Google Git
Sign in
boringssl/boringssl/60553ee001ee3e52697b3a6aefd48137ad37e202^!/.
commit
60553ee001ee3e52697b3a6aefd48137ad37e202
[log]
author
David Benjamin <davidben@google.com>
Wed Jun 03 21:28:54 2026 -0400
committer
boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Thu Jun 04 07:59:42 2026 -0700
tree
f1b1417c24899f1679900a5b195c13ddccbadefc
parent
04eedeb13221efda841076762191dc256a3d58db [diff]
draft-ietf-dnsop-svcb-https was also published

It got split into two RFCs, so cite the relevant one for each point.

Change-Id: Ia4106664a04c3a9257d0b635d9f2e770697db45c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/96567
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Presubmit-BoringSSL-Verified: boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 5320c26..77bf24b 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -4685,9 +4685,9 @@
 // rotate keys in a long-lived server process.
 //
 // The configured ECHConfig values should also be advertised out-of-band via DNS
-// (see draft-ietf-dnsop-svcb-https). Before advertising an ECHConfig in DNS,
-// deployments should ensure all instances of the service are configured with
-// the ECHConfig and corresponding private key.
+// (see RFC 9848). Before advertising an ECHConfig in DNS, deployments should
+// ensure all instances of the service are configured with the ECHConfig and
+// corresponding private key.
 //
 // Only the most recent fully-deployed ECHConfigs should be advertised in DNS.
 // `keys` may contain a newer set if those ECHConfigs are mid-deployment. It

diff --git a/util/fetch_ech_config_list.go b/util/fetch_ech_config_list.go
index af723e3..cf5f66e 100644
--- a/util/fetch_ech_config_list.go
+++ b/util/fetch_ech_config_list.go

@@ -33,7 +33,7 @@
 const (
 	httpsType = 65 // RRTYPE for HTTPS records.
 
-	// SvcParamKey codepoints defined in draft-ietf-dnsop-svcb-https-06.
+	// SvcParamKey codepoints defined in RFC 9460 and RFC 9848.
 	httpsKeyMandatory     = 0
 	httpsKeyALPN          = 1
 	httpsKeyNoDefaultALPN = 2
@@ -219,8 +219,8 @@
 	}
 }
 
-// parseHTTPSRecord parses an HTTPS record (draft-ietf-dnsop-svcb-https-06,
-// Section 2.2) from |raw|. If there are syntax errors, it returns an error.
+// parseHTTPSRecord parses an HTTPS record (RFC 9460, Section 2.2) from |raw|.
+// If there are syntax errors, it returns an error.
 func parseHTTPSRecord(raw []byte) (httpsRecord, error) {
 	reader := cryptobyte.String(raw)