Unbound DNS over TLS problem on master?

Is anyone using Unbound DoT on master? My build from Aug or so was fine; my build from 62a11cd722 gets "error: SSL_write syscall: Connection reset by peer" errors connecting to Google or Cloudflare DNS. On debug it seems to get through the handshake just fine, so it's not that; the connections just die immediately.

Well, it seems to be unbound-specific; both kdig and knot-resolver (kresd) on the R7800 can use DoT.

Unbound doesn't seem to have been updated since my previous build. The only thing that looked vaguely relevant was that openssl was updated to 1.1.1l, but there is nothing obvious in the changelog for that.

Downgrading libopenssl to 1.1.1k (the previous version) didn't fix the problem either, so I'm at a bit of a loss.

Looking at Wireshark, unbound appears to be trying to send 16k (16401, every time) over the TLS connection initially when I try to run a single query. I have no idea why; by comparison, knot-resolver is sending a few tens of bytes. I think the upstream DNS servers don't like whatever this 16k is and kill the connection.
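To put the "few tens of bytes" figure in context, here is a minimal DNS-over-TLS client written for this thread as an added example (it is not code from the original posts, from unbound, or from knot-resolver). It builds a single A query, applies the RFC 7858 framing (the same 2-byte length prefix as DNS over TCP), sends it over a verified TLS session and parses the A records out of the reply. The live lookup in the `__main__` block assumes Cloudflare's resolver at 1.1.1.1:853 with the certificate name one.one.one.one and needs network access; the query builder and the response parser run offline against a constructed sample reply.

```python
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: 12-byte header plus one question, class IN."""
    # flags 0x0100 = standard query with the RD (recursion desired) bit set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DoT reuses the DNS-over-TCP framing (RFC 7858 section 3.3): 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes, or raise if the peer closes the connection early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS connection mid-message")
        buf += chunk
    return buf


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off`; a compression pointer ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the message
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes, txid: int) -> list:
    """Return the A-record addresses from a response, checking txid and rcode first."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError("server returned rcode %d" % rcode)
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return answers


def dot_query(server: str, name: str, port: int = 853, hostname=None) -> list:
    """Send one A query over DNS-over-TLS with certificate verification and return the answers."""
    ctx = ssl.create_default_context()  # verifies the server certificate against the system store
    txid = 0x1234
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname or server) as tls:
            tls.sendall(frame(build_query(name, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = recv_exact(tls, length)
    return parse_a_answers(resp, txid)


# Constructed sample response (not captured from a real server): same txid, QR/RD/RA set,
# NOERROR, one question, one A answer whose name is a compression pointer (0xC00C) to the qname.
SAMPLE_NAME = "one.one.one.one"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query(SAMPLE_NAME)[12:]  # question section copied from the query
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([1, 1, 1, 1])
)


if __name__ == "__main__":
    wire = frame(build_query(SAMPLE_NAME))
    print("framed A query for %s is %d bytes of DNS payload" % (SAMPLE_NAME, len(wire)))
    print("parsed from constructed sample:", parse_a_answers(SAMPLE_RESPONSE, 0x1234))
    # Assumed endpoint: Cloudflare DoT at 1.1.1.1:853, certificate name one.one.one.one.
    print("live answer:", dot_query("1.1.1.1", SAMPLE_NAME, hostname="one.one.one.one"))
```

A single A query is 35 bytes of DNS payload here (33 bytes of message plus the 2-byte prefix), which is the order of magnitude kdig and kresd put on the wire before TLS record overhead; the length prefix is what the upstream uses to decide how much to read, so comparing it against the 16401 bytes seen in the capture is a quick way to tell whether the first record unbound sends is a framed DNS message at all.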

Works for me, installed from scratch following the wiki on the latest OpenWrt x86-64 snapshot:
https://openwrt.org/docs/guide-user/services/dns/dot_unbound

What architecture? I should have said this is on ipq806x, as possibly relevant.

ramips mt7621; doesn't work here either.