[RSSAC Caucus] Incident Reporting WP Potential Scenario

Russ Mundy mundy at tislabs.com
Mon Aug 14 14:28:19 UTC 2023


Folks, 

During the last WP call we discussed the possibility that having a few ‘simple examples’ of potential security incidents might be useful for Work Party discussion. Following is a short write-up of a DNSSEC validation failure identified by an open recursive operator such as 8.8.8.8 or 1.1.1.1.

Russ
P.S. This is certainly not complete but, hopefully, helps move things forward.
---------------

RSS Potential Security Incident for Work Party Discussion

Event Description:
An open DNS Resolver operator observes DNSSEC validation failure. 
- What actions should the resolver operator 'normally' take?
- How should the resolver operator respond? E.g. should the operator be expected to determine how broad the problem is?
- When and how should the resolver operator contact the RSS and/or an RSO?

When an RSO becomes aware of the resolver validation failure, what steps should they take?

How would the determination be made about whether or not such an event would be considered an RSS Security Incident? E.g., does a DNSSEC validation failure qualify as such an event?
- If it is a Security Incident, does this mean it is reported to "the public" or to some more 'restricted' group?
- Are follow-up reports required?



