- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.

This adds the option http-notls-downstream: yesno to change that,
  and the dohclient test code has the -n option.

daemon/worker.c

@@ -1789,8 +1789,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
 			? cfg->tcp_keepalive_timeout
 			: cfg->tcp_idle_timeout,
 		cfg->harden_large_queries, cfg->http_max_streams,
-		cfg->http_endpoint, worker->daemon->tcl,
-		worker->daemon->listen_sslctx,
+		cfg->http_endpoint, cfg->http_notls_downstream,
+		worker->daemon->tcl, worker->daemon->listen_sslctx,
 		dtenv, worker_handle_request, worker);
 	if(!worker->front) {
 		log_err("could not create listening sockets");

doc/Changelog

@@ -3,6 +3,9 @@
 	  http-endpoint, http-max-streams, http-query-buffer-size,
 	  http-response-buffer-size, and http-nodelay.
 	- Fix memory leak of https port string when reading config.
+	- Fix #330: [Feature request] Add unencrypted DNS over HTTPS support.
+	  This adds the option http-notls-downstream: yesno to change that,
+	  and the dohclient test code has the -n option.
 
 16 October 2020: Wouter
 	- Fix that the out of order TCP processing does not limit the

doc/example.conf.in

@@ -788,6 +788,9 @@ server:
 	# service.
 	# http-nodelay: yes
 
+	# Disable TLS for DNS-over-HTTP downstream service.
+	# http-notls-downstream: no
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96

doc/unbound.conf.5.in

@@ -587,6 +587,10 @@ megabytes or gigabytes (1024*1024 bytes in a megabyte).
 Set TCP_NODELAY socket option on sockets used to provide DNS-over-HTTPS service.
 Ignored if the option is not available. Default is yes.
 .TP
+.B http\-notls\-downstream: \fI<yes or no>
+Disable use of TLS for the downstream DNS-over-HTTP connections.  Useful for
+local back end servers.  Default is no.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.

services/listen_dnsport.c

@@ -1244,8 +1244,9 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
 	int harden_large_queries, uint32_t http_max_streams,
-	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
-	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
+	char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
+	void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
+	void *cb_arg)
 {
 	struct listen_dnsport* front = (struct listen_dnsport*)
 		malloc(sizeof(struct listen_dnsport));
@@ -1295,15 +1296,19 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 				http_max_streams, http_endpoint,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg);
-			cp->ssl = sslctx;
+			if(http_notls && ports->ftype == listen_type_http)
+				cp->ssl = NULL;
+			else
+				cp->ssl = sslctx;
 			if(ports->ftype == listen_type_http) {
-				if(!sslctx) {
-				log_warn("HTTPS port configured, but no TLS "
+				if(!sslctx && !http_notls) {
+				  log_warn("HTTPS port configured, but no TLS "
 					"tls-service-key or tls-service-pem "
 					"set");
 				}
 #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB
-				log_warn("Unbound is not compiled with an "
+				if(!http_notls)
+				  log_warn("Unbound is not compiled with an "
 					"OpenSSL version supporting ALPN "
 					" (OpenSSL >= 1.0.2). This is required "
 					"to use DNS-over-HTTPS");

services/listen_dnsport.h

@@ -159,6 +159,7 @@ int resolve_interface_names(struct config_file* cfg, char*** resif,
  * @param harden_large_queries: whether query size should be limited.
  * @param http_max_streams: maximum number of HTTP/2 streams per connection.
  * @param http_endpoint: HTTP endpoint to service queries on
+ * @param http_notls: no TLS for http downstream
  * @param tcp_conn_limit: TCP connection limit info.
  * @param sslctx: nonNULL if ssl context.
  * @param dtenv: nonNULL if dnstap enabled.
@@ -171,8 +172,9 @@ struct listen_dnsport*
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
 	int harden_large_queries, uint32_t http_max_streams,
-	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
-	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
+	char* http_endpoint, int http_notls, struct tcl_list* tcp_conn_limit,
+	void* sslctx, struct dt_env* dtenv, comm_point_callback_type* cb,
+	void *cb_arg);
 
 /**
  * delete the listening structure

testcode/dohclient.c

@@ -90,6 +90,7 @@ static void usage(char* argv[])
 	printf("-e		HTTP endpoint, default: /dns-query\n");
 	printf("-c		Content-type in request, default: "
 		"application/dns-message\n");
+	printf("-n		no-tls, TLS is disabled\n");
 	printf("-h 		This help text\n");
 	exit(1);
 }
@@ -185,7 +186,10 @@ submit_query(struct http2_session* h2_session, struct sldns_buffer* buf)
 	headers[1].name = (uint8_t*)":path";
 	headers[1].value = (uint8_t*)h2_stream->path;
 	headers[2].name = (uint8_t*)":scheme";
-	headers[2].value = (uint8_t*)"https";
+	if(h2_session->ssl)
+		headers[2].value = (uint8_t*)"https";
+	else
+		headers[2].value = (uint8_t*)"http";
 	headers[3].name = (uint8_t*)":authority";
 	headers[3].value = (uint8_t*)h2_session->authority;
 	headers[4].name = (uint8_t*)"content-type";
@@ -246,6 +250,7 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	int r;
+	ssize_t ret;
 	struct timeval tv, *waittv;
 	fd_set rfd;
 	ERR_clear_error();
@@ -267,35 +272,58 @@ static ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 		return NGHTTP2_ERR_WOULDBLOCK;
 	}
 
-	r = SSL_read(h2_session->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
+	if(h2_session->ssl) {
+		r = SSL_read(h2_session->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_EOF;
+			}
+			log_crypto_err("could not SSL_read");
 			return NGHTTP2_ERR_EOF;
 		}
-		log_crypto_err("could not SSL_read");
+		return r;
+	}
+
+	ret = read(h2_session->fd, buf, len);
+	if(ret == 0) {
+		return NGHTTP2_ERR_EOF;
+	} else if(ret < 0) {
+		log_err("could not http2 read: %s", strerror(errno));
 		return NGHTTP2_ERR_EOF;
 	}
-	return r;
+	return ret;
 }
 
 static ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session),
 	const uint8_t* buf, size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
+	ssize_t ret;
 
