NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream #1128

Open MegaManSec opened 3 weeks ago

MegaManSec commented 3 weeks ago

Hello,

I am not sure if this is a bug or intentional, but thought I would report it here anyways.

I currently use unbound with an upstream DoT server. I use forward-tls-upstream to ensure that all of the upstream requests implicitly use TLS (in case of bugs like https://github.com/NLnetLabs/unbound/issues/676).

However, I would also like to use forward-tls-upstream to implicitly set some domains to be resolved via an upstream server over normal DNS over UDP. As such, I have the following configuration:

server:
    tcp-upstream: yes
    tls-upstream: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: .
    forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
    forward-tls-upstream: no
    forward-tcp-upstream: no

My expectation is that when wlan.schiphol.nl is resolved, the 192.168.127.97 server is used via standard DNS over UDP, without encryption. Unfortunately it seems that neither forward-tls-upstream nor forward-tcp-upstream (either together or separately) take preference over the server: setting.

Unbound Version 1.21.0 on FreeBSD13.

wcawijngaards commented 2 weeks ago

The forward-tls-upstream and forward-tcp-upstream only take precedence over the server: setting when they enable the setting. For disabling, they do not override the server setting.

If it is needed to have separate options for tls and tcp for particular forward-zone and stub-zone entries, do not use the global server settings but instead configure all of the forward-zone and stub-zone entries individually with the forward-tls-upstream, forward-tcp-upstream, stub-tls-upstream and stub-tcp-upstream options. That leaves the tcp-upstream and tls-upstream settings at the default no, in the server: section. In the individual stub-zone and forward-zone sections it can then be configured in detail.
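The precedence rule the maintainer describes, worked through against both configurations, as an added example that is not part of this issue or of Unbound's own code: a tiny reader for the subset of unbound.conf syntax used here, and a model of the rule that a per-zone forward-tls-upstream/forward-tcp-upstream "yes" adds a transport while a per-zone "no" cannot remove a global "yes". The parser, the helper names and the "recommended" configuration text (the issue's config with the server: transport options dropped and TLS enabled on the "." forward-zone instead) are assumptions made for this illustration; the rule itself is taken from the comment above, and the model is not Unbound's implementation.

```python
"""Model of how Unbound combines global tcp-upstream / tls-upstream with the
per-zone forward-*-upstream options, following the maintainer's description in
this issue: a per-zone "yes" enables the transport, a per-zone "no" does not
override a global "yes". Added illustration, not Unbound's source; the parser
reads only the small subset of unbound.conf syntax used in this issue."""

# Constructed from the configuration posted in the issue.
ISSUE_CONFIG = """
server:
    tcp-upstream: yes
    tls-upstream: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: .
    forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
    forward-tls-upstream: no
    forward-tcp-upstream: no
"""

# Constructed rewrite following the maintainer's advice: leave the server:
# transport options at their default (no) and enable TLS per zone instead.
RECOMMENDED_CONFIG = """
server:
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: .
    forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net
    forward-tls-upstream: yes

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
"""


def parse_config(text):
    """Return {'server': {...}, 'zones': [{...}, ...]} from 'section:' headers
    followed by 'key: value' lines. Only whole-line comments start with '#';
    a '#' inside a value (the auth name in 'addr@port#name') stays in the value."""
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # a bare 'name:' line opens a section
            if key == "server":
                current = server
            elif key in ("forward-zone", "stub-zone"):
                current = {"_type": key}
                zones.append(current)
            else:
                raise ValueError("unsupported section: %r" % key)
            continue
        if current is None:
            raise ValueError("option outside any section: %r" % raw)
        current[key] = value
    return {"server": server, "zones": zones}


def _yes(value):
    return value.strip().lower() == "yes"


def effective_transport(cfg, zone_name):
    """Transport used for queries to the named zone's servers under the rule
    from the maintainer's comment: the per-zone option is OR-ed with the global
    one, so it can only enable a transport, never disable it."""
    zone = next(z for z in cfg["zones"] if z.get("name") == zone_name)
    prefix = "forward" if zone["_type"] == "forward-zone" else "stub"
    server = cfg["server"]
    tls = _yes(server.get("tls-upstream", "no")) or _yes(zone.get(prefix + "-tls-upstream", "no"))
    tcp = _yes(server.get("tcp-upstream", "no")) or _yes(zone.get(prefix + "-tcp-upstream", "no"))
    if tls:
        return "tls"  # DNS over TLS (carried over TCP)
    if tcp:
        return "tcp"  # plain DNS over TCP
    return "udp"      # plain DNS over UDP


def summarize(text):
    """Map every configured zone name to its effective upstream transport."""
    cfg = parse_config(text)
    return {z["name"]: effective_transport(cfg, z["name"]) for z in cfg["zones"]}


if __name__ == "__main__":
    for label, conf in (("issue config", ISSUE_CONFIG), ("recommended config", RECOMMENDED_CONFIG)):
        print(label, summarize(conf))
```

Running it shows the behaviour reported in the issue: with the global options set, wlan.schiphol.nl still resolves over TLS despite the per-zone "no", while the rewritten configuration keeps TLS for "." and sends the local zone over plain UDP. The check worth keeping is the summary itself: after any change to server: transport options, confirm the transport of every forward-zone and stub-zone is the one you intended, since a global "yes" silently applies to all of them.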