- unbound-control has version number in the header,

UBCT[version]_space_ is the header sent by the client now.
- Unbound control port number is registered with IANA:
  ub-dns-control  8953/tcp    unbound dns nameserver control
  This is the new default for the control-port config setting.


git-svn-id: file:///svn/unbound/trunk@2424 be551aaa-1e26-0410-a405-d3ace91eadb9

config.h.in

@@ -871,4 +871,10 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 
 /** default port for DNS traffic. */
 #define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+    ub-dns-control  8953/tcp    unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
 

configure.ac

@@ -930,6 +930,12 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 
 /** default port for DNS traffic. */
 #define UNBOUND_DNS_PORT 53
+/** default port for unbound control traffic, registered port with IANA,
+    ub-dns-control  8953/tcp    unbound dns nameserver control */
+#define UNBOUND_CONTROL_PORT 8953
+/** the version of unbound-control that this software implements */
+#define UNBOUND_CONTROL_VERSION 1
+
 ])
 
 AC_CONFIG_FILES([Makefile doc/example.conf doc/libunbound.3 doc/unbound.8 doc/unbound-anchor.8 doc/unbound-checkconf.8 doc/unbound.conf.5 doc/unbound-control.8])

daemon/remote.c

@@ -1871,7 +1871,8 @@ static void
 handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 {
 	int r;
-	char magic[5];
+	char pre[10];
+	char magic[7];
 	char buf[1024];
 #ifdef USE_WINSOCK
 	/* makes it possible to set the socket blocking again. */
@@ -1880,7 +1881,7 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 #endif
 	fd_set_block(s->c->fd);
 
-	/* try to read magic UBCT string */
+	/* try to read magic UBCT[version]_space_ string */
 	ERR_clear_error();
 	if((r=SSL_read(ssl, magic, (int)sizeof(magic)-1)) <= 0) {
 		if(SSL_get_error(ssl, r) == SSL_ERROR_ZERO_RETURN)
@@ -1888,9 +1889,10 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 		log_crypto_err("could not SSL_read");
 		return;
 	}
-	magic[4] = 0;
+	magic[6] = 0;
-	if( r != 4 || strcmp(magic, "UBCT") != 0) {
+	if( r != 6 || strncmp(magic, "UBCT", 4) != 0) {
 		verbose(VERB_QUERY, "control connection has bad magic string");
+		/* probably wrong tool connected, ignore it completely */
 		return;
 	}
 
@@ -1898,6 +1900,13 @@ handle_req(struct daemon_remote* rc, struct rc_state* s, SSL* ssl)
 	if(!ssl_read_line(ssl, buf, sizeof(buf))) {
 		return;
 	}
+	snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
+	if(strcmp(magic, pre) != 0) {
+		verbose(VERB_QUERY, "control connection had bad "
+			"version %s, cmd: %s", magic, buf);
+		ssl_printf(ssl, "error version mismatch\n");
+		return;
+	}
 	verbose(VERB_DETAIL, "control cmd: %s", buf);
 
 	/* figure out what to do */

doc/Changelog

@@ -1,3 +1,10 @@
+10 June 2011: Wouter
+	- unbound-control has version number in the header,
+	  UBCT[version]_space_ is the header sent by the client now.
+	- Unbound control port number is registered with IANA:
+	  ub-dns-control  8953/tcp    unbound dns nameserver control
+	  This is the new default for the control-port config setting.
+
 30 May 2011: Wouter
 	- Fix Makefile for U in environment, since wrong U is more common than
 	  deansification necessity.

doc/control_proto_spec.txt

@@ -1,16 +1,21 @@
 
 Specification for the unbound-control protocol.
 
-Server listens on 953 TCP (localhost by default). Client connects,
+Server listens on 8953 TCP (localhost by default). Client connects,
 SSLv3 or TLSv1 connection setup (server selfsigned certificate, 
 client has cert signed by server certificate).
 
+Port 8953 is registered with IANA as:
+ub-dns-control  8953/tcp    unbound dns nameserver control
+# Wouter Wijngaards <wouter&nlnetlabs.nl> 10 May 2011
+On may 11 2011, ticket [IANA #442315].
+
 Query and Response
 ------------------
 Client sends 
-	UBCT [commandline] \n
+	UBCT[version] [commandline] \n
-	fixed string UBCT, then an ascii text line, with a command, 
+	fixed string UBCT1 (for version 1), then an ascii text line,
-	some whitespace allowed. Line ends with '\n'.
+	with a command, some whitespace allowed. Line ends with '\n'.
 
 Server executes command. And sends reply in ascii text over channel, 
 closes the channel when done.

doc/example.conf.in

@@ -472,7 +472,7 @@ remote-control:
 	# control-interface: ::1
 
 	# port number for remote control operations.
-	# control-port: 953
+	# control-port: 8953
 
 	# unbound server key file.
 	# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"

doc/unbound.conf.5.in

@@ -888,7 +888,7 @@ By default localhost (127.0.0.1 and ::1) is listened to.
 Use 0.0.0.0 and ::0 to listen to all interfaces.
 .TP 5
 .B control\-port: <port number>
-The port number to listen on for control commands, default is 953
+The port number to listen on for control commands, default is 8953
 (that is the same port number named uses to listen to rndc).
 If you change this port number, and permissions have been dropped, a
 reload is not sufficient to open the port again, you must then restart.

smallapp/unbound-control.c

@@ -258,12 +258,13 @@ send_file(SSL* ssl, FILE* in, char* buf, size_t sz)
 static int
 go_cmd(SSL* ssl, int argc, char* argv[])
 {
-	const char* pre="UBCT";
+	char pre[10];
 	const char* space=" ";
 	const char* newline="\n";
 	int was_error = 0, first_line = 1;
 	int r, i;
 	char buf[1024];
+	snprintf(pre, sizeof(pre), "UBCT%d ", UNBOUND_CONTROL_VERSION);
 	if(SSL_write(ssl, pre, (int)strlen(pre)) <= 0)
 		ssl_err("could not SSL_write");
 	for(i=0; i<argc; i++) {

util/config_file.c

@@ -190,7 +190,7 @@ config_create(void)
 	cfg->python_script = NULL;
 	cfg->remote_control_enable = 0;
 	cfg->control_ifs = NULL;
-	cfg->control_port = 953;
+	cfg->control_port = UNBOUND_CONTROL_PORT;
 	if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) 
 		goto error_exit;
 	if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem")))