Hello,

I just noticed "We also generate a DANE record for each anchor" in the docs and became instantly curious. There aren't that many DANE records out there in the wild :)

The records seem to be pointing to a self-signed certificate (as documented), but with 'usage' = 1 instead of 3 as expected. At least the two records I looked at had this - I assume they are all created the same way.

Is this intentional? It makes 'normal' verification fail:

bjorn@canardo:~$ tlsa --debug --verify nl-ams-as3333.anchors.atlas.ripe.net
Received the following record for name _443._tcp.nl-ams-as3333.anchors.atlas.ripe.net.:
    Usage: 1 (End-Entity Constraint + chain to CA)
    Selector: 0 (Certificate)
    Matching Type: 1 (SHA-256)
    Certificate for Association: 88422d55424ca8f6f74e165016851cb195fc0919f82f8762574a4d71868964e9
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP: 193.0.19.107
FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The matched certificate has Subject: /C=nl/ST=ams/L=ams/O=as3333/CN=nl-ams-as3333.anchors.atlas.ripe.net
Got the following IP: 2001:67c:2e8:11::c100:136b
FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The matched certificate has Subject: /C=nl/ST=ams/L=ams/O=as3333/CN=nl-ams-as3333.anchors.atlas.ripe.net

bjorn@canardo:~$ tlsa --debug --verify se-sto-as8674.anchors.atlas.ripe.net
Received the following record for name _443._tcp.se-sto-as8674.anchors.atlas.ripe.net.:
    Usage: 1 (End-Entity Constraint + chain to CA)
    Selector: 0 (Certificate)
    Matching Type: 1 (SHA-256)
    Certificate for Association: 2d92e341d2181011c520ad92229155e1350fc4f7b9e628198be1f9589ec7a53f
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Got the following IP: 185.42.136.158
FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The matched certificate has Subject: /O=AS8674/L=STO/C=SE/CN=se-sto-as8674.anchors.atlas.ripe.net
Got the following IP: 2a01:3f0:0:60::5
FAIL (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record but the following error was raised during PKIX validation: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The matched certificate has Subject: /O=AS8674/L=STO/C=SE/CN=se-sto-as8674.anchors.atlas.ripe.net

What is the intended use of these records? And why doesn't https://atlas.ripe.net/ have a DANE record as well? :)

Bjørn
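
The usage semantics the message turns on, as an added example that is not part of the original message and is not code from the tlsa tool or RIPE Atlas. It follows RFC 6698 for end-entity records with selector 0 only; the function names, the stand-in certificate bytes and passing the PKIX result in as a string are assumptions made for illustration.

```python
import hashlib
from typing import NamedTuple, Optional, Tuple

# RFC 6698 certificate usages for end-entity records (names from RFC 7218).
PKIX_EE, DANE_EE = 1, 3


class TLSA(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexdata = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata)))


def cert_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Compare the association data with the full certificate (selector 0)."""
    if rec.selector != 0:
        raise NotImplementedError("selector 1 (SubjectPublicKeyInfo) needs an ASN.1 parser")
    digests = {0: lambda d: d,                          # exact match
               1: lambda d: hashlib.sha256(d).digest(),
               2: lambda d: hashlib.sha512(d).digest()}
    if rec.mtype not in digests:
        raise ValueError(f"unknown matching type {rec.mtype}")
    return digests[rec.mtype](cert_der) == rec.data


def verify_ee(rec: TLSA, cert_der: bytes, pkix_error: Optional[str]) -> Tuple[bool, str]:
    """pkix_error is the chain-validation result from the TLS library:
    None if the chain reached a trusted CA, otherwise the error name."""
    if rec.usage not in (PKIX_EE, DANE_EE):
        raise NotImplementedError("usages 0 and 2 constrain a CA and need the full chain")
    if not cert_matches(rec, cert_der):
        return False, "certificate does not match the TLSA record"
    # Usage 1 requires the match AND PKIX validation; usage 3 requires the match only.
    if rec.usage == PKIX_EE and pkix_error is not None:
        return False, f"matched, but PKIX validation raised {pkix_error}"
    return True, "matched"


# Constructed stand-in for a self-signed certificate's DER bytes (not a real certificate).
SAMPLE_CERT = b"constructed self-signed certificate bytes"
SAMPLE_HASH = hashlib.sha256(SAMPLE_CERT).hexdigest()
SELF_SIGNED = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
```

With the same hash and the same certificate, only the usage field decides whether the self-signed error is fatal.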