=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/etc/unbound.conf,v retrieving revision 1.14 retrieving revision 1.15 diff -c -r1.14 -r1.15 *** src/etc/unbound.conf 2018/12/16 20:41:30 1.14 --- src/etc/unbound.conf 2019/07/15 10:18:20 1.15 *************** *** 1,4 **** ! # $OpenBSD: unbound.conf,v 1.14 2018/12/16 20:41:30 tim Exp $ server: interface: 127.0.0.1 --- 1,4 ---- ! # $OpenBSD: unbound.conf,v 1.15 2019/07/15 10:18:20 dtucker Exp $ server: interface: 127.0.0.1 *************** *** 48,53 **** --- 48,58 ---- # #tcp-upstream: yes + # CA Certificates used for forward-tls-upstream (RFC7858) hostname + # verification. Since it's outside the chroot it is only loaded at + # startup and thus cannot be changed via a reload. + #tls-cert-bundle: "/etc/ssl/cert.pem" + remote-control: control-enable: yes control-interface: /var/run/unbound.sock *************** *** 58,60 **** --- 63,74 ---- # name: "." # use for ALL queries # forward-addr: 192.0.2.53 # example address only # forward-first: yes # try direct if forwarder fails + + # Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext + # if that fails. + #forward-zone: + # name: "." + # forward-tls-upstream: yes # use DNS-over-TLS forwarder + # forward-first: no # do NOT send direct + # # the hostname after "#" is not a comment, it is used for TLS checks: + # forward-addr: 192.0.2.53@953#resolver.hostname.example
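Review bot: The comment added above `#tls-cert-bundle: "/etc/ssl/cert.pem"` says the bundle is used for hostname verification but not that verification depends on it being set. As far as I know, Unbound does not check the forwarder's certificate or name when no bundle is configured, so a user who enables only the DNS-over-TLS forward-zone example later in this diff gets encryption without authentication. I would add a line such as `# Must be enabled for forward-tls-upstream; without it the upstream certificate and hostname are not verified.` The note about the file being read only at startup is useful and should stay.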
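Review bot: The example `forward-addr: 192.0.2.53@953#resolver.hostname.example` uses port 953, but RFC 7858, which the earlier hunk cites, assigns port 853 to DNS-over-TLS, so this looks like a typo. With `forward-first: no` a wrong port fails closed instead of leaking cleartext, but anyone copying the example gets no resolution at all. Suggested line: `# forward-addr: 192.0.2.53@853#resolver.hostname.example`. The comment explaining that the text after `#` is the TLS name and not a comment is a good touch and worth keeping.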