Amazon Route 53 announces HTTPS, SSHFP, SVCB, and TLSA DNS resource record support

Posted on: Oct 30, 2024

Route 53 now supports HTTPS and Service Binding (SVCB) record types, which provide clients with improved performance and privacy. Instead of only providing the IP addresses of endpoints in response to a DNS query, HTTPS and SVCB records respond with additional information needed to set up connections, such as whether your endpoint supports HTTP/3, thereby letting supporting clients connect faster and more securely.

Furthermore, you can now create TLS Authentication (TLSA) records with Route 53. TLSA records may be used to associate TLS server certificates or public keys with your domain name, leveraging DNS Security Extensions (DNSSEC) infrastructure. This provides you with a prerequisite component of DNS-based Authentication of Named Entities (DANE), a protocol frequently used in conjunction with the Simple Mail Transfer Protocol (SMTP) to assure secure and confidential mail transport.

Route 53 now additionally enables you to associate Secure Shell (SSH) key fingerprints with your domain name through SSHFP records. SSHFP records let you publish fingerprints in DNS, signed through DNSSEC, so that clients can validate the fingerprints offered by the server against the fingerprints published in DNS. As a result, when connecting to a server via SSH, clients are able to securely authenticate the server.
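
The SSHFP check described above, as an added example that is not AWS code: it derives the record data (key algorithm, fingerprint type, hex digest) from an OpenSSH public key line and compares a server-offered key against a published record. The key bytes are constructed for illustration and the function names are hypothetical; the comparison is only meaningful when the DNS answer was DNSSEC-validated.

```python
import base64, hashlib, hmac, struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (key type, raw key blob) from an OpenSSH 'type base64 [comment]' line."""
    fields = pubkey_line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; require agreement.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def sshfp_rdata(pubkey_line, fp_type=2):
    """Build SSHFP record data: '<algorithm> <fingerprint type> <hex digest>'."""
    key_type, blob = key_blob(pubkey_line)
    return f"{KEY_ALGS[key_type]} {fp_type} {FP_TYPES[fp_type](blob).hexdigest()}"

def matches(rdata, offered_pubkey_line):
    """True if the key offered by the server hashes to the published fingerprint."""
    try:
        alg, fp_type, digest = rdata.split(None, 2)
        alg, fp_type = int(alg), int(fp_type)
        key_type, blob = key_blob(offered_pubkey_line)
    except (ValueError, IndexError, struct.error):
        return False
    if KEY_ALGS.get(key_type) != alg or fp_type not in FP_TYPES:
        return False  # wrong key algorithm or unsupported digest type
    actual = FP_TYPES[fp_type](blob).hexdigest()
    # Zone files may split or upper-case the hex digest; normalise before comparing.
    return hmac.compare_digest(actual, "".join(digest.split()).lower())

def make_ed25519_line(raw32):
    """Constructed sample: wrap 32 bytes in the ssh-ed25519 wire format."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_HOST_KEY = make_ed25519_line(bytes(range(32)))    # constructed, not a real host key
OTHER_KEY = make_ed25519_line(bytes(range(1, 33)))       # constructed, different key

if __name__ == "__main__":
    record = sshfp_rdata(SAMPLE_HOST_KEY)
    print("host.example. IN SSHFP", record)              # placeholder owner name
    print(matches(record, SAMPLE_HOST_KEY), matches(record, OTHER_KEY))
```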

Route 53 supports the SSHFP and TLSA record types for public hosted zones, and the HTTPS and SVCB record types for both public and private hosted zones. To learn more, visit the Route 53 documentation or the AWS Networking and Content Delivery blog.