From: "Robert Edmonds" <edmonds@debian.org>
To: "Evan Hunt via RT"
Subject: Re: [ISC-Bugs #41202] No IANA registration for port 953
Date: Mon, 30 Nov 2015 16:17:02 -0500
Message-ID: <20151130211702.GA13263@mycre.ws>

Evan Hunt via RT wrote:
> > This is deliberate. There is no need for a port to be registered
> > for this as it is entirely private use. rndc.conf provides an
> > adequate way to remember the port between invocations.
>
> However, our use of 953 as a default could be problematic if some other
> service came along which wanted to reserve that port. It wouldn't hurt
> to ask IANA to recognize the existing usage.
Yes, in fact Unbound used to default to port 953 for *its* control port, following the BIND example, apparently on the assumption that no one would want to run BIND and Unbound (with default configs) on the same machine :-) When I prodded NLnetLabs about that issue, they went to IANA and were assigned port 8953 ("ub-dns-control").

It doesn't seem like there's much need for a daemon's control port to be in the "System Port" range.

I also wonder if it makes sense to support AF_LOCAL sockets for the control socket, if you had no need to manage remote servers. (I believe the current rndc default is for named to bind to the loopback interface, so I suspect a lot of users only use rndc locally.) You could even avoid cryptographic authentication entirely and rely only on Unix filesystem permissions for access control.

-- 
Robert Edmonds
edmonds@debian.org
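The AF_LOCAL suggestion in the message above, worked through as an added example that is not part of this thread or of BIND: a Unix-domain control socket whose only access control is filesystem permissions, plus a Linux SO_PEERCRED read to confirm who actually connected. The socket name and directory layout are assumptions, and SO_PEERCRED makes the demo Linux-specific.

```python
import os
import socket
import stat
import struct
import tempfile

def make_control_socket(path):
    """Bind a listening AF_UNIX stream socket at `path` that only the
    owning user can connect to. Linux checks the socket file's mode
    bits on connect(); the umask keeps the file private from the
    moment it appears, and the chmod pins it to 0600."""
    old_umask = os.umask(0o077)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o600)
    srv.listen(1)
    return srv

def peer_uid(conn):
    """uid of the process at the other end of an AF_UNIX connection,
    via SO_PEERCRED (Linux: struct ucred is pid, uid, gid as ints)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def run_demo():
    """Constructed round trip: socket in a private directory, one
    local client, and an authorization decision for that peer."""
    with tempfile.TemporaryDirectory() as d:
        # Directory mode is the portable control: some systems ignore
        # mode bits on the socket file itself but always enforce
        # search permission on the directory containing it.
        os.chmod(d, 0o700)
        path = os.path.join(d, "control.sock")  # assumed name
        srv = make_control_socket(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)  # queued in the backlog until accept()
        conn, _ = srv.accept()
        uid = peer_uid(conn)
        # The filesystem did the gatekeeping; the peer check is a
        # cheap second confirmation of who got through.
        authorized = uid in (os.getuid(), 0)
        for s in (conn, cli, srv):
            s.close()
        return {"mode": mode, "peer_uid": uid, "authorized": authorized}
```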