HTTPS Resource Records for your CDN
in Oxford
For context, this domain is registered with Gandi.net and I manage my DNS records with their web dashboard.
In January 2024 I raised a support ticket asking whether Gandi were planning to support HTTPS Resource Records, which were published as RFC 9460 in November 2023. A few weeks ago I noticed that Gandi was letting me add HTTPS records on the dashboard, and this week I got an update saying this feature was now ready to use.
I’ve changed my DNS records to look like this:
    @    172800  IN  HTTPS  1 d2kpc20k6y2u7m.cloudfront.net. alpn="h2,h3"
    www  172800  IN  CNAME  d2kpc20k6y2u7m.cloudfront.net.
So, in addition to the CNAME record for www, the bare extua.pw domain now also points to the same CloudFront distribution domain, through the HTTPS record.
The alpn="h2,h3" parameter on the HTTPS record indicates that the connection can be made over HTTP/2 or HTTP/3, which speeds up protocol negotiation.
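To show what that record carries on the wire, here is a decoder for HTTPS RDATA in the layout RFC 9460 defines (priority, uncompressed target name, then SvcParams). It is an added example, not part of the original post: the function names are illustrative and the sample bytes are constructed from the record shown above.

```javascript
// SvcParamKey numbers 0-6 as registered by RFC 9460.
const KEYS = ['mandatory', 'alpn', 'no-default-alpn', 'port', 'ipv4hint', 'ech', 'ipv6hint'];

// Read an uncompressed DNS name; RFC 9460 does not allow compression in TargetName.
function readName(buf, off) {
  const labels = [];
  for (;;) {
    if (off >= buf.length) throw new RangeError('truncated name');
    const len = buf[off++];
    if (len === 0) return { name: labels.join('.') + '.', off };
    if (len > 63 || off + len > buf.length) throw new RangeError('bad label');
    labels.push(buf.toString('latin1', off, off + len));
    off += len;
  }
}

// The alpn value is a sequence of length-prefixed protocol IDs.
function readAlpn(val) {
  const ids = [];
  for (let i = 0; i < val.length;) {
    const len = val[i++];
    if (len === 0 || i + len > val.length) throw new RangeError('bad alpn-id');
    ids.push(val.toString('latin1', i, i + len));
    i += len;
  }
  return ids;
}

function parseHttpsRdata(buf) {
  if (buf.length < 3) throw new RangeError('RDATA too short');
  const priority = buf.readUInt16BE(0);
  const { name: target, off: start } = readName(buf, 2);
  const params = {};
  let lastKey = -1;
  for (let off = start; off < buf.length;) {
    if (off + 4 > buf.length) throw new RangeError('truncated SvcParam');
    const key = buf.readUInt16BE(off), len = buf.readUInt16BE(off + 2);
    const end = off + 4 + len;
    // Keys must be strictly increasing on the wire: reject duplicates and reordering.
    if (key <= lastKey || end > buf.length) throw new RangeError('malformed SvcParam');
    const val = buf.subarray(off + 4, end);
    params[KEYS[key] || `key${key}`] = key === 1 ? readAlpn(val) : val.toString('hex');
    lastKey = key;
    off = end;
  }
  return { priority, target, params };
}

// Constructed sample: wire form of `1 d2kpc20k6y2u7m.cloudfront.net. alpn="h2,h3"`.
const sample = Buffer.from(
  '\x00\x01\x0ed2kpc20k6y2u7m\x0acloudfront\x03net\x00\x00\x01\x00\x06\x02h2\x02h3', 'latin1');
console.log(parseHttpsRdata(sample));
```

A priority of 0 would make the record an alias (AliasMode); the priority of 1 used here is ServiceMode, which is what allows the alpn parameter.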
Browser support for the HTTPS record is not quite there,[1] and it’s not yet supported throughout the network stack. I don’t want my site to disappear from search engines just in case they can’t resolve the domain.
For now, I decided to leave the CNAME record for www.extua.pw as that’s the canonical domain.[2]
I’ve also got a CloudFront Function to send a permanent redirect response to any requests for just the bare domain.
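    async function handler(event) {
        var request = event.request;
        var host = request.headers.host.value;
        // request.uri is the path only; the query string lives in
        // request.querystring and is not carried over by this redirect.
        var uri = request.uri;
        // Only the exact bare domain is redirected; the target is built from
        // that fixed, matched value, so the Location host is always www.extua.pw.
        if (host === 'extua.pw') {
            var response = {
                statusCode: 301,
                statusDescription: 'Moved Permanently',
                headers: {
                    location: {
                        value: `https://www.` + host + uri
                    }
                },
            };
            return response;
        }
        // Any other host passes through to the distribution unchanged.
        return request;
    }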
Congratulations to Gandi for rolling this out! 🎉