6–7 Feb 2025
Atlanta Marriott Marquis
America/New_York timezone

Exploration of the deployment and use of the DNS HTTPS Resource Record

6 Feb 2025, 14:25
20m
Imperial Salon B (Atlanta Marriott Marquis)

265 Peachtree Center Ave NE Atlanta GA 30303 United States
In-Person Standard Presentation Main Session OARC 44 Day 1

Speakers

Hongying Dong (University of Virginia); Yizhe Zhang (University of Virginia)

Description

The HTTPS DNS resource record (RR), defined in RFC 9460, is a new DNS record designed for the delivery of configuration information and parameters required to initiate connections to HTTPS network services. It can coexist with other record types (unlike the CNAME record) and thus allows name redirection at zone apexes and at any other location in a zone where a CNAME could not be used. It can also enable enhanced privacy by providing the cryptographic keying material needed to encrypt the initial exchange in TLS (using the new Encrypted Client Hello mechanism). While relatively new, the HTTPS record already has many implementations and has seen quite a bit of deployment in the field.

We conduct a detailed longitudinal study of real-world implementations of the HTTPS RR, focusing on the primary apex domains and their corresponding www subdomains in the Tranco List of popular domains since May 2023. Moreover, we perform investigations into the behavior of client-side support for the HTTPS RR.

This research is published in a peer-reviewed paper presented at the Internet Measurement Conference (IMC) 2024, and we aim to share these findings more broadly with the DNS-focused community. The talk will showcase the up-to-date findings from both server-side analysis and client-side behavior studies.

Aspects of this study we will share include:
1. Server-side HTTPS RR deployment:
   - Overall HTTPS RR adoption and the changing trend
   - Name servers supporting HTTPS RR
   - HTTPS RR parameters used by domains, including IP mismatches between IP hints and A/AAAA records
   - Encrypted ClientHello (ECH) deployment and the major parties involved
   - DNSSEC signing of HTTPS records
2. Client-side HTTPS RR support:
   - Major browsers' support of HTTPS RR parameters
   - Major browsers' support and fallback mechanisms for ECH
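
To make the record parameters and the IP hint mismatch check listed above concrete, here is an added example (not code from the talk or the paper) that decodes HTTPS RR RDATA in the RFC 9460 wire format and reports hinted addresses missing from a name's A/AAAA answers. The function names and the sample RDATA are constructed for illustration; the `ech` bytes are a placeholder, not a valid ECHConfigList.

```python
import ipaddress
import struct
# SvcParamKey numbers registered by RFC 9460
KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
        4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def decode_param(key, val):
    if key == 1:                                  # alpn: length-prefixed ids
        ids, i = [], 0
        while i < len(val):
            ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
            i += 1 + val[i]
        return ids
    if key == 3:                                  # port: one 16-bit integer
        return struct.unpack("!H", val)[0]
    if key in (4, 6):                             # hints: packed addresses
        size = 4 if key == 4 else 16
        if not val or len(val) % size:
            raise ValueError("malformed address hint")
        return [ipaddress.ip_address(val[i:i + size]) for i in range(0, len(val), size)]
    return val                                    # ech and others stay opaque

def parse_https_rdata(rdata):
    """Decode HTTPS RR RDATA: SvcPriority, TargetName, then SvcParams."""
    priority = struct.unpack_from("!H", rdata, 0)[0]
    pos, labels = 2, []
    while rdata[pos]:                             # uncompressed TargetName
        labels.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("ascii"))
        pos += 1 + rdata[pos]
    pos += 1                                      # skip the root label
    params, last = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        val = rdata[pos + 4:pos + 4 + length]
        if key <= last or len(val) != length:     # keys strictly ascending
            raise ValueError("malformed SvcParams")
        params[KEYS.get(key, f"key{key}")] = decode_param(key, val)
        pos, last = pos + 4 + length, key
    return {"priority": priority, "target": ".".join(labels) + ".", "params": params}

def hint_mismatches(record, a_aaaa):
    """Hinted addresses that the name's A/AAAA answers do not contain."""
    published = {ipaddress.ip_address(a) for a in a_aaaa}
    hints = record["params"].get("ipv4hint", []) + record["params"].get("ipv6hint", [])
    return [str(h) for h in hints if h not in published]

# Constructed sample RDATA: documentation addresses, placeholder ech bytes
SAMPLE = bytes.fromhex("0001" "00" "00010006026832026833" "00040008c0000201c0000202"
                       "00050004deadbeef" "00060010" "20010db8" + "00" * 11 + "01")
```

For example, `hint_mismatches(parse_https_rdata(SAMPLE), ["192.0.2.1", "2001:db8::1"])` flags `192.0.2.2`, the one hinted address absent from the supplied answers.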

What will the audience take away from this talk?

An understanding of the benefits of the DNS HTTPS record, how it can improve the privacy of HTTPS connections, a picture of the scale of its current deployment and observed issues, and the state of client support in web browsers.

Summary

A talk about the benefits of the DNS HTTPS record, how it can improve the privacy of HTTPS connections, a picture of the scale of its current deployment and observed issues, and the state of client support in web browsers.

Talk duration 20 Minutes (+5 for Q&A)

Primary authors

Hongying Dong (University of Virginia); Yizhe Zhang (University of Virginia)

Co-authors

Hyeonmin Lee (Seoul National University); Shumon Huque (Salesforce); Prof. Yixin Sun (University of Virginia)
