
Minutes from RIPE 43

RIPE Meeting: 43
Working Group: TechSec
Status: Final
Revision Number: 1

R I P E  4 3			R H O D E S

Technical-Security Working Group Session
12-September-2002			Minutes	


Chair:		    Daniel Karrenberg
Scribe:		    Henk Uijterwaal (Matthew Williams)


1. Administrativa

   Daniel welcomed us all to the meeting and then handed out the 
   participants' list. Henk Uijterwaal from the RIPE-NCC volunteered 
   to take the minutes.

   The agenda for this session and minutes from the previous meeting 
   at RIPE42 were approved without further ado.


2. Olaf M. Kolkman: DISI Update

   Presentation available at URL:
 
http://www.ripe.net/ripe/meetings/archive/ripe-43/presentations/ripe43-techsec-disi

   Comments on slide #4: 
   Bind 9.3s20020722 should not be used in production due to the 
   protocol bug that Olaf mentioned. In fact, Bind snapshots should 
   only be used for tests. (Ed Lewis)

   Be careful using tools that ship with earlier versions of Bind. They 
   may seem to work, but are incompatible with new developments, 
   i.e. tools from earlier Bind versions do not tell you that they are 
   incompatible with 2535. (Bill Manning)

   Question regarding slide #12: 
   Q: Can Bind run as secondary name server to NSD? (Ed Lewis)

   A: Yes. (Daniel Karrenberg)

   After the presentation, Bill Manning noted that when using 
   key-manipulating tools one should pay special attention to internal 
   procedures. 

   Q: Once keys have been received and stored locally, how does one 
      guarantee integrity and authenticity? (Bill Manning)

   A: No handles in the database yet. We are assuming that one can trust 
      one's own machines and staff. It is important to simplify the 
      deployment of DNSSEC by not setting the barriers too high. The 
      system should be easy to operate and not require special on-site 
      security staff. More features can be added later. Tools alone do 
      not solve these problems. In the courses we want to make people 
      aware of security policies and procedures that need to be 
      addressed while deploying DNSSEC. (Olaf M. Kolkman)

   Q: RIPE has a high profile here and should incorporate stronger 
      security into the system. (Bill Manning)

   A: We are trying to do that. There are additional tools, e.g. the 
      signing appliance, that can be downloaded by sites that need 
      them. (Olaf M. Kolkman)

   There were no further comments.

   Olaf mentioned that the slides would be available on the meeting 
   site.


3. AOB

   Q: Is this WG the place where other groups should report on their 
      efforts in this area? (Francis Dupont)

   A: Sharing experience and ideas will lead to better operational 
      procedures and better understanding. Results may become best 
      current practices. (Olaf M. Kolkman)

   Bill Manning has written a document on key management for the root 
   name servers. His draft will be distributed on the DNSSEC mailing 
   list (dnssec@cafax.se). He also mentioned that there will be a 
   workshop prior to the ATLANTA IETF meeting. The details will be 
   posted on dnssec@cafax.se.

   Olaf clarified to the audience that all important info/links 
   regarding this topic, including the mailing list above, are 
   mentioned in the DNSSEC how-to.

   Finally, the chair closed the meeting at 12:30 pm.


Daniel Karrenberg, Henk Uijterwaal, Matthew Williams, September 2002
 
