On 2019-09-03 11:17, Shane Kerr wrote:
Robert,
On 03/09/2019 09.57, Robert Kisteleki wrote:
Still no one has answered why RIPE is using self-signed certs for anchors when they can use Let's Encrypt for free...
TL;DR if the community prefers it we use LE (+TLSA).
This comes with the expense of some one-time and ongoing operational work. Considering that anchors don't host any sensitive information, using self-signed certs (+TLSA) was so far considered good enough.
Sorry for asking this question so late in this thread, but what exactly are the certificates used for?
The anchors provide very basic services intended to help users who want to use the anchors as measurement targets. They answer incoming ping, DNS and HTTP(S) queries (see https://atlas.ripe.net/docs/anchors/). The HTTP(S) service can respond with pages of various sizes, which is intended to help PMTUD tests, for example. It's possible that someone would want to check the TLS certificate of the measured anchor, in which case a "proper" certificate may come in handy.

Regards,
Robert
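How a client can check a self-signed certificate against a TLSA record, as mentioned in the thread ("self-signed certs (+TLSA)"). This is an added example, not part of the original messages and not RIPE's code. The function names are hypothetical, the sample certificate is a constructed DER skeleton rather than a real anchor certificate, and the TLSA record is assumed to have been fetched with DNSSEC validation.

```python
import hashlib
import hmac

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(der):
    """Slice the SubjectPublicKeyInfo TLV out of a DER X.509 certificate."""
    _, cert_body, _ = read_tlv(der, 0)     # Certificate SEQUENCE
    _, off, _ = read_tlv(der, cert_body)   # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, off)
    if tag == 0xA0:                        # optional [0] version field
        off = end
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(der, off)
    _, _, end = read_tlv(der, off)
    return der[off:end]

def dane_ee_match(tlsa_rdata, cert_der):
    """True if cert_der satisfies a usage-3 (DANE-EE) TLSA record.

    Usage 3 pins the server's own certificate or key, so no CA chain is
    needed, which is why it works with a self-signed certificate.
    """
    usage, selector, mtype, data = tlsa_rdata.split(None, 3)
    if usage != "3":
        raise ValueError("only usage 3 (DANE-EE) is handled here")
    selected = cert_der if selector == "0" else spki_from_cert(cert_der)
    digest = {"0": lambda b: b,
              "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}[mtype](selected)
    return hmac.compare_digest(digest, bytes.fromhex("".join(data.split())))

def der_short(tag, body):
    """Build a DER element with a short-form length (sample data only)."""
    return bytes([tag, len(body)]) + body

# Constructed stand-in with the field layout of an X.509 v3 certificate.
SAMPLE_SPKI = der_short(0x30, der_short(0x30, b"") + der_short(0x03, b"\x00constructed-key"))
SAMPLE_CERT = der_short(0x30, der_short(0x30,
    der_short(0xA0, der_short(0x02, b"\x02")) + der_short(0x02, b"\x01")
    + der_short(0x30, b"") * 4 + SAMPLE_SPKI) + der_short(0x30, b"") + der_short(0x03, b"\x00"))
```

With selector 1 the record pins only the public key, so the certificate can be reissued with the same key without touching DNS.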