On Thu, Jun 11, 2015 at 8:41 AM, Sebastian Wiesinger <[email protected]> wrote:
> * Viktor Dukhovni <[email protected]> [2015-06-09 21:51]:
>> On Tue, Jun 09, 2015 at 09:34:34PM +0200, Sebastian Wiesinger wrote:
>>
>> > > My inclination is to recommend placing this in the certificate file
>> > > itself (PEM certificate files can contain ignored text above the
>> > > "-----BEGIN/END...." blocks) as well as a CERT_UPDATE_README file in
>> > > the directory containing the certificate file and keys.
>> >
>> > What would help a lot of people would be a drop-in nagios check which
>> > compares TLSA to actual cert. Probably easy to do for connections
>> > which start with TLS, not so trivial for STARTTLS types of
>> > connections.
>>
>> STARTTLS is not difficult to test.
>>
>> We were thinking of having folks sign up for monitoring by sys4.de,
>> with the results published via DNS, and nagios can then just do a
>> quick DNS lookup.
>>
>> The advantage of a remote monitoring service, is that it may
>> see DNS issues that are only apparent from outside the site's own
>> network.
>
> I see that but I would prefer to have my monitoring in-house and not
> dependent on external services. What DNS issues with DANE would only
> be apparent from the outside? Different views? Even so, I have an
> external monitoring point running Nagios for exactly these reasons. :)
> So for me a nagios check would be better. But perhaps I'll have some
> time and do it myself.

If you do, please share it with the list / community. Good / multiple
ways of monitoring is really useful for deployment - one of the things
that has hurt DNSSEC deployment is the public outages - it would be
great to not have DANE suffer from this too.

W

>
> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
> SCYTHE.
>             -- Terry Pratchett, The Fifth Elephant
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
>

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
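
The comparison at the heart of the Nagios check discussed in this thread, as an added example that is not part of the original messages or any list member's code. The function names are hypothetical, the sample certificate is a constructed DER skeleton, and fetching the live certificate and the DNSSEC-validated TLSA RRset is assumed to happen elsewhere.

```python
import hashlib
OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_of(cert_der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert_der, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = nxt
    for _ in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def association_data(cert_der, selector, mtype):
    """Hex association data: selector 0 (cert) or 1 (SPKI), matching type 0/1/2."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return data.hex() if mtype == 0 else hashlib.new(
        {1: "sha256", 2: "sha512"}[mtype], data).hexdigest()

def check_tlsa(cert_der, rrset):
    """rrset: TLSA rdata strings 'usage selector mtype hex'. Returns (code, text)."""
    usable = 0
    for rdata in rrset:
        usage, selector, mtype, *hexdata = rdata.split()
        u, s, m = int(usage), int(selector), int(mtype)
        if u not in (1, 3) or s not in (0, 1) or m not in (0, 1, 2):
            continue                   # usages 0/2 pin a CA, not the leaf: not handled
        usable += 1
        if association_data(cert_der, s, m) == "".join(hexdata).lower():
            return OK, "TLSA OK - certificate matches '%d %d %d'" % (u, s, m)
    if not usable:
        return UNKNOWN, "TLSA UNKNOWN - no end-entity TLSA records to compare"
    return CRITICAL, "TLSA CRITICAL - certificate matches none of %d record(s)" % usable

# Constructed stand-in for a certificate: correct DER layout, dummy field contents.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for the sample
SAMPLE_SPKI = _der(0x30, b"constructed-key")
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

Any one matching record in the RRset yields OK, so a rollover set that publishes both the current and the next key passes as long as the served certificate matches either.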
