Measures for Making DNS More Resilient against Forged Answers
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org> To: IETF-Announce <email@example.com> Cc: Internet Architecture Board <firstname.lastname@example.org>, RFC Editor <email@example.com>, dnsext mailing list <firstname.lastname@example.org>, dnsext chair <email@example.com> Subject: Protocol Action: 'Measures for making DNS more resilient against forged answers' to Proposed Standard The IESG has approved the following document: - 'Measures for making DNS more resilient against forged answers ' <draft-ietf-dnsext-forgery-resilience-11.txt> as a Proposed Standard This document is the product of the DNS Extensions Working Group. The IESG contact persons are Mark Townsley and Jari Arkko. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-11.txt
- Technical Summary DNS uses UDP for most of its query resolution process, to protect against forged UDP replies DNS has relied on a Query-ID field that is 16 bits long. The size of this field was adequate when network connections were slower than is common today. The document documents measures to extend the effective Query-ID by using all available UDP ports, different source address (when possible) and using different authorative servers. All of the measures documented in the document, have been in use in certain implementations for a long time, and recently been almost universally deployed in all major implementations. - Working Group Summary There is a broad consensus that this important document be published. - Protocol Quality The techniques described in the document have been implemented and are in use use by number of implementations, with no interoperabilty issues. The only issues observed have been related to inability to allocate large number of open ports on certain operating systems, and firewalls/IDS not expecting the use of random ports by DNS resolvers.