RFC 9460: SVCB and HTTPS DNS Records
Source: datatracker.ietf.org (Techstory snapshot of the Hacker News discussion)
Key topics: DNS, HTTPS, SVCB, Networking
The RFC 9460 standard for SVCB and HTTPS DNS records has been published, sparking discussion on its adoption and implications for HTTPS connections and DNS lookups.
Key moments
- Story posted: Sep 13, 2025 at 8:26 PM EDT
- First comment: Sep 13, 2025 at 9:13 PM EDT (47m after posting)
- Peak activity: 2 comments in the 3-6h window after posting
- Latest activity: Sep 15, 2025 at 3:40 PM EDT
ID: 45236444 | Type: story | Last synced: 11/20/2025, 5:23:56 PM
Assuming you're running your own DNS server, you could also check the logs to see how many queries you get for the "port" SvcParamKey.
My guess is it will be a very small number.
Any DNS responses for an HTTPS/SVCB record will always include all parameters, so you can't really test things that way. But I do run my own DNS server, and in the past 90 days, it issued 206 071 A responses, 122 314 AAAA responses, and 4 426 HTTPS responses, so HTTPS RR requests are still fairly rare.
Your numbers are more than 10 times higher than mine.
The sad thing is that the HTTPS resource record type will not upgrade HTTP directed to one domain into HTTPS directed to another domain. The RFC's examples (in section 10 and elsewhere) indicate that this should work. I made one of my WWW sites inaccessible to several modern WWW browsers for a day learning that in practice it does not.
One could view this as malicious compliance with section 9, as WWW browser writers have a decades-long history, including the famous Chrome, Mozilla, and WebKit bugs, of fighting against DNS mechanisms that fix the apex problem.
* https://jdebp.uk/FGA/dns-srv-record-use-by-clients.html#HTTP...
A more charitable view is that, this being the 2020s, they simply did not give much attention to the case of HTTP. The idea exists on paper in the RFC, but in practice I wonder whether I am one of just a few people who has actually tried apex aliasing from HTTP to HTTPS (as opposed to aliasing from HTTPS to HTTPS).
Looks like only about 9% are actually returning HTTPS records; and none of these use non-standard ports or ECH (which mystifyingly hasn't made it out of committee).
Findings: https://dweekly.github.io/9460/
Source: https://github.com/dweekly/9460
ECH draft: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/25/
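Two points in the thread come down to what is actually inside an HTTPS/SVCB record: the first exchange notes that a resolver cannot log which SvcParamKeys a client wanted, because the whole record is returned every time, and the last comment tallies how many of the records served carry a "port" or "ech" parameter. The parser below is an added example, not code from the thread or from the linked dweekly/9460 project. It decodes the RFC 9460 section 2.2 wire format (2-octet SvcPriority, uncompressed TargetName, then key/length/value SvcParams), rejects the malformations the RFC says clients must treat as errors (keys out of strictly increasing order, bad "port" or "alpn" lengths, a "mandatory" list naming an absent key), ignores SvcParams on AliasMode records as the RFC requires, and tallies which ServiceMode records carry "port" or "ech". The sample records are constructed here; the `ech` value is an opaque placeholder, not a real ECHConfigList.

```python
import ipaddress
import struct

# SvcParamKey registry values from RFC 9460, section 14.3.2.
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _read_name(data, offset):
    """Read an uncompressed domain name; RFC 9460 forbids compression of TargetName."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated TargetName")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in TargetName")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def _decode_value(key, value):
    """Decode the value of a known SvcParamKey; ech and unknown keys stay opaque bytes."""
    if key == 0:  # mandatory: one or more 2-octet SvcParamKeys
        if not value or len(value) % 2:
            raise ValueError("malformed mandatory value")
        return list(struct.unpack("!%dH" % (len(value) // 2), value))
    if key == 1:  # alpn: sequence of length-prefixed, non-empty alpn-ids
        ids, i = [], 0
        while i < len(value):
            n = value[i]
            if n == 0 or i + 1 + n > len(value):
                raise ValueError("malformed alpn value")
            ids.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return ids
    if key == 2:  # no-default-alpn: value must be empty
        if value:
            raise ValueError("no-default-alpn must have an empty value")
        return True
    if key == 3:  # port: exactly 2 octets, network byte order
        if len(value) != 2:
            raise ValueError("port must be exactly 2 octets")
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: one or more fixed-size addresses
        size, cls = (4, ipaddress.IPv4Address) if key == 4 else (16, ipaddress.IPv6Address)
        if not value or len(value) % size:
            raise ValueError("malformed address hint")
        return [str(cls(value[i:i + size])) for i in range(0, len(value), size)]
    return value


def parse_svcb_rdata(data):
    """Return {'priority', 'mode', 'target', 'params'}; raise ValueError if malformed."""
    if len(data) < 2:
        raise ValueError("RDATA too short")
    priority = struct.unpack("!H", data[:2])[0]
    target, offset = _read_name(data, 2)
    params, last_key = {}, -1
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        if key <= last_key:  # keys MUST be in strictly increasing order (RFC 9460 2.2)
            raise ValueError("SvcParamKeys not in strictly increasing order")
        last_key = key
        value = data[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        offset += length
        params[SVCPARAM_KEYS.get(key, "key%d" % key)] = _decode_value(key, value)
    for k in params.get("mandatory", []):  # every listed key must be present, and not key 0
        if k == 0 or SVCPARAM_KEYS.get(k, "key%d" % k) not in params:
            raise ValueError("mandatory lists an absent or illegal key")
    mode = "alias" if priority == 0 else "service"
    # AliasMode: clients MUST ignore any SvcParams that are present.
    return {"priority": priority, "mode": mode, "target": target,
            "params": {} if mode == "alias" else params}


def is_well_formed(data):
    try:
        parse_svcb_rdata(data)
        return True
    except ValueError:
        return False


def summarize(rdatas):
    """Count alias/service records and how many ServiceMode records carry port or ech."""
    counts = {"alias": 0, "service": 0, "port": 0, "ech": 0}
    for rr in (parse_svcb_rdata(d) for d in rdatas):
        counts[rr["mode"]] += 1
        for k in ("port", "ech"):
            if k in rr["params"]:
                counts[k] += 1
    return counts


# Constructed sample RDATA for the example; not captured from any real zone.
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in s.split(".") if l) + b"\x00"


def _param(key, value):
    return struct.pack("!HH", key, len(value)) + value


SAMPLES = {
    "alias": struct.pack("!H", 0) + _name("svc.example.net."),
    "h2_port": struct.pack("!H", 1) + _name(".") + _param(1, b"\x02h2\x08http/1.1")
               + _param(3, struct.pack("!H", 8443)),
    "h3_ech": struct.pack("!H", 2) + _name("svc4.example.net.") + _param(1, b"\x02h3")
              + _param(4, bytes([192, 0, 2, 1])) + _param(5, b"constructed-ech-config"),
    "bad_order": struct.pack("!H", 1) + _name(".") + _param(3, b"\x1f\x90") + _param(1, b"\x02h2"),
}

if __name__ == "__main__":
    for name, rdata in SAMPLES.items():
        print(name, parse_svcb_rdata(rdata) if is_well_formed(rdata) else "malformed")
    print(summarize([v for k, v in SAMPLES.items() if k != "bad_order"]))
```

Running it prints the three decoded records, reports `bad_order` as malformed, and gives the tally `{'alias': 1, 'service': 2, 'port': 1, 'ech': 1}`. Fed the RDATA of an authoritative server's own HTTPS records (or of captured responses), `summarize` gives the per-parameter count the thread is asking about, which is the only place that count can come from, since the query side carries no SvcParamKey at all.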