| RFC 9460 | SVCB and HTTPS RRs for DNS | November 2023 |
| Schwartz, et al. | Standards Track | [Page] |
This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR)types to facilitate the lookup of information needed to make connectionsto network services, such as for HTTP origins. SVCB recordsallow a service to be provided from multiple alternative endpoints,each with associated parameters (such as transport protocolconfiguration), and are extensible to support future uses(such as keys for encrypting the TLS ClientHello). They alsoenable aliasing of apex domains, which is not possible with CNAME.The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics").By providing more information to the client before it attempts toestablish a connection, these records offer potential benefits toboth performance and privacy.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9460.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The SVCB ("Service Binding") and HTTPS resource records (RRs) provide clients with complete instructionsfor access to a service. This information enables improvedperformance and privacy by avoiding transient connections to a suboptimaldefault server, negotiating a preferred protocol, and providing relevantpublic keys.¶
For example, HTTP clients currently resolve only A and/or AAAA records forthe origin hostname, learning only its IP addresses. If an HTTP client learnsmore about the origin before connecting, it may be able to upgrade "http" URLsto "https", enable HTTP/3 or Encrypted ClientHello[ECH],or switch to anoperationally preferable endpoint. It is highly desirable to minimize thenumber of round trips and lookups required tolearn this additional information.¶
The SVCB and HTTPS RRs also help when the operator of a servicewishes to delegate operational control to one or more other domains, e.g.,aliasing the origin "https://example.com" to a serviceoperator endpoint at "svc.example.net". While this case can sometimesbe handled by a CNAME, that does not cover all use cases. CNAME is alsoinadequate when the service operator needs to provide a boundcollection of consistent configuration parameters through the DNS(such as network location, protocol, and keying information).¶
This document first describes the SVCB RR as a general-purpose RR that can be applied directly and efficiently to a wide rangeof services (Section 2). It also describes the rules for defining otherSVCB-compatible RR types (Section 6), starting with the HTTPSRR type (Section 9), which provides improved efficiency and conveniencewith HTTP by avoiding the need for an Attrleaf label[Attrleaf](Section 9.1).¶
The SVCB RR has two modes: 1) "AliasMode", which simply delegates operationalcontrol for a resource and 2) "ServiceMode", which binds togetherconfiguration information for a service endpoint.ServiceMode provides additional key=value parameterswithin each RDATA set.¶
The goal of the SVCB RR is to allow clients to resolve a singleadditional DNS RR in a way that:¶
Additional goals specific to HTTPS RRs and the HTTP use cases include:¶
This subsection briefly describes the SVCB RR with forward references tothe full exposition of each component. (As discussed inSection 6, this allapplies equally to the HTTPS RR, which sharesthe same encoding, format, and high-level semantics.)¶
The SVCB RR has two modes: 1) AliasMode (Section 2.4.2), which aliases a nameto another name and 2) ServiceMode (Section 2.4.3), which provides connectioninformation bound to a service endpoint domain. Placing both forms in a singleRR type allows clients tofetch the relevant information with a single query (Section 2.3).¶
The SVCB RR has two required fields and one optional field. The fields are:¶
Cooperating DNS recursive resolvers will perform subsequent recordresolution (for SVCB, A, and AAAA records) and return them in theAdditional section of the response (Section 4.2). Clients either use responsesincluded in the Additional section returned by the recursive resolveror perform necessary SVCB, A, and AAAA record resolutions (Section 3). DNSauthoritative servers can attach in-bailiwick SVCB, A, AAAA, and CNAMErecords in the Additional section to responses for a SVCB query (Section 4.1).¶
In ServiceMode, the SvcParams of the SVCB RRprovide an extensible data model for describing alternativeendpoints that are authoritative for a service, along withparameters associated with each of these alternative endpoints (Section 7).¶
For HTTP use cases, the HTTPS RR (Section 9) enables many of the benefits of Alt-Svc[AltSvc]without waiting for a full HTTP connection initiation (multiple round trips)before learning of the preferred alternative,and without necessarily revealing the user'sintended destination to all entities along the network path.¶
Terminology in this document is based on the common case where the SVCB record is used toaccess a resource identified by a URI whoseauthority field contains a DNShostname as thehost.¶
authority andscheme of the URI, capable of providing access to the resource. For "https"URIs, the "service" corresponds to an "origin"[RFC6454].¶host portion of the authority.¶Additional DNS terminology intends to be consistentwith[DNSTerm].¶
SVCB is a contraction of "service binding". The SVCB RR, HTTPS RR,and future RR types that share SVCB's formats and registry arecollectively known as SVCB-compatible RR types. The contraction "SVCB" is alsoused to refer to this system as a whole.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The SVCB DNS RR type (RR type 64)is used to locate alternative endpoints for a service.¶
The algorithm for resolving SVCB records and associatedaddress records is specified inSection 3.¶
Other SVCB-compatible RR typescan also be defined as needed (seeSection 6). In particular, theHTTPS RR (RR type 65) provides special handlingfor the case of "https" origins as described inSection 9.¶
SVCB RRs are extensible by a list of SvcParams, which are pairs consisting of aSvcParamKey and a SvcParamValue. Each SvcParamKey has a presentation name and aregistered number. Values are in a format specific to the SvcParamKey. EachSvcParam has a specified presentation format (used in zone files) andwire encoding(e.g., domain names, binary data, or numeric values). The initial SvcParamKeysand their formats are defined inSection 7.¶
The presentation format<RDATA> of the record ([RFC1035],Section 5.1) hasthe form:¶
SvcPriority TargetName SvcParams¶
The SVCB record is defined specifically withinthe Internet ("IN") Class ([RFC1035],Section 3.2.4).¶
SvcPriority is a number in the range 0-65535,TargetName is a<domain-name> ([RFC1035],Section 5.1),and the SvcParams are a whitespace-separated list with each SvcParamconsisting of a SvcParamKey=SvcParamValue pair or a standalone SvcParamKey.SvcParamKeys are registered by IANA (Section 14.3).¶
Each SvcParamKeySHALL appear at most once in the SvcParams.In presentation format, SvcParamKeys are lowercase alphanumeric strings.Key names contain 1-63 characters from the ranges "a"-"z", "0"-"9", and "-".In ABNF[RFC5234],¶
alpha-lc = %x61-7A ; a-zSvcParamKey = 1*63(alpha-lc / DIGIT / "-")SvcParam = SvcParamKey ["=" SvcParamValue]SvcParamValue = char-string ; See Appendix A.value = *OCTET ; Value before key-specific parsing¶
The SvcParamValue is parsed using thecharacter-string decoding algorithm (Appendix A), producing avalue.Thevalue is then validated and converted into wire format in a mannerspecific to each key.¶
When the optional "=" and SvcParamValue are omitted, thevalue isinterpreted as empty.¶
Arbitrary keys can be represented using the unknown-key presentation format"keyNNNNN" where NNNNN is the numericvalue of the key type without leading zeros.A SvcParam in this formSHALL be parsed as specified above, andthe decodedvalueSHALL be used as its wire-format encoding.¶
For some SvcParamKeys, thevalue corresponds to a list or set ofitems. Presentation formats for such keysSHOULD use a comma-separated list(Appendix A.1).¶
SvcParams in presentation formatMAY appear in any order, but keysMUST NOT berepeated.¶
The RDATA for the SVCB RR consists of:¶
When the list of SvcParams is non-empty, it contains a series ofSvcParamKey=SvcParamValue pairs, represented as:¶
SvcParamKeysSHALL appear in increasing numeric order.¶
ClientsMUST consider an RR malformed if:¶
Note that the second condition implies that there are no duplicateSvcParamKeys.¶
If any RRs are malformed, the clientMUST reject the entire RRset andfall back to non-SVCB connection establishment.¶
When querying the SVCB RR, a service is translated into a QNAME by prependingthe service name with a label indicating the scheme, prefixed with an underscore,resulting in a domain name like "_examplescheme.api.example.com.". Thisfollows the Attrleaf naming pattern[Attrleaf], so the schemeMUST beregistered appropriately with IANA (seeSection 11).¶
