Proposal: ESNI record Implies TLS support #131
This is almost trivial (why would you publish an ESNI record if you don't have TLS support?), but it would be tremendously useful for browsers, as a way to learn that the specified domain supports HTTPS before attempting a connection. If DNS records are fetched over a secure channel, this would enable HSTS-like behavior without an insecure bootstrap or a preload list.
That depends on how we define the ESNI record. For example, we could insert a port in the name (like SRV), or include a list of the applicable ports in the record contents. (Or we could just declare that ESNI implicitly blacklists port 80, which I believe is what you are arguing against.)
It's up to us.
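To make the three record-shaping options in the reply concrete, here is an added illustration (not code from this issue, the ESNI draft, or any browser) of the "upgrade plaintext to HTTPS from DNS alone" decision the proposal describes. The `_esni.` owner-name prefix, the SRV-style `_<port>.` label, the `ports=` key in the record contents, and the zone data are all assumptions constructed for this example, not the draft's actual record layout.

```python
from urllib.parse import urlsplit

# Constructed in-memory zone: owner name -> record text. The naming and
# "ports=" convention are assumptions for illustration only.
ESNI_PREFIX = "_esni"
ZONE = {
    "_esni.example.com": "ports=443,8443",  # option: applicable ports listed in the record
    "_443._esni.alt.example": "",           # option: port encoded in the name, SRV-style
    "_esni.plain.example": "",              # option: bare record, implicit port-80 rule
}

def tls_supported(zone, host, port, mode):
    """Does the DNS data assert that `host` speaks TLS on `port`, under `mode`?"""
    if mode == "port_in_name":
        return f"_{port}.{ESNI_PREFIX}.{host}" in zone
    record = zone.get(f"{ESNI_PREFIX}.{host}")
    if record is None:
        return False
    if mode == "port_list":
        # Only the ports explicitly enumerated in the record count as TLS-capable.
        for field in record.split(";"):
            key, _, value = field.partition("=")
            if key.strip() == "ports":
                return port in {int(p) for p in value.split(",") if p.strip()}
        return False
    if mode == "implicit_80":
        # A bare record is read as "plaintext port 80 is off limits, use 443";
        # nothing is inferred about any other port.
        return port == 443
    raise ValueError(f"unknown mode: {mode}")

def should_upgrade(zone, url, mode):
    """Return the https URL to fetch instead of a plaintext one, or None to leave it alone.

    The decision uses only DNS data, so no insecure bootstrap request is needed
    (the thread assumes the records themselves were fetched over a secure channel).
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    port = parts.port or 80
    target = 443 if port == 80 else port  # default plaintext port maps to default TLS port
    if not tls_supported(zone, parts.hostname, target, mode):
        return None
    netloc = parts.hostname if target == 443 else f"{parts.hostname}:{target}"
    return parts._replace(scheme="https", netloc=netloc).geturl()
```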