On Sun, Dec 14, 2025 at 01:10:38PM +0700, Xavier Beaudouin via mailop wrote:

> > Unmonitored security is an oxymoron.
> > 
> > https://list.sys4.de/hyperkitty/list/[email protected]/message/6723WDBLPYWSXAORTAJR7EPAIOFAP5N4/
> 
> 
> Yes, you are right, the TLSA was broken. I just fixed it right now and now
> this is ok.
> 
> The issue was because I was forced to regenerate my certificate from
> scratch… and… I didn’t monitor the TLSA record.  Thanks to this
> mailing list that sent me the right tool to check that. Now I’ll have
> to monitor that as well.
> 
> Thanks Viktor for pointing out this thing I forgot to do :)

What you forgot to do was to implement *monitoring*.  Everything else is
just inevitable consequences.  My advice, best not ignored, is to take
care of that first, or else remove the TLSA records until you find time
to do that.

You should also be sure to test that the monitoring notices get through
despite your TLSA records being incorrect; a few operators manage to
send the notifications via an MTA that implements outbound DANE and
relays them via the MTA with the bad TLSA records... unsurprisingly,
that does not work very well.

By "timely" I mean at least every hour, though when monitoring your own
systems every 5 minutes may be a better choice.  If you can send an
SMS notification, rather than email, that may be even better...

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
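One way to implement the check this thread is about, as an added example that is not part of the original messages (Go, standard library only): compute the association data a published TLSA record implies for the certificate the MX actually serves, and alert when they disagree. The self-signed certificate, the key and the record values are constructed for the demonstration; a real monitor would fetch the chain from the MX over STARTTLS and the record from DNS, and only selector 0/1 with matching type 1 (SHA-256) is handled here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)
// TLSA holds the RDATA of one TLSA record (RFC 6698), e.g. "3 1 1 <hex>".
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}
// assocData is the association data a record with this selector must carry for
// cert: selector 0 hashes the whole certificate, 1 only its SubjectPublicKeyInfo.
func assocData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	in := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if in == nil || mtype != 1 {
		return nil, errors.New("unsupported selector or matching type")
	}
	h := sha256.Sum256(in)
	return h[:], nil
}

// Matches reports whether the deployed cert still agrees with the published
// record; a false result is the condition the monitor must alert on.
func (r TLSA) Matches(cert *x509.Certificate) (bool, error) {
	want, err := assocData(cert, r.Selector, r.MatchingType)
	return err == nil && bytes.Equal(want, r.Data), err
}

// newCert is a constructed fixture: a throwaway self-signed cert with a fresh key.
func newCert() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	rec := TLSA{Usage: 3, Selector: 1, MatchingType: 1}
	rec.Data, _ = assocData(newCert(), 1, 1) // what was published for the old cert
	ok, _ := rec.Matches(newCert())          // certificate regenerated from scratch
	println("TLSA record still matches deployed certificate:", ok) // prints false
}
```

Run this check from a host that does not itself depend on the MX under test, so the alert still gets out when the record is wrong.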