too easy to configure unencrypted DoH
Unencrypted DoH sessions may be useful in some operational circumstances (for instance, when load-sharing behind a reverse proxy), but those cases are not typical. If someone omits the `tls` parameter in a `listen-on` statement that specifies `http`, it's more likely they did so by mistake than on purpose. We should prevent this by requiring a `tls` parameter whenever `http` is used. If encryption is not wanted, `tls none` can be used.
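
Until the server enforces this, the same rule can be applied to a configuration file with a lint pass. The following is an added example, not part of the original issue or of BIND's code: the sample configuration is constructed, the TLS block name `local-tls` is hypothetical, and the regex parser assumes flat address lists and no comment characters inside quoted strings.

```python
import re

# Constructed sample named.conf fragment (not from the issue).
# "local-tls" is a hypothetical name for a tls block defined elsewhere.
SAMPLE_CONF = """
options {
    listen-on port 53 { any; };                          # plain DNS
    listen-on port 443 tls local-tls http default { any; };
    listen-on port 8080 http default { 127.0.0.1; };     // tls omitted
    listen-on-v6 port 8080 tls none http default { ::1; };
    /* listen-on port 8443 http default { any; }; */
};
"""

# Comments in the three styles named.conf accepts: /* */, // and #
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# A listen-on / listen-on-v6 statement: parameters, then the address list.
LISTEN_RE = re.compile(r"\b(listen-on(?:-v6)?)\b([^{};]*)\{([^}]*)\}\s*;")


def audit_listen_on(conf_text):
    """Return (statement, verdict) for every listen-on that specifies http."""
    findings = []
    for m in LISTEN_RE.finditer(COMMENT_RE.sub(" ", conf_text)):
        words = m.group(2).split()
        # Parameters are keyword/value pairs: port N, tls NAME, http NAME.
        params = dict(zip(words[0::2], words[1::2]))
        if "http" not in params:
            continue  # ordinary DNS listener, out of scope for this check
        stmt = " ".join(m.group(0).split())
        if "tls" not in params:
            verdict = "missing-tls"         # ambiguous: likely a mistake
        elif params["tls"] == "none":
            verdict = "explicit-cleartext"  # deliberate, e.g. behind a proxy
        else:
            verdict = "encrypted"
        findings.append((stmt, verdict))
    return findings


if __name__ == "__main__":
    for stmt, verdict in audit_listen_on(SAMPLE_CONF):
        print(f"{verdict:18} {stmt}")
```

Only `missing-tls` findings need attention; `explicit-cleartext` records a deliberate choice that a reviewer can confirm against the deployment (for example, a listener bound to loopback behind a TLS-terminating proxy).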