Protocol mapping documentsMAY specify additional underscore-prefixed labelsto be prepended. For schemes that specify a port (Section 3.2.3 of [URI]), one reasonable possibility is to prepend the indicated portnumber if a non-default port number is specified. This document terms this behavior"Port Prefix Naming" and uses it in the examples throughout.¶
SeeSection 9.1 for information regarding HTTPS RR behavior.¶
When a prior CNAME or SVCB record has aliased toa SVCB record, each RRSHALL be returned under its own owner name, as inordinary CNAME processing ([RFC1034],Section 3.6.2). For details, seethe recommendations regarding aliases for clients (Section 3),servers (Section 4), and zones (Section 10).¶
Note that none of these forms alter the origin or authority for validationpurposes.For example, TLS clientsMUST continue to validate TLS certificatesfor the original service name.¶
As an example, the owner of "example.com" could publish this record:¶
_8443._foo.api.example.com. 7200 IN SVCB 0 svc4.example.net.¶
This record would indicate that "foo://api.example.com:8443" is aliased to "svc4.example.net".The owner of "example.net", in turn, could publish this record:¶
svc4.example.net. 7200 IN SVCB 3 svc4.example.net. ( alpn="bar" port="8004" )¶
This record would indicate that these services are served on port number 8004,which supports the protocol "bar" and its associated transport inaddition to the default transport protocol for "foo://".¶
(Parentheses are used to ignore a line break in DNS zone-file presentationformat, perSection 5.1 of [RFC1035].)¶
When SvcPriority is 0, the SVCB record is in AliasMode (Section 2.4.2).Otherwise, it is in ServiceMode (Section 2.4.3).¶
Within a SVCB RRset,all RRsSHOULD have the same mode.If an RRset contains a record in AliasMode, the recipientMUST ignoreany ServiceMode records in the set.¶
RRsets are explicitly unordered collections, so theSvcPriority field is used to impose an ordering on SVCB RRs.A smaller SvcPriority indicates that the domain owner recommends the use of thisrecord over ServiceMode RRs with a larger SvcPriority value.¶
When receiving an RRset containing multiple SVCB records with thesame SvcPriority value, clientsSHOULD apply a random shuffle within apriority level to the records before using them, to ensure uniformload balancing.¶
In AliasMode, the SVCB record aliases a service to aTargetName. SVCB RRsetsSHOULD only have a single RR in AliasMode. If multiple AliasMode RRs are present, clients or recursiveresolversSHOULD pick one at random.¶
The primary purpose of AliasMode is to allow aliasing at the zoneapex, where CNAME is not allowed (see, for example,[RFC1912],Section 2.4).In AliasMode, the TargetName willbe the name of a domain that resolves to SVCB,AAAA, and/or A records. (SeeSection 6 for aliasing of SVCB-compatible RR types.)Unlike CNAME, AliasMode records do not affect the resolution of other RRtypes and apply only to a specific service, not an entire domain name.¶
The AliasMode TargetNameSHOULD NOT be equalto the owner name, as this would result in a loop.In AliasMode, recipientsMUST ignore any SvcParams that are present.Zone-file parsersMAY emit a warning if an AliasMode record has SvcParams.The use of SvcParams in AliasMode records is currently not defined, but afuture specification could extend AliasMode records to include SvcParams.¶
For example, the operator of "foo://example.com:8080" couldpoint requests to a service operating at "foosvc.example.net"by publishing:¶
_8080._foo.example.com. 3600 IN SVCB 0 foosvc.example.net.¶
Using AliasMode maintains a separation of concerns: the owner of"foosvc.example.net" can add or remove ServiceMode SVCB records withoutrequiring a corresponding change to "example.com". Note that if"foosvc.example.net" promises to always publish a SVCB record, this AliasModerecord can be replaced by a CNAME at the same owner name.¶
AliasMode is especially useful for SVCB-compatible RR types that do notrequire an underscore prefix, such as the HTTPS RR type. For example,the operator of "https://example.com" could point requests to a serverat "svc.example.net" by publishing this record at the zone apex:¶
example.com. 3600 IN HTTPS 0 svc.example.net.¶
Note that the SVCB record's owner nameMAY be the canonical nameof a CNAME record, and the TargetNameMAY be the owner of a CNAMErecord. Clients and recursive resolversMUST follow CNAMEs as normal.¶
To avoid unbounded alias chains, clients and recursive resolversMUST impose alimit on the total number of SVCB aliases they will follow for each resolutionrequest. This limitMUST NOT be zero, i.e., implementationsMUST be able tofollow at least one AliasMode record. The exact value of this limitis left to implementations.¶
Zones that require following multiple AliasMode records could encountercompatibility and performance issues.¶
As legacy clients will not know to use this record, serviceoperators will likely need to retain fallback AAAA and A recordsalongside this SVCB record, although in a common casethe target of the SVCB record might offer better performance, andtherefore would be preferable for clients implementing this specificationto use.¶
AliasMode records only apply to queries for the specific RR type.For example, a SVCB record cannot alias to an HTTPS record or vice versa.¶
In ServiceMode, the TargetName and SvcParams within each RRassociate an alternative endpoint for the service with its connectionparameters.¶
Each protocol scheme that uses SVCBMUST define a protocol mapping thatexplains how SvcParams are applied for connections of that scheme.Unless specified otherwise by theprotocol mapping, clientsMUST ignore any SvcParam that they donot recognize.¶
Some SvcParams impose requirements on other SvcParams in the RR. AServiceMode RR is called "self-consistent" if its SvcParams all comply witheach other's requirements. ClientsMUST reject any RR whose recognizedSvcParams are not self-consistent andMAY reject the entire RRset. Tohelp zone operators avoid this condition, zone-file implementationsSHOULDenforce self-consistency as well.¶
If TargetName has the value "." (represented in the wire format as azero-length label), special rules apply.¶
For AliasMode SVCB RRs, a TargetName of "." indicates that the serviceis not available or does not exist. This indication is advisory:clients encountering this indicationMAY ignore it and attempt to connectwithout the use of SVCB.¶
For ServiceMode SVCB RRs, if TargetName has the value ".", then theowner name of this recordMUST be used as the effective TargetName.If the record has a wildcard owner name in the zone file, the recipientSHALL use the response's synthesized owner name as the effective TargetName.¶
Here, for example, "svc2.example.net" is the effective TargetName:¶
example.com. 7200 IN HTTPS 0 svc.example.net.svc.example.net. 7200 IN CNAME svc2.example.net.svc2.example.net. 7200 IN HTTPS 1 . port=8002svc2.example.net. 300 IN A 192.0.2.2svc2.example.net. 300 IN AAAA 2001:db8::2¶
"SVCB resolution" is the process of enumerating and ordering the available endpointsfor a service, as performed by the client. SVCB resolution is implemented as follows:¶
This procedure does not rely on any recursive or authoritative DNS server tocomply with this specification or have any awareness of SVCB.¶
A client is called "SVCB-optional" if it can connect without the use ofServiceMode records; otherwise, it is called "SVCB-reliant". Clients for pre-existingprotocols (e.g., HTTP)SHALL implement SVCB-optional behavior (except asnoted inSection 3.1 or when modified by future specifications).¶
SVCB-optional clientsSHOULD issue in parallel any other DNS queries that mightbe needed for connection establishment if the SVCB record is absent, in order to minimize delayin that case and enable the optimizations discussed inSection 5.¶
Once SVCB resolution has concluded, whether successful or not,if at least one AliasMode record was processed,SVCB-optional clientsSHALL append to the list of endpoints anendpoint consisting of the final value of $QNAME, the authorityendpoint's port number, and no SvcParams. (This endpoint will beattempted before falling back to non-SVCB connection modes. This ensures thatSVCB-optional clients will make use of an AliasMode record whose TargetName hasA and/or AAAA records but no SVCB records.)¶
The client proceeds with connection establishment using this list ofendpoints. ClientsSHOULD try higher-priority alternatives first, withfallback to lower-priority alternatives. Clients resolve AAAA and/or Arecords for the selected TargetName andMAY choose between them using anapproach such as Happy Eyeballs[HappyEyeballsV2].¶
If the client is SVCB-optional and connecting using this list of endpoints hasfailed, the client now attempts to use non-SVCB connection modes.¶
