-=Kernel-Error=-Sep 30, 2025

HTTPS RR und SVCB: Moderne DNS-Records für schnellere und sicherere Verbindungen

Wenn ein Browser eine HTTPS-Verbindung aufbaut, braucht er normalerweise mehrere DNS-Lookups und Round-Trips, bevor er überhaupt weiß, welche Protokolle der Server unterstützt. Erst A/AAAA-Record abfragen, dann TCP-Verbindung, dann TLS-Handshake, dann Alt-Svc-Header parsen für HTTP/3. Das ist ineffizient und seit November 2023 gibt es mit RFC 9460 eine saubere Lösung dafür: den HTTPS Resource Record. Die großen Browser Hersteller unterstützen das ebenfalls schon, eigentlich mehr aus […]

https://www.kernel-error.de/2025/09/30/https-rr-svcb-moderne-dns-records-schnellere-sicherere-verbindungen/

Andreas TaudteMar 12

Using #DNS as a bootstrap layer for #AI agent discovery is a compelling idea, especially when it builds on standards like #SVCB, #DNSSEC, & #DANE.

The DNS-AID draft is a valuable contribution: https://datatracker.ietf.org/doc/html/draft-mozleywilliams-dnsop-dnsaid-01

For enterprise adoption, discovery is only the start. The challenge is making such concepts trustworthy, governable, & manageable across enterprise #DNS, #DHCP, and #IPAM.

As seen in @andrew_campling’s weekly "DNS in the News": https://419.consulting/encrypted-dns/f/dns-in-the-news-9th-march-2026

Marud Nov 27
je découvre le truc et je vois pas l'info, mais est-ce qu'il est possible d'utiliser #svcb pour par exemple permettre à un client openvpn de se connecter automatiquement à un lien de secours si le lien principal ne répond pas ?

Ca pourrait marcher ou je capte pas le truc ?
Show threadJdeBPNov 26

@cks @lanodan

Missing from @drscriptt 's list are AAAA, HTTPS, and SVCB records.

AAAA has plenty of obvious choices.

You'll know the . convention for SRV, SVCB, and MX resource record sets, of course.

I shall just drop in my personal experience from earlier this year that an accidentally supplied HTTPS resource record can *definitely* break WWW traffic; because browsers in practice do not obey RFC9460 §2.4.2.

#djbdns
#DomainNameSystem
#SplitHorizon
#ReservedSuperDomains #DNS #HTTPS #SVCB

GripNewsSep 14, 2025
🌘 RFC 9460 - 透過 DNS 指定服務綁定與參數 (SVCB 和 HTTPS 資源紀錄)
➤ DNS 升級:SVCB 和 HTTPS 紀錄如何簡化服務連線與參數指定
https://datatracker.ietf.org/doc/html/rfc9460
這份 RFC 文件介紹了新的 DNS 資源紀錄類型 SVCB 和 HTTPS,旨在提供更詳盡的服務連線資訊。SVCB 紀錄允許服務透過多個替代終端點提供,並附帶傳輸協定配置等參數,且具備擴展性以支援未來用途(如 TLS ClientHello 加密金鑰)。此外,SVCB 也克服了 CNAME 紀錄在根網域別名設定上的限制。HTTPS 紀錄則是 SVCB 針對 HTTP 協議的特化版本。透過在連線建立前提供更多資訊,這些新紀錄能提升效能並加強隱私保護。
+ 這個更新聽起來非常棒,希望能加速 HTTP/3 和 ECH 的普及。
+ 很高興看到 DNS 紀錄能提供更多彈性,特別是對於根網域的別名設定。
#DNS #RFC #SVCB #HTTPS #網路協議 #服務綁定
RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)

This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.

IETF Datatracker
N-gated Hacker NewsSep 14, 2025
🚨 BREAKING: #RFC9460 claims to revolutionize the #DNS landscape with #SVCB and #HTTPS records, but spoiler alert—it's just another jargon-filled proposal destined to collect digital dust. 🌐📜 Meanwhile, DNS admins everywhere are thrilled to have more acronyms to ignore. 🙄✨
https://datatracker.ietf.org/doc/html/rfc9460 #DigitalDust #DNSAdmins #HackerNews #ngated
RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)

This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.

IETF Datatracker
Hacker NewsSep 14, 2025

RFC9460: SVCB and HTTPS DNS Records

https://datatracker.ietf.org/doc/html/rfc9460

#HackerNews #RFC9460 #SVCB #HTTPS #DNS #Records #IETF #TechNews #Networking

RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)

This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.

IETF Datatracker
Show threadJdeBPAug 21, 2025

@ermo

There are a much smaller number of people doing SVCB lookups, too. But, interestingly, they are doing them wrongly.

And with a direct correlation to some other abuses.

Which does make me think that, in an ironic twist, it is the bad actors running robot vulnerability probes and scrapers that are the early adopters of SVCB, here.

#djbwares #DomainNameSystem #svcb

Fabio Alessandro "Fale" LocatiAug 18, 2025
Today I discovered the RFC 9460 and therefore the SVCB and HTTPS resource records. Very interesting and useful innovation :)

https://www.rfc-editor.org/rfc/rfc9460

#RFC9460 #RFC #DNS #SVCB #HTTPS
RFC 9460: Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records)

This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy.

OpenStreetMap Ops TeamFeb 25, 2025
We now publish DNS HTTPS IP hint records for all #OpenStreetMap web services per #RFC9460 Why? Small incremental improvement to performance and privacy. Our DNS handles over 2,000 requests per second. DNS HTTPS query is our 2nd most common query. #DNScontrol #SVCB 🚀 🤓