On Monday, 17 July 2023, 03:49:29 CEST, Viktor Dukhovni via Exim-users wrote:
> [ Also posted to [email protected] ]
>
> DANE TLSA records are not "deploy and forget", they need to be actively
> monitored. Both to make sure that at least one matches, and to not
> forget to age out any that no longer match and might be stale.
>
> Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org)
> is neither timely nor reliable (~24 hours notification delay, if the
> domain is included in the survey and a responsive domain contact can be
> found).

Just to add / mention: helpful for pro-actively watching / monitoring different aspects of a DANE / TLSA setup via Nagios (as "compatible" monitoring systems):

https://github.com/matteocorti/check_ssl_cert

which is very flexible and (until now) well maintained.

hth,
niels.

--
---
Niels Dettenbach
Syndicat IT & Internet
https://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
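
The check the thread asks for (at least one TLSA record matches the live certificate, and non-matching records are flagged for ageing out), as an added example that is not from the original posts or from check_ssl_cert. The function names, the tuple layout of the records and the certificate-shaped sample are assumptions constructed for illustration; only DANE-EE (usage 3) records are evaluated.

```python
import hashlib

def _tlv(buf, off):
    """Read one DER TLV at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:   # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(der):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, off, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, off, _ = _tlv(der, off)               # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    off = end if tag == 0xA0 else off        # skip optional [0] version
    for _field in range(5):   # serial, signature, issuer, validity, subject
        off = _tlv(der, off)[2]
    return der[off:_tlv(der, off)[2]]

def tlsa_assoc(cert_der, selector, mtype):
    """Association data for selector (0 cert, 1 SPKI) and matching type (0/1/2)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return hashlib.new(("sha256", "sha512")[mtype - 1], data).digest() if mtype else data

def audit_tlsa(leaf_der, rrset):
    """Sort usage-3 records: empty 'match' is the alert, 'nomatch' is stale or pre-published."""
    out = {"match": [], "nomatch": [], "skipped": []}
    for rr in rrset:
        usage, selector, mtype, hexdata = rr
        if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
            out["skipped"].append(rr)        # e.g. DANE-TA needs the chain
            continue
        ok = tlsa_assoc(leaf_der, selector, mtype) == bytes.fromhex(hexdata)
        out["match" if ok else "nomatch"].append(rr)
    return out

def _der(tag, body):
    """DER-encode one TLV (body < 256 bytes); only builds the constructed sample."""
    hdr = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + hdr + body

# Constructed sample: a certificate-shaped DER blob, not a real certificate.
SPKI = _der(0x30, b"constructed public key " * 8)
TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" * 4 + SPKI)
CERT = _der(0x30, TBS + b"\x30\x00" + b"\x03\x01\x00")
RRSET = [(3, 1, 1, hashlib.sha256(SPKI).hexdigest()),   # matches the current key
         (3, 1, 1, "00" * 32),                          # matches nothing live
         (2, 0, 1, "11" * 32)]                          # DANE-TA, not evaluated
```

In a monitoring job, the leaf certificate would come from the SMTP server's STARTTLS handshake and the records from a DNSSEC-validating resolver; both are outside this example.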
