Dag-Erling Smørgrav
2015-01-05 15:37:06 UTC
(sounds like an oxymoron, but by "local socket" I mean AF_LOCAL, which
is the correct name for AF_UNIX.)
I just committed a heavily modified version of Ilya Bakulin's patch
(contrib/unbound_unixsock.diff) to FreeBSD 11. I have attached a
version of the patch relative to Unbound 1.5.1. It also applies cleanly
to ***@3302, but I have not tested the result.
Here is a summary:
Add support for using a local socket for the remote control connection
by specifying its path instead of (or in addition to) an IP address as
an argument to the control-interface configuration variable.
Add support for unencrypted and unauthenticated control connections
through a new configuration variable, control-use-cert. To avoid the
complexity of supporting both SSL socket and plain socket descriptors
in the same code, we just use an unencrypted SSL context and forego
authentication. The downside is that we still have to perform DH kex
when establishing the connection.
This patch was derived (with significant modifications) from the
contrib/unbound_unixsock.diff patch originally submitted by Ilya
Bakulin of Genua mbH.
Note that my patch does not update generated files, so remember to run
autoreconf and regenerate the configuration parser and lexer.
Genua have already released Ilya's part of the patch under the BSD
license. I release my version under the same license.
DES
--
Dag-Erling Smørgrav - ***@des.no
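Added example (not part of the mail above, and not code from Unbound or from the patch): a small Python audit script that reads the remote-control clause of an unbound.conf and reports what the two options described in the mail imply for who can drive the daemon. It assumes, as the mail states, that a control-interface value given as a path (here: starting with "/") selects an AF_LOCAL socket, and it assumes Unbound's documented defaults of control-enable: no and control-use-cert: yes. The parser is a deliberate simplification that handles only bare clause headers and "key: value" lines, not the full unbound.conf grammar; the three configuration fragments are constructed for the example.

```python
import ipaddress
import re

# Constructed unbound.conf fragments (illustrative, not taken from the mail).
# Mixed: a loopback TCP listener plus a local socket, certificates disabled.
MIXED_CONF = """\
server:
    verbosity: 1

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: /var/run/unbound.sock   # path => AF_LOCAL socket
    control-use-cert: no
"""

# Local socket only: access is decided by the socket's file permissions.
LOCAL_ONLY_CONF = """\
remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
    control-use-cert: no
"""

# Unauthenticated, unencrypted control exposed on every interface.
EXPOSED_CONF = """\
remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-use-cert: no
"""

# Matches both bare clause headers ("remote-control:") and "key: value" lines.
_CLAUSE_OR_OPTION = re.compile(r"^([A-Za-z0-9-]+):(?:\s*(.*))?$")


def parse_remote_control(text):
    """Return (enabled, interfaces, use_cert) from the remote-control: clause.

    Defaults (enabled=False, use_cert=True) follow Unbound's documented defaults;
    the parsing itself is a simplification written for this example.
    """
    enabled, interfaces, use_cert = False, [], True
    in_remote_control = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _CLAUSE_OR_OPTION.match(line)
        if not m:
            continue
        key, value = m.group(1), (m.group(2) or "").strip().strip('"')
        if value == "":
            # A bare "name:" line opens a new clause (server:, remote-control:, ...)
            in_remote_control = (key == "remote-control")
            continue
        if not in_remote_control:
            continue
        if key == "control-enable":
            enabled = (value.lower() == "yes")
        elif key == "control-interface":
            interfaces.append(value)
        elif key == "control-use-cert":
            use_cert = (value.lower() == "yes")
    return enabled, interfaces, use_cert


def classify_interface(iface):
    """Return 'local-socket', 'loopback' or 'network' for one control-interface value."""
    if iface.startswith("/"):          # assumption: a path selects an AF_LOCAL socket
        return "local-socket"
    try:
        addr = ipaddress.ip_address(iface)
    except ValueError:
        return "network"               # unparseable: treat conservatively
    return "loopback" if addr.is_loopback else "network"


def audit(text):
    """Return a list of (severity, interface, reason) findings for a config."""
    enabled, interfaces, use_cert = parse_remote_control(text)
    if not enabled:
        return []
    findings = []
    for iface in interfaces:
        kind = classify_interface(iface)
        if kind == "local-socket":
            findings.append(("info", iface,
                             "local socket; access is governed by the socket's file permissions"))
        elif use_cert:
            findings.append(("info", iface,
                             "TLS with client certificate; the control key is required"))
        elif kind == "loopback":
            findings.append(("medium", iface,
                             "control-use-cert: no on loopback; any local user reaching the port controls the daemon"))
        else:
            findings.append(("high", iface,
                             "control-use-cert: no on a network-reachable address; unauthenticated remote control"))
    return findings


def worst_severity(text):
    """Collapse the findings of audit() to the single highest severity."""
    order = {"info": 0, "medium": 1, "high": 2}
    sevs = [s for s, _, _ in audit(text)]
    return max(sevs, key=order.get) if sevs else "none"


if __name__ == "__main__":
    for name, conf in (("mixed", MIXED_CONF), ("local-only", LOCAL_ONLY_CONF), ("exposed", EXPOSED_CONF)):
        print(f"{name}: {worst_severity(conf)}")
        for sev, iface, reason in audit(conf):
            print(f"  [{sev}] {iface}: {reason}")
```

The point the script makes concrete is the trade-off in the mail: control-use-cert: no removes authentication, so it is only as safe as whatever else restricts who can reach the listener. With a local socket that is the socket file's owner, group and mode; on a loopback address it is every local user; on a routable address it is everyone who can reach the port.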