Supporting HTTPS in parallel with CNAME
As HTTPS take-up happens there will likely be zones that emit both CNAME and HTTP at the same name (especially at the zone apex). We want to encourage HTTPS use and the presence of the CNAME record in a cache will prevent the HTTPS record being looked up and returned. Tag CNAME records learnt via HTTPS lookups (HTTPSCNAME) and only return CNAMEs so tagged when looking for HTTPS records. This will interact with the tagging of CNAME learnt via DS lookups. Existing DSCNAME attributes (!6140) will need to copied to the new header when adding a HTTPSCNAME and vice versa.
This should be a sort term change with a lifetime of a few years.