On Monday, 17 July 2023, 03:49:29 CEST, Viktor Dukhovni via Exim-users wrote:
> [ Also posted to dane-users@??? ]
> DANE TLSA records are not "deploy and forget", they need to be actively
> monitored. Both to make sure that at least one matches, and to not
> forget to age out any that no longer match and might be stale.
>
> Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org)
> is neither timely nor reliable (~24 hours notification delay, if the
> domain is included in the survey and a responsive domain contact can be
> found).
Just to add / mention:
helpful for proactively watching / monitoring different aspects of a DANE / TLSA setup via Nagios (as "compatible" monitoring systems):
https://github.com/matteocorti/check_ssl_cert
which is very flexible and (until now) well maintained.
hth,
niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP:
https://syndicat.com/pub_key.asc
---
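
The monitoring requirement quoted above (at least one TLSA record matches, and none that no longer match stay published), as an added example that is not part of the original messages and is not code from check_ssl_cert. The function names, the constructed byte strings standing in for DER data, and the Nagios-style status mapping are assumptions made for illustration.

```python
import hashlib

# Nagios plugin exit codes
OK, WARNING, CRITICAL = 0, 1, 2

def tlsa_data(selector, mtype, cert_der, spki_der):
    """Association data an RFC 6698 TLSA record should carry for this certificate."""
    blob = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SubjectPublicKeyInfo
    if mtype == 0:
        return blob                                  # 0 = exact match, no hash
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).digest()

def check_tlsa(rrset, chain):
    """rrset: [(usage, selector, mtype, hex_data)]; chain: [(cert_der, spki_der)], leaf first.
    Returns (status, matching, stale)."""
    matching, stale = [], []
    for rr in rrset:
        usage, selector, mtype, hex_data = rr
        # DANE-EE(3) binds the leaf; DANE-TA(2) binds an issuer further up the chain.
        # PKIX usages 0/1 are unusable for SMTP (RFC 7672), so they never count as a match.
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        want = bytes.fromhex(hex_data)
        hit = selector in (0, 1) and mtype in (0, 1, 2) and any(
            tlsa_data(selector, mtype, c, k) == want for c, k in candidates)
        (matching if hit else stale).append(rr)
    if not matching:
        return CRITICAL, matching, stale   # nothing matches: DANE senders will defer mail
    return (WARNING if stale else OK), matching, stale  # stale records should be aged out

# Constructed stand-ins for DER bytes; a real check takes them from the live STARTTLS handshake.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
OLD_SPKI = b"constructed-previous-spki"
RRSET = [
    (3, 1, 1, hashlib.sha256(LEAF[1]).hexdigest()),   # current key
    (3, 1, 1, hashlib.sha256(OLD_SPKI).hexdigest()),  # left over from a previous key
]

def demo():
    return check_tlsa(RRSET, [LEAF])

if __name__ == "__main__":
    status, matching, stale = demo()
    print(f"status={status} matching={len(matching)} stale={len(stale)}")
    raise SystemExit(status)
```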