- Create the quic SSL listening context only when needed.

daemon/unbound.c

@@ -505,9 +505,11 @@ setup_sslctxs(struct daemon* daemon, struct config_file* cfg)
 		}
 #endif
 #ifdef HAVE_NGTCP2
-		if(!(daemon->listen_quic_sslctx = quic_sslctx_create(
-			cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) {
-			fatal_exit("could not set up quic SSL_CTX");
+		if(cfg_has_quic(cfg)) {
+			if(!(daemon->listen_quic_sslctx = quic_sslctx_create(
+				cfg->ssl_service_key, cfg->ssl_service_pem, NULL))) {
+				fatal_exit("could not set up quic SSL_CTX");
+			}
 		}
 #endif /* HAVE_NGTCP2 */
 	}

doc/Changelog

@@ -1,6 +1,7 @@
 20 January 2025: Yorgos
 	- Merge #1222: Unique DoT and DoH SSL contexts to allow for different
 	  ALPN.
+	- Create the quic SSL listening context only when needed.
 
 15 January 2025: Yorgos
 	- Merge #1221: Consider auth zones when checking for forwarders.

util/config_file.c

@@ -2866,3 +2866,22 @@ if_is_quic(const char* ifname, const char* port, int quic_port)
 	return 0;
 #endif
 }
+
+/** see if config contains quic turned on */
+int
+cfg_has_quic(struct config_file* cfg)
+{
+#ifndef HAVE_NGTCP2
+	(void)cfg;
+	return 0;
+#else
+	int i;
+	char portbuf[32];
+	snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
+	for(i = 0; i<cfg->num_ifs; i++) {
+		if(if_is_quic(cfg->ifs[i], portbuf, cfg->quic_port))
+			return 1;
+	}
+	return 0;
+#endif
+}

util/config_file.h

@@ -1419,6 +1419,13 @@ int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port);
 /** see if interface is quic, its port number == the quic port number */
 int if_is_quic(const char* ifname, const char* port, int quic_port);
 
+/**
+ * Return true if the config contains settings that enable quic.
+ * @param cfg: config information.
+ * @return true if quic ports are used for server.
+ */
+int cfg_has_quic(struct config_file* cfg);
+
 #ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
 #define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
 #endif