Evan Hunt via RT wrote:
> > This is deliberate. There is no need for a port to be registered
> > for this as it is entirely private use. rndc.conf provides an
> > adequate way to remember the port between invocations.
>
> However, our use of 953 as a default could be problematic if some other
> service came along which wanted to reserve that port. It wouldn't hurt
> to ask IANA to recognize the existing usage.

Yes, in fact Unbound used to default to port 953 for *its* control port, following the BIND example, apparently on the assumption that no one would want to run BIND and Unbound (with default configs) on the same machine :-) When I prodded NLnetLabs about that issue, they went to IANA and were assigned port 8953 ("ub-dns-control"). It doesn't seem like there's much need for a daemon's control port to be in the "System Port" range.

I also wonder if it makes sense to support AF_LOCAL sockets for the control socket, if you had no need to manage remote servers. (I believe the current rndc default is for named to bind to the loopback interface, so I suspect a lot of users only use rndc locally.) You could even avoid cryptographic authentication entirely and rely only on Unix filesystem permissions for access control.

-- 
Robert Edmonds
edmonds@debian.org
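As an added illustration of the AF_LOCAL approach suggested in the message above (example code, not from the thread, BIND or Unbound): a control socket whose access is governed by the socket file's permission bits, with a SO_PEERCRED check of the connecting UID as a second gate. The socket path, the `allowed_uid` policy and the `demo()` driver are assumptions of this example.

```python
import os
import socket
import struct
import tempfile
import threading

def make_control_socket(path, mode=0o600):
    """Bind a listening AF_UNIX socket; the node is created with no group/other bits."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    old_umask = os.umask(0o177)          # avoid a window where the node is world-connectable
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)                 # Linux requires write permission to connect()
    srv.listen(1)
    return srv

def peer_uid(conn):
    """UID of the connecting process via SO_PEERCRED (Linux); None where unsupported."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

def serve_one(srv, allowed_uid):
    """Accept one client; answer the command only if the peer UID matches the policy."""
    conn, _ = srv.accept()
    with conn:
        uid = peer_uid(conn)
        cmd = conn.recv(64)
        if uid is not None and uid != allowed_uid:
            conn.sendall(b"denied")
            return "denied"
        conn.sendall(b"ok:" + cmd)
        return "ok"

def demo():
    """Constructed local round trip: our own UID is the only one allowed."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "control.sock")
    srv = make_control_socket(path)
    result = {}
    t = threading.Thread(target=lambda: result.update(r=serve_one(srv, os.getuid())))
    t.start()
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    cli.sendall(b"status")
    reply = cli.recv(64)
    cli.close()
    t.join()
    srv.close()
    mode = os.stat(path).st_mode & 0o777
    os.unlink(path)
    os.rmdir(tmpdir)
    return reply, result["r"], mode
```

Enforcement of permission bits on socket nodes is not guaranteed by POSIX (Linux honours them; some systems do not), which is why the peer-credential check is kept alongside the file mode, and why the parent directory's permissions should be restricted too.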