Mar 06 2024

HTTPS Record

Posted by Vitalie Cherpec

Today we added support for HTTPS records. RFC 9460 introduces two new record types; one of them, the HTTPS record, improves the speed, security and efficiency of how browsers connect to servers.

The Problem

Currently the browser sends an HTTP request to the server, the server redirects it to HTTPS, and the browser then reissues the request over HTTPS, where it learns the server's ALPN (Application-Layer Protocol Negotiation) choice during the TLS handshake.

Example

  1. Browser issues the request and server responds with redirect:

      >> GET http://www.example.com/ HTTP/1.1
      >> [...]
    
      << 301 Moved Permanently
      << [...]
      << Location: https://www.example.com/
    
  2. Browser follows the redirect and reissues the request after creating a new connection over HTTPS:

      >> GET https://www.example.com/ HTTP/1.1
      >> [...]
    
      << HTTP/2 200
      << [...]
    

This introduces latency because of the extra round trips, which increases the Time to First Byte (TTFB).

The HTTPS Record

RFC 9460 allows connection details to be published in DNS, reducing the steps required to establish a connection and adding failover information. It brings the Alt-Svc HTTP header and the ALPN TLS extension directly into DNS.

Format:

https(name, target, svc_prio, svc_params, ttl)

An HTTPS record can be configured in one of two modes: Alias Mode (svc_prio = 0) or Service Mode (svc_prio != 0).

Alias Mode

In alias mode, svc_prio is zero and the svc_params list is empty.

Used in alias mode, the HTTPS record removes the CNAME limitation at the zone apex. It was designed as a standards-based replacement for the ALIAS/ANAME record type workaround.

It instructs browsers to connect directly to the CDN service specified by target.

-- Create an alias for the apex domain, where a CNAME cannot be used:
-- a CNAME must be the only record at its name, but the apex already has SOA and NS records.
https("", "d8e8fca2dc0f896fd7cb4cb0031ba249.cloudfront.net")

Service Mode

In service mode, svc_prio is greater than zero and an optional list of key=value pairs (svc_params) can be specified.

Examples:

  1. Failover

    A configuration with two services for the www name. Browsers are instructed to try the services in a specific order (svc1, then svc2) in case of failure.

    -- Lower svc_prio numbers have higher priority
    https("www", "svc1.example.net", 10)
    https("www", "svc2.example.net", 20)
    
  2. Load Balancing

    A load-balancing configuration with two services (svc1 and svc2) for www: the same svc_prio value is used to distribute the load between them.

    https("www", "svc1.example.net", 10)
    https("www", "svc2.example.net", 10)
    
  3. Encrypted ClientHello (ECH)

    Distributes the ECH public key; it is recommended to enable DNSSEC for better security.

    https("app", "svc3.example.net", 1, {alpn="http/1.1,h2", ech="base64_public_key"})
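
As an added example, not part of the original post or the provider's own code, the following Python script takes the https(name, target, svc_prio, svc_params, ttl) records from the alias and service mode sections above, checks them against the mode rules, prints them in RFC 9460 presentation format and derives the order in which a client tries the targets (lower svc_prio first, equal svc_prio values grouped for load balancing). The zone name example.com. and the default TTL are assumptions.

```python
# Added example, not the provider's code: check https(name, target, svc_prio, svc_params,
# ttl) records against the alias/service mode rules above, render them in RFC 9460
# presentation format and derive the order a client tries the targets in. ZONE is assumed.
from collections import defaultdict

ZONE = "example.com."  # assumed zone the records belong to

def https(name, target, svc_prio=0, svc_params=None, ttl=3600):
    """Mirror of the page's https() helper: returns one record as a dict."""
    return {"name": name, "target": target, "svc_prio": svc_prio,
            "svc_params": dict(svc_params or {}), "ttl": ttl}

def validate(records):
    """Return a list of problems; an empty list means the records are consistent."""
    problems = []
    for r in records:
        if not 0 <= r["svc_prio"] <= 65535:  # SvcPriority is a 16-bit field
            problems.append(f'{r["name"]!r}: svc_prio {r["svc_prio"]} out of range')
        if r["svc_prio"] == 0 and r["svc_params"]:  # alias mode carries no SvcParams
            problems.append(f'{r["name"]!r}: alias mode record must not have svc_params')
    return problems

def present(r):
    """Presentation-format line, e.g. 'www.example.com. 3600 IN HTTPS 10 svc1.example.net.'"""
    owner = ZONE if r["name"] == "" else f'{r["name"]}.{ZONE}'
    target = r["target"] if r["target"].endswith(".") else r["target"] + "."
    params = "".join(f' {k}="{v}"' for k, v in r["svc_params"].items())
    return f'{owner} {r["ttl"]} IN HTTPS {r["svc_prio"]} {target}{params}'

def connection_order(records, name):
    """Service-mode targets grouped by svc_prio: lower values first, equal values share load."""
    groups = defaultdict(list)
    for r in records:
        if r["name"] == name and r["svc_prio"] != 0:
            groups[r["svc_prio"]].append(r["target"])
    return [groups[p] for p in sorted(groups)]

# The records from this post, constructed from its examples.
RECORDS = [
    https("", "d8e8fca2dc0f896fd7cb4cb0031ba249.cloudfront.net"),
    https("www", "svc1.example.net", 10),
    https("www", "svc2.example.net", 20),
    https("app", "svc3.example.net", 1, {"alpn": "http/1.1,h2", "ech": "base64_public_key"}),
]

if __name__ == "__main__":
    print(*map(present, RECORDS), sep="\n")
    print("problems:", validate(RECORDS), "www order:", connection_order(RECORDS, "www"))
```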
    

Support

Currently all major browsers support the HTTPS record.

  • Chrome 117+
  • Firefox 118+
  • Safari (since September 2020)