Patches are available here: https://portal.sinodun.com/stash/projects/TDNS/repos/dns-over-tls_patches/browse
STARTTLS in DNS is no longer described in any active draft, but is still available in these patches.
Various TFO patches are provided - please see the TFO patch repository.
- Add support for DNS-over-TLS (experimental) to Unbound as a server and a client.
- Adds new configuration file options:
  - 'do-starttls: yes/no' # enable STARTTLS for downstream queries
  - 'starttls-upsteam: yes/no' # enable STARTTLS for upstream queries
  - 'starttls-delay: <number of seconds>' # time to cache the STARTTLS capability of an upstream server before retrying a STARTTLS negotiation
- Adds option to use the TO bit for STARTTLS downstream. Enable with --enable-TObit configure option.
- Adds new statistics counters: SSL queries, EDNS_TO queries and STARTTLS queries
- Initial attempt to change behaviour of writes over SSL so that the DNS message is sent in a single packet when possible. (Previous behaviour was to send the length and message content separately.) Should be improved to avoid malloc on each write.
- Fix libunbound to support SSL by initialising the SSL library.
- Adds experimental client and server support for TCP Fast Open (Linux only). Enable with --enable-tcp-fastopen configure option.
- apply patch
- run 'autoreconf --force'
- optionally specify the --enable-tcp-fastopen and/or --enable-TObit flags when running 'configure'
- make, make install
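
The single-packet write change listed above depends on placing the two-byte length prefix and the DNS message in one contiguous buffer. The following is an added example, not code from the patches: the names frame_buf and dns_frame are hypothetical, the sample query bytes are constructed, and the buffer is reused across writes so that the common case needs no allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reusable per-connection write buffer (hypothetical name). It grows only
 * when a message does not fit, so most writes allocate nothing. */
struct frame_buf { uint8_t *data; size_t cap; };

/* Build the DNS stream frame: 2-byte big-endian length, then the message,
 * in one buffer. The caller would pass fb->data and the returned length to
 * a single SSL_write() call. Returns the frame length, or 0 on error. */
size_t dns_frame(struct frame_buf *fb, const uint8_t *msg, size_t len)
{
    size_t need = len + 2;
    if (msg == NULL || len == 0 || len > 0xFFFF)
        return 0;                      /* must fit the 16-bit prefix */
    if (fb->cap < need) {
        uint8_t *p = realloc(fb->data, need);
        if (p == NULL)
            return 0;                  /* old buffer remains valid */
        fb->data = p;
        fb->cap = need;
    }
    fb->data[0] = (uint8_t)(len >> 8);
    fb->data[1] = (uint8_t)(len & 0xFF);
    memcpy(fb->data + 2, msg, len);
    return need;
}

void frame_buf_free(struct frame_buf *fb)
{
    free(fb->data);
    fb->data = NULL;
    fb->cap = 0;
}

int main(void)
{
    /* Constructed sample: a 12-byte DNS header (ID 0x1234, RD set, 1 question). */
    const uint8_t hdr[12] = {0x12, 0x34, 0x01, 0x00, 0x00, 0x01};
    struct frame_buf fb = {0};
    size_t n = dns_frame(&fb, hdr, sizeof hdr);
    printf("frame length %zu, prefix %02x %02x\n", n, fb.data[0], fb.data[1]);
    frame_buf_free(&fb);
    return 0;
}
```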