-	int r;
-	ERR_clear_error();
-	r = SSL_write(h2_session->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
+	if(h2_session->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_write(h2_session->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_write");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_write");
+		return r;
+	}
+
+	ret = write(h2_session->fd, buf, len);
+	if(ret == 0) {
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	} else if(ret < 0) {
+		log_err("could not http2 write: %s", strerror(errno));
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
+	return ret;
 }
 
 static int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
@@ -459,7 +487,7 @@ http2_read(struct http2_session* h2_session)
 }
 
 static void
-run(struct http2_session* h2_session, int port, int count, char** q)
+run(struct http2_session* h2_session, int port, int no_tls, int count, char** q)
 {
 	int i;
 	SSL_CTX* ctx = NULL;
@@ -470,26 +498,28 @@ run(struct http2_session* h2_session, int port, int count, char** q)
 	fd = open_svr(h2_session->authority, port);
 	h2_session->fd = fd;
 
-	ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
-	if(!ctx) fatal_exit("cannot create ssl ctx");
-	SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
-	ssl = outgoing_ssl_fd(ctx, fd);
-	if(!ssl) {
-		printf("cannot create ssl\n");
-		exit(1);
-	}
-	h2_session->ssl = ssl;
-	while(1) {
-		int r;
-		ERR_clear_error();
-		if( (r=SSL_do_handshake(ssl)) == 1)
-			break;
-		r = SSL_get_error(ssl, r);
-		if(r != SSL_ERROR_WANT_READ &&
-			r != SSL_ERROR_WANT_WRITE) {
-			log_crypto_err("could not ssl_handshake");
+	if(!no_tls) {
+		ctx = connect_sslctx_create(NULL, NULL, NULL, 0);
+		if(!ctx) fatal_exit("cannot create ssl ctx");
+		SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)"\x02h2", 3);
+		ssl = outgoing_ssl_fd(ctx, fd);
+		if(!ssl) {
+			printf("cannot create ssl\n");
 			exit(1);
 		}
+		h2_session->ssl = ssl;
+		while(1) {
+			int r;
+			ERR_clear_error();
+			if( (r=SSL_do_handshake(ssl)) == 1)
+				break;
+			r = SSL_get_error(ssl, r);
+			if(r != SSL_ERROR_WANT_READ &&
+				r != SSL_ERROR_WANT_WRITE) {
+				log_crypto_err("could not ssl_handshake");
+				exit(1);
+			}
+		}
 	}
 
 	http2_submit_setting(h2_session);
@@ -511,9 +541,13 @@ run(struct http2_session* h2_session, int port, int count, char** q)
 
 	/* shutdown */
 	http2_session_delete(h2_session);
-	SSL_shutdown(ssl);
-	SSL_free(ssl);
-	SSL_CTX_free(ctx);
+	if(ssl) {
+		SSL_shutdown(ssl);
+		SSL_free(ssl);
+	}
+	if(ctx) {
+		SSL_CTX_free(ctx);
+	}
 	close(fd);
 }
 
@@ -524,10 +558,21 @@ extern char* optarg;
 int main(int argc, char** argv)
 {
 	int c;
-	int port = UNBOUND_DNS_OVER_HTTPS_PORT;
-	struct http2_session* h2_session = http2_session_create();
-	if(!h2_session) fatal_exit("out of memory");
+	int port = UNBOUND_DNS_OVER_HTTPS_PORT, no_tls = 0;
+	struct http2_session* h2_session;
 
+#ifdef USE_WINSOCK
+	WSADATA wsa_data;
+	if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
+		printf("WSAStartup failed\n");
+		return 1;
+	}
+#endif
+	log_init(0, 0, 0);
+	checklock_start();
+
+	h2_session = http2_session_create();
+	if(!h2_session) fatal_exit("out of memory");
 	if(argc == 1) {
 		usage(argv);
 	}
@@ -537,7 +582,7 @@ int main(int argc, char** argv)
 	h2_session->endpoint = "/dns-query";
 	h2_session->content_type = "application/dns-message";
 
-	while((c=getopt(argc, argv, "c:e:hs:p:P")) != -1) {
+	while((c=getopt(argc, argv, "c:e:hns:p:P")) != -1) {
 		switch(c) {
 			case 'c':
 				h2_session->content_type = optarg;
@@ -545,6 +590,9 @@ int main(int argc, char** argv)
 			case 'e':
 				h2_session->endpoint = optarg;
 				break;
+			case 'n':
+				no_tls = 1;
+				break;
 			case 'p':
 				if(atoi(optarg)==0 && strcmp(optarg,"0")!=0) {
 					printf("error parsing port, "
@@ -573,8 +621,12 @@ int main(int argc, char** argv)
 	}
 
 
-	run(h2_session, port, argc, argv);
+	run(h2_session, port, no_tls, argc, argv);
 
+	checklock_stop();
+#ifdef USE_WINSOCK
+	WSACleanup();
+#endif
 	return 0;
 }
 #else

testcode/fake_event.c

@@ -872,6 +872,7 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	int ATTR_UNUSED(harden_large_queries),
 	uint32_t ATTR_UNUSED(http_max_streams),
 	char* ATTR_UNUSED(http_endpoint),
+	int ATTR_UNUSED(http_notls),
 	struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
 	void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
 	comm_point_callback_type* cb, void *cb_arg)

util/config_file.c

@@ -527,6 +527,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size)
 	else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size)
 	else S_YNO("http-nodelay:", http_nodelay)
+	else S_YNO("http-notls-downstream:", http_notls_downstream)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -990,6 +991,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_MEM(opt, "http-query-buffer-size", http_query_buffer_size)
 	else O_MEM(opt, "http-response-buffer-size", http_response_buffer_size)
 	else O_YNO(opt, "http-nodelay", http_nodelay)
+	else O_YNO(opt, "http-notls-downstream", http_notls_downstream)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)

util/config_file.h

@@ -143,6 +143,8 @@ struct config_file {
 	size_t http_response_buffer_size;
 	/** set TCP_NODELAY option for http sockets */
 	int http_nodelay;
+	/** Disable TLS for http sockets downstream */
+	int http_notls_downstream;
 
