Make the DNS over HTTPS support optional

This commit adds two new autoconf options `--enable-doh` (enabled by
default) and `--with-libnghttp2` (mandatory when DoH is enabled).

When DoH support is disabled the library is not linked-in and support
for http(s) protocol is disabled in the netmgr, named and dig.

PLATFORMS.md

@@ -31,10 +31,13 @@ some of the older systems listed below, you will have to install an updated
 updated packages. The other option is to build and install `libuv` from
 source.
 
-Certain optional BIND features have additional library dependencies.
-These include `libxml2` and `libjson-c` for statistics, `libmaxminddb` for
-geolocation, `libfstrm` and `libprotobuf-c` for DNSTAP, and `libidn2` for
-internationalized domain name conversion.
+Certain optional BIND features have additional library dependencies:
+
+* `libfstrm` and `libprotobuf-c` for DNSTAP
+* `libidn2` for internationalized domain name conversion.
+* `libmaxminddb` for geolocation
+* `libnghttp2` for DNS over HTTPS
+* `libxml2` and `libjson-c` for statistics channel
 
 ISC regularly tests BIND on many operating systems and architectures, but
 lacks the resources to test all of them. Consequently, ISC is only able to

README.md

@@ -188,13 +188,15 @@ installed:
 To see a full list of configuration options, run `configure --help`.
 
 For the server to support DNSSEC, you need to build it with crypto support.
-To use OpenSSL, you should have OpenSSL 1.0.2e or newer installed. If the
+To use OpenSSL, you must have OpenSSL 1.0.2e or newer installed. If the
 OpenSSL library is installed in a nonstandard location, specify the prefix
 using `--with-openssl=<PREFIX>` on the configure command line. To use a
 PKCS#11 hardware service module for cryptographic operations, specify the
 path to the PKCS#11 provider library using `--with-pkcs11=<PREFIX>`, and
 configure BIND with `--enable-native-pkcs11`.
 
+To support DNS over HTTPS, the server must be linked with `libnghttp2`.
+
 To support the HTTP statistics channel, the server must be linked with at
 least one of the following libraries: `libxml2`
 [http://xmlsoft.org](http://xmlsoft.org) or `json-c`

bin/dig/dig.c

@@ -1426,6 +1426,7 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 			FULLCHECK6("https", "https-get", "https-post",
 				   "http-plain", "http-plain-get",
 				   "http-plain-post");
+#if HAVE_LIBNGHTTP2
 			if (lookup->https_path != NULL) {
 				isc_mem_free(mctx, lookup->https_path);
 				lookup->https_path = NULL;
@@ -1485,6 +1486,9 @@ plus_option(char *option, bool is_batchfile, bool *need_clone,
 				lookup->https_path = isc_mem_strdup(mctx,
 								    value);
 			}
+#else
+			fprintf(stderr, ";; DoH support not enabled\n");
+#endif
 			break;
 		default:
 			goto invalid_option;

bin/dig/dighost.c

@@ -2796,6 +2796,7 @@ start_tcp(dig_query_t *query) {
 					     &query->sockaddr, tcp_connected,
 					     query, local_timeout, 0,
 					     query->tlsctx);
+#if HAVE_LIBNGHTTP2
 		} else if (query->lookup->https_mode) {
 			char uri[4096] = { 0 };
 			snprintf(uri, sizeof(uri), "https://%s:%u%s",
@@ -2814,6 +2815,7 @@ start_tcp(dig_query_t *query) {
 					   uri, !query->lookup->https_get,
 					   tcp_connected, query, query->tlsctx,
 					   local_timeout, 0);
+#endif
 		} else {
 			isc_nm_tcpdnsconnect(netmgr, &localaddr,
 					     &query->sockaddr, tcp_connected,

bin/named/Makefile.am

@@ -21,6 +21,11 @@ AM_CPPFLAGS +=				\
 	$(JSON_C_CFLAGS)
 endif HAVE_JSON_C
 
+if HAVE_LIBNGHTTP2
+AM_CPPFLAGS +=				\
+	$(LIBNGHTTP2_CFLAGS)
+endif HAVE_LIBNGHTTP2
+
 if HAVE_LIBXML2
 AM_CPPFLAGS +=				\
 	$(LIBXML2_CFLAGS)
@@ -112,5 +117,10 @@ named_LDADD +=					\
 	$(JSON_C_LIBS)
 endif HAVE_JSON_C
 
