testssl · drwetter · May 30, 2026
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -12,5 +12,5 @@ jobs:
       - uses: actions/checkout@v6
       - uses: codespell-project/actions-codespell@master
         with:
-          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,fedora-dirk-ipv6.diff,testssl.1
-          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull
+          skip: ca_hashes.txt,tls_data.txt,*.pem,OPENSSL-LICENSE.txt,CREDITS.md,openssl.cnf,testssl.1
+          ignore_words_list: borken,gost,ciph,ba,bloc,isnt,chello,fo,alle,anull,expt
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@
 * Bump SSLlabs rating guide to 2009r
 * Check for Opossum vulnerability
 * Enable IPv6 automagically, i.e. if target via IPv6 is reachable just (also) scan it
+* Detect and show DNS HTTPS RR (RFC 9460)
 * Provide an FAQ
 
 ### Features implemented / improvements in 3.2

diff --git a/t/baseline_data/default_testssl.csvfile b/t/baseline_data/default_testssl.csvfile
@@ -1,5 +1,6 @@
 "id","fqdn/ip","port","severity","finding","cve","cwe"
 "engine_problem","/","443","WARN","No engine or GOST support via engine with your ./bin/openssl.Linux.x86_64","",""
+"DNS_HTTPS_rrecord","testssl.sh/81.169.166.184","443","OK","1 . alpn='h2'","",""
 "service","testssl.sh/81.169.235.32","443","INFO","HTTP","",""
 "pre_128cipher","testssl.sh/81.169.235.32","443","INFO","No 128 cipher limit bug","",""
 "SSLv2","testssl.sh/81.169.235.32","443","OK","not offered","",""