We will be deploying a new resource domain and need to set up a one-way Active Directory trust.
I think I will have to set up DNS resolution, which I plan to do by implementing conditional forwarding in our user domain. So that will require the DNS port to be opened. So should that be port 53, both TCP and UDP?
I will also need to open ports for the trust to work. The MS article lists all the ports below:
Client Port(s) | Server Port | Service |
---|---|---|
49152-65535/UDP | 123/UDP | W32Time |
49152-65535/TCP | 135/TCP | RPC Endpoint Mapper |
49152-65535/TCP | 464/TCP/UDP | Kerberos password change |
49152-65535/TCP | 49152-65535/TCP | RPC for LSA, SAM, Netlogon (*) |
49152-65535/TCP/UDP | 389/TCP/UDP | LDAP |
49152-65535/TCP | 636/TCP | LDAP SSL |
49152-65535/TCP | 3268/TCP | LDAP GC |
49152-65535/TCP | 3269/TCP | LDAP GC SSL |
53, 49152-65535/TCP/UDP | 53/TCP/UDP | DNS |
49152-65535/TCP | 49152-65535/TCP | FRS RPC (*) |
49152-65535/TCP/UDP | 88/TCP/UDP | Kerberos |
49152-65535/TCP/UDP | 445/TCP | SMB (**) |
49152-65535/TCP | 49152-65535/TCP | DFSR RPC (*) |
I think I don't need port 123, as all clients will be syncing time with user domain servers.
Do I need all the other ports to be opened, as users won't be logging on to the resource domain?
From my understanding, when the user tries to access a resource (let's say a network file share), the resource domain server will try to authenticate the user against its domain controller (DC), and then the resource domain DC will send a referral to the server and ask it to check against the user domain DC. So basically the resource server acts as the client for the user domain DC. And thus, would these RPC dynamic ports need to be opened from the resource domain subnet to the user domain DCs?
From user domain DCs -> resource domain DCs, will I only need to open the following ports:
53 TCP/UDP DNS
135 TCP Portmapper
88 TCP/UDP Kerberos
389 TCP/UDP LDAP
445 TCP SMB
636 TCP LDAP (SSL)
Netlogon fixed port TCP (for object picker to work)
What are other things to consider?
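As an added example (not part of the original post, and not Microsoft's own tooling), the two steps the question describes can be checked from PowerShell before the trust is created: the conditional forwarder on the user-domain DNS side, and reachability of the fixed server ports from the table against each resource-domain DC. The domain names, DC addresses and the function names below are assumptions chosen for illustration; Test-NetConnection only probes TCP, so UDP 53 is exercised with a real DNS query and the other UDP ports (88, 389, 464) are left to a packet capture or the trust test itself.

```powershell
# Constructed example, not from the original post. Hypothetical values:
#   user domain      corp.example   (where this is run)
#   resource domain  res.example    (DCs 10.20.0.10 and 10.20.0.11)
$ResourceDomain = 'res.example'
$ResourceDCs    = @('10.20.0.10', '10.20.0.11')

# 1. DNS: conditional forwarder in the user domain for the resource domain zone.
#    Run once on a user-domain DNS server that is a DC; -ReplicationScope stores
#    the forwarder in AD so every user-domain DNS server picks it up.
function New-ResourceDomainForwarder {
    Add-DnsServerConditionalForwarderZone -Name $ResourceDomain `
        -MasterServers $ResourceDCs -ReplicationScope 'Forest'
    # Prove the forwarder works: the SRV record the DC locator needs for the trust.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ResourceDomain" -Type SRV
}

# 2. Firewall: the fixed server ports from the table in the question (123/UDP
#    omitted, as the question assumes time sync stays inside the user domain).
$TcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAP SSL' },
    @{ Port = 3268; Service = 'LDAP GC' },
    @{ Port = 3269; Service = 'LDAP GC SSL' }
)

function Test-TrustPorts {
    param([string[]]$Targets = $ResourceDCs)
    foreach ($dc in $Targets) {
        foreach ($p in $TcpPorts) {
            # Test-NetConnection is TCP only; a closed or filtered port shows Open = False.
            $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Port    = "$($p.Port)/tcp"
                Service = $p.Service
                Open    = $r.TcpTestSucceeded
            }
        }
        # UDP 53: send a real query to the DC, since Test-NetConnection cannot probe UDP.
        $dns = Resolve-DnsName -Name $ResourceDomain -Server $dc -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = '53/udp'; Service = 'DNS'; Open = [bool]$dns }
    }
}

# 3. RPC dynamic range (49152-65535): 135 only hands out an endpoint in that range,
#    so the range itself is only proven end to end by a real RPC call. Once the
#    trust exists, run these on a user-domain DC: the DC locator plus a secure
#    channel check against the trusted domain. Failures here with 135 open usually
#    mean the dynamic range is blocked.
function Test-TrustChannel {
    nltest /dsgetdc:$ResourceDomain /force
    nltest /sc_verify:$ResourceDomain
}

Test-TrustPorts | Format-Table -AutoSize
```

Run Test-TrustPorts from a host in the resource-domain subnet against the user-domain DCs as well, since the question's own reasoning is that the resource server acts as the client toward the user-domain DCs; any row with Open = False is a rule still missing from the firewall.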