[dns-operations] HTTPS record support

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 9 16:12:02 UTC 2025


On Tue, Sep 09, 2025 at 05:52:18PM +0200, Florian Weimer via dns-operations wrote:

> >> I've got an RFE to add HTTPS/SVCB support to glibc's getaddrinfo
> >> implementation.
> >
> > Why?  It seems an unnatural layer violation.  The IP addresses of a DNS
> > name are NOT provided by its HTTPS or SVCB records.  IP address lookups
> > make sense only *after* a higher layer application API that understands
> > whether or not and which of either SVCB or HTTPS records may be
> > relevant, processes those records and determines which target IP
> > addresses and ports it wants to connect to, and over what transports.
> 
> The getaddrinfo specification and its refinements that make it clear
> that this interface is not just there to get the raw address information
> out of DNS, but also to perform address sorting based on various
> factors, including network topology information.  It's not much of a
> stretch to include address priority information from DNS as well.

The result of a call to getaddrinfo(3) is a list of:

           struct addrinfo {
               int              ai_flags;
               int              ai_family;
               int              ai_socktype;
               int              ai_protocol;
               socklen_t        ai_addrlen;
               struct sockaddr *ai_addr;
               char            *ai_canonname;
               struct addrinfo *ai_next;
           };

Which cannot even approximately express the content of an HTTPS or SVCB
RRset.  Nor is the (node, service) lookup key able to clearly express
whether such RRsets are relevant to resolving the node and service to a
list of "addrinfo".

> I'm not saying that we should go down this path, I'm just trying to
> explain why I didn't want to close the RFE immediately.

The RFE should be closed.  The meaning of HTTPS/SVCB records is not
aligned with the getaddrinfo(3) API for (node, service) even if the
service happens to be "https".

The getaddrinfo() API has never resolved MX records when handling (node,
"smtp"), or SRV records when handling ("node", "xmpp-server"), and I
see no reason why it has any business attempting anything of the sort
with HTTPS or SVCB.  That logic belongs in "libcurl", ... not
getaddrinfo().

-- 
    Viktor.  🇺🇦 Слава Україні!
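Added example (not part of this message, and not code from glibc or libcurl): a small C program showing the layering the post argues for. The application parses the wire-format RDATA of a constructed HTTPS record (RFC 9460 layout; the names svc.example.net and alias.example.org, the port 8443 and every function name are invented for the illustration), picks the target name and port it wants, and only then holds a (node, service) pair that getaddrinfo(3) can answer. An AliasMode record (SvcPriority 0) yields no such pair at all; it needs a further query first, which is exactly the kind of decision struct addrinfo has no field for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SVCB_KEY_ALPN 1
#define SVCB_KEY_PORT 3

/* What an application can take out of one HTTPS/SVCB RR; none of this fits in struct addrinfo. */
struct svcb_rr {
    uint16_t priority;      /* 0 = AliasMode, >0 = ServiceMode (lower value preferred) */
    char target[256];       /* TargetName in presentation form; "." means the owner name itself */
    int has_port;
    uint16_t port;
    size_t alpn_count;
    char alpn[8][16];       /* alpn SvcParam values, e.g. "h2", "h3" */
};

/* Constructed RDATA for: example.com. HTTPS 1 svc.example.net. alpn="h2,h3" port=8443 */
const uint8_t EXAMPLE_HTTPS_RDATA[] = {
    0x00, 0x01,                                                       /* SvcPriority 1 */
    3, 's', 'v', 'c', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0,
    0x00, 0x01, 0x00, 0x06, 2, 'h', '2', 2, 'h', '3',                 /* alpn = h2,h3 */
    0x00, 0x03, 0x00, 0x02, 0x20, 0xFB                                /* port = 8443 */
};
/* Constructed RDATA for an AliasMode record: example.com. HTTPS 0 alias.example.org. */
const uint8_t EXAMPLE_ALIAS_RDATA[] = {
    0x00, 0x00,
    5, 'a', 'l', 'i', 'a', 's', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'o', 'r', 'g', 0
};

/* Uncompressed wire-format name at buf[*off] -> presentation form. Returns 0, or -1 if malformed. */
static int parse_name(const uint8_t *buf, size_t len, size_t *off, char *out, size_t outlen) {
    size_t o = *off, n = 0;
    for (;;) {
        if (o >= len) return -1;
        uint8_t l = buf[o++];
        if (l == 0) break;
        /* label > 63 would be a compression pointer, which is not allowed inside SVCB RDATA */
        if (l > 63 || o + l > len || n + l + 2 > outlen) return -1;
        memcpy(out + n, buf + o, l);
        n += l; out[n++] = '.'; o += l;
    }
    if (n == 0) out[n++] = '.';       /* root name: "." */
    out[n] = '\0';
    *off = o;
    return 0;
}

/* Parse one HTTPS/SVCB RDATA. Returns 0 on success, -1 on malformed input (never trust the wire). */
int svcb_parse(const uint8_t *rdata, size_t len, struct svcb_rr *rr) {
    size_t off = 2;
    int last_key = -1;
    memset(rr, 0, sizeof *rr);
    if (len < 2) return -1;
    rr->priority = (uint16_t)((rdata[0] << 8) | rdata[1]);
    if (parse_name(rdata, len, &off, rr->target, sizeof rr->target) != 0) return -1;
    while (off < len) {                             /* SvcParams: key(2) length(2) value */
        if (off + 4 > len) return -1;
        int key = (rdata[off] << 8) | rdata[off + 1];
        size_t vlen = (size_t)((rdata[off + 2] << 8) | rdata[off + 3]);
        const uint8_t *v = rdata + off + 4;
        off += 4;
        if (key <= last_key || off + vlen > len) return -1; /* keys strictly increasing, no overrun */
        last_key = key;
        if (rr->priority == 0) { off += vlen; continue; }   /* AliasMode: SvcParams are ignored */
        if (key == SVCB_KEY_ALPN) {
            size_t p = 0;
            while (p < vlen) {                      /* sequence of length-prefixed protocol ids */
                uint8_t l = v[p++];
                if (l == 0 || p + l > vlen) return -1;
                if (rr->alpn_count < 8 && l < 16) {
                    memcpy(rr->alpn[rr->alpn_count], v + p, l);
                    rr->alpn[rr->alpn_count++][l] = '\0';
                }
                p += l;
            }
        } else if (key == SVCB_KEY_PORT) {
            if (vlen != 2) return -1;
            rr->has_port = 1;
            rr->port = (uint16_t)((v[0] << 8) | v[1]);
        }                                           /* other keys are not needed here and are skipped */
        off += vlen;
    }
    return 0;
}

/* The application, not the resolver, derives the (node, service) pair it will hand to getaddrinfo(3).
   Returns -1 for AliasMode, where no address lookup is possible until the target has been re-queried. */
int svcb_to_getaddrinfo_args(const struct svcb_rr *rr, const char *owner, const char *default_service,
                             char *node, size_t nodelen, char *service, size_t servlen) {
    if (rr->priority == 0) return -1;
    snprintf(node, nodelen, "%s", strcmp(rr->target, ".") == 0 ? owner : rr->target);
    if (rr->has_port) snprintf(service, servlen, "%u", (unsigned)rr->port);
    else snprintf(service, servlen, "%s", default_service);
    return 0;
}

int main(void) {
    struct svcb_rr rr;
    char node[256], service[16];
    if (svcb_parse(EXAMPLE_HTTPS_RDATA, sizeof EXAMPLE_HTTPS_RDATA, &rr) != 0) return 1;
    if (svcb_to_getaddrinfo_args(&rr, "example.com.", "https", node, sizeof node, service, sizeof service) != 0) return 1;
    /* Only at this point does the application have something getaddrinfo(3) can answer:
       getaddrinfo(node, service, &hints, &res). The ALPN choice stays with the TLS/HTTP layer. */
    printf("connect to node=%s service=%s alpn[0]=%s\n", node, service, rr.alpn_count ? rr.alpn[0] : "-");
    return 0;
}
```

The parser rejects truncated RDATA, out-of-order SvcParam keys and compression pointers rather than guessing, since the record comes from the network; a real client would also have to rank several ServiceMode RRs by SvcPriority and fall back to the owner name's A/AAAA records when no usable HTTPS record exists, all of which is application-layer policy.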