Skip to main content

You're viewing an archived page. It is no longer being updated.


IPE Meeting:


Working Group:




Revision Number:


R I P E 4 3 R H O D E S

Technical-Security Working Group Session
12-September-2002 Minutes

Chair: Daniel Karrenberg
Scribe: Henk Uijterwaal (Matthew Williams)

1. Administrativa

Daniel welcomed us all to the meeting and then handed out the
participants' list. Henk Uijterwaal from the RIPE-NCC volunteered
to take the minutes.

The agenda for this session and minutes from the previous meeting
at RIPE42 were approved without further ado.

2. Olaf M. Kolkman: DISI Update

Presentation available at URL:

Comments on slide #4:
Bind 9.3s20020722 should not be used in production due to the
protocol bug that Olaf mentioned. In fact, Bind snapshots should
only be used for tests. (Ed Lewis)

Be careful using tools that ship with earlier versions of Bind. They
may seem to work, but are incompatible with new developments,
i.e. tools from earlier Bind versions do not tell you that they are
incompatible with 2535. (Bill Manning)

Question regarding slide #12:
Q: Can Bind run as secondary name server to NSD? (Ed Lewis)

A: Yes. (Daniel Karrenberg)

After the presentation, Bill Manning noted that when using
tools one should pay special attention to internal procedures.

Q: Once keys have been received and stored locally, how does one
integrity and authenticity? (Bill Manning)

A: No handles in the database yet. We are assuming that one can trust

one's own machines and staff. It is important to simplify the
deployment of DNSSEC by not setting the barriers too high. The
should be easy to operate and not require special on-site security

staff. More features can be added later. Tools alone do not solve
these problems. In the courses we want to make people aware
of security policies and procedures that need to be addressed
deploying DNSSEC. (Olaf M. Kolkman)

Q: Ripe has a high profile here and should incorporate stronger
into the system. (Bill Manning)

A: We are trying do that. There are additional tools, e.g. the
signing appliance,
that can be downloaded by sites that need them. (Olaf M. Kolkman)

There were no further comments.

Olaf mentioned that the slides would be available on the meeting

3. AOB

Q: Is this WG the place where other groups should report on their
efforts in
this area? (Francis Dupont)

A: Sharing experience and ideas will lead to better operational
and better understanding. Results may become best current
(Olaf M. Kolkman)

Bill Manning has written a document on key management for the root
servers. His draft will be distributed on the DNSSEC mailing list
([email protected]). He also mentioned that there will be a workshop
prior to the ATLANTA IETF meeting. The details will be posted on
[email protected].

Olaf clarified to the audience that all important info/links
this topic, including the mailing list above, are mentioned in the

Finally, the chair closed the meeting at 12:30 pm.

Daniel Karrenberg, Henk Uijterwaal, Matthew Williams, September 2002