[atlas] Atlas and TLSA RR's?

Hi Scott,

Even though we’ve now discussed this off-list, I would like to repeat my
response here on the mailing list, for the sake of transparency.

On 13/05/15 19:07, Rose, Scott W. wrote:
> Hello,
> We have a TLSA test tool called DANELaw (https://www.had-pilot.com/dane/danelaw.html).  The tool basically check for a TLSA RR for a given domain name and makes sure it matches the presented TLS certificate. Over the last few days we noticed a large volume of tests for TLSA RR's ending in "anchor.atlas.ripe.net".  This isn't a big deal (except for our crude logging system), just wondering if this is a self-check, or some test.  

First off, thank you for making the check publicly available - it is one
of the few services currently available for DANE-related web-checks and
it is very useful.

As you are now aware, this is a check I configured to ensure the TLSA
records generated for every RIPE Atlas anchor are actually validated. As
such, the check interval is equal to the TTL of the TLSA RR.

We've also been working on a similar check we can deploy internally, so
we will soon stop querying your service.

> Also, our tool isn't really a production service, so if it goes down - will it effect anything? 

No, it will not affect anything in production. Quite the opposite:
before we discussed this privately, I was concerned we could be
negatively affecting your environment.

While you test your new code, you can bring the service down for as long
as you need to.

Cheers,

Iñigo Ortiz de Urbina Cazenave
RIPE NCC