unbound: Allow forcing to speak TLS to upstream servers only
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Nov 2019 12:04:48 +0000 (12:04 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Nov 2019 12:04:48 +0000 (12:04 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/unbound

index 8eaf3734a88a1638004dd5c35a16fed638febe8c..89914480eb08f2690f360b74b394241a4d7215cb 100644 (file)
@@ -16,6 +16,7 @@ INSECURE_ZONES=
 USE_FORWARDERS=1
 ENABLE_SAFE_SEARCH=off
 FORCE_TCP=off
+FORCE_TLS=off
 
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -206,8 +207,15 @@ write_forward_conf() {
        (
                config_header
 
+               # Force using TLS for upstream servers only
+               if [ "${FORCE_TLS}" = "on" ]; then
+                       echo "# Force using TLS for upstream servers only"
+                       echo "server:"
+                       echo "  tls-upstream: yes"
+                       echo
+
                # Force using TCP for upstream servers only
-               if [ "${FORCE_TCP}" = "on" ]; then
+               elif [ "${FORCE_TCP}" = "on" ]; then
                        echo "# Force using TCP for upstream servers only"
                        echo "server:"
                        echo "  tcp-upstream: yes"
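Review bot: The block emitted when FORCE_TLS is on writes only `tls-upstream: yes`, which encrypts the transport but does not by itself authenticate the upstream resolver; Unbound checks the server certificate only when a CA bundle is configured and the forwarder entry carries an authentication name. If nothing outside this hunk already provides these, add a line such as `echo "  tls-cert-bundle: <path to CA bundle>"` to this block and write the forwarders as `<address>@853#<hostname>`, since a bare address defaults to port 53. Without that, an on-path attacker can terminate the TLS session itself and the setting delivers less than "force TLS" suggests. A short comment that FORCE_TLS takes precedence over FORCE_TCP because of the `elif` would also help the next reader. write_forward_conf starts before and continues after this hunk, so the forwarder lines are not visible here.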