    daemon: allow opportunistic DNS over TLS to origins · a1ba8458
    Marek Vavruša authored
    This commit allows opportunistic DNS over TLS to origins configured
    as supporting DoT on port 853. It also adds an interface for clearing
    configured TLS clients to allow runtime reconfiguration.
    
    The general mode of operation is as follows:
    
    1. Produce a new outgoing query
    2. Check if the selected upstream address has configured TLS support on port 853
     2a. If it does: upgrade to DNS over TLS, it cannot be downgraded from this point
     2b. If not: continue with preferred protocol
    
    This allows further automatic discovery as in [1], but right now it has to be configured
    manually.
    
    [1]: https://tools.ietf.org/id/draft-bortzmeyer-dprive-resolver-to-auth-00.html
    
    (cherry-picked from cloudflare branch, needs to be adapted)
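The decision rule in steps 1 and 2 above, together with the clear-at-runtime interface it mentions, as an added example modelling the behaviour; this is not Knot Resolver's code, and `TlsClientRegistry`, `Query` and `choose_transport` are hypothetical names. It shows the one interaction worth checking: a query that has already upgraded stays on TLS even after the configured clients are cleared, while a query created after the clear falls back to its preferred protocol.

```python
from dataclasses import dataclass, field

DOT_PORT = 853  # port the commit message names for configured DoT origins


@dataclass
class TlsClientRegistry:
    """Upstream addresses the operator has configured as supporting DoT on 853.

    Hypothetical model of the commit's 'configured TLS clients'; the value
    stored per address stands in for whatever authentication data is kept.
    """
    configured: dict = field(default_factory=dict)  # (addr, port) -> auth data

    def add(self, addr: str, auth: str, port: int = DOT_PORT) -> None:
        self.configured[(addr, port)] = auth

    def clear(self) -> None:
        """The runtime-reconfiguration interface: forget every configured client."""
        self.configured.clear()

    def supports_dot(self, addr: str) -> bool:
        return (addr, DOT_PORT) in self.configured


@dataclass
class Query:
    """One outgoing query (step 1). `protocol` is the preferred transport
    before the check; `tls_locked` records that step 2a already happened."""
    upstream: str
    protocol: str = "udp"
    tls_locked: bool = False


def choose_transport(query: Query, registry: TlsClientRegistry) -> str:
    """Step 2, applied each time the query is (re)sent to its upstream."""
    if query.tls_locked:
        # Step 2a's guarantee: once upgraded, never downgrade, even if the
        # registry was cleared or changed underneath an in-flight query.
        return "tls"
    if registry.supports_dot(query.upstream):
        query.tls_locked = True      # 2a: upgrade and pin the decision
        query.protocol = "tls"
        return "tls"
    return query.protocol            # 2b: continue with the preferred protocol
```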