curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

ECH support (when curl is not using DoH)

From: Stephen Farrell <>
Date: Wed, 13 Sep 2023 02:20:25 +0100

Hi again,

Following up on my other mail, we'd like to understand if
there's a good plan for how to handle ECH when curl is not
using DoH. We're basically not at all sure if there's a good
answer available here, but here's how we see the situation
as of now. Be great to get feedback on this or corrections
if we're making bad assumptions.

There should be a use-case for ECH when DoH is not used by
curl - if a system stub resolver supports DoT or DoH, then,
considering only ECH and the network threat model, it would
make sense for curl to support ECH without curl itself using
DoH. My laptop for example uses a combination of
stubby+unbound as the system resolver listening on
localhost:53, so would fit this use-case. That said, it's
very unclear if this is a niche that's worth trying to
address. (I'm just as happy to let curl use DoH to talk to
the same public recursives that stubby might use:-)

But assuming this is a use-case we'd like to support...

If DoH is not being used by curl, it's not clear at this time
how to provide support for ECH. One option would seem to be
to extend the c-ares library to support HTTPS RRs, but in
that case it's not now clear whether such changes would be
attractive to the c-ares maintainers, nor whether the
"tag=value" extensibility inherent in the HTTPS/SVCB
specification is a good match for the c-ares approach of
defining structures specific to decoded answers for each
supported RRtype. We're also not sure how many downstream
curl deployments actually make use of the c-ares library,
which would affect the utility of such changes.

Another option might be to consider using some other generic
DNS library (such as the getdnsapi) that does support HTTPS
RRs, but it's unclear if such a library could or would be
used by all or almost all curl builds and downstream releases
of curl.

So - does anyone have guidance as to what might be a good
plan for adding ECH support to curl, when DoH is not used.
Or, would you argue that's not really useful enough to
warrant the work involved?

Thanks again,

Received on 2023-09-13