+if HAVE_LIBNGHTTP2
+named_LDADD +=					\
+	$(LIBNGHTTP2_LIBS)
+endif HAVE_LIBNGHTTP2
+
 MAINTAINERCLEANFILES =				\
 	named.conf.rst

bin/named/config.c

@@ -89,9 +89,12 @@ options {\n\
 	nta-recheck 300;\n\
 #	pid-file \"" NAMED_LOCALSTATEDIR "/run/named/named.pid\"; \n\
 	port 53;\n\
-	tls-port 853;\n\
-	http-port 80;\n\
-	https-port 443;\n\
+	tls-port 853;\n"
+#if HAVE_LIBNGHTTP2
+			    "http-port 80;\n"
+			    "https-port 443;\n"
+#endif
+			    "\
 	prefetch 2 9;\n\
 	recursing-file \"named.recursing\";\n\
 	recursive-clients 1000;\n\

bin/named/main.c

@@ -485,7 +485,6 @@ printversion(bool verbose) {
 	cfg_obj_t *config = NULL;
 	const cfg_obj_t *defaults = NULL, *obj = NULL;
 #endif /* if defined(HAVE_GEOIP2) */
-	nghttp2_info *nginfo = NULL;
 
 	printf("%s%s <id:%s>\n", PACKAGE_STRING, PACKAGE_DESCRIPTION,
 	       PACKAGE_SRCID);
@@ -527,9 +526,12 @@ printversion(bool verbose) {
 	printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
 	       UV_VERSION_MINOR, UV_VERSION_PATCH);
 	printf("linked to libuv version: %s\n", uv_version_string());
+#if HAVE_LIBNGHTTP2
+	nghttp2_info *nginfo = NULL;
 	printf("compiled with libnghttp2 version: %s\n", NGHTTP2_VERSION);
 	nginfo = nghttp2_version(1);
 	printf("linked to libnghttp2 version: %s\n", nginfo->version_str);
+#endif
 #ifdef HAVE_LIBXML2
 	printf("compiled with libxml2 version: %s\n", LIBXML_DOTTED_VERSION);
 	printf("linked to libxml2 version: %s\n", xmlParserVersion);

bin/named/server.c

@@ -8626,6 +8626,7 @@ load_configuration(const char *filename, named_server_t *server,
 	maps[i++] = named_g_defaults;
 	maps[i] = NULL;
 
+#if HAVE_LIBNGHTTP2
 	obj = NULL;
 	result = named_config_get(maps, "http-port", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -8635,6 +8636,7 @@ load_configuration(const char *filename, named_server_t *server,
 	result = named_config_get(maps, "https-port", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	named_g_httpsport = (in_port_t)cfg_obj_asuint32(obj);
+#endif
 
 	/*
 	 * If bind.keys exists, load it.  If "dnssec-validation auto"

bin/tests/system/checkconf/tests.sh

@@ -75,6 +75,12 @@ do
 	n=`expr $n + 1`
 	echo_i "checking that named-checkconf detects no error in $good ($n)"
 	ret=0
+	if ! $FEATURETEST --with-libnghttp2
+	then
+		case $good in
+		good-doh-*.conf) continue;
+		esac
+	fi
 	$CHECKCONF $good > checkconf.out$n 2>&1
 	if [ $? != 0 ]; then echo_i "failed"; ret=1; fi
 	status=`expr $status + $ret`

bin/tests/system/feature-test.c

@@ -44,6 +44,7 @@ usage(void) {
 	fprintf(stderr, "\t--with-dlz-filesystem\n");
 	fprintf(stderr, "\t--with-idn\n");
 	fprintf(stderr, "\t--with-lmdb\n");
+	fprintf(stderr, "\t--with-libnghttp2\n");
 }
 
 int
@@ -171,6 +172,14 @@ main(int argc, char **argv) {
 #endif /* ifdef HAVE_LMDB */
 	}
 
+	if (strcmp(argv[1], "--with-libnghttp2") == 0) {
+#ifdef HAVE_LIBNGHTTP2
+		return (0);
+#else  /* ifdef HAVE_LMDB */
+		return (1);
+#endif /* ifdef HAVE_LMDB */
+	}
+
 	fprintf(stderr, "unknown arg: %s\n", argv[1]);
 	usage();
 	return (1);

bin/tests/test_client.c

@@ -392,6 +392,7 @@ connect_cb(isc_nmhandle_t *handle, isc_result_t eresult, void *cbarg) {
 	isc_nm_send(handle, &message, send_cb, NULL);
 }
 
