This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ripe-atlas@ripe.net/
[atlas] Atlas and TLSA RR's?
- Previous message (by thread): [atlas] Atlas and TLSA RR's?
- Next message (by thread): [atlas] M-net Telekommunikations GmbH in Munich has joined RIPE Atlas Anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Iñigo Ortiz de Urbina Cazenave
iortiz at ripe.net
Tue May 26 18:59:10 CEST 2015
Hi Scott, Even though we’ve now discussed this off-list, I would like to repeat my response here on the mailing list, for the sake of transparency. On 13/05/15 19:07, Rose, Scott W. wrote: > Hello, > We have a TLSA test tool called DANELaw (https://www.had-pilot.com/dane/danelaw.html). The tool basically check for a TLSA RR for a given domain name and makes sure it matches the presented TLS certificate. Over the last few days we noticed a large volume of tests for TLSA RR's ending in "anchor.atlas.ripe.net". This isn't a big deal (except for our crude logging system), just wondering if this is a self-check, or some test. First off, thank you for making the check publicly available - it is one of the few services currently available for DANE-related web-checks and it is very useful. As you are now aware, this is a check I configured to ensure the TLSA records generated for every RIPE Atlas anchor are actually validated. As such, the check interval is equal to the TTL of the TLSA RR. We've also been working on a similar check we can deploy internally, so we will soon stop querying your service. > Also, our tool isn't really a production service, so if it goes down - will it effect anything? No, it will not affect anything in production. Quite the opposite: before we discussed this privately, I was concerned we could be negatively affecting your environment. While you test your new code, you can bring the service down for as long as you need to. Cheers, Iñigo Ortiz de Urbina Cazenave RIPE NCC
- Previous message (by thread): [atlas] Atlas and TLSA RR's?
- Next message (by thread): [atlas] M-net Telekommunikations GmbH in Munich has joined RIPE Atlas Anchors
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]