1.7.3 - tls-upstream taking precedence over stub-tls-upstream?

Wouter Wijngaards wouter at nlnetlabs.nl
Fri Jul 20 13:21:18 UTC 2018


On 20/07/18 15:15, ѽ҉ᶬḳ℠ via Unbound-users wrote:
> Hi,
> I would have expected that > stub-tls-upstream: no < would countermand >
> tls-upstream: yes < for the stub-zone but it appears not to be the case.
> Is it by design that it is superseding?

It takes the or to enable them.  If one or the other is enabled then it
enables TLS for that connection.  There is no superseding behaviour, one
way or the other.

So if you set tls-upstream: yes, all of them are yes, and the stub
specific option is ignored.
If you set tls-upstream: no, you can use the stub specific option to
manage individual details.

The design behind it does not keep track of the presence of the option
but just the result boolean with default no.  So it cannot tell.

Most people today want forward-tls-upstream: yes, for forwarders. Not
really the stub variation, but you could try resolver to authority dns
over tls if you want.

Best regards, Wouter

More information about the Unbound-users mailing list