+#if HAVE_LIBNGHTTP2
 static void
 sockaddr_to_url(isc_sockaddr_t *sa, const bool https, char *outbuf,
 		size_t outbuf_len, const char *append) {
@@ -418,6 +419,7 @@ sockaddr_to_url(isc_sockaddr_t *sa, const bool https, char *outbuf,
 		 saddr, sa_family == AF_INET ? "" : "]", sa_port,
 		 append ? append : "");
 }
+#endif
 
 static void
 run(void) {
@@ -437,6 +439,7 @@ run(void) {
 				     connect_cb, NULL, timeout, 0, tls_ctx);
 		break;
 	}
+#if HAVE_LIBNGHTTP2
 	case HTTP_GET:
 	case HTTPS_GET:
 	case HTTPS_POST:
@@ -455,6 +458,7 @@ run(void) {
 				   req_url, is_post, connect_cb, NULL, tls_ctx,
 				   timeout, 0);
 	} break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();

bin/tests/test_server.c

@@ -282,6 +282,7 @@ run(void) {
 					     tls_ctx, &sock);
 		break;
 	}
+#if HAVE_LIBNGHTTP2
 	case HTTPS:
 	case HTTP: {
 		bool is_https = protocol == HTTPS;
@@ -295,6 +296,7 @@ run(void) {
 						      read_cb, NULL, 0);
 		}
 	} break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();

configure.ac

@@ -572,14 +572,27 @@ AC_MSG_CHECKING([for libuv])
 PKG_CHECK_MODULES([LIBUV], [libuv >= 1.0.0], [],
 		  [AC_MSG_ERROR([libuv not found])])
 
-# libnghttp2
-AC_MSG_CHECKING([for libnghttp2])
-PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.6.0], [],
-		  [AC_MSG_ERROR([libnghttp2 not found])])
-AX_SAVE_FLAGS([libnghttp2])
+# [pairwise: --enable-doh --with-libnghttp2=auto, --enable-doh --with-libnghttp2=yes, --disable-doh]
+AC_ARG_ENABLE([doh],
+	      [AS_HELP_STRING([--disable-doh], [enable DNS over HTTPS, requires libnghttp2 (default=yes)])],
+	      [], [enable_doh=yes])
 
-CFLAGS="$CFLAGS $LIBNGHTTP2_CFLAGS"
-LIBS="$LIBS $LIBNGHTTP2_LIBS"
+# [pairwise: skip]
+AC_ARG_WITH([libnghttp2],
+	    [AS_HELP_STRING([--with-libnghttp2],
+			    [build with libnghttp2 library [yes|no|auto] (default is auto)])],
+	    [], [with_libnghttp2="auto"])
+
+AS_IF([test "$enable_doh" = "yes"],
+      [AS_CASE([$with_libnghttp2],
+	       [no],[AC_MSG_ERROR([Use '--disable-doh' to disable DoH])],
+	       [auto|yes],[PKG_CHECK_MODULES([LIBNGHTTP2], [libnghttp2 >= 1.6.0],
+					     [AC_DEFINE([HAVE_LIBNGHTTP2], [1], [Build with DoH support])],
+					     [AC_MSG_ERROR([DoH requested, but libnghttp2 not found])])],
+	       [AC_MSG_ERROR([Specifying libnghttp2 installation path is not supported, adjust PKG_CONFIG_PATH instead])])])
+
+AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])
+					  
 
 #
 # flockfile is usually provided by pthreads

lib/bind9/Makefile.am

@@ -29,3 +29,7 @@ libbind9_la_LIBADD =		\
 libbind9_la_LDFLAGS =		\
 	$(AM_LDFLAGS)		\
 	-release "$(PACKAGE_VERSION)"
+
+if HAVE_DNSTAP
+libbind9_la_CPPFLAGS += $(DNSTAP_CFLAGS)
+endif

lib/isc/Makefile.am

@@ -123,13 +123,11 @@ libisc_la_SOURCES =		\
 	$(libisc_la_HEADERS)	\
 	$(pk11_HEADERS)		\
 	$(pkcs11_HEADERS)	\
-	netmgr/http.c		\
 	netmgr/netmgr-int.h	\
 	netmgr/netmgr.c		\
 	netmgr/tcp.c		\
 	netmgr/tcpdns.c		\
 	netmgr/tlsdns.c		\
-	netmgr/tlsstream.c	\
 	netmgr/udp.c		\
 	netmgr/uv-compat.c	\
 	netmgr/uv-compat.h	\
@@ -246,6 +244,18 @@ libisc_la_LIBADD =		\
 	$(OPENSSL_LIBS)		\
 	$(ZLIB_LIBS)
 
