**Session Date/Time:** 08 Nov 2023 08:30

# add

## Summary

The ADD working group meeting covered two documents in working group last call, two draft presentations, and hackathon results. Key discussions revolved around DNS Resolver Information, Encrypted DNS Server Redirection, and Delegated Credentials for DNS Server Authentication. Several action items were identified for document updates and further discussions.

## Key Discussion Points

* **DNS Resolver Information (Resinfo):**
  * Tommy Jensen raised a concern about reference mismatches in the documents in working group last call.
  * Discussion centered on a potential attack vector related to DDR (DNS Discovery).
  * Ben suggested Resinfo is misdesigned, because it uses zone contents to carry resolver meta-information.
  * Ben suggested that Resinfo must appear in the authority section to avoid influence by upstream authoritative servers.
  * Ray Bellis noted inconsistencies in the IANA registration template.
  * Molli raised questions about the difference between address-based and name-based discovery in DNS Discovery.
  * Proposal for a follow-up breakout session during the IETF week to address the Resinfo security concerns.
* **Establishing Local DNS:**
  * Discussion on DHCPv4 limitations and the need for long options mechanism support.
  * Clarification on the use of the asterisk symbol for claiming subdomains.
  * Discussion on hash algorithm interoperability, relying on the existing registry for major DNS zones.
  * Recommendation to keep internal domains in a child zone of the local domain hint to reduce changes to the verification record.
  * Ben to update the DNX certification section.
  * Request for early review from the DNS Directorate and the security and operations directorates.
* **Encrypted DNS Server Redirection (EDSR):**
  * Presentation on two modes of operation: strict origin redirection and overlapping origin redirection.
  * Debate on the security properties and necessity of the overlapping origin redirection mode. Ben argued it doesn't provide any easily described security properties.
  * Ben suggested EDSR in strict mode is more focused for the working group and could be adopted.
  * Mike pointed out the similarity between EDSR and the HTTP trust model.
  * Discussion on whether the scenario that overlapping origin redirection is intended to solve is actually a worthwhile use case for the working group.
  * The working group is expected to put out an adoption call for EDSR.
* **Delegated Credentials for DNS Server Authentication:**
  * Presentation of a draft proposing the use of delegated credentials with SVCB records.
  * Addition of mandatory and optional modes for the parameter key.
  * Ben recommended that the new service parameter be very specific, since it concerns TLS delegated credentials, and that it go through the TLS Working Group for review.
  * Tim raised concerns about registering a service binding parameter for delegation.
  * Eric suggested a capability flag field instead of individual service parameters.
* **Hackathon Results:**
  * Successful testing of DNR using DHCPv4 to direct clients to a DoH service.
  * Discussion on certificate issuance for private namespaces.

## Decisions and Action Items

* **Resinfo:** A breakout session will be scheduled during the IETF week to address the security concerns.
* **Establishing Local DNS:** Update the draft to address the DHCP comment, incorporate the asterisk symbol for subdomains, and update the DNX certification section (Ben). Send the draft for early review to the DNS Directorate and the security and operations directorates.
* **EDSR:** The working group will put out an adoption call for EDSR.
* **Delegated Credentials for DNS Server Authentication:** Authors will work on the comments and determine if it's ready for an adoption call. Check with the TLS WG on the parameter.
* **All:** Follow up on action items.

## Next Steps

* Schedule the breakout session for Resinfo.
* Complete document updates for Establishing Local DNS.
* Initiate the adoption call for EDSR.
* Continue discussions on the mailing list regarding security concerns and design choices.