DoH support is disabled

Bug #1927877 reported by Dominic
This bug affects 1 person
Affects           Status        Importance  Assigned to  Milestone
unbound (Debian)  Fix Released  Unknown
unbound (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

NLnetLabs has added DNS-over-HTTPS support to Unbound as of release 1.12.0. The current Ubuntu package delivering this release however has no DoH support.

For DoH to work, Unbound simply would need to be compiled with the nghttp2 library.

Revision history for this message
Paride Legovini (paride) wrote :

Hello Dominic and thanks for this bug report. I agree it would make sense to add DoH support in the current Ubuntu development release (Impish), however I think the required change should ideally be made in Debian (rationale: avoid adding a delta to a sync and we're early in the devel cycle). Ubuntu will then inherit DoH support with the next package sync.

There's an active Debian bug about this: [1]. I'll link it to this Ubuntu bug to make it easy to follow progress.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973793

Changed in unbound (Ubuntu):
status: New → Triaged
Revision history for this message
Dominic (triatic) wrote :

Thanks, I mostly copied the bug report from the Debian package. Is there someone here that can nudge the package managers at Debian?

Changed in unbound (Debian):
status: Unknown → New
Revision history for this message
Utkarsh Gupta (utkarsh) wrote :

Hi Dominic,

I've pinged Robert Edmonds on the MR. Let's see if that works. Thanks!

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

In case the MR is not addressed when we approach our feature freeze, we could consider including it as a delta to enable DNS-over-HTTPS support in unbound.

Revision history for this message
Dominic (triatic) wrote :

I would support this, DNS-over-HTTPS is increasing in usage and its omission is frustrating. I had to compile from source on Hirsute to enable it.

Revision history for this message
Paride Legovini (paride) wrote :
Revision history for this message
Dominic (triatic) wrote :

The Debian MR has still not been actioned. Can we now consider enabling DoH support in Ubuntu's Unbound package?

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thank you for your interest in this feature, Dominic.

There is still some time before Ubuntu's Feature Freeze, but I think we can consider including this feature in the Ubuntu unbound because of the radio silence from the Debian side (which is completely understandable, because Debian is currently in freeze).

Someone from the Ubuntu Server team will start working on this in the next days.

Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

The patch proposed at

https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/unbound/+git/unbound/+merge/405055

enables DoH for unbound.

The change can be tested using the upstream test "dohclient". One possible way of reproducing the bug and verifying the changes follows:

Create the testing binary:

$ git ubuntu clone unbound
$ cd unbound
$ ./configure --with-libnghttp2
$ make dohclient

Install unbound:

# apt-get install unbound

Configure unbound by appending the following to /etc/unbound/unbound.conf:

server:
 interface: 127.0.0.1@443
 tls-service-key: "/etc/unbound/unbound_server.key"
 tls-service-pem: "/etc/unbound/unbound_server.pem"
 https-port: 443

Restart unbound:
$ systemctl restart unbound

Test DoH support:
$ ./dohclient -s 127.0.0.1 nlnetlabs.nl AAAA IN

Which outputs:
> nghttp2 session mem_recv failed

Finally, install the fixed package, as proposed in the linked MP, restart unbound, and verify DoH support again:
$ ./dohclient -s 127.0.0.1 nlnetlabs.nl AAAA IN

Which outputs a proper response, including
> :status 200

which should confirm the fix.
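
Added example, not part of the thread and not code from Ubuntu or NLnet Labs: a preflight for the test procedure above that separates "package built without nghttp2" from "unbound.conf lacks a DoH prerequisite". The function names and sample inputs are hypothetical; it assumes `unbound -V` prints a "Configure line:" entry and that the configuration is a single file.

```shell
#!/bin/sh
# Added example: preflight checks for the DoH test procedure above.
# Both functions read stdin, so they can be exercised offline.

# Succeeds when `unbound -V` output shows a build configured with nghttp2.
doh_built_in() {
    grep '^Configure line:' | grep -q -- '--with-libnghttp2'
}

# Prints one line per missing DoH prerequisite in an unbound.conf on stdin;
# returns 0 and prints nothing when all prerequisites are present.
# Does not follow include: directives.
doh_conf_problems() {
    awk '
        { sub(/#.*/, "") }                       # strip comments
        $1 == "https-port:"      { port = $2 }
        $1 == "interface:"       { ifaces[++n] = $2 }
        $1 == "tls-service-key:" { key = 1 }
        $1 == "tls-service-pem:" { pem = 1 }
        END {
            if (port == "") port = 443           # unbound default https-port
            for (i = 1; i <= n; i++)
                if (ifaces[i] ~ ("@" port "$")) listen = 1
            if (!listen) { print "no interface listens on https-port " port; bad = 1 }
            if (!key)    { print "tls-service-key is not set"; bad = 1 }
            if (!pem)    { print "tls-service-pem is not set"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_V_NO_DOH='Version 1.13.1
Configure line: --prefix=/usr --with-libevent'
SAMPLE_V_DOH='Version 1.13.1
Configure line: --prefix=/usr --with-libevent --with-libnghttp2'
SAMPLE_CONF='server:
 interface: 127.0.0.1@443
 tls-service-key: "/etc/unbound/unbound_server.key"
 tls-service-pem: "/etc/unbound/unbound_server.pem"
 https-port: 443'

# Demo on the samples; on a live host use:
#   unbound -V | doh_built_in
#   doh_conf_problems < /etc/unbound/unbound.conf
printf '%s\n' "$SAMPLE_V_NO_DOH" | doh_built_in || echo "build: no nghttp2"
printf '%s\n' "$SAMPLE_CONF" | doh_conf_problems && echo "config: ok"
```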

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unbound - 1.13.1-1ubuntu1

---------------
unbound (1.13.1-1ubuntu1) impish; urgency=medium

  * Enable DNS-over-HTTPS support (LP: #1927877)
    - d/control: add Build-Depends on libnghttp2-dev
    - d/rules: compile with libnghttp2

 -- Athos Ribeiro <email address hidden> Thu, 01 Jul 2021 11:16:26 -0300

Changed in unbound (Ubuntu):
status: Triaged → Fix Released
Changed in unbound (Debian):
status: New → Confirmed
Changed in unbound (Debian):
status: Confirmed → Fix Committed
Changed in unbound (Debian):
status: Fix Committed → Fix Released