From 2519f7993f55804813d8157011a4dcc33a478fb7 Mon Sep 17 00:00:00 2001
From: dtucker <>
Date: Mon, 15 Jul 2019 10:18:20 +0000
Subject: [PATCH] Add tls-cert-bundle and example of using a DNS-over-TLS forwarder.

Note that, at this time, Unbound does not re-use TLS connections (https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the TCP and TLS handshakes will cause a disproportiate increase in latency compared to UDP.

ok sthen@ florian@
---
 src/etc/unbound.conf | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/etc/unbound.conf b/src/etc/unbound.conf
index 614b8b55..e16b08c2 100644
--- a/src/etc/unbound.conf
+++ b/src/etc/unbound.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $
+# $OpenBSD: unbound.conf,v 1.15 2019/07/15 10:18:20 dtucker Exp $
 
 server:
 interface: 127.0.0.1
@@ -48,6 +48,11 @@ server:
 #
 #tcp-upstream: yes
 
+ # CA Certificates used for forward-tls-upstream (RFC7858) hostname
+ # verification. Since it's outside the chroot it is only loaded at
+ # startup and thus cannot be changed via a reload.
+ #tls-cert-bundle: "/etc/ssl/cert.pem"
+
 remote-control:
 control-enable: yes
 control-interface: /var/run/unbound.sock
@@ -58,3 +63,12 @@ remote-control:
 # name: "." # use for ALL queries
 # forward-addr: 192.0.2.53 # example address only
 # forward-first: yes # try direct if forwarder fails
+
+# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
+# if that fails.
+#forward-zone:
+# name: "."
+# forward-tls-upstream: yes # use DNS-over-TLS forwarder
+# forward-first: no # do NOT send direct
+# # the hostname after "#" is not a comment, it is used for TLS checks:
+# forward-addr: 192.0.2.53@953#resolver.hostname.example
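Review bot: The DNS-over-TLS example in the last hunk points the forwarder at `@953`, but RFC 7858 (the RFC the new tls-cert-bundle comment in the previous hunk cites) assigns port 853 to DNS-over-TLS, so the line should read `forward-addr: 192.0.2.53@853#resolver.hostname.example`; with `forward-first: no` an operator who pastes the example as written will most likely get a forwarder that never answers rather than a TLS-protected one. The example also depends on the `tls-cert-bundle` line added in the previous hunk, which stays commented out; as far as I can tell Unbound only verifies the `#hostname` against the upstream certificate when a CA bundle is configured, so the `forward-zone` example should say so explicitly, e.g. `# requires tls-cert-bundle (server section) for the hostname check to be enforced` above the forward-addr line. Either way the relationship between the two commented-out settings is worth stating in the file rather than leaving it to the reader.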