[FR] Specify secure transport requirement for certain authoritative servers

[bdaehlie]

Let's Encrypt would like to be able to provide Unbound with a list of authoritative DNS servers (in domain and IP address formats) and then require a specified secure transport protocol (e.g. DoH or DoQ) to be used whenever recursive resolution runs across one of those servers.

[Aura67]

unbound already supports something like Dns over Tls with a forward zone you can use it to query other upstream servers (encrypted) over the TLS transport layer.

https://nlnetlabs.nl/news/2018/May/03/unbound-1.7.1-released/
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-forward-forward-tls-upstream
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-forward-forward-addr

[gthess]

@bdaehlie, for upstream, Unbound only supports DoT at the moment which can also be configured per upstream.

If you are talking to forwarders, forward-zone needs to be configured and the relative option is forward-tls-upstream as pointed out by @Aura67 .

If you are talking to authoritatives, stub-zone needs to be configured and the relative option is stub-tls-upstream.

You can also use stub-no-cache/forward-no-cache to always ask for fresh records.

For DoT to work you would need to configure tls-cert-bundle as well.