Filippo Valsorda @FiloSottile, 6 tweets, 2 min read
Can't believe that two versions after introducing support for DNS-over-TLS, unbound still makes a new TLS connection (handshake and everything) *for every DNS request*.
I'm convinced that while DNS-over-TLS makes more sense as a protocol than DNS-over-HTTPS (DNS requests are small and have unique IDs), the DNS software ecosystem is just unprepared to handle DoT, while there's solid software to reuse for DoH.
Today my DNS resolver broke, as it does (is it the chroot? the python bindings? the DNSSEC anchor? the DoT proxy? who knows!), so I decided to take another look at connection reuse support, 6 months later. AFAICT, nope. Nothing.
What I _did_ find is that when linked against OpenSSL 1.0.2 (the Homebrew default), Unbound does not check TLS certificates. There's a note in the docs so I guess it's fine.

> The cert name match code needs OpenSSL 1.1.0 or later to be enabled.

(╯°□°)╯︵ ┻━┻
Everywhere I look in the ecosystem there are C parsers, frustrating UX, suspect OpenSSL bindings, hand-rolled concurrency, bad connection management.

Thing is, Go spoiled me. I want to rebuild it all with miekg/dns, some goroutines, net/http and crypto/tls.
(The DNS-over-HTTPS stub part, that is. I am cursed with DNS opinions and there's no chance I'm reimplementing any of the actual cache, hardening, minimisation, prefetching, DNSSEC, and recursion logic. I blame @OGudm.)
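Added example, not the author's code: a minimal DNS-over-TLS stub in standard-library Go that does the two things the thread says the ecosystem gets wrong. One crypto/tls connection is opened with ServerName set (so the certificate name is actually checked) and then reused for many RFC 7858 length-prefixed queries, each reply matched to its request by transaction ID. The function names, the port 853 default, and the hand-rolled A-record query encoding are assumptions; miekg/dns is deliberately not used so the block runs offline.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"io"
	"strings"
)

// Dial opens ONE TLS connection (DoT port 853) to be reused for every query.
// Setting ServerName makes crypto/tls verify the chain and certificate name.
func Dial(host string) (*tls.Conn, error) {
	return tls.Dial("tcp", host+":853", &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12})
}

// BuildQuery encodes a minimal DNS query: 12-byte header with RD set, one A question.
func BuildQuery(id uint16, name string) ([]byte, error) {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, errors.New("invalid label in " + name)
		}
		msg = append(append(msg, byte(len(label))), label...)
	}
	return append(msg, 0, 0, 1, 0, 1), nil // root label, QTYPE A, QCLASS IN
}

// Exchange sends one query with the 2-byte length prefix DNS over TCP/TLS uses
// and returns the reply, rejecting one whose transaction ID differs from q's.
func Exchange(conn io.ReadWriter, q []byte) ([]byte, error) {
	frame := make([]byte, 2, 2+len(q))
	binary.BigEndian.PutUint16(frame, uint16(len(q)))
	if _, err := conn.Write(append(frame, q...)); err != nil {
		return nil, err
	}
	var hdr [2]byte
	if _, err := io.ReadFull(conn, hdr[:]); err != nil {
		return nil, err
	}
	resp := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	if _, err := io.ReadFull(conn, resp); err != nil {
		return nil, err
	}
	if len(q) < 12 || len(resp) < 12 || binary.BigEndian.Uint16(resp) != binary.BigEndian.Uint16(q) {
		return nil, errors.New("malformed message or transaction ID mismatch")
	}
	return resp, nil
}
```

Several queries share the connection returned by Dial; callers serialize their use of it (a mutex around Exchange is enough for a stub).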