**Session Date/Time:** 21 Mar 2024 05:30

# add

## Summary

This session covered two main topics: an update on the "Handling of Encrypted DNS Server Redirection" draft, and the challenges of deploying encrypted DNS on Customer Premises Equipment (CPE). The redirection draft received positive feedback and will be updated before a re-adoption call. The CPE discussion centred on the difficulty of obtaining and managing certificates for a very large number of devices, and on possible ways forward such as opportunistic DDR (Discovery of Designated Resolvers) and alternative certificate-management approaches. The group decided to write a problem statement document to explore the issue further, even though the topic may fall outside the group's charter.

## Key Discussion Points

* **Encrypted DNS Server Redirection Draft (Tommy Johnson & John Todd):**
  * The draft has been simplified to allow redirection only within the same origin, for authentication purposes.
  * Feedback from the mailing list was addressed: the wording on service binding (SVCB) record usage was rephrased, the use of delegated credentials was clarified, and TTL issues with redirection were addressed.
  * Concerns were raised about the relationship with DDR, in particular the terminology and how redirection is distinguished from designation in DDR Section 5. It was decided to lean on the existing DDR mechanisms and to focus the draft on guidance for resolvers.
  * The authors will update the draft to clarify its relationship to DDR, after which a re-adoption call will be requested on the mailing list.
* **Encrypted DNS on CPEs (Jiro):**
  * The need for encrypted DNS on CPEs was presented, specifically for security filtering of IoT devices.
  * Obtaining and managing a large number of certificates for CPEs is difficult; Let's Encrypt rate limiting was one of the obstacles discussed.
  * Potential solutions such as STAR (Short-Term, Automatically Renewed) certificates, delegated credentials, and name constraints were considered, but each was found to have limitations.
  * Concerns were raised about the architectural implications of compromising end-to-end design principles for convenience.
  * Opportunistic DDR was discussed as a possible solution, but there were concerns about the lack of universal client support and a preference for verified discovery.

## Decisions and Action Items

* **Encrypted DNS Server Redirection Draft:**
  * **Decision:** The draft authors will update the document based on the discussion, after which a re-adoption call will be requested on the mailing list.
* **Encrypted DNS on CPEs:**
  * **Decision:** The working group will create a problem statement document outlining the challenges of deploying encrypted DNS on CPEs, despite some concern over whether the topic fits the group's charter.
  * **Action Item:** Volunteers will write the problem statement document, including details of the problems with the existing solutions. Contributors will be listed.

## Next Steps

* Encrypted DNS Server Redirection Draft authors to update the document and trigger a re-adoption call.
* Volunteers to draft the problem statement document on encrypted DNS on CPEs before the next IETF meeting in Vancouver.
* Check with CAs whether they can support STAR certificates and/or name constraints.
* The problem statement will include the motivations behind a verified discovery approach compared to opportunistic modes.
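The verified-versus-opportunistic discovery trade-off behind the CPE discussion above, as an added example that is not code from the working group, the redirection draft, or any client. It encodes the client-side acceptance rule of RFC 9462 (DDR) Sections 4.2 and 4.3 as I read them and runs it over constructed SVCB answers and certificate summaries; `SvcbDesignation`, `PresentedCert`, `ddr_decision`, the names and the addresses are illustrative, and certificate path validation is assumed to have been done by the TLS stack rather than parsed here.

```python
"""DDR designated-resolver acceptance: verified vs. opportunistic discovery.

Added illustration of the client-side rule in RFC 9462 Sections 4.2 and 4.3;
not code from the ADD working group, the redirection draft, or any client.
All records, certificates and addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SvcbDesignation:
    """Fields of a _dns.resolver.arpa SVCB answer that the decision needs (hypothetical type)."""
    target: str           # TargetName the client connects to
    alpn: tuple           # e.g. ("h2",) for DoH, ("dot",) for DoT
    ip_hints: tuple = ()  # ipv4hint / ipv6hint values; the sample client connects to the first


@dataclass(frozen=True)
class PresentedCert:
    """Summary of the Designated Resolver's TLS certificate (hypothetical type).

    chain_valid is assumed to come from the TLS stack's path validation
    against the system trust store; this example does not parse X.509.
    """
    chain_valid: bool
    dns_sans: tuple = ()
    ip_sans: tuple = ()


def is_local_address(addr: str) -> bool:
    """Private (RFC 1918 / RFC 4193), link-local or loopback address."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_link_local or ip.is_loopback


def ddr_decision(unencrypted_ip: str, desig: SvcbDesignation,
                 cert: PresentedCert, allow_opportunistic: bool) -> str:
    """Return "verified", "opportunistic" or "reject".

    Verified discovery (RFC 9462 4.2): the certificate chains to a trusted root
    and carries the Unencrypted DNS Resolver's IP address as an IP SAN, which
    binds the designation to the resolver the client was already using.
    Opportunistic discovery (4.3): no certificate validation, permitted only if
    the client opted in, the unencrypted resolver is a local address, and the
    encrypted resolver is reached at that same address.
    """
    if not desig.alpn or not desig.ip_hints:
        return "reject"                      # nothing encrypted to connect to
    unenc = ipaddress.ip_address(unencrypted_ip)
    connected = ipaddress.ip_address(desig.ip_hints[0])
    if cert.chain_valid and any(ipaddress.ip_address(s) == unenc for s in cert.ip_sans):
        return "verified"
    if allow_opportunistic and is_local_address(unencrypted_ip) and connected == unenc:
        return "opportunistic"
    return "reject"


def scenarios() -> dict:
    """Constructed cases mirroring the CPE discussion; returns case name -> decision."""
    # Public resolver (RFC 5737 documentation address standing in for a real one)
    # with a CA-issued certificate that lists the resolver IP as an IP SAN.
    public = SvcbDesignation("doh.resolver.example", ("h2",), ("203.0.113.9",))
    public_cert = PresentedCert(True, ("doh.resolver.example",), ("203.0.113.9",))
    # Home router offering DoT on itself with a self-signed certificate.
    router = SvcbDesignation("router.lan", ("dot",), ("192.168.1.1",))
    router_cert = PresentedCert(False, ("router.lan",), ("192.168.1.1",))
    # Router designating the ISP's public DoH server instead: a valid CA-issued
    # certificate for the ISP name, but no public CA will put 192.168.1.1 in it.
    upstream = SvcbDesignation("doh.isp.example", ("h2",), ("203.0.113.53",))
    upstream_cert = PresentedCert(True, ("doh.isp.example",), ())
    return {
        "public_verified": ddr_decision("203.0.113.9", public, public_cert, False),
        "cpe_opportunistic": ddr_decision("192.168.1.1", router, router_cert, True),
        "cpe_strict_client": ddr_decision("192.168.1.1", router, router_cert, False),
        "cpe_forward_to_isp": ddr_decision("192.168.1.1", upstream, upstream_cert, True),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:20s} -> {decision}")
```

The last two cases are the situation the notes describe: a CPE at a private address can only be accepted opportunistically, so a client that insists on verified discovery gets no encrypted DNS from it at all, and pointing clients at a CA-certified upstream does not help because the upstream's certificate cannot carry the router's private IP.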