1<!-- 2Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3 4SPDX-License-Identifier: curl 5--> 6 7# HTTPS RR 8 9[RFC 9460](https://www.rfc-editor.org/rfc/rfc9460.html) documents the HTTPS 10DNS Resource Record. 11 12curl features **experimental** support for HTTPS RR. 13 14- The ALPN list from the retrieved HTTPS record is parsed 15- The ECH field is stored (when DoH is used) 16- The port number from the HTTPS RR is not used 17- The target name is not used 18- The IP addresses from the HTTPS RR are not used 19- It only supports a single HTTPS RR per hostname 20- consider cases without A/AAAA records but *with* HTTPS RR 21- consider service profiles where the RR provides different addresses for TCP 22 vs QUIC etc 23 24`HTTPSRR` is listed as a feature in the `curl -V` output if curl contains 25HTTPS RR support. If c-ares is not included in the build, the HTTPS RR support 26is limited to DoH. 27 28`asyn-rr` is listed as a feature in the `curl -V` output if c-ares is used for 29additional resolves in addition to a "normal" resolve done with the threaded 30resolver. 31 32The data extracted from the HTTPS RR is stored in the in-memory DNS cache to 33be reused on subsequent uses of the same hostnames. 34 35## limitations 36 37We have decided to work on the HTTPS RR support by following what seems to be 38(widely) used, and simply wait with implementing the details of the record 39that do not seem to be deployed. HTTPS RR is a DNS field with many odd corners 40and complexities and we might as well avoid them if no one seems to want them. 41 42## build 43 44 ./configure --enable-httpsrr 45 46or 47 48 cmake -DUSE_HTTPSRR=ON 49 50## ALPN 51 52The list of ALPN IDs is parsed but may not be completely respected because of 53what the HTTP version preference is set to, which is a problem we are working 54on. Also, getting an `HTTP/1.1` ALPN in the HTTPS RR field for an HTTP:// 55transfer should imply switching to HTTPS, HSTS style. Which curl currently 56does not. 57 58## DoH 59 60When HTTPS RR is enabled in the curl build, The DoH code asks for an HTTPS 61record in addition to the A and AAAA records, and if an HTTPS RR answer is 62returned, curl parses it and stores the retrieved information. 63 64## Non-DoH 65 66If DoH is not used for name resolving in an HTTPS RR enabled build, we must 67provide the ability using the regular resolver backends. We use the c-ares DNS 68library for the HTTPS RR lookup. Version 1.28.0 or later. 69 70### c-ares 71 72If curl is built to use the c-ares library for name resolves, an HTTPS RR 73enabled build makes a request for the HTTPS RR in addition to the regular 74lookup. 75 76### Threaded resolver 77 78When built to use the threaded resolver, which is the default, an HTTPS RR 79build still needs a c-ares installation provided so that a separate request 80for the HTTPS record can be done in parallel to the regular getaddrinfo() 81call. 82 83This is done by specifying both c-ares and threaded resolver to configure: 84 85 ./configure --enable-ares=... --enable-threaded-resolver 86 87or to cmake: 88 89 cmake -DENABLE_ARES=ON -DENABLE_THREADED_RESOLVER=ON 90 91Because the HTTPS record is handled separately from the A/AAAA record 92retrieval, by a separate library, there is a small risk for discrepancies. 93 94When building curl using the threaded resolver with HTTPS RR support (using 95c-ares), the `curl -V` output looks exactly like a c-ares resolver build. 96 97## HTTPS RR Options 98 99Because curl is a low level transfer tool for which users sometimes want 100detailed control, we need to offer options to control HTTPS RR use. 101