New DNS zone entry specifications with RFC 9460

By Frédéric on Nov 30 2023


The Domain Name System (DNS) has reached a milestone with the new RFC 9460 specifications published in early November 2023. Although subtle, these changes improve website optimization and security. One of the most notable changes is the addition of SVCB (Service Binding) and HTTPS record types.

What benefits do they bring?

These new record types give domain owners greater flexibility and control:

  • Improved performance: service parameters can be set to optimize performance for your particular needs.
  • Enhanced security: HTTPS enables advanced security settings and strengthens user protection against online threats.
  • Extended compatibility: they are compatible with existing DNS implementations, facilitating adoption and integration.

Use cases and best practices

Adding these record types can be beneficial in several scenarios:

  • High-traffic websites: sites with heavy traffic can benefit from specific configurations to improve performance and security.
  • Mission-critical software: the advanced configuration these records enable strengthens access security.

How do you write these records?

1. SVCB (Service Binding) record

Declares information about online services.

Example: example.com. IN SVCB 1 . alpn="h3,h2", ipv4hint="192.0.2.1"

  • example.com.: the owner name the record is attached to. Here “example.com”.
  • IN: record class, generally IN for Internet.
  • SVCB: indicates an SVCB record type.
  • 1: the first numeric parameter specifies the SVCB entry number. In this example, it is set to 1.
  • alpn="h3,h2": specific to the SVCB type. Here, alpn is the list of Application-Layer Protocol Negotiation (ALPN) identifiers supported by this service, configured here to support HTTP/3 (h3) and HTTP/2 (h2).
  • ipv4hint="192.0.2.1": specifies a suggested IPv4 address for the service, here 192.0.2.1.

2. HTTPS record

Specifies secure connection details for a domain.

Example: _443._https.example.com. IN HTTPS 1 . alpn="h2", cert="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3H6V+aUJ...", target="example.com"

  • _443._https.example.com.: host name to which this HTTPS record applies. Here, the default HTTPS port 443, for the domain “example.com”.
  • IN: as above, this is the class of the record.
  • HTTPS: indicates an HTTPS record type.
  • 1: HTTPS entry number, similar to the SVCB record.
  • alpn="h2": in this example, the alpn parameter specifies that the supported application negotiation protocol is HTTP/2.
  • cert="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3H6V+aUJ...": this cert parameter contains the domain’s TLS certificate. It is truncated here for length; a real value would be much longer.
  • target="example.com": the target parameter specifies the name of the server for which this certificate is valid.

3. General best practices

  • Syntax checking: make sure records are syntactically correct by using DNS validation tools.
  • Detailed documentation: write precise documentation for added SVCB and HTTPS records, clearly explaining each parameter and its role.
  • Specification references: regularly consult RFC 9460 and other relevant resources to keep abreast of standards and best practices.

Add and configure SVCB and HTTPS records as soon as you can. You’ll optimize your online services and make them more secure for your users.

What’s the difference with CAA (Certification Authority Authorization)?

Defined in RFC 8659, the CAA record also increases domain name security.

How?

It specifies which Certification Authorities (CAs) are authorized to issue certificates for a given domain. In this way, it strengthens the owner’s control over the SSL/TLS certificates issued for the domain and prevents malicious substitution.

Key differences

  • Purpose: SVCB and HTTPS are used to declare information about online services, while CAA is used to specify the certification authorities authorized to issue certificates for a domain.
  • Content: SVCB and HTTPS are used to specify technical details about services and security, while CAA focuses solely on certificate authority authorizations.
  • Scope: SVCB and HTTPS are broader in scope, covering details and configurations of online services, while CAA is limited to the management of certification authorities.

SVCB and HTTPS offer flexibility in configuring online services and security parameters, while CAA controls which certificate authorities can issue certificates. Each of these DNS record types fulfills a distinct role in managing and securing online services and SSL/TLS certificates.


Would you like to try happyDomain?

You can choose to try it out:

  1. Online: create your user account on https://happydomain.org/.
  2. On your server: download the binaries here: https://get.happydomain.org/master/. You'll find them for Linux, both for classic machines and servers (amd64), and for recent Raspberry Pi models such as armv7 or arm64, and older ones like armhf.
  3. You can also launch our Docker image:
    docker container run -e HAPPYDOMAIN_NO_AUTH=1 -p 8081:8081 happydomain/happydomain
    The NO_AUTH option bypasses user account creation, which is ideal for testing. Of course, don't use it in production.
    Then go to http://localhost:8081/ to start managing your domains!

You can help us go further!

happyDomain is growing, and we need your talents to make it even simpler and more useful.

Users, administrators, newcomers, give your opinion to guide future functionalities by suggesting or voting for future features.

Developers, translators, copywriters, screen designers, testers, join the joyeuxDNS team! You'll find us on our Git repository here.