1786
|
1 |
#summary S2S authentication using DANE |
|
2 |
#labels Stage-Alpha,Type-S2SAuth |
|
3 |
|
|
4 |
= Introduction = |
|
5 |
|
|
6 |
This module implements DANE as described in |
|
7 |
[http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations]. |
|
8 |
|
|
9 |
= Dependencies = |
|
10 |
|
|
11 |
This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS |
|
12 |
module does not support DNSSEC. Therefore, to use this module, a |
|
13 |
replacement is needed, such as [https://www.zash.se/luaunbound.html this one]. |
|
14 |
|
|
15 |
More installation instructions can be found at [https://www.zash.se/prosody-dane.html Prosody with DANE]. |
|
16 |
|
|
17 |
= Configuration = |
|
18 |
|
|
19 |
After [https://prosody.im/doc/installing_modules installing the module], just add it to `modules_enabled`; |
|
20 |
|
|
21 |
{{{ |
|
22 |
modules_enabled = { |
|
23 |
... |
|
24 |
"s2s_auth_dane"; |
|
25 |
} |
|
26 |
}}} |
|
27 |
|
|
28 |
= DNS Setup = |
|
29 |
|
|
30 |
In order for other services to verify your site using using this plugin, |
|
31 |
you need to publish TLSA records (and they need to have this plugin). |
|
32 |
Here's an example using "DANE-EE Cert SHA2-256" for a host named |
|
33 |
xmpp.example.com serving the domain example.com. |
|
34 |
|
|
35 |
{{{ |
|
36 |
$ORIGIN example.com. |
|
37 |
; Your standard SRV record |
|
38 |
_xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com. |
|
39 |
; IPv4 and IPv6 addresses |
|
40 |
xmpp.example.com. IN A 192.0.2.68 |
|
41 |
xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341 |
|
42 |
|
|
43 |
; The DANE TLSA records. These three are equivalent, you would use only one of them. |
|
44 |
; First, using symbolic names: |
|
45 |
_5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
46 |
; Using numbers: |
|
47 |
_5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
48 |
; Raw binary format, should work even with very old DNS tools: |
|
49 |
_5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
50 |
}}} |
|
51 |
|
|
52 |
[http://www.internetsociety.org/deploy360/dnssec/tools/ List of DNSSEC and DANE tools] |
|
53 |
|
|
54 |
= Further reading = |
|
55 |
|
|
56 |
* [http://tools.ietf.org/html/draft-ietf-dane-ops DANE TLSA implementation and operational guidance] |
|
57 |
|
|
58 |
= Compatibility = |
|
59 |
|
|
60 |
Requires 0.9 or above. |