stub-first fails with stub-tls-upstream

[isbear]

Hello.

When both stub-first and stub-tls-upstream options are enabled, unbound tries to use parent NS, but it uses TLS with them, while accessing them on the default port (53). I think it should either not use TLS on parent NS in this case, make it configurable, use tls-port, or document that this use case will fail.

[isbear]

As it turns out, I am slightly wrong here. It works, for the first query only. Then it fails for every query, that is not in the cache.
It seems, that first query on fallback sets it's iq->dp here:

unbound/iterator/iterator.c

Line 1435 in 1e0c957

if(!prime_root(qstate, iq, id, iq->qchase.qclass))

All subsequent queries on fallback set their iq->dp here:

unbound/iterator/iterator.c

Line 1616 in 1e0c957

if(prime_stub(qstate, iq, id, delname, iq->qchase.qclass)) {

In the first case copied value of dp->ssl_upstream is false, in second case it is true.
I still know too little to really understand, what all of this code does, but maybe it will help others to pinpoint the problem.
Edits: grammar