[exim] Re: Please avoid TLSA records matching retired issuin…

Author: Niels Dettenbach
Date:  
To: exim-users
CC: Viktor Dukhovni
Subject: [exim] Re: Please avoid TLSA records matching retired issuing CAs.
On Monday, 17 July 2023, 03:49:29 CEST, Viktor Dukhovni via Exim-users wrote:
> [ Also posted to dane-users@??? ]
> DANE TLSA records are not "deploy and forget", they need to be actively
> monitored. Both to make sure that at least one matches, and to not
> forget to age out any that no longer match and might be stale.
>
> Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org)
> is neither timely nor reliable (~24 hours notification delay, if the
> domain is included in the survey and a responsive domain contact can be
> found).


Just to add / mention:

Helpful for proactively watching / monitoring different aspects of a DANE / TLSA setup via Nagios (or "compatible" monitoring systems):
https://github.com/matteocorti/check_ssl_cert

which is very flexible and (until now) well maintained.


hth,


niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
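The check Viktor describes (at least one TLSA record must match, and records that no longer match must be aged out), as an added example that is neither part of this thread nor code from check_ssl_cert: given the TLSA records published for an MX and the certificate chain the server presented, it reports which records match and which are stale, with Nagios-style exit codes. The certificate bytes and zone data below are constructed stand-ins; a real plugin would fetch the records through a validating resolver and the chain from the STARTTLS session.

```python
import hashlib

# Constructed stand-ins (not real certificates) for the DER bytes a monitor would
# take from the live STARTTLS session: end-entity cert, its current issuing CA,
# and a retired issuing CA that left the chain but still has a TLSA record.
LEAF = (b"constructed: end-entity cert DER", b"constructed: end-entity SPKI")
ISSUER = (b"constructed: current issuing CA DER", b"constructed: issuing CA SPKI")
RETIRED_SPKI = b"constructed: retired issuing CA SPKI"
CHAIN = [LEAF, ISSUER]  # leaf first, then issuers, each as (cert DER, SPKI DER)

# constructed zone data: "3 1 1" for the key, "2 1 1" for the current and retired CA
TLSA_RECORDS = [
    "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest(),
    "2 1 1 " + hashlib.sha256(ISSUER[1]).hexdigest(),
    "2 1 1 " + hashlib.sha256(RETIRED_SPKI).hexdigest(),
]

DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

def assoc_data(cert, selector, mtype):
    """Certificate association data for one (selector, matching type) pair."""
    data = cert[0] if selector == 0 else cert[1]  # selector 0: full cert, 1: SPKI
    if mtype == 0:
        return data  # matching type 0: exact content
    return DIGEST[mtype](data).digest()

def record_matches(record, chain):
    """True if a TLSA record 'usage selector mtype hexdata' matches the chain."""
    usage, selector, mtype, hexdata = record.split(maxsplit=3)
    want = bytes.fromhex(hexdata.replace(" ", ""))
    # DANE-EE(3) must match the end-entity cert; DANE-TA(2) matches any issuer.
    # Usages 0/1 are the PKIX forms RFC 7672 says not to publish for SMTP.
    candidates = chain[:1] if usage in ("1", "3") else chain[1:]
    return any(assoc_data(c, int(selector), int(mtype)) == want for c in candidates)

def check_tlsa(records, chain):
    """Nagios-style verdict: (exit code, message, stale records)."""
    stale = [r for r in records if not record_matches(r, chain)]
    if len(stale) == len(records):
        return 2, "CRITICAL: no TLSA record matches the presented chain", stale
    if stale:
        return 1, f"WARNING: {len(stale)} TLSA record(s) match nothing; age them out", stale
    return 0, "OK: every TLSA record matches the presented chain", stale

if __name__ == "__main__":
    code, msg, stale = check_tlsa(TLSA_RECORDS, CHAIN)
    print(msg, *("  stale: " + r for r in stale), sep="\n")
    raise SystemExit(code)
```

With the sample data the retired CA's "2 1 1" record is the only one that matches nothing, so the check exits 1 (WARNING) and names that record; drop all matching records and it exits 2.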