* Viktor Dukhovni <[email protected]> [2015-06-09 21:51]:
> On Tue, Jun 09, 2015 at 09:34:34PM +0200, Sebastian Wiesinger wrote:
>
> > > My inclination is to recommend placing this in the certificate file
> > > itself (PEM certificate files can contain ignored text above the
> > > "-----BEGIN/END...." blocks) as well as a CERT_UPDATE_README file in
> > > the directory containing the certificate file and keys.
> >
> > What would help a lot of people would be a drop-in nagios check which
> > compares TLSA to actual cert. Probably easy to do for connections
> > which start with TLS, not so trivial for STARTTLS types of
> > connections.
>
> STARTTLS is not difficult to test.
>
> We were thinking of having folks sign up for monitoring by sys4.de,
> with the results published via DNS, and nagios can then just do a
> quick DNS lookup.
>
> The advantage of a remote monitoring service, is that it may
> see DNS issues that are only apparent from outside the site's own
> network.

I see that but I would prefer to have my monitoring in-house and not
dependent on external services. What DNS issues with DANE would only
be apparent from the outside? Different views? Even so, I have an
external monitoring point running Nagios for exactly these reasons. :)
So for me a nagios check would be better. But perhaps I'll have some
time and do it myself.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
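
A sketch of the in-house check discussed in this thread, added here as an example; it is not code from the original message or from sys4.de. All function names are hypothetical, and it assumes the TLSA records are passed in as tuples that a DNSSEC-validating resolver has already returned. Only the end-entity usages (1 and 3) are compared against the served certificate.

```python
import hashlib, smtplib, ssl, sys
OK, CRITICAL = 0, 2  # Nagios plugin exit codes

def _tlv(buf, off):  # -> (tag, value_start, end) of the DER element at off
    tag, length, start = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_from_cert(der):
    """Slice SubjectPublicKeyInfo out of a DER certificate."""
    _, off, _ = _tlv(der, 0)    # Certificate
    _, off, _ = _tlv(der, off)  # tbsCertificate
    tag, _, end = _tlv(der, off)
    off = end if tag == 0xA0 else off  # skip optional [0] version
    for _ in range(5):          # serial, sigalg, issuer, validity, subject
        off = _tlv(der, off)[2]
    return der[off:_tlv(der, off)[2]]

def tlsa_data(der, selector, mtype):  # association data per RFC 6698
    blob = der if selector == 0 else spki_from_cert(der)
    if mtype == 0:
        return blob.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).hexdigest()

def check(der, tlsa_rrs):
    """tlsa_rrs: (usage, selector, mtype, hex) tuples; end-entity usages only."""
    for usage, sel, mtype, data in tlsa_rrs:
        if usage in (1, 3) and tlsa_data(der, sel, mtype) == data.lower():
            return OK, f"OK - certificate matches TLSA {usage} {sel} {mtype}"
    return CRITICAL, "CRITICAL - no TLSA record matches the served certificate"

def fetch_smtp_cert(host, port=25):
    """Leaf cert after STARTTLS; PKIX checks off, the TLSA match is the test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)

if __name__ == "__main__":
    d = lambda t, b=b"": bytes([t, len(b)]) + b  # constructed toy DER, not a real cert
    spki = d(0x30, b"constructed-key")
    cert = d(0x30, d(0x30, d(0xA0, d(2, b"\x02")) + d(2, b"\x01") + d(0x30) * 4 + spki))
    code, msg = check(cert, [(3, 1, 1, hashlib.sha256(spki).hexdigest())])
    print(msg)
    sys.exit(code)
```

For a live check, pass the bytes returned by `fetch_smtp_cert()` for the MX host to `check()` together with the TLSA RRset published at `_25._tcp.<mx-host>`.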
