Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Terry Burton <tez@terryburton.co.uk> Mon, 10 November 2014 13:13 UTC

On 9 November 2014 03:59, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Sat, Nov 08, 2014 at 08:17:15AM +0100,
>  Olle E. Johansson <oej@edvina.net> wrote
>  a message of 10 lines which said:
>
>> Nagios scripts to monitor DNSsec zones :-)
>
> I was not talking about DNSsec monitoring (I already use it, otherwise
> I would never have deployed DNSsec in production for serious domains)
> but about DANE monitoring: get the TLSA record, open a TLS connection,
> get the certificate, check that it is consistent with what the TLSA
> record announces.

Also, for reference, Swede [1] can be invoked from Nagios as follows:

define command {
        command_name check_tlsa
        # run from the directory holding the trust anchors, then verify the host's TLSA record
        command_line cd [nagios]/etc/swede && [nagios]/bin/swede verify -q $HOSTADDRESS$
}

with dlv.isc.org.key and root.key in [nagios]/etc/swede.


[1] https://github.com/pieterlexis/swede
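The monitoring check Stephane describes (get the TLSA record, open a TLS connection, get the certificate, compare) hinges on the RFC 6698 selector and matching-type comparison. The following is an added example, not code from this thread or from Swede: it implements that comparison plus a Nagios-style OK/CRITICAL verdict over a constructed DER certificate skeleton. The DNS lookup and TLS handshake are assumed to be done elsewhere, and usage 0/2 (chain-based) records are deliberately not evaluated.

```python
import hashlib

def der_elements(body):
    """Split a DER SEQUENCE body into (tag, full_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, hdr = body[pos], body[pos + 1], 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(body[pos + 2:pos + 2 + n], "big")
            hdr += n
        end = pos + hdr + length
        out.append((tag, body[pos:end], body[pos + hdr:end]))
        pos = end
    return out

def spki_from_cert(cert_der):
    """Return the SubjectPublicKeyInfo TLV of an RFC 5280 DER certificate."""
    cert_body = der_elements(cert_der)[0][2]              # Certificate ::= SEQUENCE
    fields = der_elements(der_elements(cert_body)[0][2])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                              # skip optional [0] version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI

def tlsa_matches(cert_der, selector, matching_type, assoc_data):
    """RFC 6698 2.1: selector 0 = full cert, 1 = SPKI; matching type
    0 = exact, 1 = SHA-256, 2 = SHA-512. Unknown values never match."""
    if selector not in (0, 1) or matching_type not in (0, 1, 2):
        return False
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    hashed = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[matching_type](blob)
    return hashed == assoc_data

def check_tlsa(cert_der, records):
    """Nagios-style verdict: 0 (OK) if any end-entity record (usage 1 or 3) matches the
    leaf certificate, else 2 (CRITICAL). Usage 0/2 need the chain and are skipped here."""
    for usage, selector, mtype, data in records:
        if usage in (1, 3) and tlsa_matches(cert_der, selector, mtype, data):
            return 0, "OK: certificate matches TLSA %d %d %d" % (usage, selector, mtype)
    return 2, "CRITICAL: presented certificate matches no TLSA record"

def _der(tag, body):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

# Constructed sample: a structurally valid certificate skeleton, not a real certificate.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")) + _der(0x03, b"\x00" + b"\x01" * 64))
SAMPLE_TBS = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI
SAMPLE_CERT = _der(0x30, _der(0x30, SAMPLE_TBS) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_RECORDS = [(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())]  # a constructed "3 1 1" record

if __name__ == "__main__":
    code, message = check_tlsa(SAMPLE_CERT, SAMPLE_RECORDS)
    print(message)
    raise SystemExit(code)
```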