Add support for DNS over TLS

[bwelling]

This adds a dns.query.tls() method, which sends DoT queries.

This is similar to tcp(), but adds ssl_context and server_hostname parameters.

[nicki-krizek]

I didn't do a thorough review, but the changes seem to work as expected. I wonder what's would be a proper way of integrating these changes with dns.resolver.Resolver (#358), but it might be out of scope of this PR.

[bwelling]

Not my call, but I think that integrating into dns.resolver.Resolver is a different issue than adding the protocol support, unless there's something needed in the tls() function to support the Resolver integration.

[filips123]

There is one thing I found that needs to be considered. The problem is that ssl module is always imported, even if it is not used. This works normally for most Python installations (which have OpenSSL enabled), but it won't work in some cases where OpenSSL is not installed. In this case, the import will fail so the whole module will not be usable.

The solution would be to create _ssl_compat module which tries to import ssl and then handle import errors. For more details see how websocket-client handles this.

[bwelling]

I believe that replacing the import with something like this would be a lot simpler than adding a new module, if this is a real issue.

try:
    import ssl
except ImportError:
    class ssl(object):
        class WantReadException(Exception):
            pass
        class WantWriteException(Exception):
            pass
        class SSLSocket(object):
            pass
        def create_default_context():
            raise Exception('no ssl support')

[filips123]

@bwelling Yes, this is a better version. In websocket-client, it was done with an additional module because SSL needs to be used across multiple files. But here, SSL is only required in one file, so additional module is not needed.

And yes, I think that forcing SSL could be an issue. SSL can not be available in Python, especially if you are building Python from source or using different and more limited runtime environment (maybe some microcontrollers, WebAssembly, some operating systems...).

[cjsoftuk]

Looking forward to this feature getting merged (as we're building Icinga 2 tests on top of dnspython for DNS checks and a customer has just deployed DoT and DoH). Is there any indication of when this might be available in master?

[filips123]

@rthalley Can you also merge my PR for DNS over HTTPS?

[filips123]

Also, forcing to use ssl is not good solution. You should fix it as in #392 (comment).

[rthalley]

I was committing the ssl fix already :)

[cjsoftuk]

@rthalley - Thank you for such prompt action on this!