Some important optimizations are discussed inSection 5to avoid additional latency in comparison to ordinary AAAA/A lookups.¶
If DNS responses are cryptographically protected (e.g., using DNSSEC orTLS[DoT][DoH]) and SVCB resolution failsdue to an authentication error, SERVFAIL response, transport error, ortimeout, the clientSHOULD abandon its attempt to reach the service, evenif the client is SVCB-optional. Otherwise, an active attackercould mount a downgrade attack by denying the user access to the SvcParams.¶
A SERVFAIL error can occur if the domain is DNSSEC-signed, the recursiveresolver is DNSSEC-validating, and the attacker is between the recursiveresolver and the authoritative DNS server. A transport error or timeout canoccur if an active attacker between the client and the recursive resolver isselectively dropping SVCB queries or responses, based on their size orother observable patterns.¶
If the client enforces DNSSEC validation on A/AAAA responses, itSHOULDapply the same validation policy to SVCB. Otherwise, an attacker coulddefeat the A/AAAA protection by forging SVCB responses that direct theclient to other IP addresses.¶
If DNS responses are not cryptographically protected, clientsMAY treatSVCB resolution failure as fatal or nonfatal.¶
If the client is unable to complete SVCB resolution due to its chain lengthlimit, the clientMUST fall back to the authority endpoint, as if theservice's SVCB record did not exist.¶
Clients using a domain-oriented transport proxy like HTTP CONNECT([RFC7231],Section 4.3.6) or SOCKS5[RFC1928] have the option ofusing named destinations, in which case the client does not performany A or AAAA queries for destination domains. If the client is configuredto use nameddestinations with a proxy that does not provide SVCB query capability(e.g., through an affiliated DNS resolver), the client would have to performSVCB resolution separately, likely disclosing the destinations to additional parties and not just the proxy.Clients in this configurationSHOULD arrange for a separate SVCB resolutionprocedure with appropriate privacy properties. If this is not possible,SVCB-optional clientsMUST disable SVCB resolution entirely, and SVCB-reliantclientsMUST treat the configuration as invalid.¶
If the client does use SVCB and named destinations, the clientSHOULD followthe standard SVCB resolution process, selecting the smallest-SvcPriorityoption that is compatible with the client and the proxy. When connectingusing a SVCB record, clientsMUST provide the final TargetName and port to theproxy, which will perform any required A and AAAA lookups.¶
This arrangement has several benefits:¶
When replying to a SVCB query, authoritative DNS serversSHOULD returnA, AAAA, and SVCB records in the Additional section for any TargetNamesthat are in the zone. If the zone is signed, the serverSHOULD alsoinclude DNSSEC records authenticating the existence or nonexistence of these recordsin the Additional section.¶
SeeSection 4.4 for exceptions.¶
Whether the recursive resolver is aware of SVCB or not, the normal responseconstruction process used for unknown RR types[RFC3597]generates the Answer section of the response.Recursive resolvers that are aware of SVCBSHOULD help the client toexecute the procedure inSection 3 with minimum overalllatency by incorporating additional useful information into theAdditional section of the response as follows:¶
If any of the resolved SVCB records are in AliasMode, choose one of themat random, and resolve SVCB, A, and AAAA records for itsTargetName.¶
In this procedure, "resolve" means the resolver's ordinary recursiveresolution procedure, as if processing a query for that RRset.This includes following any aliases that the resolver would ordinarilyfollow (e.g., CNAME, DNAME[DNAME]). Errors or anomalies inobtaining additional recordsMAY cause this process to terminate butMUST NOT themselves cause the resolver to send a failure response.¶
SeeSection 2.4.2 for additional safeguards for recursive resolversto implement to mitigate loops.¶
SeeSection 5.2 for possible optimizations of this procedure.¶
DNS64 resolvers synthesize responses to AAAA queries for names that onlyhave an A record (Section 5.1.7 of [RFC6147]). SVCB-aware DNS64resolversSHOULD apply the same synthesis logic when resolving AAAArecords for the TargetName for inclusion in the Additional section (Step 2 inSection 4.2) andMAY omit the A records from this section.¶
DNS64 resolversMUST NOT extrapolate the AAAA synthesis logic to the IPhints in the SvcParams (Section 7.3). Modifying the IP hintswould break DNSSEC validation for the SVCB record and would not improveperformance when the above recommendation is implemented.¶
Recursive resolversMUST be able to convey SVCB records with unrecognizedSvcParamKeys. ResolversMAY accomplish this by treatingthe entire SvcParams portion of the record as opaque, even if the contentsare invalid. If a recognized SvcParamKey is followed by a value that isinvalid according to the SvcParam's specification, a recursive resolverMAY report an error such as SERVFAIL instead of returningthe record.For complex value types whose interpretation might differbetween implementations or have additional futureallowed values added (e.g., URIs or "alpn"), resolversSHOULD limit validation to specified constraints.¶
When responding to a query that includes the DNSSEC OK bit[RFC3225],DNSSEC-capable recursive and authoritative DNS serversMUST accompanyeach RRset in the Additional section with the same DNSSEC-related recordsthat they would send when providing that RRset as an Answer (e.g., RRSIG, NSEC,NSEC3).¶
According toSection 5.4.1 of [RFC2181], "Unauthenticated RRs receivedand cached from ... the additional data section ... should not be cached insuch a way that they would ever be returned as answers to a received query.They may be returned as additional information where appropriate."Recursive resolvers thereforeMAY cache records from the Additional sectionfor use in populating Additional section responses andMAY cache themfor general use if they are authenticated by DNSSEC.¶
The EDNS Client Subnet (ECS) option[RFC7871] allows recursiveresolvers to request IP addresses that are suitable for a particular clientIP range. SVCB records may contain IP addresses (in ipv*hint SvcParams)or direct users to a subnet-specific TargetName, so recursive resolversSHOULD include the same ECS option in SVCB queries as in A/AAAA queries.¶
According toSection 7.3.1 of [RFC7871], "Any records from [theAdditional section]MUST NOT be tied to a network." Accordingly,when processing a response whose QTYPE is SVCB-compatible,resolversSHOULD treat any records in the Additional section as havingSOURCE PREFIX-LENGTH set to zero and SCOPE PREFIX-LENGTH as specifiedin the ECS option. Authoritative serversMUST omit such records if they arenot suitable for use by any stub resolvers that set SOURCE PREFIX-LENGTH tozero. This will cause the resolver to perform a follow-up query that canreceive a properly tailored ECS. (This is similar to the usage of CNAME withthe ECS option as discussed in[RFC7871],Section 7.2.1.)¶
Authoritative servers that omit Additional records can avoid the addedlatency of a follow-up query by following the advice inSection 10.2.¶
For optimal performance (i.e., minimum connection setup time), clientsSHOULD implement a client-side DNS cache.Responses in the Additional section of a SVCB responseSHOULD be placedin cache before performing any follow-up queries.With this behavior, and with conforming DNS servers,using SVCB does not add network latency to connection setup.¶
To improve performance when using a non-conforming recursive resolver, clientsSHOULD issue speculative A and/or AAAA queries in parallel with each SVCBquery, based on a predicted value of TargetName (seeSection 10.2).¶
After a ServiceMode RRset is received, clientsMAY try more than one optionin parallel andMAY prefetch A and AAAA records for multiple TargetNames.¶
If an address response arrives before the corresponding SVCB response, theclientMAY initiate a connection as if the SVCB query returned NODATA butMUST NOT transmit any information that could be altered by the SVCB responseuntil it arrives. For example, future SvcParamKeys could be defined thatalter the TLS ClientHello.¶
Clientsimplementing this optimizationSHOULD wait for 50 milliseconds beforestarting optimistic pre-connection, as per the guidance in[HappyEyeballsV2].¶
A SVCB record is consistent with a connectionif the client would attempt an equivalent connection when making use ofthat record. If a SVCB record is consistent with an active or in-progressconnection C, the clientMAY prefer that record and use C as its connection.For example, suppose the client receives this SVCB RRset for a protocolthat uses TLS over TCP:¶
