[dns-operations] Testing of SVCB/HTTPS records

Niall O'Reilly niall.oreilly at ucd.ie
Thu Apr 11 09:16:47 UTC 2024



On 10 Apr 2024, at 12:47, Alarig Le Lay via dns-operations wrote:

> I don’t know any tool either,

Neither do I.

I have a related question: does anyone know of plans among resolver
developers to implement alias-chasing according to section 4.2 of
RFC9460?  In my domestic set-up, which includes BIND named, unbound,
and kresd, I'm not seeing this available yet.

[More about ECH and curl below, in context ...]

> but curl plans to implement it:
> https://curl.se/dev/roadmap.html
>
> the next few years - perhaps
>
> Roadmap of things Daniel Stenberg wants to work on next. It is
[...]
> HTTPS DNS records
>
> As a DNS version of alt-svc and also a pre-requisite for ECH
> (see below).
>
> See: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02
>
> ECH (Encrypted Client Hello - formerly known as ESNI)
>
> See Daniel's post on Support of Encrypted SNI on the mailing
> list.
>
> Initial work exists in PR 4011

This PR 4011 was a POC for ESNI, (2019) before it became ECH, so it's
been overtaken by events.  It was part of the DEfO project (defo.ie),
which is continuing.  By now, Stephen Farrell has developed ECH support
in (his fork of) OpenSSL, and has implemented ECH support on a number
of server codes. On the client side, he and I have added ECH support
to libcurl, and partial HTTPS RR support into its DoH component.

Making ECH work, rather than checking all the structure of the HTTPS
RDATA, has been our focus. As of yesterday
(https://github.com/niallor/curl/tree/ECH-follow-alias-20240410)
we have alias-following working, but only for the first AliasMode RR;
limited iteration is on the TODO list.

I can't say how soon we'll succeed in having some of this work
accepted upstream; we're at different stages of engagement with
a number of developer teams.

/Niall
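The alias-following behaviour discussed above (RFC 9460 section 4.2: a
SvcPriority of 0 marks an AliasMode record whose TargetName must be
chased until a ServiceMode RRset, an absent record, or a "." target is
reached, with loop detection and a hop limit) is shown below as an added
illustration. It is not code from this post, from the curl branch, or
from the DEfO project. The in-memory zone, the owner/target names and
the default hop limit of 8 are constructed assumptions; a real resolver
would replace lookup_https with actual DNS queries.

```python
"""Alias-chasing for HTTPS/SVCB records per RFC 9460 section 4.2.

Constructed example: ZONE is an in-memory stand-in for DNS lookups;
nothing here touches the network.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SvcbRR:
    priority: int                                  # 0 = AliasMode, >0 = ServiceMode
    target: str                                    # TargetName; "." is special
    params: dict = field(default_factory=dict)     # SvcParams, e.g. {"alpn": ["h2"]}


class AliasChaseError(Exception):
    """Raised when an alias chain loops or exceeds the hop limit."""


# Constructed records (assumption: names and values made up for this example).
ZONE = {
    "www.example.com.":  [SvcbRR(0, "svc.example.net.")],          # AliasMode
    "svc.example.net.":  [SvcbRR(0, "pool.example.net.")],         # second hop
    "pool.example.net.": [                                          # ServiceMode
        SvcbRR(1, ".", {"alpn": ["h2"], "ech": "<placeholder ECHConfigList>"}),
        SvcbRR(2, "backup.example.net.", {"alpn": ["http/1.1"]}),
    ],
    "gone.example.com.": [SvcbRR(0, ".")],                         # "service does not exist"
    "loop-a.example.com.": [SvcbRR(0, "loop-b.example.com.")],    # deliberate loop
    "loop-b.example.com.": [SvcbRR(0, "loop-a.example.com.")],
}


def lookup_https(name, zone=ZONE):
    """Stand-in for an HTTPS-type query; returns the RRset (possibly empty)."""
    return list(zone.get(name, []))


def chase_aliases(name, max_hops=8, zone=ZONE):
    """Follow AliasMode records starting at `name`.

    Returns (final_owner_name, service_records_sorted_by_priority, hops).
    Raises AliasChaseError on a loop or when more than max_hops aliases
    would be followed (the limit value is an assumption of this example).
    """
    seen = [name]
    hops = 0
    while True:
        rrset = lookup_https(name, zone)
        aliases = [rr for rr in rrset if rr.priority == 0]
        if not aliases:
            # ServiceMode RRset (or no record at all): chasing is finished.
            # In ServiceMode a TargetName of "." means the owner name itself.
            services = sorted((rr for rr in rrset if rr.priority > 0),
                              key=lambda rr: rr.priority)
            resolved = [SvcbRR(rr.priority,
                               name if rr.target == "." else rr.target,
                               rr.params)
                        for rr in services]
            return name, resolved, hops
        # A zone should carry only one AliasMode record; take the first.
        alias = aliases[0]
        if alias.target == ".":
            # AliasMode with TargetName ".": the service is not available.
            return name, [], hops
        if alias.target in seen:
            raise AliasChaseError("alias loop: " + " -> ".join(seen + [alias.target]))
        hops += 1
        if hops > max_hops:
            raise AliasChaseError(f"more than {max_hops} alias hops from {seen[0]}")
        name = alias.target
        seen.append(name)


if __name__ == "__main__":
    owner, records, hops = chase_aliases("www.example.com.")
    print(f"{owner} reached after {hops} hop(s):")
    for rr in records:
        print(f"  priority={rr.priority} target={rr.target} params={rr.params}")
```

Note that the post's branch follows only the first AliasMode RR; the loop
above iterates until a ServiceMode RRset is found, which is the "limited
iteration" still on the TODO list. The `ech` SvcParam value is only a
placeholder string; a client would decode a real ECHConfigList from it.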