Delegated Credentials to Host Encrypted DNS Forwarders on CPEs

Document type: Expired Internet-Draft (candidate for add WG); expired & archived
Authors: Tirumaleswar Reddy.K, Mohamed Boucadair, Dan Wing, Shashank Jain
Last updated: 2024-06-03 (latest revision 2023-12-01)
RFC stream: Internet Engineering Task Force (IETF)
Intended RFC status: (None)
Additional resources: Mailing list discussion
Stream WG state: Call For Adoption By WG Issued
Document shepherd: (None)
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

An encrypted DNS server is authenticated by a certificate signed by a Certificate Authority (CA). However, for typical encrypted DNS server deployments on Customer Premise Equipment (CPEs), the signature cannot be obtained or requires excessive interactions with a Certificate Authority. This document explores the use of TLS delegated credentials for a DNS server deployed on a CPE. This approach is meant to ease the operation of DNS forwarders in CPEs while allowing the use of encrypted DNS capabilities.


Tirumaleswar Reddy.K
Mohamed Boucadair
Dan Wing
Shashank Jain

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)