# RIPE Atlas anchor services

RIPE Atlas anchors (opens new window) run a number of daemons which are used as targets for various measurements. RIPE Atlas itself will run scheduled measurements against these, but they are also available for measurements from other hosts and systems. Below you can find a list of services the anchors provide.

Currently the anchors support the following measurements over IPv4 and IPv6:

  • ping
  • traceroute
  • DNS
  • HTTP and HTTPS

# DNS

The anchors have been configured with BIND to act as an authoritative DNS server.

# Configuration

Config Value Example
zone dns.FQDN dns.nl-ams-as3333-3.anchors.atlas.ripe.net
nsid FQDN nl-ams-as3333-3.anchors.atlas.ripe.net
id.server FQDN nl-ams-as3333-3.anchors.atlas.ripe.net
version.bind Atlas Anchor 0.1

# Zones

The anchors have been created with a special zone with records specifically crafted to result in an ethernet frame matching a specific size on the wire (assuming regular ethernet without vlans etc). The idea of this is that you can detect IP fragmentation issues, specifically with IPv6. The following records are served in this zone:

IPv4 Records (example $ORIGIN set to the RIPE NCC anchor):

$ORIGIN dns.nl-ams-as3333-3.anchors.atlas.ripe.net
484.4 IN TXT Payload
512.4 IN TXT Payload
540.4 IN TXT Payload
1252.4 IN TXT Payload
1280.4 IN TXT Payload
1308.4 IN TXT Payload
1280.4 IN TXT Payload
1472.4 IN TXT Payload
1500.4 IN TXT Payload
1528.4 IN TXT Payload

IPv6 Records (example $ORIGIN set to the RIPE NCC anchor):

$ORIGIN dns.nl-ams-as3333-3.anchors.atlas.ripe.net
464.6 IN TXT Payload
512.6 IN TXT Payload
560.6 IN TXT Payload
1232.6 IN TXT Payload
1280.6 IN TXT Payload
1324.6 IN TXT Payload
1452.6 IN TXT Payload
1500.6 IN TXT Payload
1548.6 IN TXT Payload

The first leaf represents the resulting frame size. The second represents the IP version. Therefore if you request 1500.6 IN TXT, the UDP packet response will be created so that it is 1500 bytes if the answer is delivered over IPv6.

# HTTP(S)

The anchor runs a web server with a custom response handler. This response handler has just one option: size. Example URL:

http://nl-ams-as3333-3.anchors.atlas.ripe.net/536

This asks for a response with a payload of 536 bytes (excluding the JSON wrapping). The parameter can be any integer up to 4096. The response is a JSON structure which looks like the following:

{
  anchor:  "The FQDN of the anchor",
  client:  "The IP address of the client",
  payload: "payload of X bytes"
}

We also generate a DANE record for each anchor.

# TLS (SSL)

The anchors have been configured with self-signed TLS certificates using 2048 bit keys with an expiration time of 100 years. The expiry is set high in order to avoid having to update the expected certificates in user scripts too often. We don't expect to actually keep the systems running with the same key and certificate until 2112 -- our descendants will let you know about upcoming changes.

We are also considering using Let's Encrypt (opens new window) certificates. We'll inform the community if and when these are actually used.

# DNS answer sink

The anchors have been configured to listen on UDP port 15353 for DNS answers. This is part of an experiment to observe reachability of anycasted services.

Periodically, all instances of k.root-servers.net (193.0.14.129) and pri.authdns.ripe.net (193.0.9.5) receive queries with query type SOA and query name "." or "ripe.net", respectively. The NSID OPT bit is set. These queries are being sent with the source IP of the anchor.RIPE Atlas Anchor

Last Updated: Invalid Date