dns: add ForceAttemptHTTP2 (#7215)

Per https://pkg.go.dev/net/http#hdr-HTTP_2: > The http package's Transport and Server both automatically enable HTTP/2 support for simple configurations. and https://pkg.go.dev/net/http#Transport: > // If non-nil, HTTP/2 support may not be enabled by default. > TLSClientConfig *tls.Config Since we were setting a non-default TLSClientConfig to trust custom roots, we accidentally turned off HTTP/2 support. And Unbound requires HTTP/2 to serve DoH queries. Also, clone the TLS config just to be safe against possible mutation in other packages.
letsencrypt · Dec 14, 2023 · 81e04ab · 81e04ab
1 parent 289284a
commit 81e04ab
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/bdns/dns.go b/bdns/dns.go
@@ -198,7 +198,8 @@ func New(
 			hc: http.Client{
 				Timeout: readTimeout,
 				Transport: &http.Transport{
-					TLSClientConfig: tlsConfig,
+					ForceAttemptHTTP2: true,
+					TLSClientConfig:   tlsConfig.Clone(),
 				},
 			},
 		}