I've tried to follow this thread.
I have one question...
Is there a site I can visit to tell me whether or not my TLSA and/or other cert DNS entries are OK with the new certs?
On 8/26/2024 10:46 PM, Viktor Dukhovni wrote:
On Mon, Aug 26, 2024 at 05:36:55PM -0400, pgnd wrote:
After simplifying to just the "3 1 2" certs, I see the one-algo-not-the-other 'good' results @ online checks (https://stats.dnssec-tools.org/explore/, https://dane.sys4.de, https://dnsviz.net/, https://www.huque.com/bin/danecheck), as you'd warned.
I've switched out my own monitoring for danesmtp. Once I remembered that running it from my residential LAN was hitting ISP port 25 blocks (::facepalm::), it's easy enough for once-a-day scans, and notify on fail, for each of my certs+algos checks.
For your own servers, I'd recommend checking once an hour, if not more often. Some (legitimate) senders have fairly short queue lifetimes, and some are aggressive (silly) enough to bounce mail as soon as TLS authentication fails, without waiting for the issue to be resolved.
Of course the domain in question may not carry sufficiently "important" traffic to warrant prompt detection/notification, but as a default, I'd recommend checking hourly rather than daily.
Also set your TLSA RR TTLs to at most an hour.
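The comparison that the online checkers and a danesmtp-style monitor perform, as an added example that is not code from this thread or from danesmtp: for each published TLSA record, recompute the association data (selector: full cert or SubjectPublicKeyInfo; matching type: exact, SHA-256 or SHA-512) from each certificate the server can present and report any certificate, i.e. key algorithm, that no record covers. The DER blobs here are constructed stand-ins; in practice they come from your TLS library, and the record list from a DNSSEC-validating resolver.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    name: str        # label for the key algorithm this cert belongs to
    cert_der: bytes  # full certificate, DER encoding (TLSA selector 0)
    spki_der: bytes  # SubjectPublicKeyInfo, DER encoding (TLSA selector 1)


def tlsa_assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Association data a TLSA record must carry to match this certificate."""
    if selector == 0:
        data = cert.cert_der
    elif selector == 1:
        data = cert.spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return data                              # Full(0): exact bytes
    if mtype == 1:
        return hashlib.sha256(data).digest()     # SHA2-256(1)
    if mtype == 2:
        return hashlib.sha512(data).digest()     # SHA2-512(2)
    raise ValueError(f"unknown matching type {mtype}")


def parse_tlsa(rdata: str):
    """Parse presentation-format rdata such as '3 1 2 ab12...' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def check_coverage(tlsa_rdatas, certs):
    """Map each cert name to the DANE-EE(3) records that match it.
    An empty list means that certificate (key algorithm) is not covered.
    DANE-TA(2) records would need the issuer chain and are skipped here."""
    result = {c.name: [] for c in certs}
    for rdata in tlsa_rdatas:
        usage, sel, mt, assoc = parse_tlsa(rdata)
        if usage != 3:
            continue
        for c in certs:
            if tlsa_assoc_data(c, sel, mt) == assoc:
                result[c.name].append(rdata)
    return result


# Constructed stand-ins for DER blobs; each key algorithm has its own cert and SPKI.
RSA = Cert("rsa", b"constructed:cert:rsa", b"constructed:spki:rsa")
ECDSA = Cert("ecdsa", b"constructed:cert:ecdsa", b"constructed:spki:ecdsa")
# Zone publishes a "3 1 2" record for the RSA key only: the one-algo-not-the-other case.
ZONE_TLSA = ["3 1 2 " + tlsa_assoc_data(RSA, 1, 2).hex()]

if __name__ == "__main__":
    for name, hits in check_coverage(ZONE_TLSA, [RSA, ECDSA]).items():
        print(f"{name}: {'OK' if hits else 'NOT COVERED, add a TLSA record before deploying it'}")
```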