HTTPS RR in Curl
a year ago
- #HTTPS
- #DNS
- #Security
- RFC 9460 introduces the HTTPS RR (Resource Record) for DNS, providing service metadata about a target hostname.
- HTTPS RR is an alternative to SRV and URI records and is intended to supersede the HSTS and Alt-Svc HTTP headers: the same signals are delivered via DNS, before any HTTP request is made, instead of in a response from an earlier connection.
- Key features of HTTPS RR include ECH (Encrypted Client Hello) config, ALPN list, target hostname, port, and IP addresses.
- ECH (Encrypted Client Hello) encrypts the SNI field of the TLS ClientHello, so an on-path observer sees only the public name of the client-facing server rather than the site actually being contacted; the ECH config the client needs is carried in the record's ech parameter.
- The ALPN list indicates which HTTP versions the server speaks. The mere presence of an HTTPS RR tells the client to use https:// even for an http:// URL, and an ALPN list containing h3 lets the client start with HTTP/3 directly instead of first learning about it from an Alt-Svc header.
- HTTPS RR can specify alternative hostnames, ports, and IP addresses for services.
- curl offers experimental support for HTTPS RR, requiring explicit build enablement.
- curl can fetch the HTTPS RR in three ways: through DoH (DNS-over-HTTPS), through c-ares when c-ares is the resolver backend, or, when the threaded getaddrinfo() resolver is used, by issuing the HTTPS RR query via c-ares in parallel with the address lookup.
- Current limitations: the support cannot be switched off at runtime once it is built in, and not every field of the HTTPS RR is acted upon yet.
- Cloudflare and a number of other sites already publish HTTPS RRs, so the support can be tested against real servers; testing and feedback are encouraged to guide further improvements.
- Debian experimental now includes curl with HTTPS RR support, though ECH remains unsupported due to OpenSSL and GnuTLS limitations.
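The record fields listed above (target, port, ALPN, address hints, ECH config, plus AliasMode and the mandatory key) are easiest to understand from the wire format. The following is an added example, not curl's code nor anything from the blog post: it encodes and decodes RFC 9460 HTTPS RR RDATA and then derives what a client would do with one record (upgrade to https, pick host/port, decide whether to start with HTTP/3, hand the ECH blob to the TLS stack). The sample record, the `example.com` origin and the ECH bytes are constructed for illustration; the ECH blob is a stand-in and not a valid ECHConfigList.

```python
"""Added example (not curl's code): RFC 9460 HTTPS RR wire format encode/decode
and a small client-side planner. All sample data is constructed."""
import ipaddress
import struct

# SvcParamKey numbers, RFC 9460 section 14.3.2
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT = 0, 1, 2, 3
KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT = 4, 5, 6
SUPPORTED_KEYS = {KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT,
                  KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT}


def encode_name(name):
    """Uncompressed DNS wire name; "." (the root) means 'the owner name itself'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # TargetName must not be compressed (RFC 9460 section 2.2)
            raise ValueError("compressed TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def encode_https_rdata(priority, target, alpn=(), port=None, ipv4hint=(),
                       ech=b"", ipv6hint=(), mandatory=()):
    params = {}
    if mandatory:
        params[KEY_MANDATORY] = b"".join(struct.pack("!H", k) for k in sorted(mandatory))
    if alpn:
        params[KEY_ALPN] = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)
    if port is not None:
        params[KEY_PORT] = struct.pack("!H", port)
    if ipv4hint:
        params[KEY_IPV4HINT] = b"".join(ipaddress.IPv4Address(a).packed for a in ipv4hint)
    if ech:
        params[KEY_ECH] = ech  # opaque ECHConfigList, passed through untouched
    if ipv6hint:
        params[KEY_IPV6HINT] = b"".join(ipaddress.IPv6Address(a).packed for a in ipv6hint)
    out = struct.pack("!H", priority) + encode_name(target)
    for k in sorted(params):  # keys must appear in strictly increasing order
        out += struct.pack("!HH", k, len(params[k])) + params[k]
    return out


def parse_param(key, val):
    if key == KEY_MANDATORY:
        if not val or len(val) % 2:
            raise ValueError("bad mandatory list")
        return [k for (k,) in struct.iter_unpack("!H", val)]
    if key == KEY_ALPN:  # sequence of 1-byte-length-prefixed alpn-ids
        ids, i = [], 0
        while i < len(val):
            n, ident = val[i], val[i + 1:i + 1 + val[i]]
            if not n or len(ident) != n:
                raise ValueError("bad alpn-id")
            ids.append(ident.decode("ascii"))
            i += 1 + n
        if not ids:
            raise ValueError("empty alpn")
        return ids
    if key == KEY_NO_DEFAULT_ALPN:
        if val:
            raise ValueError("no-default-alpn carries no value")
        return True
    if key == KEY_PORT:
        if len(val) != 2:
            raise ValueError("bad port")
        return struct.unpack("!H", val)[0]
    if key == KEY_IPV4HINT:  # wrong-length slices make IPv4Address raise ValueError
        return [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, len(val), 4)]
    if key == KEY_IPV6HINT:
        return [str(ipaddress.IPv6Address(val[i:i + 16])) for i in range(0, len(val), 16)]
    return val  # ech, or an unknown key: keep the raw bytes


def decode_https_rdata(rdata):
    priority, = struct.unpack_from("!H", rdata, 0)
    target, off = decode_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        val = rdata[off:off + length]
        off += length
        if key <= last_key or len(val) != length:
            raise ValueError("SvcParams out of order, duplicated or truncated")
        last_key = key
        params[key] = parse_param(key, val)
    # AliasMode (priority 0): any SvcParams that are present are ignored
    return {"priority": priority, "target": target, "params": params if priority else {}}


def is_well_formed(rdata):
    try:
        decode_https_rdata(rdata)
        return True
    except (ValueError, struct.error, IndexError):
        return False


def plan_connection(origin_host, rr, supported=SUPPORTED_KEYS):
    """What a client derives from one HTTPS RR; None if the record is unusable."""
    if rr["priority"] == 0:
        return {"alias": rr["target"]}  # AliasMode: re-query at the target name
    p = rr["params"]
    for k in p.get(KEY_MANDATORY, []):
        # RFC 9460 section 8: do not use a record whose mandatory list names a
        # key the client does not implement, that is absent, or key 0 itself
        if k == KEY_MANDATORY or k not in supported or k not in p:
            return None
    alpn = list(p.get(KEY_ALPN, []))
    if KEY_NO_DEFAULT_ALPN not in p:
        alpn.append("http/1.1")  # the https scheme's default ALPN, RFC 9460
    return {
        "scheme": "https",  # an HTTPS RR exists: never talk plaintext http
        "host": origin_host if rr["target"] == "." else rr["target"].rstrip("."),
        "port": p.get(KEY_PORT, 443),
        "alpn": alpn,
        "use_h3": "h3" in alpn,  # start with HTTP/3 directly, no Alt-Svc needed
        "address_hints": p.get(KEY_IPV4HINT, []) + p.get(KEY_IPV6HINT, []),
        "ech_config": p.get(KEY_ECH, b""),  # handed to the TLS stack as-is
    }


# Constructed sample (no real zone): ServiceMode at the apex, h2 and h3 on
# port 8443, one IPv4 hint, alpn marked mandatory, and a stand-in ECH blob.
SAMPLE_ECH = bytes.fromhex("0006fe0d00021234")  # not a valid ECHConfigList
SAMPLE_RDATA = encode_https_rdata(1, ".", alpn=("h2", "h3"), port=8443,
                                  ipv4hint=("192.0.2.1",), ech=SAMPLE_ECH,
                                  mandatory=(KEY_ALPN,))

if __name__ == "__main__":
    print(decode_https_rdata(SAMPLE_RDATA))
    print(plan_connection("example.com", decode_https_rdata(SAMPLE_RDATA)))
```

The two checks worth copying into any real consumer are the ones curl-style clients get wrong most easily: SvcParamKeys must be strictly increasing (a duplicate or out-of-order key makes the RDATA malformed), and a mandatory key the client does not implement makes the whole record unusable rather than merely that parameter.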