_1234._bar.example.com. 300 IN SVCB 1 svc1.example.net. ( ipv6hint=2001:db8::1 port=1234 ) SVCB 2 svc2.example.net. ( ipv6hint=2001:db8::2 port=1234 )¶
If the client has an in-progress TCP connection to[2001:db8::2]:1234,itMAY proceed with TLS on that connection, eventhough the other record in the RRset has higher priority.¶
If none of the SVCB records are consistentwith any active or in-progress connection,clients proceed with connection establishment as described inSection 3.¶
When following the procedure inSection 4.2, recursiveresolversMAY terminate the procedure early and produce a reply that omitssome of the associated RRsets. This isREQUIRED when the chain length limitis reached (Step 1 inSection 4.2) but might also be appropriatewhen the maximum response size is reached or when responding before fullychasing dependencies would improve performance. When omitting certainRRsets, recursive resolversSHOULD prioritize information forsmaller-SvcPriority records.¶
As discussed inSection 3, clientsMUST be able to fetch additionalinformation that is required to use a SVCB record, if it is not includedin the initial response. As a performance optimization, if some of the SVCBrecords in the response can be used without requiring additional DNS queries,the clientMAY prefer those records, regardless of their priorities.¶
An RR type is called "SVCB-compatible" if it permits an implementation that isidentical to SVCB in its:¶
This allows authoritative and recursive DNS servers to apply identicalprocessing to all SVCB-compatible RR types.¶
All other behaviors described as applying to the SVCB RR also applyto all SVCB-compatible RR types unless explicitly stated otherwise.When following an AliasMode record (Section 2.4.2) of RR type $T, thefollow-up query to the TargetNameMUST also be for type $T.¶
This document defines one SVCB-compatible RR type (other than SVCB itself):the HTTPS RR type (Section 9), which avoids Attrleaf label prefixes[Attrleaf] in order to improvecompatibility with wildcards and CNAMEs, which are widely used with HTTP.¶
Standards authors should consider carefully whether to use SVCB or define anew SVCB-compatible RR type, as this choice cannot easily be reversed afterdeployment.¶
A few initial SvcParamKeys are defined here. These keys are useful for the"https" scheme, and most are expected to be generally applicable to otherschemes as well.¶
Each new protocolmapping documentMUST specify which keys are applicable and safe to use.Protocol mappingsMAY alter the interpretation of SvcParamKeys butMUST NOTalter their presentation or wire formats.¶
The "alpn" and "no-default-alpn" SvcParamKeys togetherindicate the set of Application-Layer Protocol Negotiation (ALPN)protocol identifiers[ALPN]and associated transport protocols supported by this service endpoint (the"SVCB ALPN set").¶
As with Alt-Svc[AltSvc], each ALPN protocol identifier is used toidentify the application protocol and associated suiteof protocols supported by the endpoint (the "protocol suite").The presence of an ALPN protocol identifier in the SVCB ALPN set indicates that thisservice endpoint, described by TargetName and the other parameters (e.g.,"port"), offers service with the protocol suite associated with this ALPN identifier.¶
Clients filter the set of ALPN identifiers to match the protocol suites theysupport, and this informs the underlying transport protocol used (suchas QUIC over UDP or TLS over TCP). ALPN protocol identifiers that do not uniquelyidentify a protocol suite (e.g., an Identification Sequence thatcan be used with both TLS and DTLS) are not compatible with thisSvcParamKey andMUST NOT be included in the SVCB ALPN set.¶
ALPNs are identified by their registered "Identification Sequence"(alpn-id), which is a sequence of 1-255 octets.¶
alpn-id = 1*255OCTET¶
For "alpn", the presentationvalueSHALL bea comma-separated list (Appendix A.1)of one or morealpn-ids. Zone-file implementationsMAY disallow the"," and "\" characters in ALPN IDs instead of implementing thevalue-list escapingprocedure, relying on the opaque key format (e.g.,key1=\002h2) in theevent that these characters are needed.¶
The wire-format value for "alpn" consists of at least onealpn-id prefixed by its length as a single octet, and these length-valuepairs are concatenated to form the SvcParamValue. These pairsMUST exactlyfill the SvcParamValue; otherwise, the SvcParamValue is malformed.¶
For "no-default-alpn", the presentation and wire-format valuesMUST beempty. When "no-default-alpn" is specified in an RR,"alpn" must also be specified in order for the RRto be "self-consistent" (Section 2.4.3).¶
Each scheme that uses this SvcParamKey defines a "default set" of ALPN IDsthat are supported by nearly all clients and servers; this setMAYbe empty. To determine the SVCB ALPN set, the client starts with the list ofalpn-ids from the "alpn" SvcParamKey, and it adds the default set unless the"no-default-alpn" SvcParamKey is present.¶
To establish a connection to the endpoint, clientsMUST¶
For example, if the SVCB ALPN set is ["http/1.1", "h3"] and the clientsupports HTTP/1.1, HTTP/2, and HTTP/3, the client could attempt to connect usingTLS over TCP with a ProtocolNameList of ["http/1.1", "h2"] and could alsoattempt a connection using QUIC with a ProtocolNameList of ["h3"].¶
Once the client has constructed a ClientHello, protocol negotiation in thathandshake proceeds as specified in[ALPN], without regard to the SVCB ALPNset.¶
ClientsMAY implement a fallback procedure, using a less-preferred transportif more-preferred transports fail to connect. This fallback behavior isvulnerable to manipulation by a network attacker who blocks the more-preferredtransports, but it may be necessary for compatibility with existing networks.¶
With this procedure in place, an attacker who can modify DNS and networktraffic can prevent a successful transport connection but cannot otherwiseinterfere with ALPN protocol selection. This procedure also ensures thateach ProtocolNameList includes at least one protocol from the SVCB ALPN set.¶
ClientsSHOULD NOT attempt connection to a service endpoint whose SVCBALPN set does not contain any supported protocols.¶
To ensureconsistency of behavior, clientsMAY reject the entire SVCB RRset and fallback to basic connection establishment if all of the compatible RRs indicate"no-default-alpn", even if connection could have succeeded using anon-default ALPN protocol.¶
Zone operatorsSHOULD ensure that at least one RR in each RRset supports thedefault transports. This enables compatibility with the greatest number ofclients.¶
The "port" SvcParamKey defines the TCP or UDP portthat should be used to reach this alternative endpoint.If this key is not present, clientsSHALL use the authority endpoint's portnumber.¶
The presentationvalue of the SvcParamValue is a single decimal integerbetween 0 and 65535 in ASCII. Any othervalue (e.g., an empty value)is a syntax error. To enable simpler parsing, this SvcParamValueMUST NOT containescape sequences.¶
The wire format of the SvcParamValueis the corresponding 2-octet numeric value in network byte order.¶
If a port-restricting firewall is in place between some client and the serviceendpoint, changing the port number might cause that client to lose access tothe service, so operators should exercise caution when using this SvcParamKeyto specify a non-default port.¶
The "ipv4hint" and "ipv6hint" keys convey IP addresses that clientsMAY use toreach the service. If A and AAAA records for TargetName are locallyavailable, the clientSHOULD ignore these hints. Otherwise, clientsSHOULD perform A and/or AAAA queries for TargetName perSection 3, and clientsSHOULD use the IP address in thoseresponses for future connections. ClientsMAY opt to terminate anyconnections using the addresses in hints and instead switch to theaddresses in response to the TargetName query. Failure to use A and/orAAAA response addresses could negatively impact load balancing or othergeo-aware features and thereby degrade client performance.¶
The presentationvalueSHALL be a comma-separated list (Appendix A.1)of one or more IP addresses of the appropriatefamily in standard textual format[RFC5952][RFC4001]. To enable simpler parsing,this SvcParamValueMUST NOT contain escape sequences.¶
The wire format for each parameter is a sequence of IP addresses in networkbyte order (for the respective address family).Like an A or AAAA RRset, the list of addresses represents anunordered collection, and clientsSHOULD pick addresses to use in a random order.An empty list of addresses is invalid.¶
When selecting between IPv4 and IPv6 addresses to use, clients may use anapproach such as Happy Eyeballs[HappyEyeballsV2].When only "ipv4hint" is present, NAT64 clients may synthesizeIPv6 addresses as specified in[RFC7050] or ignore the "ipv4hint" key andwait for AAAA resolution (Section 3).For best performance, server operatorsSHOULD include an "ipv6hint" parameterwhenever they include an "ipv4hint" parameter.¶
