I've tried to follow this thread.
I have one question...
Is there a site i can visit to tell me whether or not my TLSA and/or
other cert DNS entries are OK with the new certs?
On 8/26/2024 10:46 PM, Viktor Dukhovni wrote:
On Mon, Aug 26, 2024 at 05:36:55PM -0400, pgnd wrote:
after simplifying to just the "3 1 2" certs, i see the one-algo-not-the-other
'good' results @ online checks,
https://stats.dnssec-tools.org/explore/
https://dane.sys4.de
https://dnsviz.net/
https://www.huque.com/bin/danecheck
, as you'd warned.
i've switched out my own monitoring for danesmtp.
once i remembered that running it from my residential lan was hitting
ISP port 25 blocks (::facepalm::), it's easy enough for once a day
scans, and notify on fail, for each of my certs+algos checks.
For your own servers, I'd recommend checking once an hour, if not more
often. Some (legitimate) senders have fairly short queue lifetimes, and
some are aggressive (silly) enough to bounce mail as soon as TLS
authentication fails, without waiting for the issue to be resolved.
Of course the domain in question may not carry sufficiently "important"
traffic to warrant prompt detection/notification, but as a default, I'd
recommend checking hourly rather than daily.
Also set your TLSA RR TTLs to at most an hour.
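An added example for the question at the top of this message (not code from any checker site named above, nor from danesmtp or Postfix): a small Python script that answers "are my TLSA records OK for the certs I actually serve?" offline. It assumes you already have, for each certificate the server can present (e.g. one RSA and one ECDSA), the DER-encoded SubjectPublicKeyInfo, which is what selector-1 ("3 1 x") records are computed over, plus the TLSA answer lines as `dig +noall +answer` prints them. The mail host, keys and records below are constructed for the example; the "one algorithm covered, the other not" RRset reproduces the failure mode discussed in the thread, and a record with a TTL above an hour is flagged per the advice above.

```python
"""Check that every certificate a mail server can present is covered by its
TLSA RRset.  Added example; hostnames, keys and records are constructed."""
import hashlib
import re
from dataclasses import dataclass, field

MAX_TTL = 3600  # TTL ceiling suggested in the thread: at most an hour

# One answer line as `dig +noall +answer _25._tcp.<mx> TLSA` prints it.
TLSA_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TLSA\s+(?P<usage>\d+)\s+"
    r"(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$"
)


@dataclass
class TLSARecord:
    ttl: int
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact copy, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(line: str) -> TLSARecord:
    m = TLSA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a TLSA answer line: {line!r}")
    return TLSARecord(int(m["ttl"]), int(m["usage"]), int(m["selector"]),
                      int(m["mtype"]), bytes.fromhex("".join(m["data"].split())))


def association_data(spki_der: bytes, mtype: int) -> bytes:
    """Bytes a selector-1 record must carry for this key (RFC 6698, 2.1.3)."""
    if mtype == 0:
        return spki_der
    if mtype == 1:
        return hashlib.sha256(spki_der).digest()
    if mtype == 2:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


@dataclass
class Report:
    covered: dict = field(default_factory=dict)    # cert label -> matching record
    uncovered: list = field(default_factory=list)  # cert labels no record matches
    skipped: list = field(default_factory=list)    # records this check can't evaluate
    long_ttl: list = field(default_factory=list)   # records with TTL above MAX_TTL

    @property
    def ok(self) -> bool:
        return not self.uncovered


def check_coverage(answer_lines, presented: dict) -> Report:
    """presented maps a label ("rsa", "ecdsa", ...) to that cert's DER SPKI.
    Only usage 3 / selector 1 records are matched against the leaf key: usage 2
    needs the issuing CA cert, selector 0 needs the full leaf cert, and PKIX
    usages 0/1 are not usable for DANE SMTP (RFC 7672)."""
    report = Report()
    usable = []
    for line in answer_lines:
        rec = parse_tlsa(line)
        if rec.ttl > MAX_TTL:
            report.long_ttl.append(line.strip())
        if rec.usage == 3 and rec.selector == 1 and rec.mtype in (0, 1, 2):
            usable.append((line.strip(), rec))
        else:
            report.skipped.append(line.strip())
    for label, spki in presented.items():
        for text, rec in usable:
            if association_data(spki, rec.mtype) == rec.data:
                report.covered[label] = text
                break
        else:
            report.uncovered.append(label)
    return report


# Constructed sample data.  An Ed25519-shaped SPKI (fixed 12-byte DER prefix
# plus 32 key bytes) is the smallest well-formed SubjectPublicKeyInfo, so it
# stands in here for the server's real RSA and ECDSA keys.
def fake_spki(seed: int) -> bytes:
    prefix = bytes.fromhex("302a300506032b6570032100")
    return prefix + bytes((seed + i) % 256 for i in range(32))


KEYS = {"rsa": fake_spki(1), "ecdsa": fake_spki(100)}   # what the MX can present
OLD_RSA = fake_spki(50)                                  # rotated out, record left behind
MX = "_25._tcp.mx.example.net."                          # hypothetical name

SAMPLE_ANSWERS = [   # covers the RSA key only: the "one-algo-not-the-other" case
    f"{MX} 3600 IN TLSA 3 1 2 {association_data(KEYS['rsa'], 2).hex()}",
    f"{MX} 86400 IN TLSA 3 1 1 {association_data(OLD_RSA, 1).hex()}",
    f"{MX} 3600 IN TLSA 2 1 1 {hashlib.sha256(b'constructed CA spki').hexdigest()}",
]
FIXED_ANSWERS = SAMPLE_ANSWERS + [   # add a "3 1 2" record for the ECDSA key
    f"{MX} 3600 IN TLSA 3 1 2 {association_data(KEYS['ecdsa'], 2).hex()}",
]

if __name__ == "__main__":
    for label, answers in (("current", SAMPLE_ANSWERS), ("fixed", FIXED_ANSWERS)):
        r = check_coverage(answers, KEYS)
        print(label, "OK" if r.ok else "FAIL", "uncovered:", r.uncovered,
              "skipped:", len(r.skipped), "long TTL:", len(r.long_ttl))
```

For a real server, get each leaf's SPKI with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`, and feed the output of `dig +noall +answer _25._tcp.<mx> TLSA` as the answer lines; run it from cron hourly as suggested above. Note that this verifies what is published against what you intend to serve, not what the server actually presents on the wire, so pair it with an `openssl s_client -starttls smtp` check (or danesmtp) from a host whose port 25 is not blocked.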