RIPE 43

RIPE Meeting: 43
Working Group: TechSec
Status: Final
Revision Number: 1

R I P E 4 3 R H O D E S

Technical-Security Working Group Session
12-September-2002 Minutes


Chair: Daniel Karrenberg
Scribe: Henk Uijterwaal (Matthew Williams)


1. Administrativa

Daniel welcomed us all to the meeting and then handed out the
participants' list. Henk Uijterwaal from the RIPE-NCC volunteered
to take the minutes.

The agenda for this session and minutes from the previous meeting
at RIPE42 were approved without further ado.


2. Olaf M. Kolkman: DISI Update

Presentation available at URL:

http://www.ripe.net/ripe/meetings/archive/ripe-43/presentations/ripe43-techsec-disi

Comments on slide #4:
Bind 9.3s20020722 should not be used in production due to the
protocol bug that Olaf mentioned. In fact, Bind snapshots should
only be used for tests. (Ed Lewis)

Be careful using tools that ship with earlier versions of Bind. They
may seem to work, but are incompatible with new developments,
i.e. tools from earlier Bind versions do not tell you that they are
incompatible with 2535. (Bill Manning)

Question regarding slide #12:
Q: Can Bind run as secondary name server to NSD? (Ed Lewis)

A: Yes. (Daniel Karrenberg)

After the presentation, Bill Manning noted that when using
key-manipulating tools one should pay special attention to internal
procedures.

Q: Once keys have been received and stored locally, how does one
guarantee integrity and authenticity? (Bill Manning)

A: No handles in the database yet. We are assuming that one can trust
one's own machines and staff. It is important to simplify the
deployment of DNSSEC by not setting the barriers too high. The system
should be easy to operate and not require special on-site security
staff. More features can be added later. Tools alone do not solve
these problems. In the courses we want to make people aware
of security policies and procedures that need to be addressed while
deploying DNSSEC. (Olaf M. Kolkman)

Q: RIPE has a high profile here and should incorporate stronger
security into the system. (Bill Manning)

A: We are trying to do that. There are additional tools, e.g. the
signing appliance, that can be downloaded by sites that need them.
(Olaf M. Kolkman)

There were no further comments.

Olaf mentioned that the slides would be available on the meeting site.


3. AOB

Q: Is this WG the place where other groups should report on their
efforts in this area? (Francis Dupont)

A: Sharing experience and ideas will lead to better operational
procedures and better understanding. Results may become best current
practices. (Olaf M. Kolkman)

Bill Manning has written a document on key management for the root
name servers. His draft will be distributed on the DNSSEC mailing list
(dnssec _at_ cafax _dot_ se). He also mentioned that there will be a
workshop prior to the ATLANTA IETF meeting. The details will be posted
on dnssec _at_ cafax _dot_ se.

Olaf clarified to the audience that all important info/links regarding
this topic, including the mailing list above, are mentioned in the
DNSSEC how-to.

Finally, the chair closed the meeting at 12:30 pm.


Daniel Karrenberg, Henk Uijterwaal, Matthew Williams, September 2002