Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings

Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings Meta Platforms, Inc.

ietf@bemasc.net

Akamai Technologies

mbishop@evequefou.be

Akamai Technologies

erik+ietf@nygren.org

SEC tls ech SvcParamKey ech SvcParam ECH SVCB HTTPS Resource Records TLS SNI Encrypted SNI Server Name Indication Encrypted Server Name Indication To use TLS Encrypted ClientHello (ECH), the client needs to learn the ECH configuration for a server before it attempts a connection to the server. This specification provides a mechanism for conveying the ECH configuration information via DNS, using a SVCB or HTTPS resource record (RR).

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

. Overview
. Terminology
. SvcParam for ECH Configuration
. Requirements for Server Deployments
. Requirements for Client Implementations
- . Disabling Fallback
- . ClientHello Construction
- . Performance Optimizations
. Interaction with HTTP Alt-Svc
. Examples
. Security Considerations
. IANA Considerations
. References
- . Normative References
- . Informative References
Authors' Addresses

Overview The Service Bindings framework allows server operators to publish a detailed description of their service in the Domain Name System (DNS) (see and ) using SVCB or HTTPS records. Each SVCB record describes a single "alternative endpoint" and contains a collection of "SvcParams" that can be extended with new kinds of information that may be of interest to a client. Clients can use the SvcParams to improve the privacy, security, and performance of their connection to this endpoint. This specification defines a new SvcParam to enable the use of TLS Encrypted ClientHello in TLS-based protocols. This SvcParam can be used in SVCB, HTTPS, or any future SVCB-compatible DNS records and is intended to serve as the primary bootstrap mechanism for ECH.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

SvcParam for ECH Configuration The "ech" SvcParamKey conveys the ECH configuration of an alternative endpoint. It is applicable to all schemes that use TLS-based protocols (including DTLS and QUIC version 1 ) unless otherwise specified. In wire format, the value of the parameter is an ECHConfigList (), including the redundant length prefix. In presentation format, the value is the ECHConfigList in Base 64 encoding (). Base 64 is used here to simplify integration with TLS server software. To enable simpler parsing, this SvcParam MUST NOT contain escape sequences. This example uses line wrapping per .

ECH SvcParam with a public_name of "ech-sites.example.net" ech="AEj+DQBEAQAgACAdd+scUi0IYFsXnUIU7ko2Nd9+F8M26pAGZVpz/KrWPgAEAAE\ AAWQVZWNoLXNpdGVzLmV4YW1wbGUubmV0AAA="

Requirements for Server Deployments When publishing a record containing an "ech" parameter, the publisher MUST ensure that all IP addresses of TargetName correspond to servers that have access to the corresponding private key or are authoritative for the public name. (See Sections and of for requirements related to the public name.) Otherwise, connections will fail entirely. These servers SHOULD support a protocol version that is compatible with ECH. At the time of writing, the compatible versions are TLS 1.3, DTLS 1.3, and QUIC version 1. If the server does not support a compatible version, each connection attempt will have to be retried, delaying the connection and wasting resources.

Requirements for Client Implementations This section describes client behavior in using ECH configurations provided in SVCB or HTTPS records.

Disabling Fallback The SVCB-optional client behavior specified in permits clients to fall back to a direct connection if all SVCB options fail. This behavior is not suitable for ECH, because fallback would negate the privacy benefits of ECH. Accordingly, ECH-capable, SVCB-optional clients MUST switch to SVCB-reliant connection establishment if SVCB resolution succeeded (as defined in ) and all alternative endpoints have an "ech" SvcParam.

ClientHello Construction When ECH is in use, the TLS ClientHello is divided into an unencrypted "outer" and an encrypted "inner" ClientHello. The outer ClientHello is an implementation detail of ECH, and its contents are controlled by the ECHConfig in accordance with . The inner ClientHello is used for establishing a connection to the service, so its contents may be influenced by other SVCB parameters. For example, the requirements related to Application-Layer Protocol Negotiation (ALPN) protocol identifiers in apply only to the inner ClientHello. Similarly, it is the inner ClientHello whose Server Name Indication (SNI) identifies the desired service.

