From 81e04ab14cc7f511590d623df329ed94c0b2a1a9 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 13 Dec 2023 19:18:00 -0800
Subject: [PATCH] dns: add ForceAttemptHTTP2 (#7215) Per https://pkg.go.dev/net/http#hdr-HTTP_2: > The http package's Transport and Server both automatically enable HTTP/2 support for simple configurations. and https://pkg.go.dev/net/http#Transport: > // If non-nil, HTTP/2 support may not be enabled by default. > TLSClientConfig *tls.Config Since we were setting a non-default TLSClientConfig to trust custom roots, we accidentally turned off HTTP/2 support. And Unbound requires HTTP/2 to serve DoH queries. Also, clone the TLS config just to be safe against possible mutation in other packages.
---
 bdns/dns.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bdns/dns.go b/bdns/dns.go
index 32a7ad9177a..cb5febbe641 100644
--- a/bdns/dns.go
+++ b/bdns/dns.go
@@ -198,7 +198,8 @@ func New(
 hc: http.Client{
 Timeout: readTimeout,
 Transport: &http.Transport{
- TLSClientConfig: tlsConfig,
+ ForceAttemptHTTP2: true,
+ TLSClientConfig: tlsConfig.Clone(),
 },
 },
 }
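Review bot: The two added fields in the `http.Transport` literal have no comment, and the reason for them is not obvious from the code: a non-nil `TLSClientConfig` turns off net/http's automatic HTTP/2, so a later cleanup could remove `ForceAttemptHTTP2` and silently break DoH again. I would add `// A custom TLSClientConfig disables automatic HTTP/2, which the DoH server requires.` above `ForceAttemptHTTP2: true,` and `// Clone so later mutation by the caller cannot alter the trusted roots.` above the `Clone()` line. The flag only offers h2 during ALPN, and the transport still falls back to HTTP/1.1 when the server does not select it, so a test asserting `resp.ProtoMajor == 2` against the DoH test server would catch a regression; none is part of this patch. `New`'s body starts and ends outside the hunk.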