On Mon, Aug 26, 2024 at 05:36:55PM -0400, pgnd wrote:

> after simplifying to just the "3 1 2" certs, i see the one-algo-not-the-other 
> 'good' results @ online checks,
> 
>  https://stats.dnssec-tools.org/explore/
>  https://dane.sys4.de
>  https://dnsviz.net/
>  https://www.huque.com/bin/danecheck
> 
> , as you'd warned.
> 
> i've switched out my own monitoring for danesmtp.
> once i remembered that running it from my residential lan was hitting
> ISP port 25 blocks (::facepalm::), it's easy enough for once a day
> scans, and notify on fail, for each of my certs+algos checks.

For your own servers, I'd recommend checking once an hour, if not more
often.  Some (legitimate) senders have fairly short queue lifetimes, and
some are aggressive (silly) enough to bounce mail as soon as TLS
authentication fails, without waiting for the issue to be resolved.

Of course the domain in question may not carry sufficiently "important"
traffic to warrant prompt detection/notification, but as a default, I'd
recommend checking hourly rather than daily.

Also set your TLSA RR TTLs to at most an hour.

-- 
    Viktor.
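The core check behind the per-cert, per-algo monitoring discussed above, as an added example that is not from this thread, from Postfix or from danesmtp: match a DER certificate against a TLSA record in presentation form such as the "3 1 2" records mentioned. Only usage 3 (DANE-EE) is handled; the certificate is a constructed, unsigned skeleton built for the test, and fetching the TLSA RR (with its TTL) and the server's live certificate is left to the monitor.

```python
import hashlib

def _read_tlv(buf, off):
    """Parse one DER TLV at buf[off:]; return (tag, value, end_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def spki_from_cert(cert_der):
    """Return the DER subjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = _read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)           # tbsCertificate SEQUENCE
    fields, off = [], 0
    while off < len(tbs):
        tag, _, end = _read_tlv(tbs, off)
        if tag != 0xA0:                      # skip the optional [0] EXPLICIT version
            fields.append(tbs[off:end])
        off = end
    return fields[5]                         # after serial, signature, issuer, validity, subject

def tlsa_matches(rr, cert_der):
    """Check a TLSA RR in presentation form ("3 1 2 <hex>") against a DER leaf cert."""
    usage, selector, mtype, data = rr.split(None, 3)
    if int(usage) != 3:                      # usage 3 = DANE-EE: the RR names the leaf itself
        raise ValueError("only DANE-EE (usage 3) is handled here")
    subject = cert_der if int(selector) == 0 else spki_from_cert(cert_der)
    digest_of = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
                 2: lambda b: hashlib.sha512(b).digest()}   # matching types
    if int(mtype) not in digest_of:
        raise ValueError("unknown matching type " + mtype)
    return digest_of[int(mtype)](subject) == bytes.fromhex("".join(data.split()))

def _der(tag, body):                         # short-form DER TLV, enough for the test cert
    return bytes([tag, len(body)]) + body

def build_test_cert(spki_der):
    """Constructed, unsigned certificate skeleton around the given SPKI (test data only)."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    rsa_sha256 = seq(_der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), rsa_sha256, seq(),
              seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z")), seq(), spki_der)
    return seq(tbs, rsa_sha256, _der(0x03, b"\x00"))

# Constructed Ed25519 SPKI (OID 1.3.101.112) with a made-up 32-byte key.
TEST_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, b"\x00" + bytes(range(32))))
TEST_CERT = build_test_cert(TEST_SPKI)
TEST_RR_3_1_2 = "3 1 2 " + hashlib.sha512(TEST_SPKI).hexdigest()
```

A monitor would run this once per MX, per TLSA record and per certificate/algorithm, and alert on the first `False`.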
