ok

Stuart Henderson(st...@openbsd.org) on 2015.07.19 17:55:00 +0100:
> In the past, the only option for unbound-control was a TCP socket
> using SSL/TLS, but nowadays it also supports unix domain sockets,
> so it seems like it would be reasonable to enable it by default
> in our configuration so that users added to the _unbound group
> can access stats and do various types of runtime reconfiguration.
> We can then also get rid of the not-squeaky-clean config check
> and cert generation from the rc script.
> 
> I've been using this for ages. Any comments? OK?
> 
> srw-rw----  1 _unbound  _unbound  0 Jul 18 08:43 /var/run/unbound.sock
> 
> Index: rc.d/unbound
> ===================================================================
> RCS file: /cvs/src/etc/rc.d/unbound,v
> retrieving revision 1.2
> diff -u -p -r1.2 unbound
> --- rc.d/unbound      29 Dec 2014 11:17:43 -0000      1.2
> +++ rc.d/unbound      19 Jul 2015 16:47:12 -0000
> @@ -10,14 +10,6 @@ daemon_flags="-c /var/unbound/etc/unboun
>  pexp="unbound${daemon_flags:+ ${daemon_flags}}"
>  
>  rc_pre() {
> -     if grep '^[[:space:]]*control-enable:[[:space:]]*yes' \
> -         /var/unbound/etc/unbound.conf > /dev/null 2>&1 && \
> -         ! [[ -f /var/unbound/etc/unbound_server.key ||
> -         -f /var/unbound/etc/unbound_server.pem ||
> -         -f /var/unbound/etc/unbound_control.key ||
> -         -f /var/unbound/etc/unbound_control.pem ]]; then
> -             /usr/sbin/unbound-control-setup 2> /dev/null
> -     fi
>       if grep '^[[:space:]]*auto-trust-anchor-file:' \
>              /var/unbound/etc/unbound.conf > /dev/null 2>&1; then
>               /usr/sbin/unbound-anchor -v || true
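Review bot: dropping this block changes behaviour for configs that already set `control-enable: yes` without `control-use-cert: no`; the removed grep/`unbound-control-setup` path was what silently created `unbound_server.{key,pem}` and `unbound_control.{key,pem}` on first boot, so such setups now need either the new `control-use-cert: no` setting or a manual `unbound-control-setup` run before `unbound-control` works again. Worth a line in the commit message or upgrade notes, since the failure only shows up at the next `unbound-control` call rather than at rc time.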
> Index: unbound.conf
> ===================================================================
> RCS file: /cvs/src/etc/unbound.conf,v
> retrieving revision 1.4
> diff -u -p -r1.4 unbound.conf
> --- unbound.conf      2 Apr 2014 21:43:30 -0000       1.4
> +++ unbound.conf      19 Jul 2015 16:47:12 -0000
> @@ -37,6 +37,11 @@ server:
>       #
>       #tcp-upstream: yes
>  
> +remote-control:
> +     control-enable: yes
> +     control-use-cert: no
> +     control-interface: /var/run/unbound.sock
> +
>  # Use an upstream forwarder (recursive resolver) for specific zones.
>  # Example addresses given below are public resolvers valid as of 2014/03.
>  #
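Review bot: with `control-use-cert: no` the TLS client-certificate check is gone, so the socket's owner/mode (the `srw-rw---- _unbound _unbound` shown above) is the only access control, and membership in `_unbound` grants the full `unbound-control` command set, including runtime reconfiguration. Suggest a short comment above `remote-control:` saying exactly that, so an admin adding a user to `_unbound` for read-only stats knows what else the group now grants.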
> 
