prosody-modules
d72010642b31
mod_s2s_auth_dane/README.md

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Annotate

mod_s2s_auth_dane/README.md @ 6232:d72010642b31

Merge update
author Trần H. Trung <xmpp:trần.h.trung@trung.fun>
date Fri, 11 Apr 2025 23:19:21 +0700
parent 6221:f315edc39f3d
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 ---
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 labels:
6221
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
3 - Stage-Obsolete
5120
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
4 - Type-S2SAuth
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 summary: S2S authentication using DANE
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 ...
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7
6221
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
8 ::: {.alert .alert-warning}
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
9 This module no longer works with recent versions of Prosody.
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
10
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
11 However, Prosody as of [13.0.0](//prosody.im/doc/release/13.0.0) ships with native support for [DANE](//prosody.im/doc/dnssec).
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
12 :::
f315edc39f3d mod_s2s_auth_dane: Remove because broken, Prosody supports DANE now
Kim Alvefur <zash@zash.se>
parents: 6003
diff changeset
13
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 Introduction
1836
5113f8ff6712 mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
15 ============
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16
1950
f118e419a712 mod_s2s_auth_dane/README: Add missing whitespace
Kim Alvefur <zash@zash.se>
parents: 1838
diff changeset
17 This module implements DANE as described in [Using DNS Security
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 Extensions (DNSSEC) and DNS-based Authentication of Named Entities
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 (DANE) as a Prooftype for XMPP Domain Name
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 Associations](http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype).
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 Dependencies
1836
5113f8ff6712 mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
23 ============
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24
1838
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
25 This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
26 module does not support DNSSEC. Therefore, to use this module, a
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
27 replacement is needed, such as [this
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 one](https://www.zash.se/luaunbound.html).
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29
1838
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
30 LuaSec 0.5 or later is also required.
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 Configuration
1836
5113f8ff6712 mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
33 =============
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
1960
5f68a8928722 mod_s2s_auth_dane/README: Automagic links!
Kim Alvefur <zash@zash.se>
parents: 1950
diff changeset
35 After [installing the module][doc:installing\_modules], just add it to
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 `modules_enabled`;
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 modules_enabled = {
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 ...
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 "s2s_auth_dane";
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 }
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42
1837
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
43 DANE Uses
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
44 ---------
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
45
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
46 By default, only DANE uses are enabled.
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
47
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
48 dane_uses = { "DANE-EE", "DANE-TA" }
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
49
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
50 Use flag Description
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
51 ----------- -------------------------------------------------------------------------------------------------------
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
52 `DANE-EE` Most simple use, usually a fingerprint of the full certificate or public key used the service
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
53 `DANE-TA` Fingerprint of a certificate or public key that has been used to issue the service certificate
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
54 `PKIX-EE` Like `DANE-EE` but the certificate must also pass normal PKIX trust checks (ie standard certificates)
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
55 `PKIX-TA` Like `DANE-TA` but must also pass normal PKIX trust checks (ie standard certificates)
6a3b48eded35 mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents: 1836
diff changeset
56
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 DNS Setup
1836
5113f8ff6712 mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
58 =========
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59
1838
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
60 In order for other services to verify your site using using this plugin,
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
61 you need to publish TLSA records (and they need to have this plugin).
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
62 Here's an example using `DANE-EE Cert SHA2-256` for a host named
1c6d04f012e9 mod_s2s_auth_dane/README: Note about LuaSec
Kim Alvefur <zash@zash.se>
parents: 1837
diff changeset
63 `xmpp.example.com` serving the domain `example.com`.
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65 $ORIGIN example.com.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 ; Your standard SRV record
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67 _xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com.
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68 ; IPv4 and IPv6 addresses
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69 xmpp.example.com. IN A 192.0.2.68
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
70 xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71
2492
63fb612d6ec5 mod_s2s_auth_dane/README: Simplify zone file examlpe
Kim Alvefur <zash@zash.se>
parents: 1965
diff changeset
72 ; The DANE TLSA records.
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73 _5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
2492
63fb612d6ec5 mod_s2s_auth_dane/README: Simplify zone file examlpe
Kim Alvefur <zash@zash.se>
parents: 1965
diff changeset
74
63fb612d6ec5 mod_s2s_auth_dane/README: Simplify zone file examlpe
Kim Alvefur <zash@zash.se>
parents: 1965
diff changeset
75 ; If your zone file tooling does not support TLSA records, you can try the raw binary format:
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
76 _5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
77
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
78 [List of DNSSEC and DANE
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
79 tools](http://www.internetsociety.org/deploy360/dnssec/tools/)
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
80
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
81 Further reading
1836
5113f8ff6712 mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents: 1803
diff changeset
82 ===============
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
83
1965
3d8e2480fae0 mod_s2s_auth_dane/README: DANE Operational Guidance got RFC'd
Kim Alvefur <zash@zash.se>
parents: 1960
diff changeset
84 - [DANE Operational Guidance][rfc7671]
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
85
5120
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
86 # Compatibility
1803
4d73a1a6ba68 Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
diff changeset
87
5120
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
88 version status
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
89 --------- ------------
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
90 trunk broken[^1]
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
91 0.12 broken
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
92 0.11 works
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
93 0.10 works
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
94 0.9 works
3990
daabba8fb45b mod_s2s_auth_dane: It broke :(
Kim Alvefur <zash@zash.se>
parents: 2493
diff changeset
95
3991
eb56e743abe8 mod_s2s_auth_dane: Fix markdown link syntax
Kim Alvefur <zash@zash.se>
parents: 3990
diff changeset
96 **Broken** since [trunk revision 756b8821007a](https://hg.prosody.im/trunk/rev/756b8821007a).
2493
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
97
5120
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
98 # Known issues
2493
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
99
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
100 - A race condition between the DANE lookup and completion of the TLS
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
101 handshake may cause a crash. This does not happen in **trunk**
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
102 thanks to better async support.
a6486881fe42 mod_s2s_auth_dane/README: Mention the race condition in the absence of util.async
Kim Alvefur <zash@zash.se>
parents: 2492
diff changeset
103
5120
83afe4078e6e mod_s2s_auth_dane: Update Compatibility chart (doesn't work anymore)
Kim Alvefur <zash@zash.se>
parents: 3991
diff changeset
104 [^1]: since [756b8821007a](https://hg.prosody.im/trunk/rev/756b8821007a)