+if HAVE_LIBNGHTTP2
+libisc_la_SOURCES +=		\
+	netmgr/http.c		\
+	netmgr/tlsstream.c
+
+libisc_la_CPPFLAGS +=		\
+	$(LIBNGHTTP2_CFLAGS)
+
+libisc_la_LIBADD +=		\
+	$(LIBNGHTTP2_LIBS)
+endif
+
 if HAVE_JSON_C
 libisc_la_CPPFLAGS +=		\
 	$(JSON_C_CFLAGS)

lib/isc/include/isc/netmgr.h

@@ -456,17 +456,6 @@ isc_nm_setstats(isc_nm_t *mgr, isc_stats_t *stats);
  *	full range of socket-related stats counter numbers.
  */
 
-isc_result_t
-isc_nm_listentls(isc_nm_t *mgr, isc_sockaddr_t *iface,
-		 isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
-		 size_t extrahandlesize, int backlog, isc_quota_t *quota,
-		 isc_tlsctx_t *sslctx, isc_nmsocket_t **sockp);
-
-void
-isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
-		  isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *ctx,
-		  unsigned int timeout, size_t extrahandlesize);
-
 void
 isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 		     isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
@@ -489,6 +478,18 @@ isc_nm_tlsdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
  * 'cb'.
  */
 
+#if HAVE_LIBNGHTTP2
+isc_result_t
+isc_nm_listentls(isc_nm_t *mgr, isc_sockaddr_t *iface,
+		 isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
+		 size_t extrahandlesize, int backlog, isc_quota_t *quota,
+		 isc_tlsctx_t *sslctx, isc_nmsocket_t **sockp);
+
+void
+isc_nm_tlsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
+		  isc_nm_cb_t cb, void *cbarg, isc_tlsctx_t *ctx,
+		  unsigned int timeout, size_t extrahandlesize);
+
 void
 isc_nm_httpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
 		   const char *uri, bool POST, isc_nm_cb_t cb, void *cbarg,
@@ -503,6 +504,7 @@ isc_nm_listenhttp(isc_nm_t *mgr, isc_sockaddr_t *iface, int backlog,
 isc_result_t
 isc_nm_http_endpoint(isc_nmsocket_t *sock, const char *uri, isc_nm_recv_cb_t cb,
 		     void *cbarg, size_t extrahandlesize);
+#endif
 
 bool
 isc_nm_is_http_handle(isc_nmhandle_t *handle);

lib/isc/netmgr/netmgr-int.h

@@ -1522,17 +1522,6 @@ void
 isc__nm_tlsdns_send(isc_nmhandle_t *handle, isc_region_t *region,
 		    isc_nm_cb_t cb, void *cbarg);
 
-void
-isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region,
-		 isc_nm_cb_t cb, void *cbarg);
-
-void
-isc__nm_tls_cancelread(isc_nmhandle_t *handle);
-
-/*%<
- * Back-end implementation of isc_nm_send() for TLSDNS handles.
- */
-
 void
 isc__nm_tlsdns_shutdown(isc_nmsocket_t *sock);
 
@@ -1582,6 +1571,18 @@ isc__nm_tlsdns_cancelread(isc_nmhandle_t *handle);
  * Stop reading on a connected TLSDNS handle.
  */
 
+#if HAVE_LIBNGHTTP2
+void
+isc__nm_tls_send(isc_nmhandle_t *handle, const isc_region_t *region,
+		 isc_nm_cb_t cb, void *cbarg);
+
+void
+isc__nm_tls_cancelread(isc_nmhandle_t *handle);
+
+/*%<
+ * Back-end implementation of isc_nm_send() for TLSDNS handles.
+ */
+
 void
 isc__nm_tls_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg);
 
@@ -1680,6 +1681,8 @@ isc__nm_httpsession_attach(isc_nm_http_session_t *source,
 void
 isc__nm_httpsession_detach(isc_nm_http_session_t **sessionp);
 
+#endif
+
 #define isc__nm_uverr2result(x) \
 	isc___nm_uverr2result(x, true, __FILE__, __LINE__, __func__)
 isc_result_t

lib/isc/netmgr/netmgr.c

@@ -954,12 +954,6 @@ process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) {
 		NETIEVENT_CASE(tcpdnsread);
 		NETIEVENT_CASE(tcpdnsstop);
 
