Most implementations missing deletion behavior for SetRecords

[marcellmars]

According to the RecordSetter.SetRecords documentation, implementations are required to ensure that for any (name, type) pair in the input, those are the only records (of that kind) present in the resulting zone.

For any (name, type) pair in the input, SetRecords ensures that the only records in the output zone with that (name, type) pair are those that were provided in the input.
In RFC 9499 terms, SetRecords appends, modifies, or deletes records in the zone so that for each RRset in the input, the records provided in the input are the only members of their RRset in the output zone.

If I'm not mistaken, Caddy (via certmagic) is the main consumer of this library. In its typical flow, when provisioning ECH, it usually calls SetRecords with a single record, and doesn't check beforehand (via GetRecords) for any existing records of the same name and type.

In the case of HTTPS with ECH, if someone tries to cover common scenarios for different versions of HTTP (2, 1.1, 3) with records addressing that, the implementation which follows the documentation (above cited) would make a mess.

For example, the ovh implementation takes care of deletion. Most other implementations don't.

This seems to work fine, so far, with most current provider implementations. I wonder if this discrepancy could lead to bugs or interoperability issues in less typical scenarios. Regarding this, what would be the guideline for future implementations?

[marcellmars]

If my interpretation is correct, certmagic could use AppendRecords instead of SetRecords and it wouldn't break the implementations with deletion for SetRecords, but then we still have the discrepancy.

[gucci-on-fleek]

@marcellmars

According to the RecordSetter.SetRecords documentation, implementations are required to ensure that for any (name, type) pair in the input, those are the only records (of that kind) present in the resulting zone.

For any (name, type) pair in the input, SetRecords ensures that the only records in the output zone with that (name, type) pair are those that were provided in the input.
In RFC 9499 terms, SetRecords appends, modifies, or deletes records in the zone so that for each RRset in the input, the records provided in the input are the only members of their RRset in the output zone.

Yes, that is correct.

If I'm not mistaken, Caddy (via certmagic) is the main consumer of this library. In its typical flow, when provisioning ECH, it usually calls SetRecords with a single record, and doesn't check beforehand (via GetRecords) for any existing records of the same name and type.

In the case of HTTPS with ECH, [...], the implementation which follows the documentation (above cited) would make a mess.

I think that this is working as intended: having some HTTPS records contain ech= values and other HTTPS without ech= values will usually lead to ECH working sporadically, depending on whichever RR your browser randomly chooses to use.

More generally, I can't think of any common scenarios where you would want more than 1 HTTPS record per domain—I'm sure that valid use cases exist, but Caddy's initial ECH implementation only supports “typical” usage. I don't think that @mholt is against supporting multiple HTTPS records, just that there hasn't been any demand.

[...] if someone tries to cover common scenarios for different versions of HTTP (2, 1.1, 3) with records addressing that [...]

Hmm, I suspect that you might be misusing HTTPS records here. HTTP1.1 support is implicit with HTTPS records (but you can use no-default-alpn="http/1.1" to disable that), and you can use multiple protocols in a single HTTPS record (put commas between them). So the following record indicates support for HTTPS versions 1.1, 2, and 3:

www.maxchernoff.ca. 	86400	IN	HTTPS	1 . alpn="h3,h2" ipv4hint=152.53.36.213 ech=AE3+DQBJugAgACDQ81F1toitjaXtLIbmVzoCej2VR5EV6Rbu9XM7R1VKSQAMAAEAAQABAAIAAQADIhJlY2gubWF4Y2hlcm5vZmYuY2EAAA== ipv6hint=2a0a:4cc0:2000:172::1

Similarly, user agents (browsers) are required to ignore any keys that they don't understand, so it's completely safe to include an ech= key since older browsers will ignore it. But as far as I'm aware, all browsers that use HTTPS records also support ECH.

The only case where I think that it makes sense to use separate v1.1, v2, and v3 HTTPS records is if you want to send each protocol to a different server:

www.example.com. 	86400	IN	HTTPS	1 h1.example.com. 
www.example.com. 	86400	IN	HTTPS	1 h2.example.com. alpn="h2" no-default-alpn="http/1.1"
www.example.com. 	86400	IN	HTTPS	1 h3.example.com. alpn="h3" no-default-alpn="http/1.1"
www.example.com. 	86400	IN	CNAME h123.example.com.

But most clients still only look up A/AAAA/CNAME records, so you'd still need to keep around a server that supports versions 1.1, 2, and 3.

For example, the ovh implementation takes care of deletion. Most other implementations don't.

