DoT for libunbound

Florian Obser florian at
Sun Jan 27 17:32:02 UTC 2019


I'd like to use DoT in libunbound but it doesn't look like I can
enable it short of loading a whole unbound.conf via ub_ctx_config().

I came up with the following, does this look reasonable? Should this
be done a different way maybe via ub_ctx_set_option()?

This needs a lib bump if it goes in, but I'm not too familiar with the
build system and wouldn't know how to do that.


diff --git doc/ doc/
index 62d5f045490..69b09174dd0 100644
--- doc/
+++ doc/
@@ -20,6 +20,7 @@
 .B ub_ctx_config,
 .B ub_ctx_set_fwd,
 .B ub_ctx_set_stub,
+.B ub_ctx_set_tls,
 .B ub_ctx_resolvconf,
 .B ub_ctx_hosts,
 .B ub_ctx_add_ta,
@@ -72,6 +73,9 @@
 		\fIint\fR isprime);
+\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls);
 \fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname);
@@ -227,6 +231,12 @@ for different zones, or to add multiple addresses for a particular zone.
 At this time it is only possible to set configuration before the
 first resolve is done.
+.B ub_ctx_set_tls
+Enable DNS over TLS (DoT) for machines set with 
+.B ub_ctx_set_fwd.
+At this time it is only possible to set configuration before the
+first resolve is done.
 .B ub_ctx_resolvconf
 By default the root servers are queried and full resolver mode is used, but
 you can use this call to read the list of nameservers to use from the
diff --git libunbound/libunbound.c libunbound/libunbound.c
index 31adbd54dcd..ee7ef4a9a76 100644
--- libunbound/libunbound.c
+++ libunbound/libunbound.c
@@ -966,6 +966,19 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
 	return UB_NOERROR;
+int ub_ctx_set_tls(struct ub_ctx* ctx, int tls)
+	lock_basic_lock(&ctx->cfglock);
+	if(ctx->finalized) {
+		lock_basic_unlock(&ctx->cfglock);
+		errno=EINVAL;
+		return UB_AFTERFINAL;
+	}
+	ctx->env->cfg->ssl_upstream = tls;
+	lock_basic_unlock(&ctx->cfglock);
+	return UB_NOERROR;
 int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
 	int isprime)
diff --git libunbound/ubsyms.def libunbound/ubsyms.def
index 0d8e6af91ee..0ace984fa30 100644
--- libunbound/ubsyms.def
+++ libunbound/ubsyms.def
@@ -20,6 +20,7 @@ ub_ctx_set_event
diff --git libunbound/unbound.h libunbound/unbound.h
index 90766b06236..8074e3ac5ba 100644
--- libunbound/unbound.h
+++ libunbound/unbound.h
@@ -309,6 +309,17 @@ int ub_ctx_config(struct ub_ctx* ctx, const char* fname);
 int ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr);
+ * Use DNS over TLS to send queries to machines set with ub_ctx_set_fwd().
+ *
+ * @param ctx: context.
+ *	At this time it is only possible to set configuration before the
+ *	first resolve is done.
+ * @param tls: enable or disable DNS over TLS
+ * @return 0 if OK, else error.
+ */
+int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
  * Add a stub zone, with given address to send to.  This is for custom
  * root hints or pointing to a local authoritative dns server.

I'm not entirely sure you are real.

More information about the Unbound-users mailing list