Measures for Making DNS More Resilient against Forged Answers
RFC 5452

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    dnsext mailing list <namedroppers@ops.ietf.org>, 
    dnsext chair <dnsext-chairs@tools.ietf.org>
Subject: Protocol Action: 'Measures for making DNS more 
         resilient against forged answers' to Proposed Standard 

The IESG has approved the following document:

- 'Measures for making DNS more resilient against forged answers '
   <draft-ietf-dnsext-forgery-resilience-11.txt> as a Proposed Standard

This document is the product of the DNS Extensions Working Group. 

The IESG contact persons are Mark Townsley and Jari Arkko.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-11.txt

- Technical Summary

DNS uses UDP for most of its query resolution process, to protect against
forged UDP replies DNS has relied on a Query-ID field that is 16
bits long.
The size of this field was adequate when network connections
were slower than
is common today. The document documents measures to extend the effective
Query-ID by using all available UDP ports, different source address (when
possible) and using different authorative servers.


All of the measures documented in the document, have been in use
in certain
implementations for a long time, and recently been almost universally
deployed in all major implementations.

- Working Group Summary

There is a broad consensus that this important document be published.

- Protocol Quality

The techniques described in the document have been implemented
and are in use
use by number of implementations, with no interoperabilty
issues. The only issues
observed have been related to inability to allocate large number
of open ports on
certain operating systems, and firewalls/IDS not expecting the use of
random ports by DNS resolvers.