diff --git a/roles/Sharingan/files/monit/checks/domain b/roles/Sharingan/files/monit/checks/domain
new file mode 100644
index 0000000..752e336
--- /dev/null
+++ b/roles/Sharingan/files/monit/checks/domain
@@ -0,0 +1,8 @@
+check program domain-tlsa with path "/etc/monit.d/scripts/check-domain aninix.net tlsa aninix.net-0002"
+ if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical TLSA records do not match -- regenerate and update"
+
+check program domain-sshfp with path "/etc/monit.d/scripts/check-domain aninix.net sshfp"
+ if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical SSHFP records do not match -- regenerate and update"
+
+check program domain-caa with path "/etc/monit.d/scripts/check-domain aninix.net caa"
+ if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CAA record does not match -- regenerate and update"
diff --git a/roles/Sharingan/files/monit/hostdefs/Yggdrasil b/roles/Sharingan/files/monit/hostdefs/Yggdrasil
index 14f12ab..3c3b034 100644
--- a/roles/Sharingan/files/monit/hostdefs/Yggdrasil
+++ b/roles/Sharingan/files/monit/hostdefs/Yggdrasil
@@ -3,3 +3,4 @@ include "/etc/monit.d/checks/watcher-of-watchers"
 include "/etc/monit.d/checks/warrant-canary"
 include "/etc/monit.d/checks/grimoire"
 include "/etc/monit.d/checks/automated_response"
+include "/etc/monit.d/checks/domain"
diff --git a/roles/Sharingan/files/monit/scripts/check-domain b/roles/Sharingan/files/monit/scripts/check-domain
new file mode 100755
index 0000000..365fe29
--- /dev/null
+++ b/roles/Sharingan/files/monit/scripts/check-domain
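Review bot: The trailing argument `aninix.net-0002` on the domain-tlsa line is the only extra parameter among the three checks and nothing in this file says what it is; scripts/check-domain passes it to GenerateTLSA as the identity, while that script's own usage comment names `_443._tcp` instead, so a maintainer could plausibly "correct" it to the record label and silently break the check. A comment above the check would pin it down, e.g. `# check-domain <domain> tlsa <identity> -- identity is the name handed to GenerateTLSA, not the _443._tcp record label`. The three exec messages all say "regenerate and update" without naming what to run, so the reader of the alert has to open the script to act; naming the generator in each message would make the alert self-contained.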
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+source /opt/aninix/Uniglot/Bash/dns.bash
+
+domain="$1"
+
+function checkTLSA() {
+ ### Usage: $0 "${domain}" tlsa _443._tcp
+ identity="$1"
+ git diff --no-index <(GenerateTLSA "${identity}" | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig _443._tcp."${domain}" TLSA +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
+
+}
+
+function checkSSHFP() {
+ git diff --no-index <(GenerateSSHFP | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort) <(dig "${domain}" SSHFP +short | sed 's/\s\+//g' | tr '[[:upper:]]' '[[:lower:]]' | sort)
+}
+
+function checkCAA() {
+ ### Usage: $0 "${domain}" caa
+ caa="$(dig "${domain}" CAA +short)"
+ if [ "$caa" != '128 issue "letsencrypt.org"' ]; then
+ exit 1
+ else
+ exit 0
+ fi
+}
+
+case "$2" in
+ "tlsa") checkTLSA "$3" ;;
+ "sshfp") checkSSHFP ;;
+ "caa") checkCAA ;;
+esac
diff --git a/roles/Sharingan/tasks/eval.yml b/roles/Sharingan/tasks/eval.yml
index 72d2199..9b9e644 100644
--- a/roles/Sharingan/tasks/eval.yml
+++ b/roles/Sharingan/tasks/eval.yml
@@ -3,7 +3,7 @@
 - name: Generate monitoring from inventory
 delegate_to: localhost
 run_once: true
- command: "python3 ../bin/generate-monitoring.py {{ inventory_file }}"
+ command: "../bin/generate-monitoring.py {{ inventory_file }}"
 - name: Sharingan-Eval service copy
 become: yes
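Review bot: The `case "$2"` at the end has no `*)` arm, so an empty or misspelled check name falls through and the script exits 0, which monit reads as healthy; add `*) printf 'check-domain: unknown check %s\n' "$2" >&2; exit 2 ;;` and guard the first argument with `: "${domain:?usage: check-domain <domain> tlsa|sshfp|caa [identity]}"` right after `domain="$1"`. The TLSA and SSHFP checks also pass whenever the two process substitutions agree, including when both are empty — if the `source` of dns.bash fails (there is no `set -e`, so the script continues) or GenerateTLSA/GenerateSSHFP is unavailable while `dig` returns no answer, `git diff --no-index` compares two empty inputs and returns 0, so the generated side should be required to be non-empty before the comparison. Exit codes of `dig` and of the `sed | tr | sort` pipelines inside `<( )` are discarded, so a resolver outage can only show up as a "records do not match" alert rather than a distinct error. The usage comment in checkTLSA says the third argument is `_443._tcp`, but the code and the monit config pass a TLSA identity (`aninix.net-0002`); change it to `### Usage: $0 "${domain}" tlsa <identity>`, and `identity="$1"` should be `local identity="$1"`.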