How-to, notes, thoughts


Speed up HTTPS via DNS

Some time ago Cloudflare shared an interesting article about speeding up HTTPS and HTTP/3 negotiation with… DNS. The draft behind it has since been published as RFC 9460, a Proposed Standard.

The idea is to use DNS to hand the client more than an IP address. Without it, a browser that is given a bare hostname starts with a plaintext HTTP request and only moves to HTTPS after a redirect (or an HSTS header remembered from an earlier visit); likewise it only learns that a server speaks HTTP/3 from an Alt-Svc header on a connection it has already opened. That first plaintext request costs an extra round trip, and it is exactly the point where an on-path attacker can strip the upgrade to HTTPS.

To address this, RFC 9460 (from the IETF DNSOP working group) defines a new resource record type, SVCB (Service Binding), together with HTTPS, a variant of SVCB with HTTP-specific defaults. A record carries a priority, a target name and a list of service parameters (SvcParams) that describe how to reach the endpoint; the “alpn” parameter lists the application protocols the endpoint supports (e.g. h3 for HTTP/3, h2 for HTTP/2), and other parameters cover the port, address hints and further features.

With this information in the DNS answer, the client can decide how to connect before sending a single byte to the server, for example opening a QUIC connection for HTTP/3 right away, with no plaintext HTTP request and no Alt-Svc round trip. The “ipv4hint” and “ipv6hint” parameters carry IPv4 and IPv6 addresses the client may use to start connecting while its A and AAAA queries for the target are still in flight. They are hints only: the client still issues the A and AAAA queries and must switch to those answers once it has them.

Moreover, a name can have several SVCB or HTTPS records with different priorities, giving a simple form of failover or load distribution: clients try lower priority values first and pick at random among equal ones. The records also solve the old problem that a CNAME cannot sit at the zone apex: a record with priority 0, the “alias form”, tells the client to re-resolve another name, and unlike CNAME it may coexist with the other records at the apex.
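To make the record layout of the three paragraphs above concrete, here is an added example (not code from the original post, Cloudflare or the RFC authors) that decodes the wire format of an HTTPS/SVCB RDATA as laid out in RFC 9460 section 2.2: a 16-bit SvcPriority, an uncompressed TargetName, then SvcParams as key/length/value triples. It enforces the checks a client is expected to do (keys in strictly increasing order, well-formed alpn and address hints, a "mandatory" list that only names keys present in the record) and distinguishes the alias form (priority 0) from the service form. The sample records are constructed by hand for the example; names and addresses are documentation values, and the function names are my own.

```python
"""Decode HTTPS/SVCB RDATA (RFC 9460 section 2.2) and apply client-side checks.
Added example; sample records below are constructed, not captured from a real zone."""
import ipaddress
import struct

# SvcParamKey registry from RFC 9460 section 14.3.2.
# Key 5 is "ech"; early drafts called the same parameter "echconfig".
PARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
               4: "ipv4hint", 5: "ech", 6: "ipv6hint", 7: "dohpath"}


def _read_name(data: bytes, off: int):
    """Decode an uncompressed DNS name; returns (dotted name, offset after it)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # TargetName must not use compression pointers
            raise ValueError("compression pointer in TargetName")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def _decode_value(key: int, raw: bytes):
    """Decode one SvcParamValue using the format defined for its key."""
    if key == 0:  # u16 list of keys the client must understand
        if len(raw) % 2:
            raise ValueError("mandatory: odd length")
        return list(struct.unpack(f"!{len(raw) // 2}H", raw))
    if key == 1:  # sequence of length-prefixed alpn-ids
        ids, off = [], 0
        while off < len(raw):
            n = raw[off]
            if n == 0 or off + 1 + n > len(raw):
                raise ValueError("alpn: malformed alpn-id")
            ids.append(raw[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return ids
    if key == 2:  # presence-only flag
        if raw:
            raise ValueError("no-default-alpn: value must be empty")
        return True
    if key == 3:
        if len(raw) != 2:
            raise ValueError("port: must be exactly 2 bytes")
        return struct.unpack("!H", raw)[0]
    if key in (4, 6):  # concatenated 4-byte or 16-byte addresses
        size = 4 if key == 4 else 16
        if not raw or len(raw) % size:
            raise ValueError(f"{PARAM_NAMES[key]}: length not a multiple of {size}")
        return [str(ipaddress.ip_address(raw[i:i + size])) for i in range(0, len(raw), size)]
    if key == 7:
        return raw.decode("utf-8")
    return raw  # ech (key 5) and unknown keys stay opaque


def parse_svcb_rdata(rdata: bytes) -> dict:
    """Parse one RDATA. Raises ValueError on malformed data; returns a dict with
    'mode' of 'alias' or 'service' and, for service records, 'usable' (False when
    the record demands a key this client does not understand)."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:  # strictly increasing, so duplicates are rejected too
            raise ValueError("SvcParamKeys must be in strictly increasing order")
        last_key = key
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        off += length
        params[PARAM_NAMES.get(key, f"key{key}")] = _decode_value(key, value)
    if priority == 0:
        # AliasMode: re-resolve TargetName; any SvcParams present are ignored.
        return {"mode": "alias", "target": target}
    if params.get("no-default-alpn") and "alpn" not in params:
        raise ValueError("no-default-alpn requires alpn")
    mandatory = params.get("mandatory", [])
    if 0 in mandatory or any(PARAM_NAMES.get(k, f"key{k}") not in params for k in mandatory):
        raise ValueError("mandatory names an absent key or itself")
    usable = all(k in PARAM_NAMES for k in mandatory)
    return {"mode": "service", "priority": priority, "target": target,
            "usable": usable, "params": params}


def usable_service_records(rdatas) -> list:
    """Parse a RRset and return usable ServiceMode records, lowest priority first."""
    parsed = [parse_svcb_rdata(r) for r in rdatas]
    return sorted((p for p in parsed if p["mode"] == "service" and p["usable"]),
                  key=lambda p: p["priority"])


# Constructed samples. SERVICE is the wire form of:
#   1 . alpn="h3,h2" ipv4hint=192.0.2.1 ipv6hint=2001:db8::1
SERVICE = (b"\x00\x01" + b"\x00"                                   # priority 1, target "."
           + b"\x00\x01\x00\x06" + b"\x02h3\x02h2"                 # alpn
           + b"\x00\x04\x00\x04" + ipaddress.ip_address("192.0.2.1").packed
           + b"\x00\x06\x00\x10" + ipaddress.ip_address("2001:db8::1").packed)
# ALIAS is the wire form of:  0 svc.example.net.
ALIAS = b"\x00\x00" + b"\x03svc\x07example\x03net\x00"

if __name__ == "__main__":
    for rec in usable_service_records([ALIAS, SERVICE]):
        print(rec)
```

The first sample is exactly what a resolver would hand back for the presentation form `1 . alpn="h3,h2" ipv4hint=192.0.2.1 ipv6hint=2001:db8::1`, where the target `.` means "this same name". The alias record is filtered out of `usable_service_records` on purpose: a client must follow it by querying the target name again rather than treat it as an endpoint.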

Adopting these records makes connection setup both faster and safer: the client learns how to reach the service securely from the DNS answer and skips the plaintext round trip that a downgrade attack would otherwise target. They also give newer privacy features a place to live: the Encrypted ClientHello (ECH, successor of Encrypted SNI) configuration is published in the record under the “ech” parameter (called “echconfig” in the earlier drafts the Cloudflare article was written against). Cloudflare's work with browser vendors aims at broad client support for these records, so that the benefit reaches ordinary users.