ECH not enabled on personal website

I’ve been following the development & rollout of ECH quite closely. Recently, in Birthday week, they announced free zones will have ECH turned on by default.

However, it does not seem to be enabled for my personal website, which I confirmed by:

Checking the HTTPS DNS record:

$ dig +short TYPE65 saxrag.com @1.1.1.1
1 . alpn="h3,h2" ipv4hint=104.21.36.42,172.67.185.47 ipv6hint=2606:4700:3034::6815:242a,2606:4700:3035::ac43:b92f

Visiting the cdn-cgi trace endpoint (https://saxrag.com/cdn-cgi/trace):

fl=582f137
h=saxrag.com
ip=REDACTED
ts=1697014769.672
visit_scheme=https
uag=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
colo=HKG
sliver=none
http=http/3
loc=HK
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519

In contrast, it works for crypto.cloudflare.com, e.g. the DNS record (note the ech entry):

$ dig +short TYPE65 crypto.cloudflare.com @1.1.1.1
1 . alpn="http/1.1,h2" ipv4hint=162.159.137.85,162.159.138.85 ech=AEX+DQBBsQAgACDu4jW5Vn7huWFQcdEYQ1uwPrN3y3Slp9DBDLN8yaqcfgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:7::a29f:8955,2606:4700:7::a29f:8a55

And via my browser on the cdn-cgi trace on https://crypto.cloudflare.com/cdn-cgi/trace/

fl=583f34
h=crypto.cloudflare.com
ip=REDACTED
ts=1697014789.493
visit_scheme=https
uag=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
colo=HKG
sliver=none
http=http/2
loc=HK
tls=TLSv1.3
sni=encrypted
warp=off
gateway=off
rbi=off
kex=X25519
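The check done by eye in the post can be automated. The following is an added example, not part of the original post: it takes the two `dig` answers quoted above, looks for the `ech` SvcParam, and decodes its ECHConfigList (version 0xfe0d wire layout) to show which public name and HPKE parameters a client would use. The function names are this example's own.

```python
import base64
import struct

# HTTPS (TYPE65) answers copied from the dig output in the post above.
RR_NO_ECH = ('1 . alpn="h3,h2" ipv4hint=104.21.36.42,172.67.185.47 '
             'ipv6hint=2606:4700:3034::6815:242a,2606:4700:3035::ac43:b92f')
RR_ECH = ('1 . alpn="http/1.1,h2" ipv4hint=162.159.137.85,162.159.138.85 '
          'ech=AEX+DQBBsQAgACDu4jW5Vn7huWFQcdEYQ1uwPrN3y3Slp9DBDLN8yaqcfgAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= '
          'ipv6hint=2606:4700:7::a29f:8955,2606:4700:7::a29f:8a55')

def svc_params(rdata):
    """Split dig's presentation-format HTTPS rdata into a {key: value} dict."""
    fields = rdata.split()[2:]  # skip SvcPriority and TargetName
    return {k: v.strip('"') for k, _, v in (f.partition("=") for f in fields)}

def parse_ech_config_list(b64):
    """Decode an ECHConfigList; one dict per 0xfe0d config, unknown versions skipped."""
    raw = base64.b64decode(b64, validate=True)
    (total,) = struct.unpack_from("!H", raw, 0)
    if total != len(raw) - 2:
        raise ValueError("ECHConfigList length prefix does not match payload")
    configs, off = [], 2
    while off < len(raw):
        version, length = struct.unpack_from("!HH", raw, off)
        body, off = raw[off + 4: off + 4 + length], off + 4 + length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version != 0xFE0D:
            continue  # clients must ignore versions they do not understand
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        p = 5 + pk_len
        (cs_len,) = struct.unpack_from("!H", body, p)
        suites = [struct.unpack_from("!HH", body, p + 2 + i) for i in range(0, cs_len, 4)]
        p += 2 + cs_len
        max_name_len, name_len = body[p], body[p + 1]
        configs.append({
            "config_id": config_id, "kem_id": kem_id,
            "public_key": body[5:5 + pk_len], "cipher_suites": suites,  # (kdf_id, aead_id)
            "maximum_name_length": max_name_len,
            "public_name": body[p + 2: p + 2 + name_len].decode("ascii"),
        })
    return configs

def ech_status(rdata):
    """Return the decoded configs a record advertises, or [] when it has no ech param."""
    ech = svc_params(rdata).get("ech")
    return parse_ech_config_list(ech) if ech else []

if __name__ == "__main__":
    for rr in (RR_NO_ECH, RR_ECH):
        print(ech_status(rr) or "no ech parameter in HTTPS record")
```

An empty result for a zone corresponds to the `sni=plaintext` line in its trace output: without a published ECHConfig the browser has nothing to encrypt the inner ClientHello to.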