Hi.  Speaking for Quad9 (and by extension other recursive resolver operators) 
yes, there is huge demand for client authentication.  Also, it will be needed 
to fulfill some of the requirements of DIEM.  My very strong preference is that 
we not invent anything new here, and simply use DANE and TLS client certs.

> On Jul 10, 2026, at 13:06, Aitor Santos 
> <[email protected]> wrote:
> 
> Hi all,
> 
> I'm working on a draft addressing a gap in the current encrypted DNS 
> ecosystem: while DoH [RFC8484], DoT [RFC7858], and DoQ [RFC9250] protect DNS 
> queries from on-path observers, none of them define a standard mechanism for 
> a resolver to authenticate its clients.
> 
> This matters in practice for private and restricted resolvers — self-hosted 
> instances, enterprise deployments, ISP subscription services, and parental 
> control resolvers — where the operator has a legitimate need to limit access 
> to authorized clients only. Today each deployment invents its own approach 
> (token in the URL, IP allowlist, custom headers), with no interoperability.
> 
> The draft (draft-santos-dnsop-encrypted-dns-client-auth) describes the 
> problem space, the requirements any solution must satisfy, and the 
> constraints each transport imposes on an authentication mechanism.
> 
> Before I submit the -00, I wanted to check:
> 
> • Is there existing or ongoing work in this area I should be aware of?
> • Is there appetite in the WG for a problem statement document, or would a 
> solutions-oriented draft be more appropriate?
> 
> Happy to share a pre-submission version off-list if anyone wants to take a 
> look.
> 
> Thanks,
> 
> 
> Aitor Santos
> Técnico SOCUribitarte Kalea, 6, 48001 Bilbo, Bizkaia
> + 34 944 048 182— [email protected] — www.irontec.com
> LinkedIn— GitHub
> Encontrará información detallada sobre el tratamiento de sus datos personales 
> en www.irontec.com
> 
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]



                                -Bill


Please consider the environment before using AI to process this email.

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to