These parameters are intended to minimize additional connection latencywhen a recursive resolver is not compliant with the requirements inSection 4 andSHOULD NOT be included if most clients are usingcompliant recursive resolvers. When TargetName is the service nameor the owner name (which can be written as "."), server operatorsSHOULD NOT include these hints, because they are unlikely to convey anyperformance benefit.¶
In a ServiceMode RR, a SvcParamKey is considered "mandatory" if the RR will notfunction correctly for clients that ignore this SvcParamKey. Each SVCBprotocol mappingSHOULD specify a set of keys that are "automaticallymandatory", i.e., mandatory if they are present in an RR. The SvcParamKey"mandatory" is used to indicate any mandatory keys for this RR, in addition toany automatically mandatory keys that are present.¶
A ServiceMode RR is considered "compatible" by a client if the clientrecognizes all the mandatory keys and their values indicate that successfulconnection establishment is possible. Incompatible RRs are ignored (see step 5 of the procedure defined inSection 3).¶
The presentationvalueSHALL be a comma-separated list(Appendix A.1) of one or more validSvcParamKeys, either by their registered name or in the unknown-key format(Section 2.1). KeysMAY appear in any order butMUST NOT appear morethan once. For self-consistency (Section 2.4.3), listed keysMUST alsoappear in the SvcParams.¶
To enable simpler parsing, thisSvcParamValueMUST NOT contain escape sequences.¶
For example, the following is a valid list of SvcParams:¶
ipv6hint=... key65333=ex1 key65444=ex2 mandatory=key65444,ipv6hint¶
In wire format, the keys are represented by their numeric values innetwork byte order, concatenated in strictly increasing numeric order.¶
This SvcParamKey is always automatically mandatory andMUST NOT appear in itsown value-list. Other automatically mandatory keysSHOULD NOT appear in thelist either. (Including them wastes space and otherwise has no effect.)¶
The use of any protocol with SVCB requires a protocol-specific mappingspecification. This section specifies the mapping for the "http" and "https"URI schemes[HTTP].¶
To enable special handling for HTTP use cases,the HTTPS RR type is defined as a SVCB-compatible RR type,specific to the "https" and "http" schemes. ClientsMUST NOTperform SVCB queries or accept SVCB responses for "https"or "http" schemes.¶
The presentation format of the record is:¶
Name TTL IN HTTPS SvcPriority TargetName SvcParams¶
All the SvcParamKeys defined inSection 7 are permitted for use inHTTPS RRs. The default set of ALPN IDs is the single value "http/1.1".The "automatically mandatory" keys (Section 8) are "port"and "no-default-alpn". (As described inSection 8, clients musteither implement these keys or ignore any RR in which they appear.)Clients that restrict the destination port in "https" URIs(e.g., using the "bad ports" list from[FETCH])SHOULD apply thesame restriction to the "port" SvcParam.¶
The presence of an HTTPS RR for an origin also indicatesthat clients should connect securely and use the "https" scheme, asdiscussed inSection 9.5. This allows HTTPS RRs to apply topre-existing "http" scheme URLs, while ensuring that the client uses asecure and authenticated connection.¶
The HTTPS RR parallels the conceptsintroduced in "HTTP Alternative Services"[AltSvc]. Clients and servers that implement HTTPS RRs arenot required to implement Alt-Svc.¶
The HTTPS RR uses Port Prefix Naming (Section 2.3),with one modification: if the scheme is "https" and the port is 443,then the client's original QNAME isequal to the service name (i.e., the origin's hostname),without any prefix labels.¶
By removing the Attrleaf labels[Attrleaf]used in SVCB, this construction enables offline DNSSEC signing ofwildcard domains, which are commonly used with HTTP. Using theservice name as the owner name of the HTTPS record, without prefixes,also allows the targets of existing CNAME chains(e.g., CDN hosts) to start returning HTTPS RR responses withoutrequiring origin domains to configure and maintain an additionaldelegation.¶
The procedure for following HTTPS AliasMode RRs and CNAME aliases is unchanged from SVCB (as described in Sections 2.4.2 and3).¶
Clients always convert "http" URLs to "https" before performing anHTTPS RR query using the process described inSection 9.5, so domain ownersMUST NOT publish HTTPS RRs with a prefix of "_http".¶
Note that none of these forms alter the HTTPS origin or authority.For example, clientsMUST continue to validate TLS certificatehostnames based on the origin.¶
Publishing a ServiceMode HTTPS RR in DNS is intendedto be similar to transmitting an Alt-Svc field value overHTTP, and receiving an HTTPS RR is intended to be similar toreceiving that field value over HTTP. However, there are somedifferences in the intended client and server behavior.¶
Unlike Alt-Svc field values, HTTPS RRs can contain multiple ALPN IDs. Themeaning and use of these IDs are discussed inSection 7.1.2.¶
HTTPS records do not require or provide any assurance of authenticity. (DNSSECsigning and verification, which would provide such assurance, areOPTIONAL.)The DNS resolution process is modeled as an untrusted channel that might becontrolled by an attacker, soAlt-Svc parameters that cannot be safely received in this modelMUST NOThave a corresponding defined SvcParamKey. For example, there is noSvcParamKey corresponding to the Alt-Svc "persist" parameter, becausethis parameter is not safe to accept over an untrusted channel.¶
There is no SvcParamKey corresponding to the Alt-Svc "ma" (max age) parameter.Instead, server operators encode the expiration time in the DNS TTL.¶
The appropriate TTL value might be different from the "ma" valueused for Alt-Svc, depending on the desired efficiency andagility. Some DNS caches incorrectly extend the lifetime of DNSrecords beyond the stated TTL, so server operators cannot rely onHTTPS RRs expiring on time. Shortening the TTL to compensatefor incorrect caching isNOT RECOMMENDED, as this practice impairs theperformance of correctly functioning caches and does not guaranteefaster expiration from incorrect caches. Instead, server operatorsSHOULD maintain compatibility with expired records until they observethat nearly all connections have migrated to the new configuration.¶
Sending Alt-Svc over HTTP allows the server to tailor the Alt-Svcfield value specifically to the client. When using an HTTPS RR,groups of clients will necessarily receive the same SvcParams.Therefore, HTTPS RRs are not suitable for uses that requiresingle-client granularity.¶
Clients that implement support for both Alt-Svc and HTTPS records andare making a connection based on a cached Alt-Svc responseSHOULDretrieve any HTTPS records for the Alt-Svc alt-authority and ensure thattheir connection attempts are consistent with both the Alt-Svc parametersand any received HTTPS SvcParams. If present, the HTTPS record's TargetNameand port are used for connection establishment (perSection 3).For example, suppose that"https://example.com" sends an Alt-Svc field value of:¶
Alt-Svc: h2="alt.example:443", h2="alt2.example:443", h3=":8443"¶
The client would retrieve the following HTTPS records:¶
alt.example. IN HTTPS 1 . alpn=h2,h3 foo=...alt2.example. IN HTTPS 1 alt2b.example. alpn=h3 foo=..._8443._https.example.com. IN HTTPS 1 alt3.example. ( port=9443 alpn=h2,h3 foo=... )¶
Based on these inputs, the following connection attempts would always beallowed:¶
alt.example:443¶alt3.example:9443¶The following connection attempts would not be allowed:¶
alt.example:443 (not consistent with Alt-Svc)¶alt2b.example (no ALPN ID consistent with both the HTTPSrecord and Alt-Svc)¶alt3.example (not consistent with Alt-Svc)¶Suppose that "foo" is a SvcParamKey that renders the client SVCB-reliant.The following Alt-Svc-only connection attempts would be allowed only ifthe client does not support "foo", as they rely on SVCB-optional fallbackbehavior:¶
Alt-authoritiesSHOULD carry the same SvcParams as the origin unlessa deviation is specifically known to be safe.As noted inSection 2.4 of [AltSvc], clientsMAY disallow any Alt-Svcconnection according to their own criteria, e.g., disallowing Alt-Svcconnections that lack support for privacy features that are available onthe authority endpoint.¶
ClientsMUST NOT use an HTTPS RR response unless theclient supports the TLS Server Name Indication (SNI) extension andindicates the origin name in the TLS ClientHello (which might beencrypted via a future specification such as[ECH]).This supports the conservation of IP addresses.¶
Note that the TLS SNI (and also the HTTP "Host" or ":authority") will indicatethe origin, not the TargetName.¶
