On 2015/02/17 01:01, Stuart Henderson wrote:
> This updates to the head of the unbound tree, adding Ilya Bakulin's code to
> support unbound-control over a unix domain socket rather than SSL. I don't
> see many standard cases needing the SSL socket any more, so I've removed
> the code from the rc.d script that automatically generates SSL keys when
> control-enable is used; if somebody wants to control from a remote machine
> they can always do this themselves.
>
> Any comments/OKs?
Brad suggested I split out the etc parts for this for separate discussion.
Rather than editing unbound.conf, another option might be to change the
code to allow using the unix socket by default. I'm reluctant to diverge
from upstream code as it's easier to miss during a merge, but perhaps we
could add an autoconf flag to allow setting this by default (which would
then be more palatable for inclusion in upstream code).
Index: etc/unbound.conf
===================================================================
RCS file: /cvs/src/etc/unbound.conf,v
retrieving revision 1.4
diff -u -p -r1.4 unbound.conf
--- etc/unbound.conf 2 Apr 2014 21:43:30 -0000 1.4
+++ etc/unbound.conf 17 Feb 2015 10:20:36 -0000
@@ -37,6 +37,11 @@ server:
#
#tcp-upstream: yes
+remote-control:
+ control-enable: yes
+ control-use-cert: no
+ control-interface: /var/run/unbound.sock
+
# Use an upstream forwarder (recursive resolver) for specific zones.
# Example addresses given below are public resolvers valid as of 2014/03.
#
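Review bot: the new remote-control block is enabled by default with control-use-cert: no, which means access to /var/run/unbound.sock is governed only by the socket's filesystem ownership and mode; unlike the surrounding entries (e.g. "#tcp-upstream: yes"), which are commented-out examples, this block is live. A short comment above "control-use-cert: no" stating that the unix socket relies on file permissions rather than certificates, and that control-use-cert/control-interface need changing for remote (TCP) control, would make the trade-off clear to anyone editing the shipped config.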
Index: etc/rc.d/unbound
===================================================================
RCS file: /cvs/src/etc/rc.d/unbound,v
retrieving revision 1.2
diff -u -p -r1.2 unbound
--- etc/rc.d/unbound 29 Dec 2014 11:17:43 -0000 1.2
+++ etc/rc.d/unbound 17 Feb 2015 10:20:36 -0000
@@ -8,16 +8,9 @@ daemon_flags="-c /var/unbound/etc/unboun
. /etc/rc.d/rc.subr
pexp="unbound${daemon_flags:+ ${daemon_flags}}"
+rc_reload=NO
rc_pre() {
- if grep '^[[:space:]]*control-enable:[[:space:]]*yes' \
- /var/unbound/etc/unbound.conf > /dev/null 2>&1 && \
- ! [[ -f /var/unbound/etc/unbound_server.key ||
- -f /var/unbound/etc/unbound_server.pem ||
- -f /var/unbound/etc/unbound_control.key ||
- -f /var/unbound/etc/unbound_control.pem ]]; then
- /usr/sbin/unbound-control-setup 2> /dev/null
- fi
if grep '^[[:space:]]*auto-trust-anchor-file:' \
/var/unbound/etc/unbound.conf > /dev/null 2>&1; then
/usr/sbin/unbound-anchor -v || true
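Review bot: "+rc_reload=NO" is added without a comment explaining why reload is disabled, and removing the unbound-control-setup block changes behaviour for existing installs: a config that already has "control-enable: yes" but not "control-use-cert: no" and no unbound_server/unbound_control key files will no longer get keys generated at startup. Consider a one-line comment next to rc_reload=NO, and a note in the update instructions that such configs must either switch to the unix socket or run unbound-control-setup once by hand.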