This seems to work fine, so far, with most current provider implementations. I wonder if this discrepancy could lead to bugs or interoperability issues in less typical scenarios.

If everyone does things one way and the spec says to do things a different way, then I'm generally inclined to say that the spec is wrong and we should change it to reflect current practice. We did this before in #175, but part of the motivation there was that the previous semantics were effectively impossible to implement with some providers; but here, all providers should be capable of implementing the current semantics (although please correct me if I'm wrong here!).

The other problem is that we already have a function that never deletes records (AppendRecords), and it doesn't make much sense to have 2 functions that do the exact same thing. See also #152 (comment).

Regarding this, what would be the guideline for future implementations?

Follow the implementation guidelines? :) But if very few people have implemented it correctly, that suggests that the documentation could be improved, so please let me know if you have any suggestions or specific complaints.

If my interpretation is correct, certmagic could use AppendRecords instead of SetRecords and it wouldn't break the implementations with deletion for SetRecords, but then we still have the discrepancy.

AppendRecords just adds more records, which means that certmagic would need to manually delete the previous HTTPS records; otherwise, the old records with expired/rotated keys would never go away, which would essentially break ECH. But there's no point calling DeleteRecords + AppendRecords since SetRecords should do the exact same thing (assuming it's implemented properly).

[marcellmars]

The example with multiple HTTPS records was more of an attempt to point the problem in the right direction than a reflection of my experience with HTTPS records. My question was really about whether, if there's a valid case for multiple HTTPS records, Certmagic should avoid sending only one record in SetRecords.

After brief research on how others implemented SetRecords, I noticed that this might cause problems, even if only with Certmagic, which I suspect is by far the most popular consumer of the library. More usage of libdns would lead to more potential issues due to different implementations of SetRecords by many providers.

I suspect many implementations behave this way because the most prominent example, the Cloudflare's one featured on libdns’ front page, doesn’t clean up records after SetRecords runs.

[mholt]

I suspect many implementations behave this way because the most prominent example, the Cloudflare's one featured on libdns’ front page, doesn’t clean up records after SetRecords runs.

My bad >_<

I was in a bit of a rush to get it working, and didn't have time to make a proper example to follow. I guess I didn't realize people were reading its code more than the godocs (or even just copying the code, in some cases).

I will try to do better 😇 But it might be a while until I can get to it.

---

Regarding multiple HTTPS records, haven't really encountered that. There is a priority field to help clients/servers choose a record, but I need to refresh my memory on how a priority fields correspond to what is unique in a record set.

[gucci-on-fleek]

@marcellmars

The example with multiple HTTPS records was more of an attempt to point the problem in the right direction than a reflection of my experience with HTTPS records.

Ohhhh, ok that makes more sense now.

My question was really about whether, if there's a valid case for multiple HTTPS records, Certmagic should avoid sending only one record in SetRecords.

There definitely are valid use cases for multiple HTTPS records—two that immediately come to mind would be having a lower priority fallback server in case your main server is down, or for round-robin load balancing to servers without static IP addresses. But the problem here is that (1) for ECH to be useful, you need a large “anonymity set”, so you'd ideally want to share the ECH key across all servers, but CertMagic doesn't yet provide a way to do so, and (2) you'd need some way to tell CertMagicCaddy which HTTPS records to update and which to ignore. Neither of these are impossible to implement, but they're both somewhat tricky, so I'm guessing that they won't be implemented until/unless someone asks for it.

Also, for multiple HTTPS records to be useful, you first need clients to actually use them. Here's the number of requests by RR type to my DNS server over the past 30 days:

Type	Count
A	70408
AAAA	47560
DNSKEY	36513
TXT	7748
MX	5547
SOA	4777
NS	4738
CNAME	1993
HTTPS	1611
ANY	250
CAA	237
SSHFP	196
CDS	94
SRV	76
SVCB	56
PTR	36
DS	31
CDNSKEY	24
TLSA	20
AFSDB	11
NAPTR	7
DNAME	6
SPF	6
TYPE38	3
HINFO	2

Now, this is only for 1 of the 5 nameservers for my domain, I also send email from this domain, and DNS is cached pretty heavily, so these numbers aren't terribly accurate. But only 0.9% of all requests were for HTTPS records, which suggests that not very much uses them quite yet. In this same time period, my Caddy server processed 357173 requests, but most users will make multiple HTTP requests but only a single DNS request in a session, so this is also fairly hard to compare.

For another datapoint, Cloudflare shows that 8.5% of all DNS requests were for HTTPS records; I have no idea why this is so different from my results.

