[Unbound-users] [PATCH] UNIX sockets support for unbound-control

Ilya Bakulin Ilya_Bakulin at genua.de
Fri Aug 3 14:10:51 UTC 2012


Hi all,
We develop a product that contains unbound server, and we want to use 
unbound-control utility for managing running unbound instances. This utility 
looks very powerful, with ability to query server status, flush/restore zone 
caches and even add new zone entries on the fly.
One thing that we miss is the ability to control unbound via unix sockets. 
This may be quite useful and secure setup. Using unix sockets makes it 
possible to use traditional unix permissions for controlling access to 
unbound, and it's impossible to access control interface when an attacker 
occasionally breaks some other chrooted process on the system (because chroot 
restricts access only to file system namespace, not to IP sockets namespace). 
The other advantage is that they are faster than local TCP, which may be 
useful if loading cache via load_cache command.

Attached is a patch that adds unix sockets support to unbound and 
unbound-control. After applying patch it is possible to have such 
configuration:
>>>>>>>>>>>>>>>>>>>>>>>>>>
remote-control:
        control-enable: yes
        control-interface: /tmp/unbound.sock
        server-key-file: /cage/unbound/etc/unbound_server.key
        server-cert-file: /cage/unbound/etc/unbound_server.pem
        control-key-file: /cage/unbound/etc/unbound_control.key
        control-cert-file: /cage/unbound/etc/unbound_control.pem
>>>>>>>>>>>>>>>>>>>>>>>>>>
Additionally, this patch fixes log_addr() function in libunbound, that is not 
fully compatible with unix sockets.

This patch is made for unbound 1.4.15.

Please review attached patch and tell me if you find this feature useful! :-)

--
Best regards,
Ilya Bakulin

genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound_unixsock_for_control.diff
Type: text/x-diff
Size: 4829 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20120803/08e2eaa1/attachment.bin>


More information about the Unbound-users mailing list