On Tue, Aug 27, 2024 at 12:57:03AM -0400, Mike via dane-users wrote:
> I've tried to follow this thread.
> I have one question...
> Is there a site I can visit to tell me whether or not my TLSA and/or other cert DNS entries are OK with the new certs?
The DANE survey (https://stats.dnssec-tools.org/explore) shows a detailed breakdown of the DNSSEC/DANE status of directly delegated (from a TLD or similar registry, not internal within an organisation) DNSSEC-signed domains. However, the data is not "real-time": domains are checked once a day, presently some time between 16:00 and 22:00 UTC. So if you make changes, the survey may not show you the current state.
For a real-time check you can perform yourself, use the "danesmtp" bash function, described at:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/thread/NKDBQABS...
All you need is OpenSSL 1.1.1 or later and a bash-compatible shell.
Another real-time option is https://dane.sys4.de, but the results are noticeably more basic (simple) than from the survey. The results are cached, but you can request a refresh (every ~5 minutes, IIRC).
Checks are also possible via:
* https://www.huque.com/bin/danecheck
  Not a domain check; you have to explicitly check a particular MX host, and specify port 25.
  Don't forget to choose the "SMTP" radio button under "STARTTLS Application".
* https://internet.nl/test-mail/
  But some of their criteria are too strict (pedantic).
There are others; measurement and analysis quality varies...
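The kind of real-time, do-it-yourself check described above (OpenSSL 1.1.1+ plus a bash-compatible shell, against one named MX host on port 25), as an added example that is not the danesmtp function from the list archive: it fetches the host's TLSA RRset, refuses to proceed unless the resolver reports it as DNSSEC-authenticated, and hands the records to openssl s_client as DANE trust anchors. It assumes a DNSSEC-validating resolver and dig on the path; the host name in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not the danesmtp function from the list archive): a minimal
# real-time DANE check of one MX host on port 25, needing only dig and
# OpenSSL 1.1.1 or later. Assumes a DNSSEC-validating resolver, since the
# AD-bit test below is only as good as the resolver that sets it.

# Read TLSA records in presentation form ("usage selector mtype hex") on stdin
# and print each as one canonical line. Malformed input is rejected so nothing
# but a well-formed RFC 6698 record is handed to openssl as a trust anchor.
# Returns non-zero if no valid record was seen.
tlsa_normalize() {
    rc=1
    while read -r usage sel mtype hex; do
        [ -z "$usage" ] && continue                    # skip blank lines
        hex=$(printf '%s' "$hex" | tr -d '[:space:]' | tr 'A-F' 'a-f')
        case "$usage$sel$mtype" in
            [0-3][01][012]) ;;                         # RFC 6698 field ranges
            *) echo "bad TLSA fields: $usage $sel $mtype" >&2; return 1 ;;
        esac
        case "$hex" in
            ''|*[!0-9a-f]*) echo "bad TLSA hex: $hex" >&2; return 1 ;;
        esac
        printf '%s %s %s %s\n' "$usage" "$sel" "$mtype" "$hex"
        rc=0
    done
    return $rc
}

# Check one MX host: fetch _25._tcp.<host> TLSA, insist on the AD bit, then
# let openssl s_client verify the STARTTLS certificate chain against the
# RRset and report which record matched ("Verification: OK" is the goal).
danesmtp_check() {
    host=$1; owner="_25._tcp.$1"
    if ! dig +adflag +noall +comments "$owner" TLSA | grep -q 'flags:.* ad;'; then
        echo "$owner: answer not DNSSEC-authenticated (no AD bit)" >&2
        return 2
    fi
    rrs=$(dig +short "$owner" TLSA | tlsa_normalize) || {
        echo "$owner: no usable TLSA records" >&2; return 2; }
    set --
    while read -r rr; do set -- "$@" -dane_tlsa_rrdata "$rr"; done <<EOF
$rrs
EOF
    openssl s_client -brief -starttls smtp -connect "$host:25" \
        -dane_tlsa_domain "$host" "$@" </dev/null 2>&1 |
        grep -E '^(DANE TLSA|Verification)'
}

# Usage: sh danesmtp_check.sh mx.example.org   (constructed placeholder host)
if [ $# -gt 0 ]; then danesmtp_check "$1"; fi
```

A "DANE TLSA ... matched" line followed by "Verification: OK" means the presented chain satisfies at least one published record; a "Verification error" line, or an exit before openssl runs, is the condition to investigate after a certificate rollover.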