Intent To Ship: Resolving HTTPS records using platform DNS APIs

Valentin Gosu

May 14, 2024, 3:22:45 AM
to dev-platform

Summary: We are introducing functionality to resolve HTTPS records, a new DNS record type that provides information about the connection such as alternate endpoints, supported protocols, IP addresses, and Encrypted Client Hello (ECH). Previously, these records were only resolvable via DNS over HTTPS. This update extends the capability to platform DNS APIs, bringing its benefits to users who are not currently using DNS over HTTPS.

Bug: Bug 1852752 - Implement HTTPS records resolution using platform DNS APIs

Specification: HTTPS records are specified in RFC 9460. Resolution is performed via calling DNSQuery_A (Windows), res_query (OSX), res_nquery (Linux), and android_res_query (Android).

Standards Body: The record is standardized by the IETF.

Platform coverage: Available on all supported platforms; however, there are specific platform issues:

  • Linux, Windows 11, Android 10+: Works well.
  • Windows 10: Issue with DNSQuery_A returning a null pointer despite success code; under investigation by Microsoft.
  • Mac OSX: Intermittent crashes in dns_res_send; tracked in Bug 1882856.
  • Android 9 and below: res_query consistently returns an error.

Preference: The feature is enabled via network.dns.native_https_query.

DevTools bug: Not applicable.

Link to standards-positions discussion: Not applicable.

Other browsers:

  • Blink: Not currently able to resolve HTTPS records without using DNS over HTTPS.
  • WebKit: Not currently able to resolve HTTPS records without using DNS over HTTPS.

web-platform-tests: Currently, there are no web-platform-tests for this feature; however, we have created specific xpcshell-tests to ensure functionality.

Performance: Firefox can now use HTTP/3 from the first connection when an HTTPS record containing the alpn SvcParamKey is resolved, leading to several observed performance improvements. However, resolving HTTPS records may cause slight performance degradation as resolution is required before connection establishment. This aligns with the previous performance impact noted with DNS over HTTPS. We will continue to monitor performance closely post-rollout.

Breakage: Initial issues with long connection times to local domains have been addressed by avoiding HTTPS record queries for known local domains (e.g., those listed in /etc/hosts) as they are unlikely to have such records. Additionally, if HTTPS requests are blocked by firewalls, our NetworkConnectivityService now checks and skips resolving HTTPS records to prevent unnecessary delays.

This feature has been enabled on Nightly and Early beta for a couple of months, but if you encounter any issues that seem to be related to it, please file a bug blocking 1852752. Thanks!
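The platform APIs named above (DNSQuery_A, res_query, res_nquery, android_res_query) return the HTTPS record in raw wire format, so the client has to parse the RDATA laid out in RFC 9460 and apply its structural rules before trusting anything in it. The parser below is an added example written for this page; it is not Firefox code and not part of the post. It decodes SvcPriority, TargetName and the SvcParams the post mentions (alpn, port, address hints, ech), enforces the RFC's ordering, AliasMode and mandatory-key rules, and rejects a record that breaks them. Every byte string in it is constructed for the example; the ech value is a placeholder, not a real ECHConfigList.

```python
"""RFC 9460 HTTPS (type 65) RDATA parser. Added example, not Firefox code."""
import struct
from ipaddress import IPv4Address, IPv6Address

# SvcParamKey registry values from RFC 9460 section 14.3
KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
             4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


class MalformedRecord(ValueError):
    """RDATA violates RFC 9460; a client must ignore such a record."""


def read_name(data: bytes, off: int):
    """Parse an uncompressed wire-format TargetName; returns (name, next offset)."""
    labels = []
    while True:
        if off >= len(data):
            raise MalformedRecord("truncated TargetName")
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # section 2.2: name compression is not permitted in SVCB/HTTPS RDATA
            raise MalformedRecord("compression pointer in TargetName")
        if off + n > len(data):
            raise MalformedRecord("truncated label")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + "." if labels else "."), off


def decode_value(key: int, value: bytes):
    """Decode one SvcParamValue according to the wire format of its key."""
    if key == 0:  # mandatory: list of u16 keys; must not list itself
        if len(value) < 2 or len(value) % 2:
            raise MalformedRecord("bad mandatory length")
        keys = list(struct.unpack(f"!{len(value) // 2}H", value))
        if 0 in keys:
            raise MalformedRecord("mandatory must not include itself")
        return keys
    if key == 1:  # alpn: sequence of 1-byte-length-prefixed protocol ids
        ids, i = [], 0
        while i < len(value):
            n = value[i]
            if n == 0 or i + 1 + n > len(value):
                raise MalformedRecord("bad alpn-id length")
            ids.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        if not ids:
            raise MalformedRecord("alpn must not be empty")
        return ids
    if key == 2:  # no-default-alpn: a flag, value must be empty
        if value:
            raise MalformedRecord("no-default-alpn must be empty")
        return True
    if key == 3:  # port: exactly one u16
        if len(value) != 2:
            raise MalformedRecord("bad port length")
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: one or more packed addresses
        size, cls = (4, IPv4Address) if key == 4 else (16, IPv6Address)
        if not value or len(value) % size:
            raise MalformedRecord("bad address hint length")
        return [str(cls(value[i:i + size])) for i in range(0, len(value), size)]
    return value  # ech (opaque ECHConfigList) and unknown keys: keep the raw bytes


def parse_https_rdata(rdata: bytes) -> dict:
    """Parse HTTPS RDATA into a dict; raises MalformedRecord on structural errors."""
    if len(rdata) < 3:
        raise MalformedRecord("RDATA too short")
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise MalformedRecord("truncated SvcParam header")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:  # section 2.2: keys strictly increasing, so no duplicates
            raise MalformedRecord("SvcParamKeys not strictly increasing")
        last_key = key
        value = rdata[off:off + length]
        if len(value) != length:
            raise MalformedRecord("truncated SvcParam value")
        off += length
        params[KEY_NAMES.get(key, f"key{key}")] = decode_value(key, value)
    if priority == 0:  # AliasMode (section 2.4.2): recipients ignore any SvcParams
        params = {}
    for k in params.get("mandatory", []):  # section 8: listed keys must be present and understood
        if k not in KEY_NAMES or KEY_NAMES[k] not in params:
            raise MalformedRecord("mandatory key missing or not recognized")
    return {"priority": priority, "target": target, "params": params}


# Constructed sample equivalent to "1 . alpn=h3,h2 port=443 ipv4hint=192.0.2.1 ech=<placeholder>"
SAMPLE_RDATA = (
    b"\x00\x01"                          # SvcPriority 1 (ServiceMode)
    b"\x00"                              # TargetName "." (the owner name itself)
    b"\x00\x01\x00\x06\x02h3\x02h2"      # alpn = h3, h2
    b"\x00\x03\x00\x02\x01\xbb"          # port = 443
    b"\x00\x04\x00\x04\xc0\x00\x02\x01"  # ipv4hint = 192.0.2.1 (TEST-NET-1)
    b"\x00\x05\x00\x04\x00\x00\x00\x00"  # ech = 4 placeholder bytes, not a real ECHConfigList
)
# Same content with port placed before alpn, which violates the ordering rule
BAD_ORDER_RDATA = b"\x00\x01\x00" + b"\x00\x03\x00\x02\x01\xbb" + b"\x00\x01\x00\x06\x02h3\x02h2"

if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE_RDATA))
    try:
        parse_https_rdata(BAD_ORDER_RDATA)
    except MalformedRecord as e:
        print("rejected:", e)
```

The strict-ordering and mandatory checks matter because a record the client cannot fully interpret has to be dropped as a whole rather than partially honoured; a client that silently used the parts it understood could be steered to a different endpoint or protocol than the zone operator intended.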