An HTTPS RR directs the client to communicate with this host only over asecure transport, similar to HSTS[HSTS].Prior to making an "http" scheme request, the clientSHOULD perform a lookupto determine if any HTTPS RRs exist for that origin. To do so,the clientSHOULD construct a corresponding "https" URL as follows:¶
This construction is equivalent toSection 8.3 of [HSTS], Step 5.¶
If an HTTPS RR query for this "https" URL returns any AliasMode HTTPS RRsor any compatible ServiceMode HTTPS RRs (seeSection 8), the clientSHOULD behave as if it has received an HTTP 307 (Temporary Redirect) status codewith this "https" URL in the "Location" field. (Receipt of an incompatible ServiceMode RR does nottrigger the redirect behavior.)Because HTTPS RRs are received over an often-insecure channel (DNS),clientsMUST NOT place any more trust in this signal than if theyhad received a 307 (Temporary Redirect) response over cleartext HTTP.¶
Publishing an HTTPS RR can potentially lead to unexpected resultsor a loss in functionality in cases where the "http" resource neitherredirects to the "https" resource nor references the same underlying resource.¶
When an "https" connection fails due to an error in the underlying securetransport, such as an error in certificate validation, some clientscurrently offer a "user recourse" that allows the user to bypass thesecurity error and connect anyway.When making an "https" scheme request to an origin with an HTTPS RR,either directly or via the above redirect, such a clientMAY remove the userrecourse option. Origins that publish HTTPS RRs thereforeMUST NOT relyon user recourse for access. For more information, see Sections8.4 and12.1 of[HSTS].¶
All HTTP connections to named origins are eligible to use HTTPS RRs, evenwhen HTTP is used as part of another protocol or without an explicit HTTP-related URIscheme (Section 4.2 of [HTTP]). For example, clients thatsupport HTTPS RRs and implement[WebSocket] using the alteredopening handshake from[FETCH-WEBSOCKETS]SHOULD use HTTPS RRsfor therequestURL.¶
When HTTP is used in a context where URLs or redirects are not applicable(e.g., connections to an HTTP proxy), clients that find a corresponding HTTPS RRSHOULD implement security upgrade behavior equivalent to thatspecified inSection 9.5.¶
Such protocolsMAY define their own SVCB mappings, whichMAYbe defined to take precedence over HTTPS RRs.¶
Each ServiceMode RRset can only serve a single scheme. The scheme is indicatedby the owner name and the RR type. For the generic SVCB RR type, this means thateach owner name can only be used for a single scheme. The underscore prefixingrequirement (Section 2.3) ensures that this is true for the initial query,but it is the responsibility of zone owners to choose names that satisfy thisconstraint when using aliases, including CNAME and AliasMode records.¶
When using the generic SVCB RR type with aliasing, zone ownersSHOULD choose aliastarget names that indicate the scheme in use (e.g., "foosvc.example.net" for"foo" schemes). This will help to avoid confusion when another scheme needs tobe added to the configuration. When multiple port numbers are in use, it may behelpful to repeat the prefix labels in the alias target name (e.g.,"_1234._foo.svc.example.net").¶
To avoid a delay for clients using a non-conforming recursive resolver,domain ownersSHOULD minimize the use of AliasMode records andSHOULDchoose TargetName according to a predictable convention that is knownto the client, so that clients can issue A and/or AAAA queries for TargetNamein advance (seeSection 5). Unless otherwise specified, theconvention is to set TargetName to the service name for an initialServiceMode record, or to "." if it is reached via an alias.¶
$ORIGIN example.com. ; Originfoo 3600 IN CNAME foosvc.example.net._8080._foo.foo 3600 IN CNAME foosvc.example.net.bar 300 IN AAAA 2001:db8::2_9090._bar.bar 3600 IN SVCB 1 bar key65444=...$ORIGIN example.net. ; Service provider zonefoosvc 3600 IN SVCB 1 . key65333=...foosvc 300 IN AAAA 2001:db8::1
Domain ownersSHOULD avoid using a TargetName that is below a DNAME, asthis is likely unnecessary and makes responses slower and larger.Also, zone structures that require following more than eight aliases(counting both AliasMode and CNAME records) areNOT RECOMMENDED.¶
Some authoritative DNS servers may not allow A or AAAA records on namesstarting with an underscore (e.g.,[BIND-CHECK-NAMES]).This could create an operational issue when the TargetName contains an Attrleaf label,or when using a TargetName of "." if the owner name contains an Attrleaf label.¶
Consider a simple zone of the form:¶
$ORIGIN simple.example. ; Simple example zone@ 300 IN A 192.0.2.1 AAAA 2001:db8::1¶
The domain owner could add this record:¶
@ 7200 IN HTTPS 1 . alpn=h3¶
This record would indicate that "https://simple.example" supports QUICin addition to HTTP/1.1 over TLS over TCP (the implicit default).The record could also include other information (e.g., a non-standard port).For "https://simple.example:8443", the record would be:¶
_8443._https 7200 IN HTTPS 1 . alpn=h3¶
These records also respectively tell clients to replace the scheme with "https" whenloading "http://simple.example" or "http://simple.example:8443".¶
Consider a zone that is using CNAME aliasing:¶
$ORIGIN aliased.example. ; A zone that is using a hosting service; Subdomain aliased to a high-performance server poolwww 7200 IN CNAME pool.svc.example.; Apex domain on fixed IPs because CNAME is not allowed at the apex@ 300 IN A 192.0.2.1 IN AAAA 2001:db8::1¶
With HTTPS RRs, the owner of aliased.example could alias the apex byadding one additional record:¶
@ 7200 IN HTTPS 0 pool.svc.example.¶
With this record in place, HTTPS-RR-aware clients will use the sameserver pool for aliased.example and www.aliased.example. (They willalso upgrade "http://aliased.example/..." to "https".) Non-HTTPS-RR-awareclients will just ignore the new record.¶
Similar to CNAME, HTTPS RRs have no impact on the origin name.When connecting, clients will continue to treat the authoritativeorigins as "https://www.aliased.example" and "https://aliased.example",respectively, and will validate TLS server certificates accordingly.¶
Suppose that svc.example's primary server pool supports HTTP/3 but itsbackup server pool does not. This can be expressed in the following form:¶
$ORIGIN svc.example. ; A hosting providerpool 7200 IN HTTPS 1 . alpn=h2,h3 HTTPS 2 backup alpn=h2 port=8443pool 300 IN A 192.0.2.2 AAAA 2001:db8::2backup 300 IN A 192.0.2.3 AAAA 2001:db8::3¶
This configuration is entirely compatible with the "apex aliasing" example,whether the client supports HTTPS RRs or not. If the client does supportHTTPS RRs, all connections will be upgraded to HTTPS, and clients willuse HTTP/3 if they can. Parameters are "bound" to each server pool, soeach server pool can have its own protocol, port number, etc.¶
The HTTPS RR is intended to support HTTPS services operated bymultiple independent entities, such as different CDNs or different hosting providers. This includesthe case where a service is migrated from one operator to another,as well as the case where the service is multiplexed betweenmultiple operators for performance, redundancy, etc.¶
This example shows such a configuration, with www.customer.examplehaving different DNS responses to different queries, either over timeor due to logic within the authoritative DNS server:¶
; This zone contains/returns different CNAME records ; at different points in time. The RRset for "www" can ; only ever contain a single CNAME. ; Sometimes the zone has: $ORIGIN customer.example. ; A multi-CDN customer domain www 900 IN CNAME cdn1.svc1.example. ; and other times it contains: $ORIGIN customer.example. www 900 IN CNAME customer.svc2.example. ; and yet other times it contains: $ORIGIN customer.example. www 900 IN CNAME cdn3.svc3.example. ; With the following remaining constant and always included: $ORIGIN customer.example. ; A multi-CDN customer domain ; The apex is also aliased to www to match its configuration. @ 7200 IN HTTPS 0 www ; Non-HTTPS-aware clients use non-CDN IPs. A 203.0.113.82 AAAA 2001:db8:203::2 ; Resolutions following the cdn1.svc1.example ; path use these records. ; This CDN uses a different alternative service for HTTP/3. $ORIGIN svc1.example. ; domain for CDN 1 cdn1 1800 IN HTTPS 1 h3pool alpn=h3 HTTPS 2 . alpn=h2 A 192.0.2.2 AAAA 2001:db8:192::4 h3pool 300 IN A 192.0.2.3 AAAA 2001:db8:192:7::3 ; Resolutions following the customer.svc2.example ; path use these records. ; Note that this CDN only supports HTTP/2. $ORIGIN svc2.example. ; domain operated by CDN 2 customer 300 IN HTTPS 1 . alpn=h2 60 IN A 198.51.100.2 A 198.51.100.3 A 198.51.100.4 AAAA 2001:db8:198::7 AAAA 2001:db8:198::12 ; Resolutions following the cdn3.svc3.example ; path use these records. ; Note that this CDN has no HTTPS records. $ORIGIN svc3.example. ; domain operated by CDN 3 cdn3 60 IN A 203.0.113.8 AAAA 2001:db8:113::8¶