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;

util/configlexer.lex

@@ -262,6 +262,7 @@ http-max-streams{COLON}		{ YDVAR(1, VAR_HTTP_MAX_STREAMS) }
 http-query-buffer-size{COLON}	{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
 http-response-buffer-size{COLON} { YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
 http-nodelay{COLON}		{ YDVAR(1, VAR_HTTP_NODELAY) }
+http-notls-downstream{COLON}	{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}		{ YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}		{ YDVAR(1, VAR_INTERFACE) }

util/configparser.h

@@ -194,158 +194,159 @@ extern int yydebug;
     VAR_HTTP_QUERY_BUFFER_SIZE = 400,
     VAR_HTTP_RESPONSE_BUFFER_SIZE = 401,
     VAR_HTTP_NODELAY = 402,
-    VAR_STUB_FIRST = 403,
-    VAR_MINIMAL_RESPONSES = 404,
-    VAR_RRSET_ROUNDROBIN = 405,
-    VAR_MAX_UDP_SIZE = 406,
-    VAR_DELAY_CLOSE = 407,
-    VAR_UNBLOCK_LAN_ZONES = 408,
-    VAR_INSECURE_LAN_ZONES = 409,
-    VAR_INFRA_CACHE_MIN_RTT = 410,
-    VAR_DNS64_PREFIX = 411,
-    VAR_DNS64_SYNTHALL = 412,
-    VAR_DNS64_IGNORE_AAAA = 413,
-    VAR_DNSTAP = 414,
-    VAR_DNSTAP_ENABLE = 415,
-    VAR_DNSTAP_SOCKET_PATH = 416,
-    VAR_DNSTAP_IP = 417,
-    VAR_DNSTAP_TLS = 418,
-    VAR_DNSTAP_TLS_SERVER_NAME = 419,
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 420,
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 421,
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 422,
-    VAR_DNSTAP_SEND_IDENTITY = 423,
-    VAR_DNSTAP_SEND_VERSION = 424,
-    VAR_DNSTAP_BIDIRECTIONAL = 425,
-    VAR_DNSTAP_IDENTITY = 426,
-    VAR_DNSTAP_VERSION = 427,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 428,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 429,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 430,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 431,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 432,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 433,
-    VAR_RESPONSE_IP_TAG = 434,
-    VAR_RESPONSE_IP = 435,
-    VAR_RESPONSE_IP_DATA = 436,
-    VAR_HARDEN_ALGO_DOWNGRADE = 437,
-    VAR_IP_TRANSPARENT = 438,
-    VAR_IP_DSCP = 439,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 440,
-    VAR_IP_RATELIMIT = 441,
-    VAR_IP_RATELIMIT_SLABS = 442,
-    VAR_IP_RATELIMIT_SIZE = 443,
-    VAR_RATELIMIT = 444,
-    VAR_RATELIMIT_SLABS = 445,
-    VAR_RATELIMIT_SIZE = 446,
-    VAR_RATELIMIT_FOR_DOMAIN = 447,
-    VAR_RATELIMIT_BELOW_DOMAIN = 448,
-    VAR_IP_RATELIMIT_FACTOR = 449,
-    VAR_RATELIMIT_FACTOR = 450,
-    VAR_SEND_CLIENT_SUBNET = 451,
-    VAR_CLIENT_SUBNET_ZONE = 452,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 453,
-    VAR_CLIENT_SUBNET_OPCODE = 454,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 455,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 456,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 457,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 458,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 459,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 460,
-    VAR_CAPS_WHITELIST = 461,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 462,
-    VAR_PERMIT_SMALL_HOLDDOWN = 463,
-    VAR_QNAME_MINIMISATION = 464,
-    VAR_QNAME_MINIMISATION_STRICT = 465,
-    VAR_IP_FREEBIND = 466,
-    VAR_DEFINE_TAG = 467,
-    VAR_LOCAL_ZONE_TAG = 468,
-    VAR_ACCESS_CONTROL_TAG = 469,
-    VAR_LOCAL_ZONE_OVERRIDE = 470,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 471,
-    VAR_ACCESS_CONTROL_TAG_DATA = 472,
-    VAR_VIEW = 473,
-    VAR_ACCESS_CONTROL_VIEW = 474,
-    VAR_VIEW_FIRST = 475,
-    VAR_SERVE_EXPIRED = 476,
-    VAR_SERVE_EXPIRED_TTL = 477,
-    VAR_SERVE_EXPIRED_TTL_RESET = 478,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 479,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 480,
-    VAR_FAKE_DSA = 481,
-    VAR_FAKE_SHA1 = 482,
-    VAR_LOG_IDENTITY = 483,
-    VAR_HIDE_TRUSTANCHOR = 484,
-    VAR_TRUST_ANCHOR_SIGNALING = 485,
-    VAR_AGGRESSIVE_NSEC = 486,
-    VAR_USE_SYSTEMD = 487,
-    VAR_SHM_ENABLE = 488,
-    VAR_SHM_KEY = 489,
-    VAR_ROOT_KEY_SENTINEL = 490,
-    VAR_DNSCRYPT = 491,
-    VAR_DNSCRYPT_ENABLE = 492,
-    VAR_DNSCRYPT_PORT = 493,
-    VAR_DNSCRYPT_PROVIDER = 494,
-    VAR_DNSCRYPT_SECRET_KEY = 495,
-    VAR_DNSCRYPT_PROVIDER_CERT = 496,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 497,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 498,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 499,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 500,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 501,
-    VAR_IPSECMOD_ENABLED = 502,
-    VAR_IPSECMOD_HOOK = 503,
-    VAR_IPSECMOD_IGNORE_BOGUS = 504,
-    VAR_IPSECMOD_MAX_TTL = 505,
-    VAR_IPSECMOD_WHITELIST = 506,
-    VAR_IPSECMOD_STRICT = 507,
-    VAR_CACHEDB = 508,
-    VAR_CACHEDB_BACKEND = 509,
-    VAR_CACHEDB_SECRETSEED = 510,
