Service binding DNS record (RFC 9460) with ALPN, IPv4/IPv6 hints, ECH and dohpath. Replaces A/AAAA for HTTPS, DoH and DoT.
What is this, and when do I need it?
What is this?
SVCB and HTTPS resource records (RFC 9460) are the modern DNS layer that ties one hostname
to the actual transport: ALPN protocols (HTTP/2, HTTP/3), alternative ports, IPv4/IPv6
hints, the ECH config for encrypted ClientHello, and DoH/OHTTP discovery. The HTTPS RR is a
specialised SVCB record for HTTPS origins.
Browsers (Chrome, Firefox, Safari) and resolvers query the HTTPS RR before the A/AAAA, which
lets you advertise HTTP/3 without an Alt-Svc header and ship ECH without sacrificing SNI
privacy.
When do I need it?
Useful as soon as you ship HTTP/3 or want to switch on ECH. Also useful for DoH/DoT resolver
discovery (RFC 9461), where the SVCB record holds the dohpath template the client
needs to construct DoH requests.
Adoption note: the record is additive - clients that do not understand it fall
back to A/AAAA. Drop-in safe.
DNS record in zone-file formatper RFC 9460 + 9461 + 9540
example.com. 3600 IN HTTPS 1 . alpn="h3,h2"
How to add this record at your DNS provider
The record generated above has three parts: the record type (typically TXT,
occasionally CAA), the host (a subdomain like _dmarc, _smtp._tls or empty for the root domain) and the value (the actual
payload in quotes). Every DNS provider asks for these same three fields - only the menu wording
differs.
Button Add record → pick a type, enter the name (use @ for the
root domain), paste the value.
Save. Propagation typically under 5 minutes.
IONOS (1&1)
Sign in to the IONOS customer center.
Menu Domains & SSL → click the domain → DNS.
Button Eintrag hinzufügen → pick a type, enter the host, paste the value into
the content field.
Save. Propagation typically 15-60 minutes.
Cloudflare
Sign in to Cloudflare, pick the domain.
Tab DNS → Records.
Button Add record → pick a type, enter the name (use @ for
the root domain), paste the value, leave proxy status on DNS only for TXT/CAA records.
Save. Propagation typically under 2 minutes.
Note: If your DNS provider is not listed, you usually find the right place under headings like
"DNS management", "Zone editor", or "Records". When in doubt, your provider's support helps;
the paths shown here are vendor-specific and can shift slightly with redesigns.
Check an existing HTTPS/SVCB record live
Fetches the HTTPS or SVCB record via DNS-over-HTTPS (Cloudflare 1.1.1.1, with DNSSEC AD bit) and evaluates priority, TargetName and SvcParams against best practice. Server path: at most 12 requests per minute per IP subnet, no logging.