-		NETIEVENT_CASE(tlsstartread);
-		NETIEVENT_CASE(tlssend);
-		NETIEVENT_CASE(tlsclose);
-		NETIEVENT_CASE(tlsdobio);
-		NETIEVENT_CASE(tlscancel);
-
 		NETIEVENT_CASE(tlsdnscycle);
 		NETIEVENT_CASE(tlsdnsaccept);
 		NETIEVENT_CASE(tlsdnslisten);
@@ -971,9 +965,17 @@ process_netievent(isc__networker_t *worker, isc__netievent_t *ievent) {
 		NETIEVENT_CASE(tlsdnsstop);
 		NETIEVENT_CASE(tlsdnsshutdown);
 
+#if HAVE_LIBNGHTTP2
+		NETIEVENT_CASE(tlsstartread);
+		NETIEVENT_CASE(tlssend);
+		NETIEVENT_CASE(tlsclose);
+		NETIEVENT_CASE(tlsdobio);
+		NETIEVENT_CASE(tlscancel);
+
 		NETIEVENT_CASE(httpstop);
 		NETIEVENT_CASE(httpsend);
 		NETIEVENT_CASE(httpclose);
+#endif
 
 		NETIEVENT_CASE(connectcb);
 		NETIEVENT_CASE(readcb);
@@ -1281,8 +1283,10 @@ nmsocket_cleanup(isc_nmsocket_t *sock, bool dofree FLARG) {
 	isc_mem_free(sock->mgr->mctx, sock->ah_handles);
 	isc_mutex_destroy(&sock->lock);
 	isc_condition_destroy(&sock->scond);
+#if HAVE_LIBNGHTTP2
 	isc__nm_tls_cleanup_data(sock);
 	isc__nm_http_cleanup_data(sock);
+#endif
 #ifdef NETMGR_TRACE
 	LOCK(&sock->mgr->lock);
 	ISC_LIST_UNLINK(sock->mgr->active_sockets, sock, active_link);
@@ -1395,15 +1399,17 @@ isc___nmsocket_prep_destroy(isc_nmsocket_t *sock FLARG) {
 		case isc_nm_tcpdnssocket:
 			isc__nm_tcpdns_close(sock);
 			return;
-		case isc_nm_tlssocket:
-			isc__nm_tls_close(sock);
-			break;
 		case isc_nm_tlsdnssocket:
 			isc__nm_tlsdns_close(sock);
 			return;
+#if HAVE_LIBNGHTTP2
+		case isc_nm_tlssocket:
+			isc__nm_tls_close(sock);
+			break;
 		case isc_nm_httpsocket:
 			isc__nm_http_close(sock);
 			return;
+#endif
 		default:
 			break;
 		}
@@ -1551,7 +1557,9 @@ isc___nmsocket_init(isc_nmsocket_t *sock, isc_nm_t *mgr, isc_nmsocket_type type,
 
 	atomic_init(&sock->active_child_connections, 0);
 
+#if HAVE_LIBNGHTTP2
 	isc__nm_http_initsocket(sock);
+#endif
 
 	sock->magic = NMSOCK_MAGIC;
 }
@@ -1699,10 +1707,12 @@ isc___nmhandle_get(isc_nmsocket_t *sock, isc_sockaddr_t *peer,
 		break;
 	}
 
+#if HAVE_LIBNGHTTP2
 	if (sock->type == isc_nm_httpsocket && sock->h2.session) {
 		isc__nm_httpsession_attach(sock->h2.session,
 					   &handle->httpsession);
 	}
+#endif
 
 	return (handle);
 }
@@ -1839,9 +1849,11 @@ nmhandle_detach_cb(isc_nmhandle_t **handlep FLARG) {
 		handle->doreset(handle->opaque);
 	}
 
+#if HAVE_LIBNGHTTP2
 	if (sock->type == isc_nm_httpsocket && handle->httpsession != NULL) {
 		isc__nm_httpsession_detach(&handle->httpsession);
 	}
+#endif
 
 	nmhandle_deactivate(sock, handle);
 
@@ -2335,12 +2347,14 @@ isc_nmhandle_cleartimeout(isc_nmhandle_t *handle) {
 	REQUIRE(VALID_NMSOCK(handle->sock));
 
 	switch (handle->sock->type) {
+#if HAVE_LIBNGHTTP2
 	case isc_nm_httpsocket:
 		isc__nm_http_cleartimeout(handle);
 		return;
 	case isc_nm_tlssocket:
 		isc__nm_tls_cleartimeout(handle);
 		return;
+#endif
 	default:
 		handle->sock->read_timeout = 0;
 
