
FEATURE: Support ignoring the ech= parameter in HTTPS/SVCB RR types #3485


Status: Merged (2 commits, Jun 11, 2025)

Conversation

gucci-on-fleek (Contributor) commented Mar 8, 2025

ECH (Encrypted Client Hello) is a new-ish TLS feature that lets clients communicate with a server without revealing the SNI (desired domain) in plaintext. To solve the bootstrapping problem (how do you encrypt data to a server without knowing its public key?), you typically need to publish the server's public key in the DNS. This effectively leaves us with 3 options:

  1. Manage the DNS exclusively with DNSControl. This means that you'll have to manually generate and rotate keys for all of your servers, which is both cryptographically unwise (since key management can't be automated) and a giant pain (since you'll need to manually copy-and-paste random base64-encoded strings into your dnsconfig.js).

  2. Ignore the HTTPS/SVCB records by placing IGNORE(<name>, "HTTPS") into your dnsconfig.js. This means that if you want to change the TTL, target, or other SvcParams, you'll need to do this outside of DNSControl. But it's typically web servers that will be setting the ech= key, and since most web servers don't provide an interface to set arbitrary DNS records, there isn't any good way to change these parameters.

  3. Modify DNSControl to support ignoring the ech= key (while still allowing everything else to be changed). That's what this PR implements.

I've tested this PR and it works as expected on my server, but the implementation is a bit of a mess. Some possible questions:

  1. What should happen in the case of multiple HTTPS/SVCB RRs for a single FQDN?
  2. Should this implementation be extended to support setting any SvcParam key to IGNORE?
  3. Is diff2.diffTargets() the correct place to implement this logic?
  4. Is there a better way to do this than using regexes on strings?
  5. How should I test this? I had to comment out a few of my added tests because they were failing (even though I think that they should work?).

Thanks!
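To make the third option concrete, here is an added, self-contained Go example (written for this page; it is not DNSControl's own code and does not use DNSControl's diff2 types). It parses the presentation form of an HTTPS/SVCB RDATA into a SvcParam map, then reconciles the record declared in dnsconfig.js against the live record while ignoring one server-managed key: the live ech= value is carried into the record to be pushed (so a web server's published key is never clobbered), and only differences in the remaining fields count as a change. The ignored key is a parameter rather than hard-coded to ech, which goes slightly beyond the PR and is one way of answering question 2 above. The sample records, the ech value, and the 192.0.2.1 hint are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// HTTPSRecord is a simplified HTTPS/SVCB RR: "<priority> <target> <key[=value]...>".
type HTTPSRecord struct {
	Priority int
	Target   string
	Params   map[string]string // SvcParamKey -> value ("" for valueless keys such as no-default-alpn)
}

// ParseHTTPS parses presentation-format RDATA such as `1 . alpn=h2,h3 ech=...`.
// Duplicate SvcParamKeys are rejected, since the record would be malformed.
func ParseHTTPS(rdata string) (HTTPSRecord, error) {
	fields := strings.Fields(rdata)
	if len(fields) < 2 {
		return HTTPSRecord{}, fmt.Errorf("need at least priority and target: %q", rdata)
	}
	prio, err := strconv.Atoi(fields[0])
	if err != nil {
		return HTTPSRecord{}, fmt.Errorf("bad priority %q: %w", fields[0], err)
	}
	rec := HTTPSRecord{Priority: prio, Target: fields[1], Params: map[string]string{}}
	for _, kv := range fields[2:] {
		key, val, _ := strings.Cut(kv, "=")
		if _, dup := rec.Params[key]; dup {
			return HTTPSRecord{}, fmt.Errorf("duplicate SvcParamKey %q", key)
		}
		rec.Params[key] = strings.Trim(val, `"`)
	}
	return rec, nil
}

// Without returns a copy of the record with one SvcParamKey removed.
func (r HTTPSRecord) Without(key string) HTTPSRecord {
	c := HTTPSRecord{Priority: r.Priority, Target: r.Target, Params: map[string]string{}}
	for k, v := range r.Params {
		if k != key {
			c.Params[k] = v
		}
	}
	return c
}

// String renders the RR with keys sorted, so a comparison does not depend on
// the order in which a provider happens to return SvcParams.
func (r HTTPSRecord) String() string {
	keys := make([]string, 0, len(r.Params))
	for k := range r.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := []string{strconv.Itoa(r.Priority), r.Target}
	for _, k := range keys {
		if v := r.Params[k]; v == "" {
			parts = append(parts, k)
		} else {
			parts = append(parts, k+"="+v)
		}
	}
	return strings.Join(parts, " ")
}

// ReconcileIgnoringKey returns the RR to push and whether it differs from the
// live RR, ignoring one server-managed key (ech= in the PR's case). The live
// value of that key is carried over so that it is never clobbered.
func ReconcileIgnoringKey(desired, existing HTTPSRecord, ignoredKey string) (HTTPSRecord, bool) {
	merged := desired.Without(ignoredKey)
	if v, ok := existing.Params[ignoredKey]; ok {
		merged.Params[ignoredKey] = v
	}
	return merged, desired.Without(ignoredKey).String() != existing.Without(ignoredKey).String()
}

func main() {
	// Constructed sample: what dnsconfig.js declares vs. what the web server
	// has published. The ech value is a made-up placeholder, not a real ECHConfig.
	desired, _ := ParseHTTPS(`1 . alpn=h2,h3 ipv4hint=192.0.2.1`)
	existing, _ := ParseHTTPS(`1 . ipv4hint=192.0.2.1 alpn=h2,h3 ech=RXhhbXBsZUVDSENvbmZpZw==`)
	merged, changed := ReconcileIgnoringKey(desired, existing, "ech")
	fmt.Printf("push: %s\nchanged: %v\n", merged, changed)
}
```

Comparing on a canonical string with sorted keys is what lets the example avoid regexes over the raw RDATA: the provider's ordering of SvcParams and the ignored key both drop out before the two sides are compared. With the sample data above, the ech-only difference is reported as no change and the pushed record still carries the live ech value; editing alpn in the desired record is still reported as a change.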

gucci-on-fleek (Contributor, Author) commented:

@tlimoncelli Could you please take a look at this? No problem at all if you're busy though.

gucci-on-fleek (Contributor, Author) commented:

Ok, I've rebased onto main, and all the tests still pass. This isn't ready to be merged quite yet, but I'd like some feedback on the implementation, so I'm going to mark this as “Ready for review”.

@gucci-on-fleek gucci-on-fleek marked this pull request as ready for review June 4, 2025 22:02
@tlimoncelli tlimoncelli merged commit 3ea7ea8 into StackExchange:main Jun 11, 2025
2 checks passed