Re: [dns-operations] Testing of SVCB/HTTPS records

2024-04-12 Thread Jan Schaumann via dns-operations
--- Begin Message ---
Stephane Bortzmeyer  wrote:
> Does anyone know a tool (online or local) to test that published
> SVCB/HTTPS records are correct? At least checking requirements like all
> parameter keys in order, and ideally try to connect to check the
> parameters.

I'm not aware of such a tool, but I've done some
digging into how far popular browsers currently
support or implement HTTPS records.  That support is
still lacking in many parts, with only certain
parameters being supported and inconsistent
follow-through on e.g., alias-mode etc.

(I've been meaning to summarize my results in blog
form, but haven't gotten around to it.)

I've opened some tickets with Chrome, Safari, and
Mozilla (e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=1869075);
I believe Chrome is currently focused on use of
HTTPS records for ECH; Safari looks to me to have the
best support (but is still lacking in some parts).

On the server side, I did an analysis of use of HTTPS
records by domain last year that, if a tangent, may be
of interest here, too:
https://www.netmeister.org/blog/https-rrs.html

-Jan
--- End Message ---
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations


Re: [dns-operations] Testing of SVCB/HTTPS records

2024-04-12 Thread Philip Homburg

On 08/04/2024 09:54, Stephane Bortzmeyer wrote:

> Does anyone know a tool (online or local) to test that published
> SVCB/HTTPS records are correct? At least checking requirements like all
> parameter keys in order, and ideally try to connect to check the
> parameters.


Prototype 'proto9' of our connectbyname prototype 
(https://github.com/NLnetLabs/connectbyname) supports the HTTPS record.




Re: [dns-operations] Testing of SVCB/HTTPS records

2024-04-11 Thread Niall O'Reilly


On 10 Apr 2024, at 12:47, Alarig Le Lay via dns-operations wrote:

> I don’t know any tool either,

Neither do I.

I have a related question: does anyone know of plans among resolver
developers to implement alias-chasing according to section 4.2 of
RFC9460?  In my domestic set-up, which includes BIND named, unbound,
and kresd, I'm not seeing this available yet.

[More about ECH and curl below, in context ...]

> but curl plans to implement it:
> https://curl.se/dev/roadmap.html
>
> the next few years - perhaps
>
> Roadmap of things Daniel Stenberg wants to work on next. It is
[...]
> HTTPS DNS records
>
> As a DNS version of alt-svc and also a pre-requisite for ECH
> (see below).
>
> See: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02
>
> ECH (Encrypted Client Hello - formerly known as ESNI)
>
> See Daniel's post on Support of Encrypted SNI on the mailing
> list.
>
> Initial work exists in PR 4011

This PR 4011 was a POC for ESNI, (2019) before it became ECH, so it's
been overtaken by events.  It was part of the DEfO project (defo.ie),
which is continuing.  By now,Stephen Farrell has developed ECH support
in (his fork of) OpenSSL, and has implemented ECH support on a number
of server codes. On the client side, he and I have added ECH support
to libcurl, and partial HTTPS RR support into its DoH component.

Making ECH work, rather than checking all the structure of the HTTPS
RDATA, has been our focus. As of yesterday
(https://github.com/niallor/curl/tree/ECH-follow-alias-20240410)
we have alias-following working, but only for the first AliasMode RR;
limited iteration is on the TODO list.

I can't say how soon we'll succeed in having some of this work
accepted upstream; we're at different stages of engagement with
a number of developer teams.

/Niall





Re: [dns-operations] Testing of SVCB/HTTPS records

2024-04-10 Thread Alarig Le Lay via dns-operations
--- Begin Message ---
On Mon 08 Apr 2024 09:54:57 GMT, Stephane Bortzmeyer wrote:
> Does anyone know a tool (online or local) to test that published
> SVCB/HTTPS records are correct? At least checking requirements like all
> parameter keys in order, and ideally try to connect to check the
> parameters.

I don’t know any tool either, but curl plans to implement it:
https://curl.se/dev/roadmap.html

>   the next few years - perhaps
>
>   Roadmap of things Daniel Stenberg wants to work on next. It is
>   intended to serve as a guideline for others for information,
>   feedback and possible participation.
>
>   "Complete" the HTTP/3 support
>   curl has experimental support for HTTP/3 since a good while
>   back. There are some functionality missing and once the final
>   specs are published we want to eventually remove the
>   "experimental" label from this functionality.
>
>   HTTPS DNS records
>   As a DNS version of alt-svc and also a pre-requisite for ECH
>   (see below).
>   See: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02
>
>   ECH (Encrypted Client Hello - formerly known as ESNI)
>   See Daniel's post on Support of Encrypted SNI on the mailing
>   list.
>   Initial work exists in PR 4011
--- End Message ---


[dns-operations] Testing of SVCB/HTTPS records

2024-04-08 Thread Stephane Bortzmeyer
Does anyone know a tool (online or local) to test that published
SVCB/HTTPS records are correct? At least checking requirements like all
parameter keys in order, and ideally try to connect to check the
parameters.
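
A local check of the kind asked about above, as an added example that is not part of the thread or of any tool named in it: it parses one SVCB/HTTPS RDATA in wire format and reports RFC 9460 structural problems (strictly increasing SvcParamKeys, AliasMode carrying parameters, `mandatory`, `no-default-alpn`, `port`). The function name and the sample bytes are constructed for illustration; it does not validate `alpn`, `ech` or hint values and makes no connection.

```python
import struct

def check_svcb_rdata(rdata: bytes) -> list:
    """Return the problems found in one SVCB/HTTPS RDATA in wire format."""
    if len(rdata) < 3:
        return ["RDATA too short"]
    (priority,) = struct.unpack_from("!H", rdata, 0)
    pos = 2
    while True:  # TargetName: uncompressed labels ending with the root label
        if pos >= len(rdata):
            return ["truncated TargetName"]
        n = rdata[pos]
        if n & 0xC0:
            return ["compressed or invalid label in TargetName"]
        pos += 1 + n
        if n == 0:
            break
    problems, params, prev = [], {}, -1
    while pos < len(rdata):  # SvcParams: key (2 octets), length (2), value
        if pos + 4 > len(rdata):
            return problems + ["truncated SvcParam header"]
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            return problems + ["truncated SvcParam value"]
        if key <= prev:  # also catches duplicate keys
            problems.append(f"key {key} not in strictly increasing order")
        prev, params[key] = key, rdata[pos:pos + length]
        pos += length
    if priority == 0:  # AliasMode: clients ignore any SvcParams
        return problems + (["AliasMode record carries SvcParams"] if params else [])
    m = params.get(0)  # key 0 = mandatory
    if m is not None and (not m or len(m) % 2):
        problems.append("mandatory: empty or odd-length value")
    elif m:
        listed = struct.unpack(f"!{len(m) // 2}H", m)
        if any(a >= b for a, b in zip(listed, listed[1:])):
            problems.append("mandatory: list not strictly increasing")
        problems += [f"mandatory: key {k} is key 0 or absent from the record"
                     for k in listed if k == 0 or k not in params]
    if 2 in params and (params[2] or 1 not in params):  # 2 = no-default-alpn, 1 = alpn
        problems.append("no-default-alpn: needs an empty value and an alpn parameter")
    if 3 in params and len(params[3]) != 2:  # 3 = port
        problems.append("port: value must be 2 octets")
    return problems

# Constructed samples: priority 1, target ".", alpn=h2, port=443.
GOOD = bytes.fromhex("0001" "00" "00010003026832" "0003000201bb")
BAD_ORDER = bytes.fromhex("0001" "00" "0003000201bb" "00010003026832")
```
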