-    VAR_CACHEDB_REDISHOST = 511,
-    VAR_CACHEDB_REDISPORT = 512,
-    VAR_CACHEDB_REDISTIMEOUT = 513,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 514,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 515,
-    VAR_FOR_UPSTREAM = 516,
-    VAR_AUTH_ZONE = 517,
-    VAR_ZONEFILE = 518,
-    VAR_MASTER = 519,
-    VAR_URL = 520,
-    VAR_FOR_DOWNSTREAM = 521,
-    VAR_FALLBACK_ENABLED = 522,
-    VAR_TLS_ADDITIONAL_PORT = 523,
-    VAR_LOW_RTT = 524,
-    VAR_LOW_RTT_PERMIL = 525,
-    VAR_FAST_SERVER_PERMIL = 526,
-    VAR_FAST_SERVER_NUM = 527,
-    VAR_ALLOW_NOTIFY = 528,
-    VAR_TLS_WIN_CERT = 529,
-    VAR_TCP_CONNECTION_LIMIT = 530,
-    VAR_FORWARD_NO_CACHE = 531,
-    VAR_STUB_NO_CACHE = 532,
-    VAR_LOG_SERVFAIL = 533,
-    VAR_DENY_ANY = 534,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 535,
-    VAR_LOG_TAG_QUERYREPLY = 536,
-    VAR_STREAM_WAIT_SIZE = 537,
-    VAR_TLS_CIPHERS = 538,
-    VAR_TLS_CIPHERSUITES = 539,
-    VAR_TLS_USE_SNI = 540,
-    VAR_IPSET = 541,
-    VAR_IPSET_NAME_V4 = 542,
-    VAR_IPSET_NAME_V6 = 543,
-    VAR_TLS_SESSION_TICKET_KEYS = 544,
-    VAR_RPZ = 545,
-    VAR_TAGS = 546,
-    VAR_RPZ_ACTION_OVERRIDE = 547,
-    VAR_RPZ_CNAME_OVERRIDE = 548,
-    VAR_RPZ_LOG = 549,
-    VAR_RPZ_LOG_NAME = 550,
-    VAR_DYNLIB = 551,
-    VAR_DYNLIB_FILE = 552,
-    VAR_EDNS_CLIENT_TAG = 553,
-    VAR_EDNS_CLIENT_TAG_OPCODE = 554
+    VAR_HTTP_NOTLS_DOWNSTREAM = 403,
+    VAR_STUB_FIRST = 404,
+    VAR_MINIMAL_RESPONSES = 405,
+    VAR_RRSET_ROUNDROBIN = 406,
+    VAR_MAX_UDP_SIZE = 407,
+    VAR_DELAY_CLOSE = 408,
+    VAR_UNBLOCK_LAN_ZONES = 409,
+    VAR_INSECURE_LAN_ZONES = 410,
+    VAR_INFRA_CACHE_MIN_RTT = 411,
+    VAR_DNS64_PREFIX = 412,
+    VAR_DNS64_SYNTHALL = 413,
+    VAR_DNS64_IGNORE_AAAA = 414,
+    VAR_DNSTAP = 415,
+    VAR_DNSTAP_ENABLE = 416,
+    VAR_DNSTAP_SOCKET_PATH = 417,
+    VAR_DNSTAP_IP = 418,
+    VAR_DNSTAP_TLS = 419,
+    VAR_DNSTAP_TLS_SERVER_NAME = 420,
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 421,
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 422,
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 423,
+    VAR_DNSTAP_SEND_IDENTITY = 424,
+    VAR_DNSTAP_SEND_VERSION = 425,
+    VAR_DNSTAP_BIDIRECTIONAL = 426,
+    VAR_DNSTAP_IDENTITY = 427,
+    VAR_DNSTAP_VERSION = 428,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 429,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 430,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 431,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 432,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 433,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 434,
+    VAR_RESPONSE_IP_TAG = 435,
+    VAR_RESPONSE_IP = 436,
+    VAR_RESPONSE_IP_DATA = 437,
+    VAR_HARDEN_ALGO_DOWNGRADE = 438,
+    VAR_IP_TRANSPARENT = 439,
+    VAR_IP_DSCP = 440,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 441,
+    VAR_IP_RATELIMIT = 442,
+    VAR_IP_RATELIMIT_SLABS = 443,
+    VAR_IP_RATELIMIT_SIZE = 444,
+    VAR_RATELIMIT = 445,
+    VAR_RATELIMIT_SLABS = 446,
+    VAR_RATELIMIT_SIZE = 447,
+    VAR_RATELIMIT_FOR_DOMAIN = 448,
+    VAR_RATELIMIT_BELOW_DOMAIN = 449,
+    VAR_IP_RATELIMIT_FACTOR = 450,
+    VAR_RATELIMIT_FACTOR = 451,
+    VAR_SEND_CLIENT_SUBNET = 452,
+    VAR_CLIENT_SUBNET_ZONE = 453,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 454,
+    VAR_CLIENT_SUBNET_OPCODE = 455,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 456,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 457,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 458,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 459,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 460,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 461,
+    VAR_CAPS_WHITELIST = 462,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 463,
+    VAR_PERMIT_SMALL_HOLDDOWN = 464,
+    VAR_QNAME_MINIMISATION = 465,
+    VAR_QNAME_MINIMISATION_STRICT = 466,
+    VAR_IP_FREEBIND = 467,
+    VAR_DEFINE_TAG = 468,
+    VAR_LOCAL_ZONE_TAG = 469,
+    VAR_ACCESS_CONTROL_TAG = 470,
+    VAR_LOCAL_ZONE_OVERRIDE = 471,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 472,
+    VAR_ACCESS_CONTROL_TAG_DATA = 473,
+    VAR_VIEW = 474,
+    VAR_ACCESS_CONTROL_VIEW = 475,
+    VAR_VIEW_FIRST = 476,
+    VAR_SERVE_EXPIRED = 477,
+    VAR_SERVE_EXPIRED_TTL = 478,
+    VAR_SERVE_EXPIRED_TTL_RESET = 479,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 480,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 481,
+    VAR_FAKE_DSA = 482,
+    VAR_FAKE_SHA1 = 483,
+    VAR_LOG_IDENTITY = 484,
+    VAR_HIDE_TRUSTANCHOR = 485,
+    VAR_TRUST_ANCHOR_SIGNALING = 486,
+    VAR_AGGRESSIVE_NSEC = 487,
+    VAR_USE_SYSTEMD = 488,
+    VAR_SHM_ENABLE = 489,
+    VAR_SHM_KEY = 490,
+    VAR_ROOT_KEY_SENTINEL = 491,
+    VAR_DNSCRYPT = 492,
+    VAR_DNSCRYPT_ENABLE = 493,
+    VAR_DNSCRYPT_PORT = 494,