Performance Optimizations Prior to retrieving the SVCB records, the client does not know whether they contain an "ech" parameter. As a latency optimization, clients MAY prefetch DNS records that will only be used if this parameter is not present (i.e., only in SVCB-optional mode). The "ech" SvcParam alters the contents of the TLS ClientHello if it is present. Therefore, clients that support ECH MUST NOT issue any TLS ClientHello until after SVCB resolution has completed. (See .)

Interaction with HTTP Alt-Svc HTTP clients that implement both HTTP Alt-Svc and the HTTPS record type can use them together, provided that they only perform connection attempts that are "consistent" with both sets of parameters (). At the time of writing, there is no defined parameter related to ECH for Alt-Svc. Accordingly, a connection attempt that uses ECH is considered "consistent" with an Alt-Svc field value that does not mention ECH. Origins that publish an "ech" SvcParam in their HTTPS record SHOULD also publish an HTTPS record with the "ech" SvcParam for every alt-authority offered in its Alt-Svc field values. Otherwise, clients might reveal the name of the server in an unencrypted ClientHello to an alt-authority. If all HTTPS records for an alt-authority contain "ech" SvcParams, the client MUST adopt SVCB-reliant behavior (as in ) for that resource record set (RRSet). This precludes the use of certain connections that Alt-Svc would otherwise allow, as discussed in .

Examples

Simple Example Zone with the Same Configuration on the Apex and Web Domain $ORIGIN simple.example. ; Simple example zone @ 300 IN A 192.0.2.1 AAAA 2001:db8::1 HTTPS 1 . ech=ABC... www 300 IN A 192.0.2.1 AAAA 2001:db8::1 HTTPS 1 . ech=ABC... The example above is compatible with clients that do or do not support HTTPS records.

Service That Allows Clients to Choose Between Two Server Pools with Different ECH Configurations $ORIGIN heterogeneous.example. ; Example zone with 2 pools of servers pool1 300 IN A 192.0.2.1 AAAA 2001:db8:1::a pool2 300 IN A 192.0.2.2 AAAA 2001:db8:2::a service 300 IN SVCB 1 pool1 ech=ABC... SVCB 1 pool2 ech=DEF... A 192.0.2.1 A 192.0.2.2 AAAA 2001:db8:1::a AAAA 2001:db8:2::a

ECH Usage Pattern for an Aliasing-Based CDN $ORIGIN cdn.example. ; CDN operator zone pool 300 IN A 192.0.2.1 AAAA 2001:db8::1 HTTPS 1 . ech=ABC... $ORIGIN customer.example. ; CDN customer's zone @ 3600 IN HTTPS 0 pool.cdn.example. ; Apex IP records for compatibility with clients that do not support ; HTTPS records. @ 300 IN A 192.0.2.1 AAAA 2001:db8::1 www 300 IN CNAME pool.cdn.example.

A Domain That is Only Reachable Using ECH $ORIGIN secret.example. ; High confidentiality zone www 3600 IN HTTPS 1 backend ech=ABC... mandatory=ech backend 300 IN A 192.0.2.1 AAAA 2001:db8::1

Multi-CDN Configuration Using Server-Side Selection $ORIGIN cdn1.example. ; First CDN operator zone pool 300 IN A 192.0.2.1 AAAA 2001:db8::1 HTTPS 1 . ech=ABC... $ORIGIN cdn2.example. ; Second CDN operator zone pool 300 IN A 192.0.2.2 AAAA 2001:db8::2 HTTPS 1 . ech=DEF... ;; Multi-CDN customer zone (version 1) $ORIGIN customer.example. @ 3600 IN HTTPS 0 pool.cdn1.example. ; Apex IP records for compatibility with clients that do not support ; HTTPS records. @ 300 IN A 192.0.2.1 AAAA 2001:db8::1 www 3600 IN CNAME pool.cdn1.example. ;; Multi-CDN customer zone (version 2) @ 3600 IN HTTPS 0 pool.cdn2.example. @ 300 IN A 192.0.2.2 AAAA 2001:db8::2 www 3600 IN CNAME pool.cdn2.example.

