diff --git a/documentation/provider/vercel.md b/documentation/provider/vercel.md
index 05ff207cb..54f8cec17 100644
--- a/documentation/provider/vercel.md
+++ b/documentation/provider/vercel.md
@@ -144,3 +144,13 @@ Vercel does not allow the record type to be changed after creation. If you try t
 ### Minimum TTL
 
 Vercel enforces a minimum TTL of 60 seconds (1 minute) for all records. We will always silently override the TTL to 60 seconds if you try to set a lower TTL.
+
+### HTTPS Record ECH Base64 Validation
+
+Currently, Vercel does implements IETF's "Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings" draft. However, Vercel also implements a validation process for the `ech` parameter in the `HTTPS` records, and will reject the request with the following error message if Vercel considers the `ech` value is invalid:
+
+```
+Invalid base64 string: [input] (key: ech)
+```
+
+The detail of Vercel's validation process is unknown, thus we can not support static validation for `dnscontrol check` or `dnscontrol preview`. You should use `ech=` with caution.
diff --git a/integrationTest/integration_test.go b/integrationTest/integration_test.go
index 6492aa357..3eca97b54 100644
--- a/integrationTest/integration_test.go
+++ b/integrationTest/integration_test.go
@@ -292,6 +292,18 @@ func makeTests() []*TestGroup {
 
 testgroup("Ech",
 requires(providers.CanUseHTTPS),
+ not(
+ // Last tested in 2025-12-04. Turns out that Vercel implements an unknown validation
+ // on the `ech` parameter, and our dummy base64 string are being rejected with:
+ //
+ // Invalid base64 string: [our base64] (key: ech)
+ //
+ // Since Vercel's validation process is unknown and not documented, we can't implement
+ // a rejectif within auditrecord to reject them statically.
+ //
+ // Let's just ignore ECH test for Vercel for now.
+ "VERCEL",
+ ),
 tc("Create a HTTPS record", https("@", 1, "example.com.", "alpn=h2,h3")),
 tc("Add an ECH key", https("@", 1, "example.com.", "alpn=h2,h3 ech=some+base64+encoded+value///")),
 tc("Ignore the ECH key while changing other values", https("@", 1, "example.net.", "port=80 ech=IGNORE")),
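Review bot: The `not("VERCEL")` exclusion skips all three `tc` cases of the Ech group, including the `ech=IGNORE` case, although the comment only documents the dummy `ech=` value being rejected. The dummy `some+base64+encoded+value///` is syntactically valid base64, so Vercel is presumably checking that the decoded bytes form a well-formed ECHConfigList rather than checking the encoding. That would be a sensible guard on the provider side, since a malformed `ech` value in a published HTTPS record can break client connections. The comment should say whether a structurally valid ECHConfigList was ever tried, for example `// TODO: retest with a well-formed ECHConfigList; the dummy value decodes to arbitrary bytes.`, so the skip is not mistaken for a permanent limitation. The body of makeTests starts and ends outside the hunk.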