Hello dnsop,

Not to distract from the "should we deprecate DNS64" discussion I started after 
proposing updates to 7050, but this is the second draft (last one, I promise) 
I'll be proposing to this group as interesting work ahead of IETF 120. Joining 
me are co-authors Jessica from Microsoft and Jeff and Matt from Amazon.

In light of enterprises increasingly using encrypted DNS for their own 
"Protective DNS" resolvers, we are proposing best practices for when and how to 
use client authentication with encrypted DNS. Since this is a Good Thing for 
enterprises who control both peers (stronger security for client policy 
application and security auditing post-attack) and a Bad Thing otherwise 
(privacy violations for the non-enterprises cases common to consumers), we feel 
there is a need to specify when implementors should or should not use it.

Spoiler alert: we prefer mTLS as the ideal authentication mechanism. I'll let 
the draft speak for itself as to why. Feedback and discussion is welcome.

Thanks,
Tommy

________________________________
From: internet-dra...@ietf.org <internet-dra...@ietf.org>
Sent: Thursday, June 27, 2024 11:32 AM
To: Jeffrey Damick <jdam...@amazon.com>; Jessica Krynitsky 
<jess.krynit...@microsoft.com>; Matt Engskow <mengs...@amazon.com>; Tommy 
Jensen <jensen.tho...@microsoft.com>
Subject: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

A new version of Internet-Draft draft-tjjk-cared-00.txt has been successfully
submitted by Tommy Jensen and posted to the
IETF repository.

Name:     draft-tjjk-cared
Revision: 00
Title:    Client Authentication Recommendations for Encrypted DNS
Date:     2024-06-27
Group:    Individual Submission
Pages:    11
URL:      https://www.ietf.org/archive/id/draft-tjjk-cared-00.txt
Status:   https://datatracker.ietf.org/doc/draft-tjjk-cared/
HTML:     https://www.ietf.org/archive/id/draft-tjjk-cared-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-tjjk-cared


Abstract:

   For privacy reasons, encrypted DNS clients need to be anonymous to
   their encrypted DNS servers to prevent third parties from correlating
   client DNS queries with other data for surveillance or data mining
   purposes.  However, there are cases where the client and server have
   a pre-existing relationship and each peer wants to prove its identity
   to the other.  For example, an encrypted DNS server may only wish to
   accept resolutions from encrypted DNS clients that are managed by the
   same enterprise.  This requires mutual authentication.

   This document defines when using client authentication with encrypted
   DNS is appropriate, the benefits and limitations of doing so, and the
   recommended authentication mechanism(s) when communicating with TLS-
   based encrypted DNS protocols.



The IETF Secretariat


_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org

Reply via email to