Example of a DNS Server That Supports ECH $ORIGIN dns.example. ; DNS server example. @ 3600 IN A 192.0.2.1 AAAA 2001:db8::1 HTTPS 1 . ech=ABC... alpn=h3 dohpath=/q{?dns} _dns 3600 IN SVCB 1 @ ech=ABC... alpn=dot,doq,h3 dohpath=/q{?dns}

Security Considerations A SVCB RRSet containing some RRs with "ech" and some without is vulnerable to a downgrade attack: A network intermediary can block connections to the endpoints that support ECH, causing the client to fall back to a non-ECH endpoint. This configuration is NOT RECOMMENDED, but it may be unavoidable when combining endpoints from different providers or conducting a staged rollout. Zone owners who do use such a mixed configuration SHOULD mark the RRs with "ech" as more preferred (i.e., lower SvcPriority value) than those without, in order to maximize the likelihood that ECH will be used in the absence of an active adversary. When Encrypted ClientHello is deployed, the inner TLS SNI is protected from disclosure to attackers. However, there are still many ways that an attacker might infer the SNI. Even in an idealized deployment, ECH's protection is limited to an anonymity set consisting of all the ECH-enabled server domains supported by a given client-facing server that share an ECH configuration. An attacker who can enumerate this set can always guess the encrypted SNI with a probability of at least 1/K, where K is the number of domains in the set. Some attackers may achieve much greater accuracy using traffic analysis, popularity weighting, and other mechanisms (e.g., see ). ECH ensures that TLS does not disclose the SNI, but the same information is also present in the DNS queries used to resolve the server's hostname. This specification does not conceal the server name from the DNS resolver. If DNS messages are sent between the client and resolver without authenticated encryption, an attacker on this path can also learn the destination server name. A similar attack applies if the client can be linked to a request from the resolver to a DNS authority. An attacker who can prevent SVCB resolution can deny clients any associated security benefits. A hostile recursive resolver can always deny service to SVCB queries, but network intermediaries can often prevent resolution as well, even when the client and recursive resolver validate DNSSEC and use a secure transport. These downgrade attacks can prevent a client from being aware that "ech" is configured, which could result in the client sending the ClientHello in cleartext. To prevent downgrades, recommends that clients abandon the connection attempt when such an attack is detected.

IANA Considerations IANA has modified the entry for "ech" in the "DNS SVCB Service Parameter Keys (SvcParamKeys)" registry in the "DNS Service Bindings (SVCB)" registry group as follows:

Number	Name	Meaning	Change Controller	Reference
5	ech	TLS Encrypted ClientHello Config	IETF	RFC 9848

References Normative References TLS Encrypted Client Hello Independent Fastly Cryptography Consulting LLC Cloudflare Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Base16, Base32, and Base64 Data Encodings This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. DNS Security Extensions (DNSSEC) This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC. Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records) This document specifies the "SVCB" ("Service Binding") and "HTTPS" DNS resource record (RR) types to facilitate the lookup of information needed to make connections to network services, such as for HTTP origins. SVCB records allow a service to be provided from multiple alternative endpoints, each with associated parameters (such as transport protocol configuration), and are extensible to support future uses (such as keys for encrypting the TLS ClientHello). They also enable aliasing of apex domains, which is not possible with CNAME. The HTTPS RR is a variation of SVCB for use with HTTP (see RFC 9110, "HTTP Semantics"). By providing more information to the client before it attempts to establish a connection, these records offer potential benefits to both performance and privacy. Informative References DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document updates RFC 2308 by clarifying the definitions of "forwarder" and "QNAME". It obsoletes RFC 8499 by adding multiple terms and clarifications. Comprehensive lists of changed and new definitions can be found in Appendices A and B. I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis Lecture Notes in Computer Science, vol. 8555, pp. 143-163 HTTP Alternative Services This document specifies "Alternative Services" for HTTP, which allow an origin's resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration. Handling Long Lines in Content of Internet-Drafts and RFCs This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content. Using TLS to Secure QUIC This document describes how Transport Layer Security (TLS) is used to secure QUIC. The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347.

Authors' Addresses Meta Platforms, Inc.

ietf@bemasc.net

Akamai Technologies

mbishop@evequefou.be

Akamai Technologies

erik+ietf@nygren.org