HSTS preload record in DNS?


#1

Hi, is anyone aware of an RFC for HSTS in DNS (similar to MTA-STS)?

Yes, you can have HSTS preload in browsers but here is why I do not want to do that:

I did with example.org and it was beautiful. I then wanted to do a major update, so I made testing.example.org with a self-signed certificate. But with HSTS the browser simply would not allow self-signed.

So I made my own CA, signed it, and added the root key to my OS. That worked with some browsers but other browsers still refused it because they used their own store of trusted root certificates.

Why not just use Let’s Encrypt for testing.example.org? Because of certificate transparency, I did not want the presence of the sub-domain to be known, but with certificate transparency it is published in world-accessible logs (funny that people complaining about DNSSEC leaking information have been quiet about this…)

Anyway so now I no longer submit any domains to browser preloading. But it would be nice if there was a DNS record that had the same effect that browsers could check for a domain to force https version.

I can’t seem to find any RFC that specifies this. Is there one?

I understand it is only an issue the first time a browser visits a site (or longer than cache time between visits) but it still would be nice for a DNS record that closes that issue.


#2

You can obtain a wildcard certificate for *.example.org and use it to serve testing.example.org to avoid publishing the testing name component in certificate transparency logs. Note that Let’s Encrypt requires using the dns-01 validation method for wildcard certificates.
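To see exactly which hostnames a wildcard name like *.example.org covers (and where it stops), here is an added example, not code from either poster, that applies the RFC 6125 §6.4.3 matching rule browsers use: the wildcard must be the entire leftmost label and matches exactly one label. The hostnames are constructed sample values.

```python
"""Wildcard certificate name matching (RFC 6125 section 6.4.3).

Added illustration for the thread above: a certificate issued for
"*.example.org" serves testing.example.org, so only the wildcard name
ends up in Certificate Transparency logs, while the sub-domain name
itself is never disclosed there. The same rule shows the limits: the
wildcard does not cover the bare parent or deeper labels.
"""
from typing import Optional


def _labels(name: str) -> list[str]:
    # Normalise case and a trailing dot so "EXAMPLE.ORG." == "example.org".
    return name.rstrip(".").lower().split(".")


def name_matches(presented: str, hostname: str) -> bool:
    """True if the certificate name `presented` covers `hostname`."""
    p, h = _labels(presented), _labels(hostname)
    if len(p) != len(h):
        return False  # "*.example.org" never matches a.b.example.org
    if p[0] == "*":
        # Require at least two fixed labels to the right of the wildcard,
        # so names like "*.org" are rejected (RFC 6125 recommends this).
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    if "*" in presented:
        return False  # partial wildcards such as "test*.example.org" are refused
    return p == h


def matching_san(san_names: list[str], hostname: str) -> Optional[str]:
    """Return the Subject Alternative Name that covers `hostname`, if any."""
    for san in san_names:
        if name_matches(san, hostname):
            return san
    return None


# Constructed sample: SAN list of a wildcard certificate and some hostnames.
SAMPLE_SANS = ["example.org", "*.example.org"]
SAMPLE_HOSTS = [
    "testing.example.org",
    "www.example.org",
    "example.org",
    "a.b.example.org",
    "notexample.org",
]


def covered_hostnames(san_names: list[str], hosts: list[str]) -> list[str]:
    return [h for h in hosts if matching_san(san_names, h) is not None]
```

Note that the wildcard covers testing.example.org only because it is exactly one label below example.org; a name such as a.b.example.org would need its own certificate, which would again appear in CT logs.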