blog/content/rfc-9460.en.md

---
layout: post
title: "New DNS zone entry specifications with RFC 9460"
date: 2023-11-30
author: Frédéric
image: https://source.unsplash.com/56cd371ee9a7/1920x1920
---

The Domain Name System (DNS) gained two new resource record types with RFC 9460, published in November 2023: SVCB (Service Binding) and its web-specific variant, the HTTPS record. The RFC standardizes record types that browsers and CDNs had already started deploying from the draft versions. The change is subtle from a user's point of view, but it lets a client learn how to reach a service (protocols, port, alternative host, address hints and, through the reserved ech parameter, Encrypted ClientHello configuration) before it opens the first connection, which is where the performance and security gains come from.

What benefits do they bring?

These new record types give domain owners greater flexibility and control:

  • Improved performance: a client reads the record before connecting, so it knows which application protocols the service speaks (alpn, for example h3 so it can start with QUIC instead of trying TCP first), which port to use and which addresses to try (ipv4hint, ipv6hint). Fewer round trips, fewer failed connection attempts.
  • Enhanced security: the presence of an HTTPS record tells a client that the origin supports HTTPS, so a client that understands the record upgrades an http:// URL to https:// before sending anything in cleartext, much like HSTS but without needing a previous visit. The reserved ech parameter lets the operator publish Encrypted ClientHello configuration so that the server name is not sent in the clear. Caveat: the record is only as trustworthy as the DNS answer that carries it, so sign the zone with DNSSEC, otherwise whoever controls the resolver path can strip or alter it. The TLS certificate check still protects the connection itself, whatever the record says.
  • Extended compatibility: a client that does not understand SVCB or HTTPS simply keeps using A and AAAA records, so publishing them breaks nothing. Authoritative servers that do not know the types can still carry them as unknown record types (RFC 3597), although native support makes zone editing and validation much easier, and recursive resolvers ideally understand them so they can follow AliasMode targets.

Use cases and best practices

Adding these record types is beneficial in several scenarios:

  • High-traffic websites: sites served over HTTP/3 or from a CDN benefit from advertising h3 and address hints so clients connect on the first attempt, and an AliasMode record (priority 0) lets the zone apex point at the CDN's host name, something a CNAME cannot do at the apex.
  • Mission-critical services: publishing an HTTPS record makes compliant clients skip the cleartext http:// request entirely, and the mandatory parameter lets you state that a client must understand a given parameter (for example ech) or ignore the record altogether.

How do you write these records?

1. SVCB (Service Binding) record

Declares how to reach a service. The record has three fields after the type: SvcPriority, TargetName and a whitespace-separated list of SvcParams (there are no commas between parameters; commas only separate the elements inside one list-valued parameter). For protocols other than HTTPS, clients query the record at an underscore-prefixed name: a label for the URI scheme and, only for a non-default port, a port label in front of it (the HTTPS type in the next section exists so that web clients can skip this prefix).

Example:

```zone
example.com. IN SVCB 1 . alpn="h3,h2" ipv4hint=192.0.2.1
```

  • example.com.: the owner name the record is attached to. Here "example.com".
  • IN: record class, generally IN for Internet.
  • SVCB: indicates an SVCB record type.
  • 1: SvcPriority. 0 means AliasMode: the record only points at another name, which is followed like a CNAME, and it carries no parameters. 1 to 65535 means ServiceMode; clients try the lowest priority first and pick at random among equal priorities. It is not an entry number.
  • .: TargetName. In ServiceMode a "." means the service lives at the owner name itself; any other value is a host name whose A and AAAA records the client resolves. In AliasMode a "." means the service is not available.
  • alpn="h3,h2": the ALPN protocol identifiers the service accepts, here HTTP/3 (h3) and HTTP/2 (h2), so a client may start directly with QUIC. The quotes are optional; they are only needed when a value contains spaces or special characters.
  • ipv4hint=192.0.2.1: one or more (comma-separated) IPv4 addresses the client may use to start connecting before the A lookup for the target returns. It is a hint, not a substitute: clients are expected to still resolve the target's addresses, and the hints must be kept identical to the A records or clients will try dead addresses.

2. HTTPS record

Uses exactly the SVCB format and parameters, but for web origins: a client fetching https://example.com/ queries the HTTPS record at the origin host name itself. A port-prefixed owner name is used only for a non-default port, so a record for port 443 does not live under a _443._https prefix; nobody would query it there.

Example:

```zone
example.com. IN HTTPS 1 . alpn="h2"
```

  • example.com.: the origin host name, which is also the name clients query for the https scheme on the default port 443.
  • IN: as above, this is the class of the record.
  • HTTPS: indicates an HTTPS record type.
  • 1: SvcPriority, with the same AliasMode/ServiceMode meaning as for SVCB.
  • .: TargetName; "." means the origin itself.
  • alpn="h2": in this example, the only advertised application protocol is HTTP/2.

There is no parameter for publishing a certificate, and no target parameter either: the alternative host goes in the TargetName field. RFC 9460 defines the keys mandatory, alpn, no-default-alpn, port, ipv4hint and ipv6hint, reserves ech (key 5) for Encrypted ClientHello configuration whose format is defined by the ECH specification, and lets unregistered keys be written as keyNNNNN. Whatever the record says, the server a client reaches through it must still present a certificate valid for the origin name (example.com), exactly as without the record; the TargetName redirects the connection, not the identity being authenticated.

3. General best practices

  • Syntax checking: SvcParams are whitespace-separated, each key appears at most once, alpn and the address hints are comma-separated lists with no empty element, no-default-alpn takes no value and requires alpn, and every key named in mandatory must be present in the same record. A record that breaks these self-consistency rules is silently ignored by clients, which is hard to debug. Validate the zone with your server's checker (BIND's named-checkzone understands these types in current versions) and confirm what resolvers actually return with dig, for example `dig example.com HTTPS`.
  • Keep hints and targets in sync: ipv4hint and ipv6hint must match the target's A and AAAA records, and an AliasMode target must exist; stale hints send clients to dead addresses.
  • Sign the zone: these records change how clients connect, so protect them with DNSSEC.
  • Detailed documentation: write precise documentation for added SVCB and HTTPS records, clearly explaining each parameter and its role.
  • Specification references: regularly consult RFC 9460 and the IANA SvcParamKeys registry to keep abreast of new parameters and best practices.
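A checker for the rules above, added here as an example for this post; it is not code from RFC 9460 or from any DNS server, and the zone fragment it runs on is constructed for the purpose. It parses SVCB and HTTPS lines in presentation format and applies the checks that bite in practice: SvcPriority and TargetName semantics, whitespace-separated SvcParams with one occurrence per key, the registered keys (alpn, no-default-alpn, port, ipv4hint, ipv6hint, mandatory, and ech, which RFC 9460 reserves for Encrypted ClientHello), and the two self-consistency rules (no-default-alpn needs alpn; every key listed in mandatory must be present). The last two sample lines show two common mistakes: a comma between parameters, which leaves an empty alpn element, and an unregistered cert parameter.

```python
"""Checker for SVCB and HTTPS records in RFC 9460 presentation format.
Added example for this post, not code from the RFC or any DNS server;
the sample zone fragment below is constructed for illustration."""
import base64
import binascii
import ipaddress
import re
import shlex

GENERIC_KEY = re.compile(r"^key(\d{1,5})$")  # generic form for unregistered SvcParamKeys


def parse_record(line):
    """Parse 'owner [TTL] [class] SVCB|HTTPS SvcPriority TargetName SvcParams...'."""
    tokens = shlex.split(line.split(";")[0])  # drops ';' comments, unquotes "..." values
    idx = next((i for i, t in enumerate(tokens) if t in ("SVCB", "HTTPS")), None)
    if idx is None or len(tokens) < idx + 3:
        return "", -1, "", {}, ["not a complete SVCB/HTTPS record"]
    rrtype, prio, target = tokens[idx:idx + 3]
    if not (prio.isdigit() and int(prio) <= 65535):
        return rrtype, -1, target, {}, ["SvcPriority must be an integer 0..65535"]
    params, errors = {}, []
    for tok in tokens[idx + 3:]:
        key, _, value = tok.partition("=")
        if key in params:  # a SvcParamKey may appear only once per record
            errors.append(f"duplicate SvcParamKey {key!r}")
        params[key] = value
    return rrtype, int(prio), target, params, errors


def _items(value, key, errs):
    """Split a comma-separated SvcParamValue; it must have no empty elements."""
    items = value.split(",") if value else []
    if not items or "" in items:
        errs.append(f"{key} needs a non-empty comma-separated list")
    return [i for i in items if i]


def validate(line):
    """Return the problems found in one record line (an empty list means OK)."""
    rrtype, prio, target, p, errs = parse_record(line)
    if prio < 0:
        return errs
    if prio == 0:  # AliasMode: clients follow TargetName and ignore any SvcParams
        if target == ".":
            errs.append("AliasMode with TargetName '.' means 'service not available'")
        if p:
            errs.append("AliasMode records should carry no SvcParams")
        return errs
    for key, value in p.items():  # ServiceMode; TargetName "." stands for the owner name
        if key == "alpn":
            _items(value, key, errs)
        elif key == "no-default-alpn":
            if value:
                errs.append("no-default-alpn takes no value")
            if "alpn" not in p:  # RFC 9460 7.1: such a record is not self-consistent
                errs.append("no-default-alpn requires alpn")
        elif key == "port":
            if not (value.isdigit() and int(value) <= 65535):
                errs.append("port must be an integer 0..65535")
        elif key in ("ipv4hint", "ipv6hint"):
            cls = ipaddress.IPv4Address if key == "ipv4hint" else ipaddress.IPv6Address
            for addr in _items(value, key, errs):
                try:
                    cls(addr)
                except ValueError:
                    errs.append(f"{key}: {addr!r} is not a valid address")
        elif key == "ech":  # key 5, reserved for Encrypted ClientHello; base64 value
            try:
                if not base64.b64decode(value, validate=True):
                    raise binascii.Error
            except binascii.Error:
                errs.append("ech value is not valid non-empty base64")
        elif key == "mandatory":  # every listed key must be present; never "mandatory" itself
            for k in _items(value, key, errs):
                if k == "mandatory":
                    errs.append("mandatory must not list itself")
                elif k not in p:
                    errs.append(f"mandatory key {k!r} is not present in the record")
        else:
            m = GENERIC_KEY.match(key)
            if not (m and int(m.group(1)) <= 65535):
                errs.append(f"unknown SvcParamKey {key!r}")
    return errs


ZONE = """\
; constructed sample zone fragment for this example
example.com.       3600 IN HTTPS 1 . alpn="h3,h2" ipv4hint=192.0.2.1 ipv6hint=2001:db8::1
www.example.com.   3600 IN HTTPS 0 example.com.
svc.example.com.   3600 IN SVCB  1 backend.example.net. mandatory=alpn,port alpn=h2 port=8080
bad.example.com.   3600 IN HTTPS 1 . alpn="h3,h2", ipv4hint="192.0.2.1"
worse.example.com. 3600 IN HTTPS 1 . no-default-alpn mandatory=ech cert=MIIBIjAN
"""


def check_zone(text):
    return {raw.split()[0]: validate(raw) for raw in text.splitlines()
            if raw.strip() and not raw.lstrip().startswith(";")}
```

Call check_zone() on your own zone text (or validate() on a single line); an owner name with a non-empty list is a record that clients would ignore or misread. The checker stays deliberately on the client's side of the rules: it does not verify that hint addresses match the target's A/AAAA records, which needs live DNS lookups.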

Add SVCB and HTTPS records as soon as your hosting or CDN actually supports the protocols you advertise in them: clients that understand the records connect faster and more securely, and clients that do not simply keep using A and AAAA records.

What's the difference with CAA (Certification Authority Authorization)?

Defined in RFC 8659, the CAA record also strengthens a domain's security, but at a different point in the chain.

How?

It lists which Certification Authorities (CAs) may issue certificates for the domain (the issue tag for ordinary certificates, issuewild for wildcard certificates, and iodef for an address where violations should be reported). Publicly trusted CAs are required to check CAA before issuing, mandatory under the CA/Browser Forum Baseline Requirements since September 2017, so a CA that is not listed refuses the request, whether it comes from an attacker who passed another CA's domain validation or from a mistaken request inside your own organisation. Caveats: CAA is enforced by the CA at issuance time, never by browsers, so it does not protect against a CA that ignores it or is compromised, and like SVCB and HTTPS it is only as trustworthy as your DNS unless the zone is signed with DNSSEC. Pair it with Certificate Transparency log monitoring to catch whatever slips through.

Key differences

  • Purpose: SVCB and HTTPS tell clients how to connect to a service, while CAA tells certification authorities whether they may issue a certificate for the name.
  • Content: SVCB and HTTPS carry connection parameters (priority, target, ALPN protocols, port, address hints, ECH configuration), while CAA carries only CA identifiers and a violation-report address.
  • Scope and consumer: SVCB and HTTPS are read by every connecting client at connection time, while CAA is read by CAs at issuance time and never by end users' software.

The two are complementary: SVCB and HTTPS shape how clients reach your service and negotiate TLS, CAA constrains who can obtain a certificate for it, and DNSSEC protects both sets of records from tampering. Each of these DNS record types fulfills a distinct role in managing and securing online services and their TLS certificates.