Hello,

> The unbound init and the cgi scripts use dig 9.11.3, which has no
> native support for TLS. I'm trying to configure stunnel to act as MITM
> so that dig can succeed. I hope to restrict unbound to port 853 for
> listen and send, and use stunnel to listen on port 53 and forward to
> 853.

As far as I am aware, the knot-utils from CZ.NIC are capable of DNS over TLS. Maybe we should think about moving to them, or wait until bind-utils/dig are updated (not sure if we are running the latest version anyway).

Best regards,
Peter Müller