On Tue, Jun 09, 2015 at 09:34:34PM +0200, Sebastian Wiesinger wrote:

> > My inclination is to recommend placing this in the certificate file
> > itself (PEM certificate files can contain ignored text above the
> > "-----BEGIN/END...." blocks) as well as a CERT_UPDATE_README file in
> > the directory containing the certificate file and keys.
> 
> What would help a lot of people would be a drop-in nagios check which
> compares TLSA to actual cert. Probably easy to do for connections
> which start with TLS, not so trivial for STARTTLS types of
> connections.

STARTTLS is not difficult to test.

We were thinking of having folks sign up for monitoring by sys4.de,
with the results published via DNS, and nagios can then just do a
quick DNS lookup.

The advantage of a remote monitoring service is that it may
see DNS issues that are only apparent from outside the site's own
network.

The remote service can also make it easier for sites connecting
to a domain that has problems to check whether others are also
having the same issue.

This has not moved past the discussion stage yet.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
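
The TLSA-versus-certificate comparison asked for in the quoted text, sketched as Nagios-style check logic. This is an added example, not code from the thread or from sys4.de; all function names are hypothetical, the caller is assumed to have already fetched the TLSA RRset and the server's DER certificate (over TLS or STARTTLS), and the certificate usage field is not evaluated because only the presented end-entity certificate is compared.

```python
import hashlib
OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes

def der_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low 7 bits give the byte count
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def spki_der(cert):
    """Slice subjectPublicKeyInfo out of a DER X.509 certificate."""
    _, tbs, _ = der_tlv(cert, 0)    # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert, tbs)  # TBSCertificate SEQUENCE
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                 # optional [0] version
        pos = end
    for _ in range(5):              # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_tlv(cert, pos)
    return cert[pos:der_tlv(cert, pos)[2]]

def tlsa_matches(rr, cert):
    """rr: TLSA RDATA in presentation form, 'usage selector mtype hex'."""
    _usage, selector, mtype, data = rr.split(None, 3)
    blob = {"0": cert, "1": spki_der(cert)}[selector]
    if mtype != "0":  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
        blob = hashlib.new({"1": "sha256", "2": "sha512"}[mtype], blob).digest()
    return blob == bytes.fromhex(data.replace(" ", ""))

def check_tlsa(rrset, cert):  # returns (exit_code, message), Nagios style
    if not rrset:
        return UNKNOWN, "TLSA UNKNOWN - no TLSA records to compare"
    try:
        hits = [rr for rr in rrset if tlsa_matches(rr, cert)]
    except (KeyError, ValueError, IndexError) as exc:
        return UNKNOWN, f"TLSA UNKNOWN - unparsable input ({exc!r})"
    if hits:
        return OK, f"TLSA OK - {len(hits)} of {len(rrset)} records match"
    return CRITICAL, f"TLSA CRITICAL - none of {len(rrset)} records match"

# Constructed sample: a DER skeleton shaped like a certificate, not a real one.
def der_wrap(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
SPKI = der_wrap(0x30, der_wrap(0x30, b"") + der_wrap(0x03, b"\x00" + b"K" * 32))
TBS = der_wrap(0x30, der_wrap(0xA0, der_wrap(2, b"\x02")) + der_wrap(2, b"\x01")
               + der_wrap(0x30, b"") * 4 + SPKI)
CERT = der_wrap(0x30, TBS + der_wrap(0x30, b"") + der_wrap(0x03, b"\x00"))
GOOD = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
STALE = "3 1 1 " + "00" * 32
```

A single matching record is reported as OK even when others do not match, since an RRset published during a key rollover legitimately carries a record for a key that is not the one currently served.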