@@ -2356,12 +2370,14 @@ isc_nmhandle_settimeout(isc_nmhandle_t *handle, uint32_t timeout) {
 	REQUIRE(VALID_NMSOCK(handle->sock));
 
 	switch (handle->sock->type) {
+#if HAVE_LIBNGHTTP2
 	case isc_nm_httpsocket:
 		isc__nm_http_settimeout(handle, timeout);
 		return;
 	case isc_nm_tlssocket:
 		isc__nm_tls_settimeout(handle, timeout);
 		return;
+#endif
 	default:
 		handle->sock->read_timeout = timeout;
 		isc__nmsocket_timer_restart(handle->sock);
@@ -2472,15 +2488,17 @@ isc_nm_send(isc_nmhandle_t *handle, isc_region_t *region, isc_nm_cb_t cb,
 	case isc_nm_tcpdnssocket:
 		isc__nm_tcpdns_send(handle, region, cb, cbarg);
 		break;
-	case isc_nm_tlssocket:
-		isc__nm_tls_send(handle, region, cb, cbarg);
-		break;
 	case isc_nm_tlsdnssocket:
 		isc__nm_tlsdns_send(handle, region, cb, cbarg);
 		break;
+#if HAVE_LIBNGHTTP2
+	case isc_nm_tlssocket:
+		isc__nm_tls_send(handle, region, cb, cbarg);
+		break;
 	case isc_nm_httpsocket:
 		isc__nm_http_send(handle, region, cb, cbarg);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -2508,15 +2526,17 @@ isc_nm_read(isc_nmhandle_t *handle, isc_nm_recv_cb_t cb, void *cbarg) {
 	case isc_nm_tcpdnssocket:
 		isc__nm_tcpdns_read(handle, cb, cbarg);
 		break;
-	case isc_nm_tlssocket:
-		isc__nm_tls_read(handle, cb, cbarg);
-		break;
 	case isc_nm_tlsdnssocket:
 		isc__nm_tlsdns_read(handle, cb, cbarg);
 		break;
+#if HAVE_LIBNGHTTP2
+	case isc_nm_tlssocket:
+		isc__nm_tls_read(handle, cb, cbarg);
+		break;
 	case isc_nm_httpsocket:
 		isc__nm_http_read(handle, cb, cbarg);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -2540,9 +2560,11 @@ isc_nm_cancelread(isc_nmhandle_t *handle) {
 	case isc_nm_tlsdnssocket:
 		isc__nm_tlsdns_cancelread(handle);
 		break;
+#if HAVE_LIBNGHTTP2
 	case isc_nm_tlssocket:
 		isc__nm_tls_cancelread(handle);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -2559,9 +2581,11 @@ isc_nm_pauseread(isc_nmhandle_t *handle) {
 	case isc_nm_tcpsocket:
 		isc__nm_tcp_pauseread(handle);
 		break;
+#if HAVE_LIBNGHTTP2
 	case isc_nm_tlssocket:
 		isc__nm_tls_pauseread(handle);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -2578,9 +2602,11 @@ isc_nm_resumeread(isc_nmhandle_t *handle) {
 	case isc_nm_tcpsocket:
 		isc__nm_tcp_resumeread(handle);
 		break;
+#if HAVE_LIBNGHTTP2
 	case isc_nm_tlssocket:
 		isc__nm_tls_resumeread(handle);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();
@@ -2601,15 +2627,17 @@ isc_nm_stoplistening(isc_nmsocket_t *sock) {
 	case isc_nm_tcplistener:
 		isc__nm_tcp_stoplistening(sock);
 		break;
-	case isc_nm_tlslistener:
-		isc__nm_tls_stoplistening(sock);
-		break;
 	case isc_nm_tlsdnslistener:
 		isc__nm_tlsdns_stoplistening(sock);
 		break;
+#if HAVE_LIBNGHTTP2
+	case isc_nm_tlslistener:
+		isc__nm_tls_stoplistening(sock);
+		break;
 	case isc_nm_httplistener:
 		isc__nm_http_stoplistening(sock);
 		break;
+#endif
 	default:
 		INSIST(0);
 		ISC_UNREACHABLE();

lib/isc/tests/Makefile.am

@@ -19,7 +19,6 @@ check_PROGRAMS =	\
 	buffer_test	\
 	counter_test	\
 	crc64_test	\
-	doh_test	\
 	errno_test	\
 	file_test	\
 	hash_test	\
@@ -48,15 +47,21 @@ check_PROGRAMS =	\
 	time_test	\
 	timer_test
 