+    VAR_DNSCRYPT_PROVIDER = 495,
+    VAR_DNSCRYPT_SECRET_KEY = 496,
+    VAR_DNSCRYPT_PROVIDER_CERT = 497,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 498,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 499,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 500,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 501,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 502,
+    VAR_IPSECMOD_ENABLED = 503,
+    VAR_IPSECMOD_HOOK = 504,
+    VAR_IPSECMOD_IGNORE_BOGUS = 505,
+    VAR_IPSECMOD_MAX_TTL = 506,
+    VAR_IPSECMOD_WHITELIST = 507,
+    VAR_IPSECMOD_STRICT = 508,
+    VAR_CACHEDB = 509,
+    VAR_CACHEDB_BACKEND = 510,
+    VAR_CACHEDB_SECRETSEED = 511,
+    VAR_CACHEDB_REDISHOST = 512,
+    VAR_CACHEDB_REDISPORT = 513,
+    VAR_CACHEDB_REDISTIMEOUT = 514,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 515,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 516,
+    VAR_FOR_UPSTREAM = 517,
+    VAR_AUTH_ZONE = 518,
+    VAR_ZONEFILE = 519,
+    VAR_MASTER = 520,
+    VAR_URL = 521,
+    VAR_FOR_DOWNSTREAM = 522,
+    VAR_FALLBACK_ENABLED = 523,
+    VAR_TLS_ADDITIONAL_PORT = 524,
+    VAR_LOW_RTT = 525,
+    VAR_LOW_RTT_PERMIL = 526,
+    VAR_FAST_SERVER_PERMIL = 527,
+    VAR_FAST_SERVER_NUM = 528,
+    VAR_ALLOW_NOTIFY = 529,
+    VAR_TLS_WIN_CERT = 530,
+    VAR_TCP_CONNECTION_LIMIT = 531,
+    VAR_FORWARD_NO_CACHE = 532,
+    VAR_STUB_NO_CACHE = 533,
+    VAR_LOG_SERVFAIL = 534,
+    VAR_DENY_ANY = 535,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 536,
+    VAR_LOG_TAG_QUERYREPLY = 537,
+    VAR_STREAM_WAIT_SIZE = 538,
+    VAR_TLS_CIPHERS = 539,
+    VAR_TLS_CIPHERSUITES = 540,
+    VAR_TLS_USE_SNI = 541,
+    VAR_IPSET = 542,
+    VAR_IPSET_NAME_V4 = 543,
+    VAR_IPSET_NAME_V6 = 544,
+    VAR_TLS_SESSION_TICKET_KEYS = 545,
+    VAR_RPZ = 546,
+    VAR_TAGS = 547,
+    VAR_RPZ_ACTION_OVERRIDE = 548,
+    VAR_RPZ_CNAME_OVERRIDE = 549,
+    VAR_RPZ_LOG = 550,
+    VAR_RPZ_LOG_NAME = 551,
+    VAR_DYNLIB = 552,
+    VAR_DYNLIB_FILE = 553,
+    VAR_EDNS_CLIENT_TAG = 554,
+    VAR_EDNS_CLIENT_TAG_OPCODE = 555
   };
 #endif
 /* Tokens.  */
@@ -494,158 +495,159 @@ extern int yydebug;
 #define VAR_HTTP_QUERY_BUFFER_SIZE 400
 #define VAR_HTTP_RESPONSE_BUFFER_SIZE 401
 #define VAR_HTTP_NODELAY 402
-#define VAR_STUB_FIRST 403
-#define VAR_MINIMAL_RESPONSES 404
-#define VAR_RRSET_ROUNDROBIN 405
-#define VAR_MAX_UDP_SIZE 406
-#define VAR_DELAY_CLOSE 407
-#define VAR_UNBLOCK_LAN_ZONES 408
-#define VAR_INSECURE_LAN_ZONES 409
-#define VAR_INFRA_CACHE_MIN_RTT 410
-#define VAR_DNS64_PREFIX 411
-#define VAR_DNS64_SYNTHALL 412
-#define VAR_DNS64_IGNORE_AAAA 413
-#define VAR_DNSTAP 414
-#define VAR_DNSTAP_ENABLE 415
-#define VAR_DNSTAP_SOCKET_PATH 416
-#define VAR_DNSTAP_IP 417
-#define VAR_DNSTAP_TLS 418
-#define VAR_DNSTAP_TLS_SERVER_NAME 419
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 420
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 421
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 422
-#define VAR_DNSTAP_SEND_IDENTITY 423
-#define VAR_DNSTAP_SEND_VERSION 424
-#define VAR_DNSTAP_BIDIRECTIONAL 425
-#define VAR_DNSTAP_IDENTITY 426
-#define VAR_DNSTAP_VERSION 427
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 428
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 429
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 430
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 431
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 432
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 433
-#define VAR_RESPONSE_IP_TAG 434
-#define VAR_RESPONSE_IP 435
-#define VAR_RESPONSE_IP_DATA 436
-#define VAR_HARDEN_ALGO_DOWNGRADE 437
-#define VAR_IP_TRANSPARENT 438
-#define VAR_IP_DSCP 439
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 440
-#define VAR_IP_RATELIMIT 441
-#define VAR_IP_RATELIMIT_SLABS 442
-#define VAR_IP_RATELIMIT_SIZE 443
-#define VAR_RATELIMIT 444
-#define VAR_RATELIMIT_SLABS 445
-#define VAR_RATELIMIT_SIZE 446
-#define VAR_RATELIMIT_FOR_DOMAIN 447
-#define VAR_RATELIMIT_BELOW_DOMAIN 448
-#define VAR_IP_RATELIMIT_FACTOR 449
-#define VAR_RATELIMIT_FACTOR 450
-#define VAR_SEND_CLIENT_SUBNET 451
-#define VAR_CLIENT_SUBNET_ZONE 452
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 453
-#define VAR_CLIENT_SUBNET_OPCODE 454
-#define VAR_MAX_CLIENT_SUBNET_IPV4 455
-#define VAR_MAX_CLIENT_SUBNET_IPV6 456
-#define VAR_MIN_CLIENT_SUBNET_IPV4 457
-#define VAR_MIN_CLIENT_SUBNET_IPV6 458
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 459
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 460
-#define VAR_CAPS_WHITELIST 461
-#define VAR_CACHE_MAX_NEGATIVE_TTL 462
-#define VAR_PERMIT_SMALL_HOLDDOWN 463
-#define VAR_QNAME_MINIMISATION 464
-#define VAR_QNAME_MINIMISATION_STRICT 465
-#define VAR_IP_FREEBIND 466
-#define VAR_DEFINE_TAG 467
-#define VAR_LOCAL_ZONE_TAG 468
-#define VAR_ACCESS_CONTROL_TAG 469
