Measures for Making DNS More Resilient against Forged Answers
Note: This ballot was opened for revision 10 and is now closed.
(Jari Arkko) Yes
Comment (2008-12-04 for -)
I agree though with Cullen's, Pasi's, and Lars's discusses.
(Mark Townsley) (was No Objection, Discuss, Yes) Yes
(Ron Bonica) No Objection
(Ross Callon) No Objection
(Lars Eggert) (was Discuss) No Objection
(Pasi Eronen) (was Discuss) No Objection
(Russ Housley) (was Discuss) No Objection
(Cullen Jennings) (was Discuss) No Objection
Comment (2008-12-01 for -)
I'm wondering about the case where the resolver is behind a NAT, and the attacker can cause the NAT to do many thousands of DNS queries in a few minutes; the randomization of ports can cause complete depletion of all ports on the NAT resulting in failure of all applications behind the NAT. I'd like authors to let me know if this has been considered and it is not a problem for some reason I'm not thinking of. If it is a problem, it might be worth adding a little text discussing the issue to the draft.
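The NAT port-depletion concern raised in the comment above can be checked with a small capacity model. The following is an added example, not text from the ballot, the draft or its authors: it models a NAT that allocates one external UDP port per distinct internal (address, port) pair and releases it after an idle timeout, then drives a resolver through it with either a fixed source port or a randomized one. The NAT behaviour, pool size, timeout, query rate and addresses are all constructed assumptions chosen for illustration.

```python
"""Toy capacity model for NAT UDP mappings consumed by a DNS resolver.

Added example (not from the ballot or the draft). Assumptions, all
constructed: an endpoint-independent NAT that keeps one external port per
internal (ip, port) tuple and drops it after `idle_timeout` seconds without
traffic; a single resolver at 10.0.0.2; query rates chosen for the demo.
"""
import random
from collections import OrderedDict


class UdpNat:
    """One external port per internal (ip, port); idle mappings expire."""

    def __init__(self, pool_size, idle_timeout):
        self.pool_size = pool_size
        self.idle_timeout = idle_timeout
        # key -> last_used, kept in order of last use so the oldest is first
        self.mappings = OrderedDict()
        self.peak = 0

    def _expire(self, now):
        # Mappings are ordered oldest-first, so stop at the first live one.
        while self.mappings:
            key, last_used = next(iter(self.mappings.items()))
            if now - last_used <= self.idle_timeout:
                break
            del self.mappings[key]

    def translate(self, now, int_ip, int_port):
        """Return True if a mapping exists or could be created, False if the
        external port pool is exhausted (the packet would be dropped)."""
        self._expire(now)
        key = (int_ip, int_port)
        if key in self.mappings:
            self.mappings.move_to_end(key)
        elif len(self.mappings) >= self.pool_size:
            return False
        self.mappings[key] = now
        self.peak = max(self.peak, len(self.mappings))
        return True


def simulate(queries_per_second, duration, randomize_ports,
             pool_size=4096, idle_timeout=30.0, seed=1):
    """Send DNS queries through the NAT for `duration` seconds.

    Returns (time_of_first_exhaustion_or_None, peak_concurrent_mappings).
    With a fixed source port every query reuses one mapping; with random
    source ports (RFC 5452 style) each new port costs a fresh mapping until
    the idle timeout frees it again.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    nat = UdpNat(pool_size, idle_timeout)
    interval = 1.0 / queries_per_second
    for i in range(int(queries_per_second * duration)):
        now = i * interval
        sport = rng.randint(1024, 65535) if randomize_ports else 53
        if not nat.translate(now, "10.0.0.2", sport):
            return now, nat.peak
    return None, nat.peak


def mappings_upper_bound(queries_per_second, idle_timeout):
    """Worst-case concurrent mappings a port-randomizing resolver can hold:
    every query in one idle-timeout window on a distinct port."""
    return int(queries_per_second * idle_timeout)


if __name__ == "__main__":
    print("fixed port 53:   ", simulate(1000, 60, randomize_ports=False))
    print("random ports:    ", simulate(1000, 60, randomize_ports=True))
    print("worst-case need: ", mappings_upper_bound(1000, 30.0), "mappings")
```

Run as-is, the fixed-port resolver never uses more than one mapping, while the randomizing resolver exhausts a 4096-port pool within a few seconds at 1000 queries per second. The `mappings_upper_bound` figure (query rate times NAT idle timeout) is the number an operator can compare against the NAT's actual pool size, or use as a threshold for alerting on mapping-table growth, when deciding whether a shared NAT in front of a port-randomizing resolver is at risk.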