
dnsdist: Add initial DNS over TLS support #6117

Merged
merged 1 commit into from Jan 12, 2018

Conversation

rgacogne
Member

Short description

This PR adds basic support for DNS over TLS (rfc7858) using either OpenSSL or GnuTLS. It has room for improvement:

  • documentation is very sparse;
  • regression tests are almost non-existent;
  • session resumption with the GnuTLS provider only supports tickets (rfc5077);
  • client-side authentication is not supported;
  • EDNS0 Padding (rfc7830) and EDNS0 Keepalive (rfc7828) are not supported.

Comments are welcome!
Merry Christmas!

Closes #3980.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@johnhtodd

Having separate counters on this that were exposed in the metrics views would be great, so extensive protobuf tagging and post-processing isn't required to get counts of TLS-enabled queries. Thanks for doing this patch!

@rgacogne rgacogne merged commit d24089b into PowerDNS:master Jan 12, 2018
@rgacogne rgacogne deleted the ddist-dns-over-tls branch January 12, 2018 11:13
@HLFH
Contributor

HLFH commented Jan 12, 2018

@rgacogne Hi. Since you closed this issue: #3980
Is DNS over TLS supported for pdns-auth?

@Habbie
Member

Habbie commented Jan 12, 2018

@HLFH put dnsdist in front of it!

@HLFH
Contributor

HLFH commented Jan 12, 2018

@Habbie I understand now that this is initial DNS over TLS support in dnsdist. Shouldn't pdns-recursor also support it, after a new PR on the pdns repo, to comply with rfc7858? And then pdns-auth, but we have to wait for a new RFC because rfc7858 does not consider DNS over TLS for recursive-to-authoritative traffic. Correct?

@Habbie
Member

Habbie commented Jan 12, 2018

@HLFH do you have a reason to not put dnsdist in front?

@HLFH
Contributor

HLFH commented Jan 12, 2018

@Habbie I use two pdns-auth nameservers on two separate DigitalOcean droplets and one pdns-recursor resolver on a dedicated server. I can't say I need a DNS load-balancer. Do you have a good post so I can set up dnsdist for my use case, since I want DNS over TLS support?

@Habbie
Member

Habbie commented Jan 12, 2018

Just deploy dnsdist with a single backend defined, and configure TLS. For further support, please find us on IRC or on our mailing lists - https://www.powerdns.com/opensource.html
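The "single backend plus TLS" deployment described above, as an added example dnsdist configuration (Lua, dnsdist's configuration language); it is not from the PR, the thread participants or the PowerDNS project. The backend address 192.0.2.53 (a documentation address) and the certificate and key paths under /etc/dnsdist/ are placeholders, and the `provider` option is an assumption about how the OpenSSL/GnuTLS choice mentioned in the PR description is exposed:

```lua
-- Added example dnsdist.conf: front a single pdns-recursor with DNS over TLS.
-- Not part of the PR or of the PowerDNS project; addresses and paths are placeholders.

-- Who may query this instance. dnsdist's default ACL only admits private
-- (RFC 1918) and loopback ranges, so a resolver meant for clients on the
-- public Internet needs its ACL set explicitly; restrict it to the client
-- networks that should be served rather than opening it to everyone.
setACL({"192.0.2.0/24", "2001:db8::/32"})  -- placeholder client ranges

-- Plain (unencrypted) DNS listener for clients that do not use DoT yet.
setLocal("0.0.0.0:53")

-- DNS over TLS listener on the RFC 7858 port (853), using the default provider.
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")

-- Same listener on IPv6, selecting the GnuTLS provider instead of OpenSSL.
-- ASSUMPTION: the option is named "provider" and accepts "openssl" / "gnutls".
addTLSLocal("[::]:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {provider = "gnutls"})

-- The single backend: the pdns-recursor this dnsdist instance sits in front of.
-- Traffic between dnsdist and the recursor is plain DNS, so keep the two on a
-- trusted network (or the same host) and let only dnsdist face the Internet.
newServer({address = "192.0.2.53:53", name = "recursor"})
```

With this in place the recursor itself never needs TLS support: clients terminate TLS at dnsdist on port 853 and dnsdist forwards the decrypted queries to the recursor over its existing plain-DNS listener. When you check the setup, verify that port 53 on the recursor is not reachable from outside the trusted network, otherwise the encrypted front door is easy to walk around.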


Successfully merging this pull request may close these issues.

Feature request: Support for DNS-over-TLS
4 participants