-#define VAR_LOCAL_ZONE_OVERRIDE 470
-#define VAR_ACCESS_CONTROL_TAG_ACTION 471
-#define VAR_ACCESS_CONTROL_TAG_DATA 472
-#define VAR_VIEW 473
-#define VAR_ACCESS_CONTROL_VIEW 474
-#define VAR_VIEW_FIRST 475
-#define VAR_SERVE_EXPIRED 476
-#define VAR_SERVE_EXPIRED_TTL 477
-#define VAR_SERVE_EXPIRED_TTL_RESET 478
-#define VAR_SERVE_EXPIRED_REPLY_TTL 479
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 480
-#define VAR_FAKE_DSA 481
-#define VAR_FAKE_SHA1 482
-#define VAR_LOG_IDENTITY 483
-#define VAR_HIDE_TRUSTANCHOR 484
-#define VAR_TRUST_ANCHOR_SIGNALING 485
-#define VAR_AGGRESSIVE_NSEC 486
-#define VAR_USE_SYSTEMD 487
-#define VAR_SHM_ENABLE 488
-#define VAR_SHM_KEY 489
-#define VAR_ROOT_KEY_SENTINEL 490
-#define VAR_DNSCRYPT 491
-#define VAR_DNSCRYPT_ENABLE 492
-#define VAR_DNSCRYPT_PORT 493
-#define VAR_DNSCRYPT_PROVIDER 494
-#define VAR_DNSCRYPT_SECRET_KEY 495
-#define VAR_DNSCRYPT_PROVIDER_CERT 496
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 497
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 498
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 499
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 500
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 501
-#define VAR_IPSECMOD_ENABLED 502
-#define VAR_IPSECMOD_HOOK 503
-#define VAR_IPSECMOD_IGNORE_BOGUS 504
-#define VAR_IPSECMOD_MAX_TTL 505
-#define VAR_IPSECMOD_WHITELIST 506
-#define VAR_IPSECMOD_STRICT 507
-#define VAR_CACHEDB 508
-#define VAR_CACHEDB_BACKEND 509
-#define VAR_CACHEDB_SECRETSEED 510
-#define VAR_CACHEDB_REDISHOST 511
-#define VAR_CACHEDB_REDISPORT 512
-#define VAR_CACHEDB_REDISTIMEOUT 513
-#define VAR_CACHEDB_REDISEXPIRERECORDS 514
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 515
-#define VAR_FOR_UPSTREAM 516
-#define VAR_AUTH_ZONE 517
-#define VAR_ZONEFILE 518
-#define VAR_MASTER 519
-#define VAR_URL 520
-#define VAR_FOR_DOWNSTREAM 521
-#define VAR_FALLBACK_ENABLED 522
-#define VAR_TLS_ADDITIONAL_PORT 523
-#define VAR_LOW_RTT 524
-#define VAR_LOW_RTT_PERMIL 525
-#define VAR_FAST_SERVER_PERMIL 526
-#define VAR_FAST_SERVER_NUM 527
-#define VAR_ALLOW_NOTIFY 528
-#define VAR_TLS_WIN_CERT 529
-#define VAR_TCP_CONNECTION_LIMIT 530
-#define VAR_FORWARD_NO_CACHE 531
-#define VAR_STUB_NO_CACHE 532
-#define VAR_LOG_SERVFAIL 533
-#define VAR_DENY_ANY 534
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 535
-#define VAR_LOG_TAG_QUERYREPLY 536
-#define VAR_STREAM_WAIT_SIZE 537
-#define VAR_TLS_CIPHERS 538
-#define VAR_TLS_CIPHERSUITES 539
-#define VAR_TLS_USE_SNI 540
-#define VAR_IPSET 541
-#define VAR_IPSET_NAME_V4 542
-#define VAR_IPSET_NAME_V6 543
-#define VAR_TLS_SESSION_TICKET_KEYS 544
-#define VAR_RPZ 545
-#define VAR_TAGS 546
-#define VAR_RPZ_ACTION_OVERRIDE 547
-#define VAR_RPZ_CNAME_OVERRIDE 548
-#define VAR_RPZ_LOG 549
-#define VAR_RPZ_LOG_NAME 550
-#define VAR_DYNLIB 551
-#define VAR_DYNLIB_FILE 552
-#define VAR_EDNS_CLIENT_TAG 553
-#define VAR_EDNS_CLIENT_TAG_OPCODE 554
+#define VAR_HTTP_NOTLS_DOWNSTREAM 403
+#define VAR_STUB_FIRST 404
+#define VAR_MINIMAL_RESPONSES 405
+#define VAR_RRSET_ROUNDROBIN 406
+#define VAR_MAX_UDP_SIZE 407
+#define VAR_DELAY_CLOSE 408
+#define VAR_UNBLOCK_LAN_ZONES 409
+#define VAR_INSECURE_LAN_ZONES 410
+#define VAR_INFRA_CACHE_MIN_RTT 411
+#define VAR_DNS64_PREFIX 412
+#define VAR_DNS64_SYNTHALL 413
+#define VAR_DNS64_IGNORE_AAAA 414
+#define VAR_DNSTAP 415
+#define VAR_DNSTAP_ENABLE 416
+#define VAR_DNSTAP_SOCKET_PATH 417
+#define VAR_DNSTAP_IP 418
+#define VAR_DNSTAP_TLS 419
+#define VAR_DNSTAP_TLS_SERVER_NAME 420
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 421
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 422
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 423
+#define VAR_DNSTAP_SEND_IDENTITY 424
+#define VAR_DNSTAP_SEND_VERSION 425
+#define VAR_DNSTAP_BIDIRECTIONAL 426
+#define VAR_DNSTAP_IDENTITY 427
+#define VAR_DNSTAP_VERSION 428
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 429
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 430
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 431
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 432
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 433
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 434
+#define VAR_RESPONSE_IP_TAG 435
+#define VAR_RESPONSE_IP 436
+#define VAR_RESPONSE_IP_DATA 437
+#define VAR_HARDEN_ALGO_DOWNGRADE 438
+#define VAR_IP_TRANSPARENT 439
+#define VAR_IP_DSCP 440
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 441
+#define VAR_IP_RATELIMIT 442
+#define VAR_IP_RATELIMIT_SLABS 443
+#define VAR_IP_RATELIMIT_SIZE 444
+#define VAR_RATELIMIT 445
+#define VAR_RATELIMIT_SLABS 446
+#define VAR_RATELIMIT_SIZE 447
+#define VAR_RATELIMIT_FOR_DOMAIN 448
+#define VAR_RATELIMIT_BELOW_DOMAIN 449
+#define VAR_IP_RATELIMIT_FACTOR 450
+#define VAR_RATELIMIT_FACTOR 451
+#define VAR_SEND_CLIENT_SUBNET 452
+#define VAR_CLIENT_SUBNET_ZONE 453
