Session Date/Time: 25 Jul 2024 22:00
ADD Session
Summary
The ADD session at IETF 120 covered document status updates, presentations on EDSR adoption, client authentication recommendations for encrypted DNS, updates to RFC 7050, and a discussion on delegated credentials for ADD encrypted DNS forwarders and the broader problem of certificate management for devices in home networks.
Key Discussion Points
- EDSR Adoption: Discussion on the adoption of EDSR (Enhanced DNS SRV Records) as a working group document and the call for feedback and potential hackathon opportunities.
- Client Authentication for Encrypted DNS: Introduction of a new draft outlining recommendations for client authentication in managed cases of encrypted DNS, focusing on amortization, open standards, and ease of use.
- RFC 7050 Update: Presentation on a draft updating RFC 7050 to define a secure channel in the context of DNS64 using ADD working group approaches and removing a DNSSEC fallback mechanism. This led to a wider discussion about deprecating DNS64 altogether.
- Delegated Credentials and Certificate Management: Discussion of the problem of certificates on CPE devices and the possibility of using TLSA, and of whether certificate management for devices beyond DNS servers is in scope for the ADD working group, with arguments for moving the discussion to another forum like ACME or a new working group.
- Alternatives to CA-signed certificates: Discussed other techniques such as short-lived certificates, name constraints, or alternative identity mechanisms for home networks.
Decisions and Action Items
- Scribe: Ben volunteered to be the scribe, with Tim assisting.
- EDSR Feedback: Attendees are encouraged to provide feedback on the EDSR draft, especially considering existing implementations.
- Problem Statement for Certificate Management: Dan will solicit co-authors to write or help write a problem statement for managing TLS certificates for devices in home networks.
- Further Discussion of Certificate Management Scope: The discussion on certificate management for devices in home networks will likely move to a different working group or forum (potentially ACME).
Next Steps
- Provide feedback on the EDSR draft.
- Attend the DNSOP session to discuss client authentication recommendations and RFC 7050 updates.
- Consider participating in a potential hackathon for EDSR.
- Explore alternative forums for discussing certificate management for devices in home networks.