Add tls-cert-bundle and example of using a DNS-over-TLS forwarder.

Note that, at this time, Unbound does not re-use TLS connections
(https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4089) so the
TCP and TLS handshakes will cause a disproportiate increase in
latency compared to UDP.  ok sthen@ florian@

src/etc/unbound.conf

@@ -1,4 +1,4 @@
-# $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $
+# $OpenBSD: unbound.conf,v 1.15 2019/07/15 10:18:20 dtucker Exp $
 
 server:
 	interface: 127.0.0.1
@@ -48,6 +48,11 @@ server:
 	#
 	#tcp-upstream: yes
 
+	# CA Certificates used for forward-tls-upstream (RFC7858) hostname
+	# verification.  Since it's outside the chroot it is only loaded at
+	# startup and thus cannot be changed via a reload.
+	#tls-cert-bundle: "/etc/ssl/cert.pem"
+
 remote-control:
 	control-enable: yes
 	control-interface: /var/run/unbound.sock
@@ -58,3 +63,12 @@ remote-control:
 #	name: "."				# use for ALL queries
 #	forward-addr: 192.0.2.53		# example address only
 #	forward-first: yes			# try direct if forwarder fails
+
+# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
+# if that fails.
+#forward-zone:
+#       name: "."
+#       forward-tls-upstream: yes               # use DNS-over-TLS forwarder
+#       forward-first: no                       # do NOT send direct
+#       # the hostname after "#" is not a comment, it is used for TLS checks:
+#       forward-addr: 192.0.2.53@953#resolver.hostname.example