This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] atlas anchor DANE records
- Previous message (by thread): [atlas] HTTP Measurements with RIPE Atlas
- Next message (by thread): [atlas] Join our new webinar on "Advanced RIPE Atlas Usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Bjørn Mork
bjorn at mork.no
Wed Jun 17 13:38:59 CEST 2015
Hello, I just noticed "We also generate a DANE record for each anchor" in the docs and became instantly curious. There aren't that many DANE records out there in the wild :) The records seem to be pointing to a self signed certificate (as documented), but with 'usage' = 1 instead of 3 as expected. At least the two records I looked at had this - I assume they are all created the same way. Is this intentional? It makes 'normal' verification fail: bjorn at canardo:~$ tlsa --debug --verify nl-ams-as3333.anchors.atlas.ripe.net Received the following record for name _443._tcp.nl-ams-as3333.anchors.atlas.ripe.net.: Usage: 1 (End-Entity Constraint + chain to CA) Selector: 0 (Certificate) Matching Type: 1 (SHA-256) Certificate for Association: 88422d55424ca8f6f74e165016851cb195fc0919f82f8762574a4d71868964e9 This record is valid (well-formed). Attempting to verify the record with the TLS service... Got the following IP: 193.0.19.107 FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT The matched certificate has Subject: /C=nl/ST=ams/L=ams/O=as3333/CN=nl-ams-as3333.anchors.atlas.ripe.net Got the following IP: 2001:67c:2e8:11::c100:136b FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT The matched certificate has Subject: /C=nl/ST=ams/L=ams/O=as3333/CN=nl-ams-as3333.anchors.atlas.ripe.net bjorn at canardo:~$ tlsa --debug --verify se-sto-as8674.anchors.atlas.ripe.net Received the following record for name _443._tcp.se-sto-as8674.anchors.atlas.ripe.net.: Usage: 1 (End-Entity Constraint + chain to CA) Selector: 0 (Certificate) Matching Type: 1 (SHA-256) Certificate for Association: 2d92e341d2181011c520ad92229155e1350fc4f7b9e628198be1f9589ec7a53f This record is valid (well-formed). Attempting to verify the record with the TLS service... Got the following IP: 185.42.136.158 FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT The matched certificate has Subject: /O=AS8674/L=STO/C=SE/CN=se-sto-as8674.anchors.atlas.ripe.net Got the following IP: 2a01:3f0:0:60::5 FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT The matched certificate has Subject: /O=AS8674/L=STO/C=SE/CN=se-sto-as8674.anchors.atlas.ripe.net What is the intended use of these records? And why doesn't https://atlas.ripe.net/ have a DANE record as well? :) Bjørn
- Previous message (by thread): [atlas] HTTP Measurements with RIPE Atlas
- Next message (by thread): [atlas] Join our new webinar on "Advanced RIPE Atlas Usage"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]