Measures for Making DNS More Resilient against Forged Answers
RFC 5452

Note: This ballot was opened for revision 10 and is now closed.

(Jari Arkko) Yes

Comment (2008-12-04)
I agree though with Cullen's, Pasi's, and Lars's discusses.

(Mark Townsley) (was No Objection, Discuss, Yes) Yes

(Ron Bonica) No Objection

(Ross Callon) No Objection

(Lars Eggert) (was Discuss) No Objection

(Pasi Eronen) (was Discuss) No Objection

(Russ Housley) (was Discuss) No Objection

(Cullen Jennings) (was Discuss) No Objection

Comment (2008-12-01)
I'm wondering about the case where the resolver is behind a NAT, and the attacker can cause the NAT to do many thousands of DNS queries in a few minutes; the randomization of ports can cause complete depletion of all ports on the NAT, resulting in failure of all applications behind the NAT.

I'd like authors to let me know if this has been considered and it is not a problem for some reason I'm not thinking of. If it is a problem, it might be worth adding a little text discussing the issue to the draft.

(Chris Newman) No Objection

(Tim Polk) No Objection

(Dan Romascanu) No Objection

(David Ward) No Objection

(Magnus Westerlund) No Objection