named-rndc 953/udp # Domain Name System (DNS) BIND > RNDC Service > imaps993/tcp # imap4 protocol over > TLS/SSL > imaps993/udp # imap4 protocol over > TLS/SSL > pop3s995/tcp spop3 # pop3 protocol over > TLS/SSL > @@ -301,6 +303,8 @@ spamd 8025/tcp# > spamd(8) > spamd-sync 8025/udp# spamd(8) synchronisation > spamd-cfg8026/tcp# spamd(8) configuration > dhcpd-sync 8067/udp# dhcpd(8) synchronisation > +nsd-cntl 8952/tcp# NSD authoritative DNS server > control > +unbound-cntl 8953/tcp# Unbound validating, > recursive, and caching DNS server control > hunt 26740/udp # hunt(6) > # > # Appletalk > -- Antoine
DNS control port additions to /etc/services
Suggestion of add NSD, Unbound & BIND control ports to /etc/services: Index: etc/services === RCS file: /cvs/src/etc/services,v retrieving revision 1.87 diff -u -p -r1.87 services --- etc/services12 Jul 2014 14:51:07 - 1.87 +++ etc/services15 Jul 2014 11:17:31 - @@ -181,6 +181,8 @@ kerberos-adm749/tcp # Kerberos 5 kad kerberos-adm 749/udp # Kerberos 5 kadmin rsync 873/tcp # rsync server cddb 888/tcp cddbp # Audio CD Database +named-rndc 953/tcp # Domain Name System (DNS) BIND RNDC Service +named-rndc 953/udp # Domain Name System (DNS) BIND RNDC Service imaps 993/tcp # imap4 protocol over TLS/SSL imaps 993/udp # imap4 protocol over TLS/SSL pop3s 995/tcp spop3 # pop3 protocol over TLS/SSL @@ -301,6 +303,8 @@ spamd 8025/tcp# spamd(8) spamd-sync 8025/udp# spamd(8) synchronisation spamd-cfg 8026/tcp# spamd(8) configuration dhcpd-sync 8067/udp# dhcpd(8) synchronisation +nsd-cntl 8952/tcp# NSD authoritative DNS server control +unbound-cntl 8953/tcp# Unbound validating, recursive, and caching DNS server control hunt 26740/udp # hunt(6) # # Appletalk
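Review bot: in the first hunk (@@ -181,6 +181,8 @@) the `+named-rndc 953/udp` line should be dropped. BIND's rndc control channel is TCP-only, and on OpenBSD every entry in /etc/services is fed into net.inet.udp.baddynamic, so this line would take 953/udp out of the dynamic port pool for a service that never listens there; keep only `+named-rndc 953/tcp`. Its comment `# Domain Name System (DNS) BIND RNDC Service` also pushes the line past 80 columns; something like `# BIND rndc(8) control` matches the length of the neighbouring rsync and cddb comments. As with the second hunk, check the name against the IANA registry entry for 953 before committing, and add named-rndc as an alias if the registered name differs.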
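Review bot: in the second hunk (@@ -301,6 +303,8 @@) the `+unbound-cntl 8953/tcp` entry uses a name that does not match the IANA registration for 8953, which is ub-dns-control (see Simon Perreault's link in this thread); list the IANA name first and keep unbound-cntl as an alias only if something depends on it, e.g. `ub-dns-control 8953/tcp unbound-cntl # Unbound control`. The same registry check applies to `+nsd-cntl 8952/tcp`. The comment `# Unbound validating, recursive, and caching DNS server control` runs well past 80 columns and should be cut to a few words like the spamd and dhcpd comments around it. Also confirm 8953 is not already present elsewhere in the file (Stuart says it is): the three context lines on each side of this hunk cannot show a duplicate registered under a different name in another part of the file.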