Hi Thomas,

On Wed, Jun 18, 2014 at 12:20:11AM +0200, Thomas Heil wrote:
> Hi,
>
> I think dnssec and DANE could be an alternate path for checking
> certificates even for HAProxy.
> Of course dnssec is a burden but after that it can be very useful.
>
> How do you think about it?

Not checked yet. However, we just merged the joint work of Dirkjan and Emeric
who completed a really nice thing together. We can now load OCSP responses
from files, send them to clients and update them from the CLI. Next step will
probably be to have an HTTP client to automatically perform the refreshes,
though it will only be usable for people where the load balancer has access
to remote sites.

Cheers,
Willy