Add more configuration options to control TLS context (enough to implement Perfect Forward Secrecy)
It would be nice for us to borrow more configuration options from NGINX, which is an industry standard. As far as I can tell, borrowing the following options will make it possible to implement Perfect Forward Secrecy in BIND:
- An ability to specify supported ciphers: ssl_ciphers;
- An ability to specify Diffie-Hellman parameters for DHE ciphers: ssl_dhparam;
- An ability to inform the client that server ciphers should be preferred: ssl_prefer_server_ciphers;
- An ability to enable/disable TLS session tickets: ssl_session_tickets.
Implementing this is hugely beneficial for both DoH and DoT.
The end result could look like this:
```
tls some-tls {
    ...
    ciphers "HIGH:!aNULL:!MD5";
    dhparam-file "/path/to/dh3072.pem"; // theoretically, we could compile in a default value for it. this needs more research.
    prefer-server-ciphers yes;
    session-tickets no;
    ...
};
```
Loosely related to #2775 (closed)
Edited by Artem Boldariev
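An added example, not part of the original issue and not BIND code: it expands the OpenSSL cipher string from the proposed `ciphers` option with Python's `ssl` module and separates the suites with ephemeral (EC)DHE key exchange from those without, to show whether a given string restricts a listener to forward-secret suites. The `TIGHTENED` string and the function names are constructed for this illustration, and the classification by OpenSSL's `kea` label is an assumption stated in the code.

```python
import ssl

# Assumption of this example: OpenSSL labels ephemeral key exchange as
# "kx-ecdhe*" / "kx-dhe*", and TLS 1.3 suites as "kx-any" (ephemeral unless
# a PSK-only handshake is negotiated). Everything else (static RSA, plain
# PSK, SRP, ...) is treated conservatively as not forward secret.
def is_forward_secret(kea):
    return kea == "kx-any" or kea.startswith(("kx-ecdhe", "kx-dhe"))


def split_by_forward_secrecy(cipher_string):
    """Expand an OpenSSL cipher string and split the suites it enables.

    Returns (fs, non_fs), each a list of (suite_name, key_exchange_label).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    fs, non_fs = [], []
    for suite in ctx.get_ciphers():
        kea = suite.get("kea") or "unknown"
        target = fs if is_forward_secret(kea) else non_fs
        target.append((suite["name"], kea))
    return fs, non_fs


PROPOSED = "HIGH:!aNULL:!MD5"                       # value from the issue
TIGHTENED = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5"   # constructed comparison

if __name__ == "__main__":
    for label, string in (("proposed", PROPOSED), ("tightened", TIGHTENED)):
        fs, non_fs = split_by_forward_secrecy(string)
        print(f"{label}: {string}")
        print(f"  forward-secret suites:     {len(fs)}")
        print(f"  non-forward-secret suites: {len(non_fs)}")
        for name, kea in non_fs:
            print(f"    {name} ({kea})")
```

The exact suite list depends on the local OpenSSL build, so run the check against the library the server is linked with.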