After brief research on how others implemented SetRecords, I noticed that this might cause problems, even if only with Certmagic, which I suspect is by far the most popular consumer of the library. More usage of libdns would lead to more potential issues due to different implementations of SetRecords by many providers.

Yeah, if providers are implementing SetRecords using AppendRecords, everything will appear to work correctly at first, but as soon as CertMagic rolls over the ECH key, problems will start to show up. Depending on how widespread this is, I suppose CertMagic could try and detect and warn about this, although the entire reason that libdns exists is to hide differences between providers, so it's not ideal to have to work around buggy providers.

---

@mholt

Regarding multiple HTTPS records, haven't really encountered that.

I think that multiple HTTPS records will be semi-common in 5 years, but hardly anyone uses them right now. I tested using the top 500 domains, and Facebook is the only one who uses multiple HTTPS records (across 7 different domains: facebook.com, instagram.com, fbcdn.net, etc.):

$ curl 'https://radar.cloudflare.com/charts/TopDomainsTable/attachment?id=2084&value=500&dateStart=2025-07-28&dateEnd=2025-08-04' | xargs -I@ dig +noall +answer +nottl +noclass HTTPS www.@ @ | grep -v CNAME > out.txt

$ cat out.txt | awk '{print $1}' | sort | uniq -c | sort -rn | grep -vP '^\s*1'
      4 star-mini.c10r.facebook.com.
      2 z-p42-instagram.c10r.instagram.com.
      2 www.google.com.
      2 star.c10r.facebook.com.
      2 instagram.com.
      2 fbsbx.com.
      2 fbcdn.net.
      2 facebook.com.

(the Google output is spurious due to CNAMEs)

Of these 500 domains, only 64 have HTTPS records at all, and only 1 has an ech= key:

$ cat out.txt | awk '{print $1}' | sort | uniq | wc -l
64

$ grep ech= out.txt
www.discordapp.com.	HTTPS	1 . alpn="h3,h2" ipv4hint=162.159.129.233,162.159.130.233,162.159.133.233,162.159.134.233,162.159.135.233 ech=AEX+DQBBaQAgACB5+pB3K7KeEKPmct7v/0rc1kNzb4PkmEWVdT2MSWxvCgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=
discordapp.com.		HTTPS	1 . alpn="h3,h2" ipv4hint=162.159.129.233,162.159.130.233,162.159.133.233,162.159.134.233,162.159.135.233 ech=AEX+DQBBaQAgACB5+pB3K7KeEKPmct7v/0rc1kNzb4PkmEWVdT2MSWxvCgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=

So I don't think that you need to rush to add support for multiple HTTPS records.

There is a priority field to help clients/servers choose a record, but I need to refresh my memory on how a priority fields correspond to what is unique in a record set.

We decided in #152 (comment) to only consider (name, rrtype) for SetRecords, because otherwise we'd have to parse every rrtype and decide which fields to use as keys and which to ignore.

[mholt]

@gucci-on-fleek Brilliant research / info, thank you for that!

Of these 500 domains, only 64 have HTTPS records at all, and only 1 has an ech= key:

Indeed, and those are for different domains too. Since we use (name, rrtype) as constituting a recordset, I think those count as "one" HTTPS record only, for different names.

so you'd ideally want to share the ECH key across all servers, but CertMagic doesn't yet provide a way to do so

To clarify, Caddy implements the ECH functionality, and just uses CertMagic to manage the cert for the public name. CertMagic doesn't know anything about ECH. And, because of that, ECH records are automatically shared across all Caddy instances you deploy to a cluster (they just have to share the same storage configuration). Similar to TLS certificates/keys.

[gucci-on-fleek]

@mholt

so you'd ideally want to share the ECH key across all servers, but CertMagic doesn't yet provide a way to do so

To clarify, Caddy implements the ECH functionality, and just uses CertMagic to manage the cert for the public name. CertMagic doesn't know anything about ECH. And, because of that, ECH records are automatically shared across all Caddy instances you deploy to a cluster (they just have to share the same storage configuration). Similar to TLS certificates/keys.

Ah, my bad; thanks for letting me know. I've edited the incorrect parts out of my post.

---

@marcellmars

I don't think that there's anything here that we can fix in libdns/libdns, so I'm going to close the issue. But feel free to continue discussion here, or open a new issue in caddyserver/caddy or libdns/cloudflare with the issues that you've found. Or if you do think that we need to fix something in libdns/libdns, absolutely feel free to reopen the issue.