Adding a Hypertext Transfer Protocol Secure (HTTPS) record - BlueCat Integrity - 26.1.0

Address Manager Administration Guide


HTTPS records (and, in the same way, SVCB records) allow a whole domain to be aliased at the zone apex (AliasMode). They can also describe one or more endpoints for a service and give clients connection information such as the supported application protocols, IP address hints, and the port to use (ServiceMode).

Note: Using HTTPS or SVCB records for domain aliasing is not equivalent to a CNAME record. A CNAME record cannot be placed at the zone apex, because the apex must also hold records such as SOA and NS, and a CNAME cannot coexist with other records at the same name. HTTPS and SVCB records can alias the apex, but not all clients query HTTPS records, and some need additional settings before they do; a client that does not query them simply falls back to the name's A and AAAA records.

To add an HTTPS record to a zone:

  1. Select the DNS tab in the sidebar, then select Views.
  2. Navigate to the level (DNS zone or DNS sub-zone) where you want to add an HTTPS record.
  3. Select the Resource records tab.
  4. Select New > Hypertext transfer protocol secure record (HTTPS).
  5. Under General, configure the following parameters:
    • Name—select one of the following options:
      • Same as zone—to use the zone name for the name of the HTTPS record, select this option.
      • Specify name—to specify a name for the record, select this option and enter a name.
    • Priority—enter the priority (SvcPriority) of this record relative to other HTTPS records with the same name. Select the Enable alias mode checkbox to set the value to zero, which indicates AliasMode. A non-zero value indicates ServiceMode.
      Note: For ServiceMode only: multiple HTTPS records with the same name and the same priority are load-balanced by the client in a simple distribution scheme. Different priority values create a fallback order for the service, in which lower values are tried first.
    • Host—enter the domain name of either the target (AliasMode) or alternative endpoint (ServiceMode).
      Note: The value entered in the Host field must be an existing host record or external host record.
    • Override TTL—to change the time-to-live value for the record, select this checkbox and enter a value in the TTL field that is displayed. Select a unit of time from the drop-down menu.

    The following service parameters are shown for ServiceMode and describe the alternative endpoint named in the Host field. They are optional and apply only to ServiceMode.

    • (For ServiceMode only) Default ALPN identifier—select this checkbox to keep the protocol's default ALPN identifier (http/1.1 for HTTPS records) in the set of protocols the endpoint supports. Clearing it adds the no-default-alpn parameter to the record, which tells clients not to fall back to the default protocol when none of the identifiers listed in the ALPN identifiers field can be negotiated. If you clear this checkbox, the ALPN identifiers field is mandatory.
    • (For ServiceMode only) ALPN identifiers—a comma-separated list of the application protocols (ALPN protocol IDs, together with their associated transport protocols) that the endpoint supports. Order indicates importance, with the first listed entry taking priority. For the ALPN protocol ID format, refer to the IANA TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs registry. For example: h3,h3-29,h2
    • (For ServiceMode only) IPv4 address hints—a comma-separated list of IPv4 addresses the client can use to reach the endpoint when it has no cached address records for the target. If the client already has addresses in its cache, it uses those before the hints. For example: 192.0.2.80,198.51.100.0
    • (For ServiceMode only) IPv6 address hints—a comma-separated list of IPv6 addresses the client can use to reach the endpoint when it has no cached address records for the target. If the client already has addresses in its cache, it uses those before the hints. For example: 2001:db8::1000:fe90,2001:db8::2000:85e5
    • (For ServiceMode only) Mandatory keys—a comma-separated list of service parameter keys that the client must understand in order to use this record; a client that does not recognize one of the listed keys must ignore the record. Every key listed here must also be set on the record. For example: ipv4hint,port
    • (For ServiceMode only) Encrypted client hello—the endpoint's ECH configuration list (ECHConfigList), which includes the endpoint's public key, as a base64-encoded string. This parameter is reserved for use with TLS Encrypted Client Hello, which is still experimental. For example: ZXhhbXBsZSBiYXNlNjQgc3RyaW5n
    • (For ServiceMode only) Port—the TCP or UDP port on which the alternative endpoint listens. For example: 9443
    • (For ServiceMode only) Private use values—key65280 through key65534 are reserved for private use. For example: key65333=ex1
      Note: key65535 is Reserved ("Invalid key").
  6. Under Additional info, enter notes describing the resource record in the Comment field, if required.
  7. In the Change control section, add comments if required.
  8. Select Create to create the HTTPS record and return to the Resource records table, or select Create and add another to create the HTTPS record and re-open the Hypertext transfer protocol secure record window.
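The form fields above map directly onto the presentation and wire formats of an HTTPS record as defined in RFC 9460. The following script is an added example, not part of this guide or of Address Manager: it takes the same field values the procedure asks for (priority, alias mode, target host, ALPN identifiers, the Default ALPN checkbox, address hints, mandatory keys, ECH config, port and private-use keys), enforces the constraints stated in the steps (AliasMode records carry no service parameters, no-default-alpn requires ALPN identifiers, mandatory keys must be present on the record, key65535 is invalid, private keys must lie in key65280 to key65534) and emits both the zone-file line and the RDATA bytes a server would put on the wire. The owner and target names, TTL and sample values are constructed for illustration; the function name build_https_record and its parameter names are this example's own, not a BlueCat API.

```python
import base64
import ipaddress
import struct

# SvcParamKey numbers from the IANA SvcParamKeys registry (RFC 9460).
KEY_NUMBERS = {"mandatory": 0, "alpn": 1, "no-default-alpn": 2, "port": 3,
               "ipv4hint": 4, "ech": 5, "ipv6hint": 6}
KEY_NAMES = {v: k for k, v in KEY_NUMBERS.items()}
PRIVATE_USE = range(65280, 65535)   # key65280 .. key65534
INVALID_KEY = 65535                 # reserved ("Invalid key")


def key_number(name):
    """Map a presentation-format key name ('port', 'key65333') to its numeric SvcParamKey."""
    if name in KEY_NUMBERS:
        return KEY_NUMBERS[name]
    if name.startswith("key") and name[3:].isdigit():
        num = int(name[3:])
        if num == INVALID_KEY:
            raise ValueError("key65535 is reserved (Invalid key)")
        if num in PRIVATE_USE:
            return num
    raise ValueError(f"unsupported SvcParamKey: {name}")


def key_name(num):
    return KEY_NAMES.get(num, f"key{num}")


def wire_name(name):
    """Encode an absolute domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad domain name: {name!r}")
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_https_record(owner, priority, target, alias_mode=False, default_alpn=True,
                       alpn=(), ipv4hint=(), ipv6hint=(), mandatory=(), ech=None,
                       port=None, private=None, ttl=3600):
    """Return (zone-file line, wire-format RDATA) for an HTTPS record built from the form fields.

    Hypothetical helper written for this example; the parameter names mirror the form fields."""
    private = dict(private or {})
    params = {}  # numeric key -> (presentation value or None, wire value)

    if alias_mode:
        priority = 0  # the "Enable alias mode" checkbox forces SvcPriority 0
    if not 0 <= priority <= 65535:
        raise ValueError("priority must fit in 16 bits")
    has_params = bool(alpn or ipv4hint or ipv6hint or mandatory or private or ech
                      or port is not None or not default_alpn)
    if priority == 0 and has_params:
        raise ValueError("AliasMode (priority 0) records carry no service parameters")

    if alpn:
        if any("," in p or "\\" in p for p in alpn):
            raise ValueError("ALPN IDs containing ',' or '\\' need escaping (not supported here)")
        params[1] = (",".join(alpn),
                     b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in alpn))
    if not default_alpn:
        if not alpn:
            raise ValueError("no-default-alpn requires ALPN identifiers")
        params[2] = (None, b"")  # no-default-alpn carries an empty value
    if port is not None:
        if not 0 <= port <= 65535:
            raise ValueError("port must fit in 16 bits")
        params[3] = (str(port), struct.pack("!H", port))
    if ipv4hint:
        addrs = [ipaddress.IPv4Address(a) for a in ipv4hint]
        params[4] = (",".join(map(str, addrs)), b"".join(a.packed for a in addrs))
    if ech is not None:
        raw = base64.b64decode(ech, validate=True)  # ECHConfigList is opaque to DNS
        params[5] = (base64.b64encode(raw).decode("ascii"), raw)
    if ipv6hint:
        addrs = [ipaddress.IPv6Address(a) for a in ipv6hint]
        params[6] = (",".join(map(str, addrs)), b"".join(a.packed for a in addrs))
    for name, value in private.items():
        num = key_number(name)
        if num not in PRIVATE_USE:
            raise ValueError(f"{name} is not a private-use key")
        params[num] = (value, value.encode("ascii"))
    if mandatory:
        nums = sorted(key_number(k) for k in mandatory)
        if 0 in nums:
            raise ValueError("'mandatory' must not list itself")
        missing = [key_name(n) for n in nums if n not in params]
        if missing:
            raise ValueError(f"mandatory keys absent from record: {missing}")
        params[0] = (",".join(key_name(n) for n in nums),
                     b"".join(struct.pack("!H", n) for n in nums))

    # Wire format: SvcPriority, TargetName, then SvcParams in strictly ascending key order.
    rdata = struct.pack("!H", priority) + wire_name(target)
    text = [owner, str(ttl), "IN", "HTTPS", str(priority), target]
    for num in sorted(params):
        pres, wire = params[num]
        rdata += struct.pack("!HH", num, len(wire)) + wire
        text.append(key_name(num) if pres is None else f"{key_name(num)}={pres}")
    return " ".join(text), rdata


if __name__ == "__main__":
    # Constructed sample using the example values from the field descriptions above.
    line, rdata = build_https_record(
        "www.example.com.", 1, "svc.example.net.", alpn=["h3", "h3-29", "h2"],
        ipv4hint=["192.0.2.80", "198.51.100.0"], mandatory=["ipv4hint", "port"],
        ipv6hint=["2001:db8::1000:fe90", "2001:db8::2000:85e5"],
        ech="ZXhhbXBsZSBiYXNlNjQgc3RyaW5n", port=9443, private={"key65333": "ex1"})
    print(line)
    print(rdata.hex())
```

The zone-file line is what you can compare against `dig` output for the record once it is published; the RDATA bytes are what a resolver actually parses, and the sorted-key ordering and the mandatory/no-default-alpn checks are the parts a hand-written record most often gets wrong.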