Description
Hi,
I've been testing DoH using Unbound 1.13.1 (I installed the prebuilt binary from FreeBSD's port package) on a FreeBSD 12.2 machine, using a Let's Encrypt TLS certificate. Unbound starts and listens on my DoH port, and when I connect to it, the HTTP/2's TLS session is established as expected. I send a simple DNS query and the server sends a response. The response is oddly truncated one byte short such that it is NOT a valid response.
RAW QUERY, 28 BYTES:
58, 102, # Query ID
1, # qr=0 (request), opcode=0, aa=0,
# tc=0, rd=1 (recursion desired)
0, # ra=0, z=0, rcode=0
0, 1, # Number of questions: 1
0, 0, # Number of answers: 0
0, 0, # Authority RRs: 0
0, 0, # Additional RRs: 0
--- QUESTION 1 of 1 ---
6, 103, 111, 111, 103, 108, 101, # label "google"
3, 99, 111, 109, # Label "com"
0, # End of labels
0, 1, # Class "IN" (1)
0, 1 # Resource type "A" (1)
Local Unbound 1.13.1 test server using HTTP/2:
https://unbound.example.org/dns-query?dns=OmYBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ==
HTTP/2 Response Headers:
Content-Type: application/dns-message
Content-Length: 27
RAW REPLY, 27 BYTES:
58, 102, # Query ID (matches question ID)
129, # qr=1 (answer), opcode=0, aa=0,
# tc=0, rd=1 (recursion desired)
1, # ra=0 (recursion NOT available),
# z=0, rcode=1
# rcode=1 (format error) WHAT??
0, 1, # Number of questions: 1
0, 0, # Number of answers: 0
0, 0, # Authority RRs: 0
0, 0, # Additional RRs: 0
--- QUESTION 1 of 1 ---
6, 103, 111, 111, 103, 108, 101, # Label "google"
3, 99, 111, 109, # Label "com"
0, # End of labels
0, 1, # Class "IN" (1)
0, X <<< MISSING BYTE X # Record type MUST BE 2 BYTES not ONE
NOTE the "Content-Length" header indicates the server's response is exactly 27 bytes in length. However, to be valid, it SHOULD have been 28 bytes in length.
(I've posted my questions to the user list regarding why Unbound responded with an error when my query was valid--but that's separate from this bug report that the response with the error is oddly truncated one byte short.)
Thanks!
--Aaron out
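
Added example, not part of the original report: a Python check that decodes the `dns` parameter from the URL above and walks the question section of both the query and the 27-byte reply, reporting how many bytes each one is short. The function names are assumptions made for this example; the byte values are copied from the report.

```python
import base64
import struct

# Values copied from the report above.
DNS_PARAM = "OmYBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ=="
REPLY = bytes([58, 102, 129, 1, 0, 1, 0, 0, 0, 0, 0, 0,
               6, 103, 111, 111, 103, 108, 101, 3, 99, 111, 109, 0,
               0, 1, 0])  # the 27 bytes the server returned


def decode_dns_param(value):
    """Decode the ?dns= value; accepts base64url with or without '=' padding."""
    stripped = value.rstrip("=")
    return base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))


def inspect_message(msg):
    """Parse the header and question section; report how many bytes are missing."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, missing = 12, 0
    for _ in range(qdcount):
        # Walk length-prefixed labels up to the zero-length root label.
        while pos < len(msg) and msg[pos] != 0:
            if msg[pos] & 0xC0:
                raise ValueError("compression pointer in question name")
            pos += 1 + msg[pos]
        pos += 1 + 4  # root label, then two 16-bit fields end the question
        if pos > len(msg):
            missing = pos - len(msg)
            break
    return {"id": qid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qdcount, "length": len(msg), "missing": missing}


if __name__ == "__main__":
    query = decode_dns_param(DNS_PARAM)
    for name, msg in (("query", query), ("reply", REPLY)):
        print(name, inspect_message(msg))
```

A client-side check like this, run before handing the body to a DNS parser, separates a short body from a malformed one: the reply's Content-Length of 27 matches the bytes received, so the missing byte was never sent rather than lost in transit.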