---------- Forwarded message ---------- Date: Mon, 17 Sep 2001 15:43:01 +0200 To: Technical Security Deployment WG <techsec-wg@ripe.net> From: Daniel Karrenberg <Daniel.Karrenberg@ripe.net> Subject: RIPE 40 TechSec-WG Agenda / DISI Progress Report Dear Colleagues, below you can find an informal progress report form the DISI project in preparation for the meeting in Praha. I am not sure whether this and the charter warrants a full meeting slot or whether we need a meeting at all. This is for the chair to decide. Certainly a full slot looks like way too much time at present. Please propose any additional agenda points quickly in case we are asked to give up meeting time for other WGs. Daniel ------------------------------ RIPE NCC DISI Progress Report - DNSSEC developments The biggest hurdle in DNSSEC deployment is the delegation of signing authority over zone boundaries. Currently things work technically. However the interactions between zone administrators at delegation points are too numerous and complex to be deployable by the RIPE community, or anyone for that matter, in a large scale. We are actively contributing to work in this area. We are confident that the proposed delegation signer (DS) resource record [1] will solve these deployability concerns. Deployment of DNSSEC at the RIPE NCC has been stalled until this problem is shown to be solved. - Tools To enable development of tools to maintain DNSSEC we have extended the Perl Net::DNS library with DNSSEC functionality. - Workshops and tutorials We have been raising awareness about DNSSEC by giving tutorials. Course material is being developed and made available through the DISI web pages. The tutorials help us to understand where the operational difficulties lie and which tools are needed for operational deployment. One such operational problem and a possible solution are presented in the IETF dnsop workingroup [2]. The next tutorial will be October 8 in Prague. - Plans We will continue to actively contribute to the IETF activities around operations of DNSSEC by participate in early adoption and early implementation. We will continue to organize workshops and develop tools which will be needed for operational implementation. On the longer term we plan operational deployment of DNSSEC on the reverse tree as soon as a solution to the delegation of signing authority over zone boundaries has made his way into the standards track. - References [1] ftp://ftp.ripe.net/internet-drafts/draft-ietf-dnsext-delegation-signer-0.2.txt [2] ftp://ftp.ripe.net/internet-drafts/draft-ietf-dnsop-resolver-rollover-00.txt