+if HAVE_LIBNGHTTP2
+check_PROGRAMS +=	\
+	doh_test
+
 doh_test_CPPFLAGS =	\
 	$(AM_CPPFLAGS)	\
 	$(LIBUV_CFLAGS)	\
+	$(LIBNGHTTP2_CFLAGS)	\
 	$(OPENSSL_CFLAGS)
 
 doh_test_LDADD =	\
 	$(LDADD)	\
-	$(LIBUV_LIBS)	\
-	$(OPENSSL_LIBS)
+	$(LIBNGHTTP2_LIBS)	\
+	$(LIBUV_LIBS)
+endif HAVE_LIBNGHTTP2
 
 hmac_test_CPPFLAGS =	\
 	$(AM_CPPFLAGS)	\

lib/isc/tests/netmgr_test.c

@@ -1145,14 +1145,18 @@ tcp_connect(isc_nm_t *nm) {
 			  connect_connect_cb, NULL, T_CONNECT, 0);
 }
 
+#if HAVE_LIBNGHTTP2
 static void
 tls_connect(isc_nm_t *nm);
+#endif
 
 static stream_connect_function
 get_stream_connect_function(void) {
+#if HAVE_LIBNGHTTP2
 	if (stream_use_TLS) {
 		return (tls_connect);
 	}
+#endif
 	return (tcp_connect);
 }
 
@@ -1161,16 +1165,19 @@ stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
 	      size_t extrahandlesize, int backlog, isc_quota_t *quota,
 	      isc_nmsocket_t **sockp) {
 	isc_result_t result = ISC_R_SUCCESS;
+
+#if HAVE_LIBNGHTTP2
 	if (stream_use_TLS) {
 		result = isc_nm_listentls(listen_nm, &tcp_listen_addr,
 					  accept_cb, accept_cbarg,
 					  extrahandlesize, backlog, quota,
 					  tcp_listen_tlsctx, sockp);
-	} else {
-		result = isc_nm_listentcp(
-			listen_nm, &tcp_listen_addr, accept_cb, accept_cbarg,
-			extrahandlesize, backlog, quota, sockp);
+		return (result);
 	}
+#endif
+	result = isc_nm_listentcp(listen_nm, &tcp_listen_addr, accept_cb,
+				  accept_cbarg, extrahandlesize, backlog, quota,
+				  sockp);
 
 	return (result);
 }
@@ -1178,15 +1185,16 @@ stream_listen(isc_nm_accept_cb_t accept_cb, void *accept_cbarg,
 static void
 stream_connect(isc_nm_cb_t cb, void *cbarg, unsigned int timeout,
 	       size_t extrahandlesize) {
+#if HAVE_LIBNGHTTP2
 	if (stream_use_TLS) {
 		isc_nm_tlsconnect(connect_nm, &tcp_connect_addr,
 				  &tcp_listen_addr, cb, cbarg,
 				  tcp_connect_tlsctx, timeout, extrahandlesize);
-	} else {
-		isc_nm_tcpconnect(connect_nm, &tcp_connect_addr,
-				  &tcp_listen_addr, cb, cbarg, timeout,
-				  extrahandlesize);
+		return;
 	}
+#endif
+	isc_nm_tcpconnect(connect_nm, &tcp_connect_addr, &tcp_listen_addr, cb,
+			  cbarg, timeout, extrahandlesize);
 }
 
 static void
@@ -2121,6 +2129,7 @@ tcpdns_half_recv_half_send(void **state __attribute__((unused))) {
 
 /* TLS */
 
+#if HAVE_LIBNGHTTP2
 static void
 tls_connect(isc_nm_t *nm) {
 	isc_nm_tlsconnect(nm, &tcp_connect_addr, &tcp_listen_addr,
@@ -2301,6 +2310,7 @@ tls_half_recv_half_send_quota_sendback(void **state) {
 	atomic_store(&check_listener_quota, true);
 	stream_half_recv_half_send(state);
 }
+#endif
 
 /* TLSDNS */
 
@@ -2833,6 +2843,7 @@ main(void) {
 		cmocka_unit_test_setup_teardown(tcpdns_half_recv_half_send,
 						nm_setup, nm_teardown),
 
+#if HAVE_LIBNGHTTP2
 		/* TLS */
 		cmocka_unit_test_setup_teardown(tls_noop, nm_setup,
 						nm_teardown),
@@ -2886,6 +2897,7 @@ main(void) {
 		cmocka_unit_test_setup_teardown(
 			tls_half_recv_half_send_quota_sendback, nm_setup,
 			nm_teardown),
+#endif
 
