Forgery Resilience Phase #2
description
Transcript of Forgery Resilience Phase #2
What is coming
How can an avalanche be stopped ?
- Build fences - Run away - Ski faster - Pray - “Let it be!”
- Deploy DNSSEC
Forgery-resilience-07
• Passed WGLC will be sent to IESG next week.
• Expect RFC in about 4 months
• Deploy NOW !!!
Ideas?
• There are lots of them: – http://www.psg.com/lists/namedroppers/name
droppers.2008/msg01131.html– X20– QID– ……
What else to do?
• Questions for people to think about: – What can be done in the short
term ?– What can be done without
updating software?– What can be done in the
medium term ?– What work does DNSEXT or
DNSOP need to do ?
DNS protocol economics 101• All changes have a “cost”
– How high the cost is for • Implementations• Deployment if there are changes in
operation• Authorative DNS data providers• DNS consumer i.e. resolvers• Is there fall-back
– When can this be deployed • Standards action needed: add 8-24
months• Code (add 1-24 months)• Testing (add 1-12 months) • Rollout (add 2-18 months)• Fixes needed (add 1-24 months)
The plan
• The chairs will not propose a plan or officially adopt new work until the full details of the current scare are known.