Note that in the above example, the different CDNs have differentconfigurations and different capabilities, but clients will use HTTPS RRsas a bound-together unit.¶
Domain owners should be cautious when using a multi-CDN configuration, as itintroduces a number of complexities highlighted by this example:¶
For protocols other than HTTP, the SVCB RR and an Attrleaf label[Attrleaf]will be used. For example, to reach an example resource of"baz://api.example.com:8765", the following SVCBrecord would be used to alias it to "svc4-baz.example.net.",which in turn could return AAAA/A records and/or SVCBrecords in ServiceMode:¶
_8765._baz.api.example.com. 7200 IN SVCB 0 svc4-baz.example.net.¶
HTTPS RRs use similar Attrleaf labels if the origin containsa non-default port.¶
This standard is intended to reduce connection latency andimprove user privacy. Server operators implementing this standardSHOULD also implement TLS 1.3[RFC8446] andOnline Certificate Status Protocol (OCSP) Stapling (i.e., Certificate StatusRequest inSection 8 of [RFC6066]),both of which confer substantial performance and privacybenefits when used in combination with SVCB records.¶
To realize the greatest privacy benefits, this proposal is intended foruse over a privacy-preserving DNS transport (like DNS over TLS[DoT] or DNS over HTTPS[DoH]).However, performance improvements, and some modest privacy improvements,are possible without the use of those standards.¶
Any specification for the use of SVCB with a protocolMUST have an entry for itsscheme under the SVCB RR type in the IANA DNS "Underscored and Globally Scoped DNS Node Names" registry[Attrleaf]. The schemeMUST have an entry in the "Uniform Resource Identifier (URI) Schemes" registry[RFC7595] andMUST have a defined specification for usewith SVCB.¶
SVCB/HTTPS RRs permit distribution over untrustedchannels, and clients areREQUIRED to verify that the alternative endpointis authoritative for the service (similar toSection 2.1 of [AltSvc]).Therefore, DNSSEC signing and validation areOPTIONAL for publishingand using SVCB and HTTPS RRs.¶
ClientsMUST ensure that their DNS cache is partitioned for each localnetwork, or flushed on network changes, to prevent a local adversary in onenetwork from implanting a forged DNS record that allows them totrack users or hinder their connections after they leave that network.¶
An attacker who can prevent SVCB resolution can deny clients any associatedsecurity benefits. A hostile recursive resolver can always deny service toSVCB queries, but network intermediaries can often prevent resolution as well,even when the client and recursive resolver validate DNSSEC and use a securetransport. These downgrade attacks can prevent the "https" upgrade provided bythe HTTPS RR (Section 9.5) and can disable any other protections coordinated viaSvcParams. To prevent downgrades,Section 3.1recommends that clients abandon the connection attempt when such an attack isdetected.¶
A hostile DNS intermediary might forge AliasMode "." records (Section 2.5.1) asa way to block clients from accessing particular services. Such an adversarycould already block entire domains by forging erroneous responses, but thismechanism allows them to target particular protocols or ports within a domain.Clients that might be subject to such attacksSHOULD ignore AliasMode "."records.¶
A hostile DNS intermediary or authoritative server can return SVCB records indicating any IPaddress and port number, including IP addresses inside the local network andport numbers assigned to internal services. If the attacker can influence theclient's payload (e.g., TLS session ticket contents) and an internal servicehas a sufficiently lax parser, the attacker could gain access to theinternal service. (The same concerns apply to SRV records, HTTP Alt-Svc,and HTTP redirects.) As a mitigation, SVCB mapping documentsSHOULD indicateany port number restrictions that are appropriate for the supported transports.¶
Standard address queries reveal the user's intent to access a particulardomain. This information is visible to the recursive resolver, and tomany other parties when plaintext DNS transport is used. SVCB queries,like queries for SRV records and other specific RR types, additionallyreveal the user's intent to use a particular protocol. This is notnormally sensitive information, but it should be considered when addingSVCB support in a new context.¶
IANA has registered the following new DNS RR type in the "Resource Record (RR) TYPEs"registry on the "Domain Name System (DNS) Parameters" page:¶
IANA has registered the following new DNS RR type in the "Resource Record (RR) TYPEs" registry on the "Domain Name System (DNS) Parameters" page:¶
IANA has created the "Service Parameter Keys (SvcParamKeys)"registry in the "Domain Name System (DNS) Parameters" categoryon a new page entitled "DNS Service Bindings (SVCB)". This registrydefines the namespacefor parameters, including string representations and numericSvcParamKey values. This registry is shared with other SVCB-compatibleRR types, such as the HTTPS RR.¶
A registrationMUST include the following fields:¶
The characters in the registered Name field entryMUST be lowercase alphanumeric or "-"(Section 2.1). The nameMUST NOT start with "key" or "invalid".¶
The registration policy for new entries is Expert Review ([RFC8126],Section 4.5). The designated expertMUST ensure thatthe reference is stable and publicly available and that it specifieshow to convert the SvcParamValue's presentation format to wire format. ThereferenceMAY be any individual's Internet-Draft or a document fromany other source with similar assurances of stability and availability.An entryMAY specify a reference ofthe form "Same as (other key name)" if it uses the same presentation and wireformats as an existing key.¶
This arrangement supports the development of new parameters while ensuring thatzone files can be made interoperable.¶
The "Service Parameter Keys (SvcParamKeys)" registry has beenpopulated with the following initial registrations:¶
| Number | Name | Meaning | Reference | Change Controller |
|---|---|---|---|---|
| 0 | mandatory | Mandatory keys in this RR | RFC 9460,Section 8 | IETF |
| 1 | alpn | Additional supported protocols | RFC 9460,Section 7.1 | IETF |
| 2 | no-default-alpn | No support for default protocol | RFC 9460,Section 7.1 | IETF |
| 3 | port | Port for alternative endpoint | RFC 9460,Section 7.2 | IETF |
| 4 | ipv4hint | IPv4 address hints | RFC 9460,Section 7.3 | IETF |
| 5 | ech | RESERVED (held for Encrypted ClientHello) | N/A | IETF |
| 6 | ipv6hint | IPv6 address hints | RFC 9460,Section 7.3 | IETF |
| 65280-65534 | N/A | Reserved for Private Use | RFC 9460 | IETF |
| 65535 | N/A | Reserved ("Invalid key") | RFC 9460 | IETF |
Per[Attrleaf], the following entry has been added to the DNS "Underscored and Globally Scoped DNS Node Names" registry:¶
| RR Type | _NODE NAME | Reference |
|---|---|---|
| HTTPS | _https | RFC 9460 |
DNS zone files are capable of representing arbitrary octet sequences inbasic ASCII text, using various delimiters and encodings, according to an algorithmdefined inSection 5.1 of [RFC1035].The following summarizes some allowed inputs to that algorithm, using ABNF:¶
; non-special is VCHAR minus DQUOTE, ";", "(", ")", and "\".non-special = %x21 / %x23-27 / %x2A-3A / %x3C-5B / %x5D-7E; non-digit is VCHAR minus DIGIT.non-digit = %x21-2F / %x3A-7E; dec-octet is a number 0-255 as a three-digit decimal number.dec-octet = ( "0" / "1" ) 2DIGIT / "2" ( ( %x30-34 DIGIT ) / ( "5" %x30-35 ) )escaped = "\" ( non-digit / dec-octet )contiguous = 1*( non-special / escaped )quoted = DQUOTE *( contiguous / ( ["\"] WSP ) ) DQUOTEchar-string = contiguous / quoted¶The decoding algorithm allowschar-string to represent any*OCTET,using quoting to group values (e.g., those with internal whitespace), andescaping to represent each non-printable octet as a singleescaped sequence.In this document, this algorithm is referred to as "character-string decoding", becauseSection 5.1 of [RFC1035] uses thisalgorithm to produce a<character-string>. Note that whilethe length of a<character-string> is limited to 255 octets, thecharacter-string decoding algorithm can produce output of any length.¶
In order to represent lists of items in zone files, this specification usescomma-separated lists. When the allowed items in the list cannot contain ","or "\", this is trivial. (For simplicity, empty items are not allowed.)A value-list parser that splits on "," and prohibits items containing "\"is sufficient to comply with all requirements in this document. Thiscorresponds to thesimple-comma-separated syntax:¶