 		/* TLSDNS */
 		cmocka_unit_test_setup_teardown(tlsdns_recv_one, nm_setup,

lib/isc/tests/result_test.c

@@ -14,6 +14,7 @@
 #include <setjmp.h>
 #include <stdarg.h>
 #include <stddef.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
@@ -73,6 +74,7 @@ tables(void **state) {
 		assert_non_null(str);
 		assert_string_not_equal(str, "(result code text not "
 					     "available)");
+		fprintf(stderr, "%u < %u\n", result, (unsigned)ISC_R_NRESULTS);
 	}
 
 	str = isc_result_toid(result);

lib/isc/tls.c

@@ -10,7 +10,9 @@
  */
 
 #include <inttypes.h>
+#if HAVE_LIBNGHTTP2
 #include <nghttp2/nghttp2.h>
+#endif /* HAVE_LIBNGHTTP2 */
 
 #include <openssl/bn.h>
 #include <openssl/conf.h>
@@ -388,6 +390,7 @@ isc_tls_free(isc_tls_t **tlsp) {
 	*tlsp = NULL;
 }
 
+#if HAVE_LIBNGHTTP2
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /*
  * NPN TLS extension client callback.
@@ -480,3 +483,4 @@ isc_tls_get_http2_alpn(isc_tls_t *tls, const unsigned char **alpn,
 	}
 #endif
 }
+#endif /* HAVE_LIBNGHTTP2 */

lib/isccfg/namedconf.c

@@ -161,8 +161,13 @@ static cfg_type_t cfg_type_tkey_dhkey = { "tkey-dhkey",	   cfg_parse_tuple,
 static cfg_tuplefielddef_t listenon_tuple_fields[] = {
 	{ "port", &cfg_type_optional_port, 0 },
 	{ "dscp", &cfg_type_uint32, 0 },
+#if HAVE_LIBNGHTTP2
 	{ "tls", &cfg_type_astring, 0 },
 	{ "http", &cfg_type_astring, 0 },
+#else
+	{ "tls", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "http", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
 	{ NULL, NULL, 0 }
 };
 static cfg_type_t cfg_type_listen_tuple = {
@@ -1244,8 +1249,13 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "pid-file", &cfg_type_qstringornone, 0 },
 	{ "port", &cfg_type_uint32, 0 },
 	{ "tls-port", &cfg_type_uint32, 0 },
+#if HAVE_LIBNGHTTP2
 	{ "http-port", &cfg_type_uint32, 0 },
 	{ "https-port", &cfg_type_uint32, 0 },
+#else
+	{ "http-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "https-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
 	{ "querylog", &cfg_type_boolean, 0 },
 	{ "random-device", &cfg_type_qstringornone, 0 },
 	{ "recursing-file", &cfg_type_qstring, 0 },

lib/ns/interfacemgr.c

@@ -540,6 +540,7 @@ ns_interface_listentls(ns_interface_t *ifp, isc_tlsctx_t *sslctx) {
 static isc_result_t
 ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
 			size_t neps) {
+#if HAVE_LIBNGHTTP2
 	isc_result_t result;
 	isc_nmsocket_t *sock = NULL;
 
@@ -581,6 +582,13 @@ ns_interface_listenhttp(ns_interface_t *ifp, isc_tlsctx_t *sslctx, char **eps,
 	}
 
 	return (result);
+#else
+	UNUSED(ifp);
+	UNUSED(sslctx);
+	UNUSED(eps);
+	UNUSED(neps);
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 static isc_result_t

lib/ns/query.c

@@ -12029,6 +12029,7 @@ ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) {
 			break; /* Let the query logic handle it. */
 		case dns_rdatatype_ixfr:
 		case dns_rdatatype_axfr:
+#if HAVE_LIBNGHTTP2
 			if (isc_nm_is_http_handle(handle)) {
 				/* We cannot use DoH for zone transfers.
 				 * According to RFC8484 a DoH request contains
@@ -12044,9 +12045,10 @@ ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) {
 				 * the best thing we can do is to return "not
 				 * implemented". */
 				query_error(client, DNS_R_NOTIMP, __LINE__);
-			} else {
-				ns_xfr_start(client, rdataset->type);
+				return;
 			}
+#endif
+			ns_xfr_start(client, rdataset->type);
 			return;
 		case dns_rdatatype_maila:
 		case dns_rdatatype_mailb: