use custom CA pool for DoT

main.go

@@ -290,7 +290,7 @@ func run() int {
 		mainLogger.Info("Using fixed API host address = %s", args.apiAddress)
 		seclientDialer = dialer.NewFixedDialer(args.apiAddress, seclientDialer)
 	} else if len(args.bootstrapDNS.values) > 0 {
-		resolver, err := resolver.FastFromURLs(args.bootstrapDNS.values...)
+		resolver, err := resolver.FastFromURLs(caPool, args.bootstrapDNS.values...)
 		if err != nil {
 			mainLogger.Critical("Unable to instantiate DNS resolver: %v", err)
 			return 4

resolver/factory.go

@@ -1,6 +1,8 @@
 package resolver
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"net"
 	"net/url"
@@ -9,7 +11,7 @@ import (
 	"github.com/ncruces/go-dns"
 )
 
-func FromURL(u string) (*net.Resolver, error) {
+func FromURL(u string, caPool *x509.CertPool) (*net.Resolver, error) {
 begin:
 	parsed, err := url.Parse(u)
 	if err != nil {
@@ -54,7 +56,12 @@ begin:
 			port = "853"
 		}
 		hp := net.JoinHostPort(host, port)
-		return dns.NewDoTResolver(hp, dns.DoTAddresses(hp))
+		return dns.NewDoTResolver(hp,
+			dns.DoTAddresses(hp),
+			dns.DoTConfig(&tls.Config{
+				RootCAs: caPool,
+			}),
+		)
 	default:
 		return nil, errors.New("not implemented")
 	}

resolver/fast.go

@@ -2,6 +2,7 @@ package resolver
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net/netip"
 
@@ -16,10 +17,10 @@ type FastResolver struct {
 	upstreams []LookupNetIPer
 }
 
-func FastFromURLs(urls ...string) (LookupNetIPer, error) {
+func FastFromURLs(caPool *x509.CertPool, urls ...string) (LookupNetIPer, error) {
 	resolvers := make([]LookupNetIPer, 0, len(urls))
 	for i, u := range urls {
-		res, err := FromURL(u)
+		res, err := FromURL(u, caPool)
 		if err != nil {
 			return nil, fmt.Errorf("unable to construct resolver #%d (%q): %w", i, u, err)
 		}