too easy to configure unencrypted DoH
Unencrypted DoH sessions may be useful in some operational circumstances (for instance, when load-sharing behind a reverse proxy), but those cases are not typical. If someone omits the `tls` parameter in a `listen-on` statement that specifies `http`, it's more likely they did so by mistake than on purpose. We should prevent this by requiring a `tls` parameter whenever `http` is used. If encryption is not wanted, `tls none` can be used.
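The check proposed above can be run as a configuration audit. The following is an added example, not part of the original issue and not BIND's own code: it scans a `named.conf` for `listen-on` statements that name `http` and reports whether `tls` is missing, explicitly `none`, or set. The sample configuration, its names (`local-tls`, `local`), ports and paths are constructed for illustration, and the comment stripping is simplified (it does not handle comment markers inside quoted strings).

```python
import re

# Constructed sample named.conf fragment (not from the issue); names are illustrative.
SAMPLE = '''
tls local-tls { key-file "/etc/bind/key.pem"; cert-file "/etc/bind/cert.pem"; };
http local { endpoints { "/dns-query"; }; };
options {
    listen-on port 53 { any; };                       // plain DNS, not DoH
    listen-on port 443 tls local-tls http local { any; };  # encrypted DoH
    listen-on port 8080 http local { 127.0.0.1; };    /* tls omitted */
    listen-on-v6 port 8081 tls none http local { ::1; };
};
'''

# named.conf accepts C, C++ and shell style comments.
COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# Capture the parameters between the keyword and the address-match list.
LISTEN = re.compile(r'\b(listen-on(?:-v6)?)\b([^{};]*)\{')


def audit(conf):
    """Return (statement, verdict) for every listen-on that carries http."""
    findings = []
    text = COMMENTS.sub('', conf)
    for m in LISTEN.finditer(text):
        words = m.group(2).split()
        params = dict(zip(words[0::2], words[1::2]))  # keyword/value pairs
        if 'http' not in params:
            continue  # ordinary DNS listener, out of scope
        stmt = f"{m.group(1)} {' '.join(words)}"
        if 'tls' not in params:
            verdict = 'missing-tls'          # the accidental cleartext case
        elif params['tls'] == 'none':
            verdict = 'explicit-cleartext'   # deliberate, e.g. behind a proxy
        else:
            verdict = 'encrypted'
        findings.append((stmt, verdict))
    return findings


if __name__ == '__main__':
    for stmt, verdict in audit(SAMPLE):
        print(f'{verdict:20} {stmt}')
```
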