mod_s2s_auth_dane/README.md @ 6211:750d64c47ec6 draft default tip

Merge
author Trần H. Trung <xmpp:trần.h.trung@trung.fun>
date Tue, 18 Mar 2025 00:31:36 +0700
parent 6003:fe081789f7b5
---
labels:
- Stage-Broken
- Type-S2SAuth
summary: S2S authentication using DANE
...

Introduction
============

This module implements DANE as described in [Using DNS Security
Extensions (DNSSEC) and DNS-based Authentication of Named Entities
(DANE) as a Prooftype for XMPP Domain Name
Associations](http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype).

Dependencies
============

This module requires a DNSSEC-aware DNS resolver. Prosody's internal DNS
module does not support DNSSEC, so to use this module a replacement
resolver is needed, such as [this one](https://www.zash.se/luaunbound.html).

LuaSec 0.5 or later is also required.

Configuration
=============

After [installing the module][doc:installing\_modules], just add it to
`modules_enabled`:

    modules_enabled = {
        ...
        "s2s_auth_dane";
    }

DANE Uses
---------

By default, only the DANE uses (`DANE-EE` and `DANE-TA`) are enabled:

    dane_uses = { "DANE-EE", "DANE-TA" }

| Use flag  | Description |
|-----------|-------------|
| `DANE-EE` | Simplest use: usually a fingerprint of the full certificate or public key used by the service |
| `DANE-TA` | Fingerprint of a certificate or public key that has been used to issue the service certificate |
| `PKIX-EE` | Like `DANE-EE`, but the certificate must also pass normal PKIX trust checks (i.e. standard certificates) |
| `PKIX-TA` | Like `DANE-TA`, but must also pass normal PKIX trust checks (i.e. standard certificates) |

DNS Setup
=========

In order for other services to verify your site using this plugin, you
need to publish TLSA records (and they need to have this plugin too).
Here's an example using `DANE-EE Cert SHA2-256` (the `3 0 1` in the
record below) for a host named `xmpp.example.com` serving the domain
`example.com`.

    $ORIGIN example.com.
    ; Your standard SRV record
    _xmpp-server._tcp.example.com. IN SRV 0 0 5269 xmpp.example.com.
    ; IPv4 and IPv6 addresses
    xmpp.example.com. IN A 192.0.2.68
    xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

    ; The DANE TLSA records.
    _5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

    ; If your zone file tooling does not support TLSA records, you can try the raw binary format:
    _5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
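The following is an added example (not part of the module) showing how the TLSA RDATA above is built from a certificate, how it maps onto both the `TLSA 3 0 1 ...` presentation form and the `TYPE52 \# 35 ...` generic form, and how a verifier compares a presented certificate against it. The certificate bytes are a constructed placeholder; note that the digest in the zone example above is the SHA-256 of zero bytes, so it must be replaced with the digest of your real DER certificate.

```python
import hashlib
import hmac

TLSA_TYPE = 52  # RR type number assigned to TLSA (RFC 6698)
USAGES = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}


def association_data(matching: int, cert_der: bytes) -> bytes:
    """Matching type 0 = full data, 1 = SHA2-256, 2 = SHA2-512 (RFC 6698 2.1.3)."""
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_rdata(usage: str, selector: int, matching: int, cert_der: bytes) -> bytes:
    """Wire-format RDATA: usage, selector, matching type, association data.
    Only selector 0 (full certificate) is handled; selector 1 would need the
    SubjectPublicKeyInfo extracted from the DER, which is out of scope here."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    return bytes([USAGES[usage], selector, matching]) + association_data(matching, cert_der)


def tlsa_presentation(rdata: bytes) -> str:
    """The 'TLSA 3 0 1 <hex>' form used in the zone file above."""
    return f"TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex().upper()}"


def tlsa_generic(rdata: bytes) -> str:
    """RFC 3597 unknown-type form ('TYPE52 \\# <len> <hex>') for zone tooling without TLSA support."""
    return f"TYPE{TLSA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


def tlsa_matches(rdata: bytes, chain_der: list[bytes]) -> bool:
    """Does a certificate satisfy the record? chain_der[0] is the end-entity
    certificate. The *-EE usages match only that certificate; the *-TA usages
    name a trust anchor, so any certificate in the chain may match. PKIX-*
    usages additionally require normal PKIX validation, which is not done here."""
    usage, selector, matching = rdata[0], rdata[1], rdata[2]
    if selector != 0:
        return False
    candidates = chain_der if usage in (0, 2) else chain_der[:1]
    return any(hmac.compare_digest(rdata[3:], association_data(matching, c)) for c in candidates)


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; a real one comes from the service's TLS handshake.
    fake_cert = b"\x30\x82\x01\x00constructed-der-placeholder"
    rd = tlsa_rdata("DANE-EE", 0, 1, fake_cert)
    print("_5269._tcp.xmpp.example.com. 300 IN", tlsa_presentation(rd))
    print("_5269._tcp.xmpp.example.com. 300 IN", tlsa_generic(rd))
    print("matches:", tlsa_matches(rd, [fake_cert]))
```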
71
[List of DNSSEC and DANE
tools](http://www.internetsociety.org/deploy360/dnssec/tools/)
74
Further reading
===============

- [DANE Operational Guidance][rfc7671]

# Compatibility

| version | status     |
|---------|------------|
| trunk   | broken[^1] |
| 0.12    | broken     |
| 0.11    | works      |
| 0.10    | works      |
| 0.9     | works      |

**Broken** since [trunk revision 756b8821007a](https://hg.prosody.im/trunk/rev/756b8821007a).

# Known issues

- A race condition between the DANE lookup and completion of the TLS
  handshake may cause a crash. This does not happen in **trunk**
  thanks to better async support.

[^1]: since [756b8821007a](https://hg.prosody.im/trunk/rev/756b8821007a)