; item-allowed is OCTET minus "," and "\".item-allowed = %x00-2B / %x2D-5B / %x5D-FFsimple-item = 1*item-allowedsimple-comma-separated = [simple-item *("," simple-item)]¶For implementations that allow "," and "\" in item values, the followingescaping syntax applies:¶
item = 1*OCTETescaped-item = 1*(item-allowed / "\," / "\\")comma-separated = [escaped-item *("," escaped-item)]¶Decoding of value-lists happens after character-string decoding.For example, consider thesechar-string SvcParamValues:¶
"part1,part2,part3\\,part4\\\\"part1\,\p\a\r\t2\044part3\092,part4\092\\¶
These inputs are equivalent: character-string decoding either of them wouldproduce the samevalue:¶
part1,part2,part3\,part4\\¶
Applying comma-separated list decoding to thisvalue would produce a listof threeitems:¶
part1part2part3,part4\¶
This table serves as a non-normative summary of the HTTP mapping for SVCB(Section 9). Future protocol mappings may provide a similar summary table.¶
| Mapped scheme | "https" |
| Other affected schemes | "http", "wss", "ws", (other HTTP-based) |
| RR type | HTTPS (65) |
| Name prefix | None for port 443, else_$PORT._https |
| Automatically mandatory keys | port,no-default-alpn |
| SvcParam defaults | alpn: ["http/1.1"] |
| Special behaviors | Upgrade from HTTP to HTTPS |
| Keys that records must include | None |
The SVCB and HTTPS RR types closely resemble,and are inspired by, some existingrecord types and proposals. One complaint regarding all of the alternativesis that web clients have seemed unenthusiastic about implementingthem. The hope here is that an extensible solution thatsolves multiple problems will overcome this inertia and have a pathto achieve client implementation.¶
An SRV record[SRV] can perform a function similarto that of the SVCB record,informing a client to look in a different location for a service.However, there are several differences:¶
Unlike[HTTP-DNS-RR], this approach isextensible to cover Alt-Svc and Encrypted ClientHello use cases. Like thatproposal, this addresses the zone-apex CNAME challenge.¶
Like that proposal, it remains necessary to continue to includeaddress records at the zone apex for legacy clients.¶
Unlike[ANAME-DNS-RR], this approach is extensible tocover Alt-Svc and Encrypted ClientHello use cases. This approach also does notrequire any changes or special handling on either authoritative orprimary servers, beyond optionally returning in-bailiwick additional records.¶
Like that proposal, this addresses the zone-apex CNAME challengefor clients that implement this.¶
However, with this SVCB proposal, it remains necessary to continueto include address records at the zone apex for legacy clients.If deployment of this standard is successful, the number of legacy clientswill fall over time. As the number of legacy clients declines, the operationaleffort required to serve these users without the benefit of SVCB indirectionshould fall. Server operators can easily observe how much traffic reaches thislegacy endpoint and may remove the apex's address records if the observed legacytraffic has fallen to negligible levels.¶
Abstractly, functions of AliasMode and ServiceMode are independent,so it might be tempting to specify them as separate RR types. However,this would result in serious performance impairment, because clientscannot rely on their recursive resolver to follow SVCB aliases (unlikeCNAME). Thus, clients would have to issue queries for both RR typesin parallel, potentially at each step of the alias chain. Recursiveresolvers that implement the specification would, upon receipt of aServiceMode query, emit both a ServiceMode query and an AliasMode query tothe authoritative DNS server. Thus, splitting the RR type would double, or insome cases triple, the load on clients and servers, and would notreduce implementation complexity.¶
These test vectors only contain the RDATA portion of SVCB/HTTPS records inpresentation format, generic format[RFC3597], and wire format. The wireformat uses hexadecimal (\xNN) for each non-ASCII byte. As the wire format islong, it is broken into several lines.¶
example.com. HTTPS 0 foo.example.com.\# 19 (00 00 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target)\x00\x00 # priority\x03foo\x07example\x03com\x00 # target
example.com. SVCB 1 .\# 3 (00 01 ; priority00 ; target (root label))\x00\x01 # priority\x00 # target (root label)
example.com. SVCB 16 foo.example.com. port=53\# 25 (00 10 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target00 03 ; key 300 02 ; length 200 35 ; value)\x00\x10 # priority\x03foo\x07example\x03com\x00 # target\x00\x03 # key 3\x00\x02 # length 2\x00\x35 # value
example.com. SVCB 1 foo.example.com. key667=hello\# 28 (00 01 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target02 9b ; key 66700 05 ; length 568 65 6c 6c 6f ; value)\x00\x01 # priority\x03foo\x07example\x03com\x00 # target\x02\x9b # key 667\x00\x05 # length 5hello # value
example.com. SVCB 1 foo.example.com. key667="hello\210qoo"\# 32 (00 01 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target02 9b ; key 66700 09 ; length 968 65 6c 6c 6f d2 71 6f 6f ; value)\x00\x01 # priority\x03foo\x07example\x03com\x00 # target\x02\x9b # key 667\x00\x09 # length 9hello\xd2qoo # value
example.com. SVCB 1 foo.example.com. ( ipv6hint="2001:db8::1,2001:db8::53:1" )\# 55 (00 01 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target00 06 ; key 600 20 ; length 3220 01 0d b8 00 00 00 00 00 00 00 00 00 00 00 01 ; first address20 01 0d b8 00 00 00 00 00 00 00 00 00 53 00 01 ; second address)\x00\x01 # priority\x03foo\x07example\x03com\x00 # target\x00\x06 # key 6\x00\x20 # length 32\x20\x01\x0d\xb8\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00\x01 # first address\x20\x01\x0d\xb8\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x53\x00\x01 # second address
example.com. SVCB 1 example.com. ( ipv6hint="2001:db8:122:344::192.0.2.33" )\# 35 (00 01 ; priority07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ; target00 06 ; key 600 10 ; length 1620 01 0d b8 01 22 03 44 00 00 00 00 c0 00 02 21 ; address)\x00\x01 # priority\x07example\x03com\x00 # target\x00\x06 # key 6\x00\x10 # length 16\x20\x01\x0d\xb8\x01\x22\x03\x44 \x00\x00\x00\x00\xc0\x00\x02\x21 # address
example.com. SVCB 16 foo.example.org. ( alpn=h2,h3-19 mandatory=ipv4hint,alpn ipv4hint=192.0.2.1 )\# 48 (00 10 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target00 00 ; key 000 04 ; param length 400 01 ; value: key 100 04 ; value: key 400 01 ; key 100 09 ; param length 902 ; alpn length 268 32 ; alpn value05 ; alpn length 568 33 2d 31 39 ; alpn value00 04 ; key 400 04 ; param length 4c0 00 02 01 ; param value)\x00\x10 # priority\x03foo\x07example\x03org\x00 # target\x00\x00 # key 0\x00\x04 # param length 4\x00\x01 # value: key 1\x00\x04 # value: key 4\x00\x01 # key 1\x00\x09 # param length 9\x02 # alpn length 2h2 # alpn value\x05 # alpn length 5h3-19 # alpn value\x00\x04 # key 4\x00\x04 # param length 4\xc0\x00\x02\x01 # param value
example.com. SVCB 16 foo.example.org. alpn="f\\\\oo\\,bar,h2"example.com. SVCB 16 foo.example.org. alpn=f\\\092oo\092,bar,h2\# 35 (00 10 ; priority03 66 6f 6f 07 65 78 61 6d 70 6c 65 03 6f 72 67 00 ; target00 01 ; key 100 0c ; param length 1208 ; alpn length 866 5c 6f 6f 2c 62 61 72 ; alpn value02 ; alpn length 268 32 ; alpn value)\x00\x10 # priority\x03foo\x07example\x03org\x00 # target\x00\x01 # key 1\x00\x0c # param length 12\x08 # alpn length 8f\oo,bar # alpn value\x02 # alpn length 2h2 # alpn value
This subsection contains test vectors that are notcompliant with this document. The various reasons for non-complianceare explained with each example.¶
example.com. SVCB 1 foo.example.com. ( key123=abc key123=def )
example.com. SVCB 1 foo.example.com. mandatoryexample.com. SVCB 1 foo.example.com. alpnexample.com. SVCB 1 foo.example.com. portexample.com. SVCB 1 foo.example.com. ipv4hintexample.com. SVCB 1 foo.example.com. ipv6hint
example.com. SVCB 1 foo.example.com. no-default-alpn=abc
example.com. SVCB 1 foo.example.com. mandatory=key123
example.com. SVCB 1 foo.example.com. mandatory=mandatory
example.com. SVCB 1 foo.example.com. ( mandatory=key123,key123 key123=abc )
Over the years, IETF participants have proposed a wide range of solutions tothe "CNAME at the zone apex" challenge, including[HTTP-DNS-RR],[ANAME-DNS-RR], and others. The authors are gratefulfor their work to elucidate the problem and identify promising strategies toaddress it, some of which are reflected in this document.¶
Thank you toIan Swett,Ralf Weber,Jon Reed,Martin Thomson,Lucas Pardue,Ilari Liusvaara,Tim Wicinski,Tommy Pauly,Chris Wood,David Benjamin,Mark Andrews,Emily Stark,Eric Orth,Kyle Rose,Craig Taylor,Dan McArdle,Brian Dickson,Willem Toorop,Pieter Lexis,Puneet Sood,Olivier Poitrey,Mashooq Muhaimen,Tom Carpay, and many others for their feedbackand suggestions on this document.¶