SVCB/HTTPS record

Per RFC 9460 + 9461 + 9540

Service binding DNS record (RFC 9460) with ALPN, IPv4/IPv6 hints, ECH and dohpath. Replaces A/AAAA for HTTPS, DoH and DoT.

What is this, and when do I need it?

What is this?

SVCB and HTTPS resource records (RFC 9460) are the modern DNS layer that ties one hostname to the actual transport: ALPN protocols (HTTP/2, HTTP/3), alternative ports, IPv4/IPv6 hints, the ECH config for encrypted ClientHello, and DoH/OHTTP discovery. The HTTPS RR is a specialised SVCB record for HTTPS origins.

Browsers (Chrome, Firefox, Safari) and resolvers query the HTTPS RR before the A/AAAA records, which lets you advertise HTTP/3 without an Alt-Svc header and publish the ECH config that keeps the SNI private.

When do I need it?

Useful as soon as you ship HTTP/3 or want to switch on ECH. Also useful for DoH/DoT resolver discovery (RFC 9461), where the SVCB record holds the dohpath template the client needs to construct DoH requests.

Adoption note: the record is additive - clients that do not understand it fall back to A/AAAA. Drop-in safe.

Should already be in place

  • TLS certificate for the TargetName
SvcParams (ServiceMode)
  • no-default-alpn: When enabled, the client drops the implicit default ALPN (otherwise http/1.1 is added automatically for HTTPS).
  • ohttp: When enabled, the record signals that the service accepts OHTTP gateway requests.
DNS record in zone-file format per RFC 9460 + 9461 + 9540
example.com.	3600	IN	HTTPS	1 . alpn="h3,h2"


Free, no warranty (best effort). Generated and inspected values are non-binding; we accept no liability for erroneous or incomplete results or configurations. Use and verification are your own responsibility; please test before production use.

How to add this record at your DNS provider

The record generated above has three parts: the record type (typically TXT, occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual payload in quotes). Every DNS provider asks for these same three fields - only the menu wording differs.

INWX (Dernium default for new customers)
  1. Sign in at www.inwx.de.
  2. Tab Nameserver → pick the domain → Nameserver-Sets verwalten → DNS-Einträge.
  3. Button Neuen Eintrag anlegen.
  4. Pick a type (e.g. TXT), enter the host (empty for the root domain, otherwise e.g. _dmarc), paste the value, leave TTL at 3600.
  5. Save. Propagation typically within 5-15 minutes.
Strato
  1. Sign in to the Strato customer area.
  2. Menu Domains → pick the domain → Verwalten.
  3. Section DNS-Verwaltung → Nameserver/DNS-Einstellungen anpassen.
  4. Under Eigene DNS-Verwaltung pick the right record type (TXT records have their own block), enter host and value.
  5. Save. Strato typically propagates within 30-60 minutes.
Hetzner DNS Console
  1. Sign in at dns.hetzner.com.
  2. Click on the zone of your domain.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value.
  4. Save. Propagation typically under 5 minutes.
IONOS (1&1)
  1. Sign in to the IONOS customer center.
  2. Menu Domains & SSL → click the domain → DNS.
  3. Button Eintrag hinzufügen → pick a type, enter the host, paste the value into the content field.
  4. Save. Propagation typically 15-60 minutes.
Cloudflare
  1. Sign in to Cloudflare, pick the domain.
  2. Tab DNS → Records.
  3. Button Add record → pick a type, enter the name (use @ for the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
  4. Save. Propagation typically under 2 minutes.

Note: If your DNS provider is not listed, you usually find the right place under headings like "DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps; the paths shown here are vendor-specific and can shift slightly with redesigns.

Check an existing HTTPS/SVCB record live

Fetches the HTTPS or SVCB record via DNS-over-HTTPS (Cloudflare 1.1.1.1, with DNSSEC AD bit) and evaluates priority, TargetName and SvcParams against best practice. Server path: at most 12 requests per minute per IP subnet, no logging.
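
An offline sketch of this kind of evaluation, as an added example (not this tool's own code): it parses one zone-file HTTPS/SVCB line and applies a few RFC 9460 self-consistency rules to priority and SvcParams. The function names parse_rr and check_rr are hypothetical, the sample records are constructed, and the parsing is simplified (single-line records, no escaped commas in values).

```python
import ipaddress
import shlex

# Constructed sample records (documentation names/addresses); the first is the page's example.
SAMPLES = [
    'example.com. 3600 IN HTTPS 1 . alpn="h3,h2"',
    'example.com. 3600 IN HTTPS 1 . no-default-alpn ipv4hint=192.0.2.1,2001:db8::1',
    'example.com. 3600 IN HTTPS 0 svc.example.net. alpn=h3',
    'example.com. 3600 IN HTTPS 1 . alpn=h2 mandatory=alpn,ech',
]

def parse_rr(line):
    """Split 'owner TTL IN HTTPS|SVCB priority target [key[=value] ...]'."""
    owner, ttl, rrclass, rrtype, prio, target, *params = shlex.split(line)
    if rrclass != "IN" or rrtype not in ("HTTPS", "SVCB"):
        raise ValueError("not an IN HTTPS/SVCB record")
    pairs = [p.partition("=")[::2] for p in params]  # (key, value); value "" if bare key
    return int(prio), target, pairs

def check_rr(line):
    """Return findings for a few RFC 9460 self-consistency rules (not exhaustive)."""
    priority, target, pairs = parse_rr(line)
    keys, params, findings = [k for k, _ in pairs], dict(pairs), []
    if len(keys) != len(set(keys)):
        findings.append("SvcParamKey repeated")
    if priority == 0:  # AliasMode: clients ignore SvcParams
        return findings + (["AliasMode record carries SvcParams"] if keys else [])
    if "no-default-alpn" in params and "alpn" not in params:
        findings.append("no-default-alpn without alpn")
    for m in filter(None, params.get("mandatory", "").split(",")):
        if m == "mandatory" or m not in params:
            findings.append(f"mandatory lists '{m}', which is absent or not allowed")
    port = params.get("port")
    if port is not None and not (port.isdecimal() and int(port) <= 65535):
        findings.append("port is not in 0-65535")
    for key, version in (("ipv4hint", 4), ("ipv6hint", 6)):
        for addr in filter(None, params.get(key, "").split(",")):
            try:
                ok = ipaddress.ip_address(addr).version == version
            except ValueError:
                ok = False
            if not ok:
                findings.append(f"{key} has invalid address '{addr}'")
    return findings

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", check_rr(record) or "ok")
```

An empty list means none of the checked rules were violated; it does not confirm that the TargetName resolves or that its TLS certificate matches.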
