On Tue, Aug 27, 2024 at 12:57:03AM -0400, Mike via dane-users wrote:

> I've tried to follow this thread.
> 
> I have one question...
> 
> Is there a site I can visit to tell me whether or not my TLSA and/or other
> cert DNS entries are OK with the new certs?

The DANE survey (https://stats.dnssec-tools.org/explore) shows a
detailed breakdown of the DNSSEC/DANE status of directly delegated (from
a TLD or similar registry, not internal within an organisation)
DNSSEC-signed domains.  However, the data is not "real-time"; domains
are checked once a day, presently some time between 16:00 and 22:00 UTC.
So if you make changes, the survey may not show you the current state.

For a real-time check you can perform yourself, use the "danesmtp" bash
function, described at:

    https://list.sys4.de/hyperkitty/list/[email protected]/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/

All you need is OpenSSL 1.1.1 or later and a bash-compatible shell.

Another real-time option is https://dane.sys4.de, but the results are
noticeably more basic (simple) than from the survey.  The results are
cached, but you can request a refresh (every ~5 minutes, IIRC).

Checks are also possible via:

    * https://www.huque.com/bin/danecheck

        Not a domain check, you have to explicitly check a particular MX
        host, and specify port 25.

        Don't forget to choose the "SMTP" radio button under "STARTTLS
        Application"

    * https://internet.nl/test-mail/

        But some of their criteria are too strict (pedantic).

There are others; measurement and analysis quality varies...

-- 
    Viktor.
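
Added example, not part of the message above and not the "danesmtp" function it links to: a POSIX sh sketch of a do-it-yourself real-time check using OpenSSL's DANE options. The names tlsa_filter, dane_check and SAMPLE are hypothetical, and dig and openssl (1.1.1 or later) are assumed to be installed.

```shell
# Added example (POSIX sh); not the "danesmtp" function from the linked post.
# Keep only TLSA records an SMTP client can use: usage 2 (DANE-TA) or
# 3 (DANE-EE), known selector and matching type, well-formed hex.
# Input: `dig +short TLSA` output, which may split long hex into chunks.
tlsa_filter() {
    while read -r usage selector mtype data; do
        case "$usage" in 2|3) ;; *) continue ;; esac
        case "$selector" in 0|1) ;; *) continue ;; esac
        data=$(printf '%s' "$data" | tr -d ' \t')
        case "$data" in ''|*[!0-9A-Fa-f]*) continue ;; esac
        case "$mtype" in
            0) ;;                                    # full cert or key
            1) [ "${#data}" -eq 64 ] || continue ;;  # SHA2-256 digest
            2) [ "${#data}" -eq 128 ] || continue ;; # SHA2-512 digest
            *) continue ;;
        esac
        printf '%s %s %s %s\n' "$usage" "$selector" "$mtype" "$data"
    done
}

# Live check of one MX host: fetch its TLSA RRset and have OpenSSL verify the
# STARTTLS certificate chain against it. Needs network access, dig and openssl.
dane_check() {
    host=$1
    port=${2:-25}
    rrs=$(dig +short TLSA "_${port}._tcp.${host}" | tlsa_filter)
    [ -n "$rrs" ] || { echo "no usable TLSA records for $host" >&2; return 2; }
    set -- -brief -starttls smtp -connect "$host:$port" -verify_return_error \
        -dane_ee_no_namechecks -dane_tlsa_domain "$host"
    while IFS= read -r rr; do
        set -- "$@" -dane_tlsa_rrdata "$rr"
    done <<EOF
$rrs
EOF
    (sleep 1; printf 'QUIT\r\n') | openssl s_client "$@"
}

# Constructed sample of dig output: a CNAME target, a valid record split into
# two chunks, a PKIX-EE record (usage 1) and a truncated digest.
SAMPLE='mx.example.net.
3 1 1 0123456789ABCDEF0123456789ABCDEF 0123456789ABCDEF0123456789ABCDEF
1 0 1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
3 1 1 DEADBEEF'
printf '%s\n' "$SAMPLE" | tlsa_filter
```

Call dane_check once per MX host of the domain. dig +short does not show whether the answer was DNSSEC-validated, so query through a validating resolver.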
