unbound: Allow forcing to speak TLS to upstream servers only
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 4 Nov 2019 12:04:48 +0000 (12:04 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 7 Jan 2020 11:14:05 +0000 (11:14 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/initscripts/system/unbound

index 1c9f4288ca485592e2c7d5aa0b3b7f8383a12ac4..cafc2e61c81e555330bc7e5af1b0a575a8391499 100644 (file)
@@ -16,6 +16,7 @@ INSECURE_ZONES=
 USE_FORWARDERS=1
 ENABLE_SAFE_SEARCH=off
 FORCE_TCP=off
+FORCE_TLS=off
 
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
@@ -184,8 +185,15 @@ write_forward_conf() {
        (
                config_header
 
+               # Force using TLS for upstream servers only
+               if [ "${FORCE_TLS}" = "on" ]; then
+                       echo "# Force using TLS for upstream servers only"
+                       echo "server:"
+                       echo "  tls-upstream: yes"
+                       echo
+
                # Force using TCP for upstream servers only
-               if [ "${FORCE_TCP}" = "on" ]; then
+               elif [ "${FORCE_TCP}" = "on" ]; then
                        echo "# Force using TCP for upstream servers only"
                        echo "server:"
                        echo "  tcp-upstream: yes"
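Review bot: The new `tls-upstream: yes` branch turns on TLS transport, but nothing in this hunk makes unbound authenticate the upstream server. Per the unbound documentation, connections cannot be authenticated unless a `tls-cert-bundle:` is configured, and each forwarder needs an authentication name (the `#<hostname>` suffix on `forward-addr`). Without both, traffic is encrypted but a resolver presenting any certificate is still accepted. I would emit the bundle next to the new option, e.g. `echo "  tls-cert-bundle: <path-to-CA-bundle>"` (placeholder path), and check that the `forward-addr` lines carry the server name when FORCE_TLS is on. Those lines are written outside this hunk, and the body of write_forward_conf continues past it, so this may already be handled there.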