Detect relays that don't update their onion keys every 7 days.
This is related to #20055 (moved) which would be an important thing to monitor for the health and security of the network.
There are multiple things here that can be or should be checked.
The onion-key
field is an RSA key so DocTor will need to keep a persistent database of those over time (only used for TAP handshake).
The ntor-onion-key
field also can be monitored the same as the RSA key.
If the ntor-onion-key-crosscert
field is present, you'll get a timestamp for free in the certificate which should have the exp_field
set to the last published time + 7 days.
In any case, a router SHOULD NOT have either a TAP or ntor onion key more than 7 days as this is hardcoded in Tor. If they do, it could be another implementation but finding them would be good so we can warn/ask them to fix. Or better, detect bugs as well on tor implementation that could keep those for a longer time.