**Session Date/Time:** 26 Jul 2023 00:00

# add

## Summary

This ADD working group meeting at IETF 117 focused primarily on a presentation and discussion of the "delegated credentials to host encrypted DNS forwarders on CPEs" draft. The presentation highlighted the problems with using DDR and DNR as they stand to provision TLS credentials on CPEs, and proposed delegated credentials (subcerts) instead. The discussion covered implementation concerns, incompatibilities with existing DNR clients, and the broader problem of managing trust within home networks. The meeting also briefly addressed extending the last-call deadlines for two working group documents.

## Key Discussion Points

* **Challenges with DDR:** ISPs rotate the IP addresses assigned to CPEs, so a certificate tied to the CPE's IP address would need frequent reissuance, disrupting the encrypted DNS service.
* **Challenges with DNR:** Issuing a certificate per CPE FQDN runs into Let's Encrypt rate limits once an ISP has a large number of CPEs.
* **Subcerts vs. Name Constraints:** Delegated credentials (subcerts) were chosen over name-constrained certificates because of the lack of CA support for name constraints.
* **Incompatibility with existing DNR clients:** A client that supports DNR but not delegated credentials cannot validate a forwarder's delegated credential; the TLS handshake fails and the client drops the connection. Because a handshake failure is what such a client would also see under attack, this is a potential security concern. Several approaches to mitigate the problem were suggested.
* **Potential General Solution for Trust in Home Networks:** There was a call for a general solution for managing TLS trust within home network environments, instead of one-off solutions for specific devices. This might involve defining a general-purpose service binding parameter indicating that delegated credentials are required. The security implications of such a system, in which the client and the attacker might be the same entity, were also discussed.
* **DNR Implementation and Testing:** There are few or no deployed DNR clients and routers available for interoperability testing. A hackathon was proposed to bootstrap implementation and testing.
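As an added illustration that is not from the meeting, the draft or any implementation, the following Python models how a "delegated credentials required" service binding parameter could be advertised without tripping legacy DNR clients. It relies on the `mandatory` SvcParamKey of RFC 9460: a client that does not understand a key listed in `mandatory` must ignore the whole record, so it never attempts a handshake it cannot complete. The key name `dc-required`, the client key sets and the sample records are assumptions constructed for this example; no such key is registered.

```python
"""Model of how an SVCB/DNR client decides whether to use an encrypted
resolver endpoint, following the SvcParams rules of RFC 9460 section 8.

Constructed example. "dc-required" is a HYPOTHETICAL, unregistered
SvcParamKey standing in for the general-purpose "delegated credentials
required" indicator discussed in the meeting.
"""

# SvcParamKeys a legacy DNR client (DNR support, no delegated-credential
# support) is assumed to understand. Constructed set for this example.
LEGACY_CLIENT_KEYS = frozenset(
    {"mandatory", "alpn", "no-default-alpn", "port", "ipv4hint", "ipv6hint", "dohpath"}
)
# The same client with support for the hypothetical parameter.
DC_AWARE_CLIENT_KEYS = LEGACY_CLIENT_KEYS | {"dc-required"}


def parse_svcparams(text):
    """Parse presentation-format SvcParams, e.g. 'alpn=dot port=853 dc-required',
    into a dict. 'mandatory' and 'alpn' values are comma-separated lists;
    a bare key (no '=') is a flag and maps to None."""
    params = {}
    for token in text.split():
        if "=" in token:
            key, value = token.split("=", 1)
            value = value.strip('"')
            params[key] = value.split(",") if key in ("mandatory", "alpn") else value
        else:
            params[token] = None
    return params


def endpoint_usable(params, client_keys):
    """RFC 9460 s8: the 'mandatory' list names keys the client must
    understand; if any listed key is unknown to the client, the client
    MUST ignore the whole RR. A listed key missing from the RR, or
    'mandatory' listing itself, makes the RR malformed. Unknown keys NOT
    listed in 'mandatory' are ignored and the endpoint is still used.
    Returns (usable, reason)."""
    for key in params.get("mandatory", []):
        if key == "mandatory":
            return False, "malformed: 'mandatory' lists itself"
        if key not in params:
            return False, f"malformed: mandatory key {key!r} absent from record"
        if key not in client_keys:
            return False, f"ignored: unsupported mandatory key {key!r}"
    return True, "ok"


def choose_endpoint(records, client_keys):
    """Return the target name of the first record the client will connect
    to, or None. records: list of (target_name, svcparams_text) in priority
    order."""
    for target, text in records:
        usable, _ = endpoint_usable(parse_svcparams(text), client_keys)
        if usable:
            return target
    return None


# Constructed DNR-style advertisements for a CPE forwarder.
# (a) The hypothetical key is present but NOT marked mandatory: a legacy
#     client ignores the unknown key, connects, cannot validate the
#     delegated credential, and sees a handshake failure it may read as
#     an attack (the compatibility concern raised in the meeting).
CPE_NO_MANDATORY = [("cpe.home.arpa", "alpn=dot port=853 dc-required")]
# (b) The key is listed in 'mandatory': a legacy client must ignore the RR
#     and never attempts the handshake; a DC-aware client proceeds.
CPE_MANDATORY = [("cpe.home.arpa", "alpn=dot port=853 mandatory=dc-required dc-required")]


if __name__ == "__main__":
    for label, recs in (("without mandatory", CPE_NO_MANDATORY), ("with mandatory", CPE_MANDATORY)):
        print(label, "legacy ->", choose_endpoint(recs, LEGACY_CLIENT_KEYS),
              "| dc-aware ->", choose_endpoint(recs, DC_AWARE_CLIENT_KEYS))
```

The design point is that the `mandatory` list turns an unknown parameter into a hard "skip this record" for older clients, which is the behaviour wanted for a CPE forwarder that can only present a delegated credential; advertising the parameter without `mandatory` leaves legacy clients to discover the incompatibility at the TLS layer, where a failure is indistinguishable from an attack.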
## Decisions and Action Items

* **Extend Working Group Last Calls:** The last calls for two working group documents will be extended by two weeks; the extension will be announced on the mailing list.
* **Address DNR Compatibility:** The draft needs to state that it only works with DNR.
* **Consider DNR interaction:** Incorporate Ben Schwartz's point about existing DNR clients: a client that does not support delegated credentials may treat the resulting TLS handshake failure as an attack, and the draft needs to address this.
* **DNR Hackathon:** Take the hackathon proposal to the mailing list for further discussion.
* **Discuss potential new solution:** Take the potential general solution for home-network trust to the mailing list, and use the list to coordinate testing.

## Next Steps

* Dan Wing to revise the draft to address the DNR-related issues, including considering solutions to the concerns identified above.
* Working group participants to discuss and coordinate DNR implementation and testing on the mailing lists (ADD and EDDI).