[RSSAC Caucus] Security Incident Reporting and c-root incident

[jabley at strandkip.nl]

Hi Robert,

On May 22, 2024, at 17:17, Robert Story <rstory at ant.isi.edu> wrote:

> On Wed 2024-05-22 20:06:14+0900 Wataru wrote:
>> As you may already know, c-root is reported to be experiencing routing 
>> and XFR issue, affecting ongoing DNSSEC algorythm rollover of gov. and int.
>> 
>> In my opinion this issue itself is not a material impact for the entire 
>> RSS, however, if our security incident reporting document were taking 
>> effect at this time, is this eligeble to be reported?
> 
> Without more details, my personal opinion (ie no hats) is that it would not
> be. I spent a few minutes googling to try to find any references to this, but
> couldn't. So it seems there is no material impact to the RSS.

It seems like the problems with c.root-servers.org (note, .org) have no material impact to the root server system.

However, the fact that C-Root has been failing to keep up with new revisions of the root zone as they are published for some period of time seems material. On the DNS-OARC dns-operations mailing list there are reports of two top-level domain DNSSEC algorithm rolls whose timing have been impacted, for example, so it doesn't seem to be much of a stretch to say that there's potential for security-related consequences of whatever this mishap turns out to be, even if they are minor.

I am not familiar with the work that Wataru mentioned and I don't know how "security incident" is defined, but I think Wataru's question is reasonable.

I know you didn't mean to suggest that spending a few minutes searching for impact is sufficient as criteria for judging whether an incident has occured, but we have metrics defined in RSSAC002 that relate directly to serving stale data; those metrics for C are surely well beyond the expected values over this event. Perhaps it's an idea to use those metrics as quantitative measures of impact?


Joe