HTTPSRR.md (3500B)
1 <!-- 2 Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3 4 SPDX-License-Identifier: curl 5 --> 6 7 # HTTPS RR 8 9 [RFC 9460](https://www.rfc-editor.org/rfc/rfc9460.html) documents the HTTPS 10 DNS Resource Record. 11 12 curl features **experimental** support for HTTPS RR. 13 14 - The ALPN list from the record is parsed and used 15 - The ECH field is stored - and used if ECH is enabled in the build 16 - The port number is not used (Firefox supports it, Chrome does not) 17 - The target name is not used 18 - The IP addresses (`Ipv6hints`, `Ipv4hints`) from the HTTPS RR are not used 19 - It only supports a single HTTPS RR per hostname 20 - Hostnames without A/AAAA records but *with* HTTPS RR fails 21 - consider service profiles where the RR provides different addresses for TCP 22 vs QUIC etc 23 24 `HTTPSRR` is listed as a feature in the `curl -V` output if curl contains 25 HTTPS RR support. If c-ares is not included in the build, the HTTPS RR support 26 is limited to DoH. 27 28 `asyn-rr` is listed as a feature in the `curl -V` output if c-ares is used for 29 additional resolves in addition to a "normal" resolve done with the threaded 30 resolver. 31 32 The data extracted from the HTTPS RR is stored in the in-memory DNS cache to 33 be reused on subsequent uses of the same hostnames. 34 35 ## limitations 36 37 We have decided to work on the HTTPS RR support by following what seems to be 38 (widely) used, and simply wait with implementing the details of the record 39 that do not seem to be deployed. HTTPS RR is a DNS field with many odd corners 40 and complexities and we might as well avoid them if no one seems to want them. 41 42 ## build 43 44 ./configure --enable-httpsrr 45 46 or 47 48 cmake -DUSE_HTTPSRR=ON 49 50 ## ALPN 51 52 The list of ALPN IDs is parsed but may not be completely respected because of 53 what the HTTP version preference is set to, which is a problem we are working 54 on. Also, getting an `HTTP/1.1` ALPN in the HTTPS RR field for an HTTP:// 55 transfer should imply switching to HTTPS, HSTS style. Which curl currently 56 does not. 57 58 ## DoH 59 60 When HTTPS RR is enabled in the curl build, The DoH code asks for an HTTPS 61 record in addition to the A and AAAA records, and if an HTTPS RR answer is 62 returned, curl parses it and stores the retrieved information. 63 64 ## Non-DoH 65 66 If DoH is not used for name resolving in an HTTPS RR enabled build, we must 67 provide the ability using the regular resolver backends. We use the c-ares DNS 68 library for the HTTPS RR lookup. Version 1.28.0 or later. 69 70 ### c-ares 71 72 If curl is built to use the c-ares library for name resolves, an HTTPS RR 73 enabled build makes a request for the HTTPS RR in addition to the regular 74 lookup. 75 76 ### Threaded resolver 77 78 When built to use the threaded resolver, which is the default, an HTTPS RR 79 build still needs a c-ares installation provided so that a separate request 80 for the HTTPS record can be done in parallel to the regular getaddrinfo() 81 call. 82 83 This is done by specifying both c-ares and threaded resolver to configure: 84 85 ./configure --enable-ares=... --enable-threaded-resolver 86 87 or to cmake: 88 89 cmake -DENABLE_ARES=ON -DENABLE_THREADED_RESOLVER=ON 90 91 Because the HTTPS record is handled separately from the A/AAAA record 92 retrieval, by a separate library, there is a small risk for discrepancies. 93 94 When building curl using the threaded resolver with HTTPS RR support (using 95 c-ares), the `curl -V` output looks exactly like a c-ares resolver build. 96 97 ## HTTPS RR Options 98 99 Because curl is a low level transfer tool for which users sometimes want 100 detailed control, we need to offer options to control HTTPS RR use.