From 065b2fa0597186b7274fef1e48837ad5ff39d6cf Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 4 Nov 2019 12:04:48 +0000
Subject: [PATCH] unbound: Allow forcing to speak TLS to upstream servers only

Signed-off-by: Michael Tremer
---
 src/initscripts/system/unbound | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 8eaf3734a8..89914480eb 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -16,6 +16,7 @@ INSECURE_ZONES=
 USE_FORWARDERS=1
 ENABLE_SAFE_SEARCH=off
 FORCE_TCP=off
+FORCE_TLS=off
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -206,8 +207,15 @@ write_forward_conf() {
 (
 config_header
+ # Force using TLS for upstream servers only
+ if [ "${FORCE_TLS}" = "on" ]; then
+ echo "# Force using TLS for upstream servers only"
+ echo "server:"
+ echo " tls-upstream: yes"
+ echo
+ # Force using TCP for upstream servers only
- if [ "${FORCE_TCP}" = "on" ]; then
+ elif [ "${FORCE_TCP}" = "on" ]; then
 echo "# Force using TCP for upstream servers only"
 echo "server:"
 echo " tcp-upstream: yes"
-- 
2.39.5
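Review bot: The new FORCE_TLS branch in write_forward_conf emits `tls-upstream: yes` but nothing in the hunk configures certificate verification, so the upstream link would be encrypted without being authenticated, and an on-path attacker could still terminate the TLS session. unbound.conf notes that with tls-upstream enabled a CA store should be loaded, and that the name to verify is given per forwarder as `forward-addr: <ip>@853#<auth-name>`. The forward-addr lines are written further down in write_forward_conf, outside this hunk, so check that they carry the port and auth name when FORCE_TLS is on. If they do not, add `echo "	tls-cert-bundle: <path-to-ca-bundle>"` under `server:` in this branch and emit the `#<auth-name>` suffix there. Since `server:` options are global, a short comment stating that FORCE_TLS is only meaningful with USE_FORWARDERS=1 would also help.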