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 454
+#define VAR_CLIENT_SUBNET_OPCODE 455
+#define VAR_MAX_CLIENT_SUBNET_IPV4 456
+#define VAR_MAX_CLIENT_SUBNET_IPV6 457
+#define VAR_MIN_CLIENT_SUBNET_IPV4 458
+#define VAR_MIN_CLIENT_SUBNET_IPV6 459
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 460
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 461
+#define VAR_CAPS_WHITELIST 462
+#define VAR_CACHE_MAX_NEGATIVE_TTL 463
+#define VAR_PERMIT_SMALL_HOLDDOWN 464
+#define VAR_QNAME_MINIMISATION 465
+#define VAR_QNAME_MINIMISATION_STRICT 466
+#define VAR_IP_FREEBIND 467
+#define VAR_DEFINE_TAG 468
+#define VAR_LOCAL_ZONE_TAG 469
+#define VAR_ACCESS_CONTROL_TAG 470
+#define VAR_LOCAL_ZONE_OVERRIDE 471
+#define VAR_ACCESS_CONTROL_TAG_ACTION 472
+#define VAR_ACCESS_CONTROL_TAG_DATA 473
+#define VAR_VIEW 474
+#define VAR_ACCESS_CONTROL_VIEW 475
+#define VAR_VIEW_FIRST 476
+#define VAR_SERVE_EXPIRED 477
+#define VAR_SERVE_EXPIRED_TTL 478
+#define VAR_SERVE_EXPIRED_TTL_RESET 479
+#define VAR_SERVE_EXPIRED_REPLY_TTL 480
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 481
+#define VAR_FAKE_DSA 482
+#define VAR_FAKE_SHA1 483
+#define VAR_LOG_IDENTITY 484
+#define VAR_HIDE_TRUSTANCHOR 485
+#define VAR_TRUST_ANCHOR_SIGNALING 486
+#define VAR_AGGRESSIVE_NSEC 487
+#define VAR_USE_SYSTEMD 488
+#define VAR_SHM_ENABLE 489
+#define VAR_SHM_KEY 490
+#define VAR_ROOT_KEY_SENTINEL 491
+#define VAR_DNSCRYPT 492
+#define VAR_DNSCRYPT_ENABLE 493
+#define VAR_DNSCRYPT_PORT 494
+#define VAR_DNSCRYPT_PROVIDER 495
+#define VAR_DNSCRYPT_SECRET_KEY 496
+#define VAR_DNSCRYPT_PROVIDER_CERT 497
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 498
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 499
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 500
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 501
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 502
+#define VAR_IPSECMOD_ENABLED 503
+#define VAR_IPSECMOD_HOOK 504
+#define VAR_IPSECMOD_IGNORE_BOGUS 505
+#define VAR_IPSECMOD_MAX_TTL 506
+#define VAR_IPSECMOD_WHITELIST 507
+#define VAR_IPSECMOD_STRICT 508
+#define VAR_CACHEDB 509
+#define VAR_CACHEDB_BACKEND 510
+#define VAR_CACHEDB_SECRETSEED 511
+#define VAR_CACHEDB_REDISHOST 512
+#define VAR_CACHEDB_REDISPORT 513
+#define VAR_CACHEDB_REDISTIMEOUT 514
+#define VAR_CACHEDB_REDISEXPIRERECORDS 515
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 516
+#define VAR_FOR_UPSTREAM 517
+#define VAR_AUTH_ZONE 518
+#define VAR_ZONEFILE 519
+#define VAR_MASTER 520
+#define VAR_URL 521
+#define VAR_FOR_DOWNSTREAM 522
+#define VAR_FALLBACK_ENABLED 523
+#define VAR_TLS_ADDITIONAL_PORT 524
+#define VAR_LOW_RTT 525
+#define VAR_LOW_RTT_PERMIL 526
+#define VAR_FAST_SERVER_PERMIL 527
+#define VAR_FAST_SERVER_NUM 528
+#define VAR_ALLOW_NOTIFY 529
+#define VAR_TLS_WIN_CERT 530
+#define VAR_TCP_CONNECTION_LIMIT 531
+#define VAR_FORWARD_NO_CACHE 532
+#define VAR_STUB_NO_CACHE 533
+#define VAR_LOG_SERVFAIL 534
+#define VAR_DENY_ANY 535
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 536
+#define VAR_LOG_TAG_QUERYREPLY 537
+#define VAR_STREAM_WAIT_SIZE 538
+#define VAR_TLS_CIPHERS 539
+#define VAR_TLS_CIPHERSUITES 540
+#define VAR_TLS_USE_SNI 541
+#define VAR_IPSET 542
+#define VAR_IPSET_NAME_V4 543
+#define VAR_IPSET_NAME_V6 544
+#define VAR_TLS_SESSION_TICKET_KEYS 545
+#define VAR_RPZ 546
+#define VAR_TAGS 547
+#define VAR_RPZ_ACTION_OVERRIDE 548
+#define VAR_RPZ_CNAME_OVERRIDE 549
+#define VAR_RPZ_LOG 550
+#define VAR_RPZ_LOG_NAME 551
+#define VAR_DYNLIB 552
+#define VAR_DYNLIB_FILE 553
+#define VAR_EDNS_CLIENT_TAG 554
+#define VAR_EDNS_CLIENT_TAG_OPCODE 555
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -655,7 +657,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 659 "util/configparser.h"
+#line 661 "util/configparser.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -114,7 +114,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
 %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
-%token VAR_HTTP_NODELAY
+%token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -249,7 +249,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
 	server_https_port | server_http_endpoint | server_http_max_streams |
 	server_http_query_buffer_size | server_http_response_buffer_size |
-	server_http_nodelay |
+	server_http_nodelay | server_http_notls_downstream |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
 	server_so_reuseport | server_delay_close |
 	server_unblock_lan_zones | server_insecure_lan_zones |
@@ -1031,6 +1031,14 @@ server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
 		free($2);
+	}
+server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
+	{
+		OUTYY(("P(server_http_notls_downstream:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->http_notls_downstream = (strcmp($2, "yes")==0);
+		free($2);
 	};
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
 	{

