Measures for Making DNS More Resilient against Forged Answers
RFC 5452
Note: This ballot was opened for revision 10 and is now closed.
Lars Eggert (was Discuss) No Objection
(Jari Arkko; former steering group member) Yes
I agree though with Cullen's, Pasi's, and Lars's discusses.
(Mark Townsley; former steering group member) (was No Objection, Discuss, Yes) Yes
(Chris Newman; former steering group member) No Objection
(Cullen Jennings; former steering group member) (was Discuss) No Objection
I'm wondering about the case where the resolver is behind a NAT, and the attacker can cause the NAT to do many thousands of DNS queries in a few minutes, the randomization of ports can cause complete depletion of all ports on the NAT resulting in failure of all applications behind the NAT. I'd like authors to let me know if this has been considered and it is not a problem for some reason I'm not thinking of. If it is a problem, it might be worth adding a little text discussing the issue to the draft.
(Dan Romascanu; former steering group member) No Objection
(David Ward; former steering group member) No Objection
(Magnus Westerlund; former steering group member) No Objection
(Pasi Eronen; former steering group member) (was Discuss) No Objection
(Ron Bonica; former steering group member) No Objection
(Ross Callon; former steering group member) No Objection
(Russ Housley; former steering group member) (was Discuss) No Objection
(Tim Polk; former steering group member) No Objection