For a service, several TLSA records can be published (3 1 1, 3 0 1, 3 0 2) at the same time. During a rollover the number of TLSA records doubles, and only half of them are valid. For a TLS connection the server can possess more than one certificate (RSA and EC).
Please extend check_dane so that it can, depending on how it is invoked,
- verify that there is a valid "TLSA 3 1 1" record for a service when the EC certificate is requested,
- verify that there is a valid "TLSA 3 1 1" record for a service when the RSA certificate is requested,
- verify that there is a valid "TLSA 3 0 1" record for a service that uses the EC certificate,
- verify that there is a valid "TLSA 3 0 1" record for a service that uses the RSA certificate,
- verify that there is a valid "TLSA 3 0 2" record for a service that uses the EC certificate,
- verify that there is a valid "TLSA 3 0 2" record for a service that uses the RSA certificate,
- verify the expiration of the RSA certificate,
- verify the expiration of the EC certificate.
The idea is to be able to verify that both the 3 0 1 and the 3 0 2 records are valid, which is currently not possible.
For 3 1 1 there is somewhere a special requirement that it is offered for SMTP:25, but for the same port 3 0 1 and 3 0 2 are not prohibited.
In addition it would be very nice if the same TLS connection were used to verify that the certificate has the Must-Staple extension and that OCSP verifies, so that no further plugins are needed for this and no further TLS connections must be made.
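The checks requested above, as an added worked example (Python, not check_dane's own code): it computes the RFC 6698 certificate association data for selector 0 (full certificate) and 1 (SubjectPublicKeyInfo) with matching type 1 (SHA-256) and 2 (SHA-512), then judges every published "3 S M" record against the one leaf certificate the server presented in this handshake. With a rollover set plus a second key type, only the records for the presented leaf match, so a per-triple verdict (e.g. "is there a valid 3 0 2 for the EC certificate?") falls out directly. The certificates, OIDs and TLSA records below are constructed for the example (junk signatures, hypothetical name mail.example); expiry, Must-Staple and OCSP checking are outside this block.

```python
"""RFC 6698 TLSA matching for the leaf certificate of one TLS handshake.

Added example, not check_dane's own code: every published "3 S M" record
is checked against whichever leaf (EC or RSA) the server presented, so a
rollover set is judged record by record. All certificates are constructed.
"""
import hashlib
from typing import List, Tuple

TlsaRecord = Tuple[int, int, int, bytes]  # (usage, selector, matching type, data)

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        return tag, buf[pos:pos + first], pos + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def spki_der(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (TLSA selector 1). TBSCertificate = SEQ {
    [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ... }"""
    _, cert_body, _ = read_tlv(cert_der, 0)      # Certificate = SEQ { tbs, alg, sig }
    _, tbs_body, _ = read_tlv(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs_body):
        tag, body, pos = read_tlv(tbs_body, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:                     # explicit [0] version present (v2/v3)
        fields = fields[1:]
    tag, body = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der(0x30, body)                       # DER is canonical: re-encoding is exact

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def match_records(cert_der: bytes, records: List[TlsaRecord]) -> List[bool]:
    """One verdict per record. Mid-rollover half are expected False; records
    for the other key type (RSA vs EC) are False for this handshake as well."""
    return [usage == 3 and tlsa_data(cert_der, sel, mt) == data   # DANE-EE(3) only
            for usage, sel, mt, data in records]

def check_mode(cert_der: bytes, records: List[TlsaRecord],
               usage: int, selector: int, mtype: int) -> bool:
    """check_dane-style verdict for one requested triple such as (3, 0, 2):
    OK iff at least one record of exactly that triple matches the leaf."""
    return any(ok for (u, s, m, _), ok in zip(records, match_records(cert_der, records))
               if (u, s, m) == (usage, selector, mtype))

# Constructed sample certificates: junk signatures, only the DER shape matters.
OID_EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
OID_P256 = bytes.fromhex("2a8648ce3d030107")          # prime256v1
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # ecdsa-with-SHA256

def dummy_cert(alg_id: bytes, pubkey: bytes, serial: int) -> bytes:
    name = seq(der(0x31, seq(der(0x06, bytes.fromhex("550403")), der(0x0C, b"mail.example"))))
    validity = seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              seq(der(0x06, OID_ECDSA_SHA256)), name, validity, name,
              seq(alg_id, der(0x03, b"\x00" + pubkey)))
    return seq(tbs, seq(der(0x06, OID_ECDSA_SHA256)), der(0x03, b"\x00" + b"\x55" * 64))

EC_ALG = seq(der(0x06, OID_EC_PUBKEY), der(0x06, OID_P256))
RSA_ALG = seq(der(0x06, OID_RSA), der(0x05, b""))
EC_CERT = dummy_cert(EC_ALG, b"\x04" + b"\x11" * 64, 1)            # live EC leaf
RSA_CERT = dummy_cert(RSA_ALG, seq(der(0x02, b"\x00" + b"\xAA" * 32), der(0x02, b"\x01\x00\x01")), 2)
OLD_EC_CERT = dummy_cert(EC_ALG, b"\x04" + b"\x22" * 64, 3)        # retired EC leaf, records still published

def sample_records() -> List[TlsaRecord]:
    """3 1 1, 3 0 1 and 3 0 2 for both live leafs plus the retired one: 9 records, 3 stale."""
    return [(3, sel, mt, tlsa_data(cert, sel, mt))
            for cert in (EC_CERT, RSA_CERT, OLD_EC_CERT)
            for sel, mt in ((1, 1), (0, 1), (0, 2))]
```

In a real plugin the leaf would come from the handshake (`ssl.SSLSocket.getpeercert(binary_form=True)` after selecting the key type via the offered cipher suites) and the records from a DNSSEC-validated TLSA lookup; `check_mode(leaf, records, 3, sel, mt)` is then the per-invocation verdict, and `match_records` gives the per-record picture that shows which half of a rollover set is stale. Matching type 0 and selector 1 are handled so the same code covers 3 1 0 as well as the three triples named in the request.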