util/netevent.c

@@ -978,6 +978,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
 			log_warn("failed to submit http2 settings");
 			return;
 		}
+		if(!c->ssl) {
+			c_hdl->tcp_do_toggle_rw = 0;
+			c_hdl->use_h2 = 1;
+		}
 #endif
 		c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
 			UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
@@ -2359,48 +2363,76 @@ int http2_stream_close_cb(nghttp2_session* ATTR_UNUSED(session),
 ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf,
 	size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
-#ifdef HAVE_SSL
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
-	int r;
+	ssize_t ret;
 
 	log_assert(h2_session->c->type == comm_http);
 	log_assert(h2_session->c->h2_session);
 
-	if(!h2_session->c->ssl)
-		return 0;
-
-	ERR_clear_error();
-	r = SSL_read(h2_session->c->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->c->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
-			return NGHTTP2_ERR_EOF;
-		} else if(want == SSL_ERROR_WANT_READ) {
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_WANT_WRITE) {
-			h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
-			comm_point_listen_for_rw(h2_session->c, 0, 1);
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef HAVE_SSL
+	if(h2_session->c->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_read(h2_session->c->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->c->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
+				return NGHTTP2_ERR_EOF;
+			} else if(want == SSL_ERROR_WANT_READ) {
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_WANT_WRITE) {
+				h2_session->c->ssl_shake_state = comm_ssl_shake_hs_write;
+				comm_point_listen_for_rw(h2_session->c, 0, 1);
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_SYSCALL) {
 #ifdef ECONNRESET
-			if(errno == ECONNRESET && verbosity < 2)
-				return NGHTTP2_ERR_CALLBACK_FAILURE;
+				if(errno == ECONNRESET && verbosity < 2)
+					return NGHTTP2_ERR_CALLBACK_FAILURE;
 #endif
-			if(errno != 0)
-				log_err("SSL_read syscall: %s",
-					strerror(errno));
+				if(errno != 0)
+					log_err("SSL_read syscall: %s",
+						strerror(errno));
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_read");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_read");
+		return r;
+	}
+#endif /* HAVE_SSL */
+
+	ret = recv(h2_session->c->fd, buf, len, 0);
+	if(ret == 0) {
+		return NGHTTP2_ERR_EOF;
+	} else if(ret < 0) {
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+#ifdef ECONNRESET
+		if(errno == ECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+		log_err_addr("could not http2 recv: %s", strerror(errno),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#else /* USE_WINSOCK */
+		if(WSAGetLastError() == WSAECONNRESET)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+		if(WSAGetLastError() == WSAEINPROGRESS)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
+				UB_EV_READ);
+			return NGHTTP2_ERR_WOULDBLOCK;
+		}
+		log_err_addr("could not http2 recv: %s",
+			wsa_strerror(WSAGetLastError()),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#endif
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
-#else
-	(void)buf;
-	(void)len;
-	(void)cb_arg;
-	return -1;
-#endif
+	return ret;
 }
 #endif /* HAVE_NGHTTP2 */
 
@@ -2411,7 +2443,6 @@ comm_point_http2_handle_read(int ATTR_UNUSED(fd), struct comm_point* c)
 #ifdef HAVE_NGHTTP2
 	int ret;
 	log_assert(c->h2_session);
-	log_assert(c->ssl);
 
 	/* reading until recv cb returns NGHTTP2_ERR_WOULDBLOCK */
 	ret = nghttp2_session_recv(c->h2_session->session);
@@ -2648,47 +2679,81 @@ http_write_more(int fd, struct comm_point* c)
 ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf,
 	size_t len, int ATTR_UNUSED(flags), void* cb_arg)
 {
-#ifdef HAVE_SSL
-	int r;
+	ssize_t ret;
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	log_assert(h2_session->c->type == comm_http);
 	log_assert(h2_session->c->h2_session);
 
-	if(!h2_session->c->ssl)
-		return 0;
-
-	ERR_clear_error();
-	r = SSL_write(h2_session->c->ssl, buf, len);
-	if(r <= 0) {
-		int want = SSL_get_error(h2_session->c->ssl, r);
-		if(want == SSL_ERROR_ZERO_RETURN) {
-			return NGHTTP2_ERR_CALLBACK_FAILURE;
-		} else if(want == SSL_ERROR_WANT_READ) {
-			h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
-			comm_point_listen_for_rw(h2_session->c, 1, 0);
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_WANT_WRITE) {
-			return NGHTTP2_ERR_WOULDBLOCK;
-		} else if(want == SSL_ERROR_SYSCALL) {
-#ifdef EPIPE
-			if(errno == EPIPE && verbosity < 2)
+#ifdef HAVE_SSL
+	if(h2_session->c->ssl) {
+		int r;
+		ERR_clear_error();
+		r = SSL_write(h2_session->c->ssl, buf, len);
+		if(r <= 0) {
+			int want = SSL_get_error(h2_session->c->ssl, r);
+			if(want == SSL_ERROR_ZERO_RETURN) {
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			} else if(want == SSL_ERROR_WANT_READ) {
+				h2_session->c->ssl_shake_state = comm_ssl_shake_hs_read;
+				comm_point_listen_for_rw(h2_session->c, 1, 0);
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_WANT_WRITE) {
+				return NGHTTP2_ERR_WOULDBLOCK;
+			} else if(want == SSL_ERROR_SYSCALL) {
+#ifdef EPIPE
+				if(errno == EPIPE && verbosity < 2)
+					return NGHTTP2_ERR_CALLBACK_FAILURE;
 #endif
-			if(errno != 0)
-				log_err("SSL_write syscall: %s",
-					strerror(errno));
+				if(errno != 0)
+					log_err("SSL_write syscall: %s",
+						strerror(errno));
+				return NGHTTP2_ERR_CALLBACK_FAILURE;
+			}
+			log_crypto_err("could not SSL_write");
 			return NGHTTP2_ERR_CALLBACK_FAILURE;
 		}
-		log_crypto_err("could not SSL_write");
+		return r;
+	}
+#endif /* HAVE_SSL */
+
+	ret = send(h2_session->c->fd, buf, len, 0);
+	if(ret == 0) {
+		return NGHTTP2_ERR_CALLBACK_FAILURE;
+	} else if(ret < 0) {
+#ifndef USE_WINSOCK
+		if(errno == EINTR || errno == EAGAIN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+#ifdef EPIPE
+		if(errno == EPIPE && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+#ifdef ECONNRESET
+		if(errno == ECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+#endif
+		log_err_addr("could not http2 write: %s", strerror(errno),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#else /* USE_WINSOCK */
+		if(WSAGetLastError() == WSAENOTCONN)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEINPROGRESS)
+			return NGHTTP2_ERR_WOULDBLOCK;
+		if(WSAGetLastError() == WSAEWOULDBLOCK) {
+			ub_winsock_tcp_wouldblock(h2_session->c->ev->ev,
+				UB_EV_WRITE);
+			return NGHTTP2_ERR_WOULDBLOCK;
+		}
+		if(WSAGetLastError() == WSAECONNRESET && verbosity < 2)
+			return NGHTTP2_ERR_CALLBACK_FAILURE;
+		log_err_addr("could not http2 write: %s",
+			wsa_strerror(WSAGetLastError()),
+			&h2_session->c->repinfo.addr,
+			h2_session->c->repinfo.addrlen);
+#endif
 		return NGHTTP2_ERR_CALLBACK_FAILURE;
 	}
-	return r;
-#else
-	(void)buf;
-	(void)len;
-	(void)cb_arg;
-	return -1;
-#endif
+	return ret;
 }
 #endif /* HAVE_NGHTTP2 */
 
@@ -2699,7 +2764,6 @@ comm_point_http2_handle_write(int ATTR_UNUSED(fd), struct comm_point* c)
 #ifdef HAVE_NGHTTP2
 	int ret;
 	log_assert(c->h2_session);
-	log_assert(c->ssl);
 
 	ret = nghttp2_session_send(c->h2_session->session);
 	if(ret) {