author | Kim Alvefur <zash@zash.se> |
Wed, 09 Sep 2015 17:00:41 +0200 | |
changeset 1841 | 6a3b48eded35 |
parent 1840 | 5113f8ff6712 |
child 1842 | 1c6d04f012e9 |
permissions | -rw-r--r-- |
1807 | 1 |
--- |
2 |
labels: |
|
3 |
- 'Stage-Alpha' |
|
4 |
- 'Type-S2SAuth' |
|
5 |
summary: S2S authentication using DANE |
|
6 |
... |
|
7 |
||
8 |
Introduction |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
9 |
============ |
1807 | 10 |
|
11 |
This module implements DANE as described in[Using DNS Security |
|
12 |
Extensions (DNSSEC) and DNS-based Authentication of Named Entities |
|
13 |
(DANE) as a Prooftype for XMPP Domain Name |
|
14 |
Associations](http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype). |
|
15 |
||
16 |
Dependencies |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
17 |
============ |
1807 | 18 |
|
19 |
This module requires a DNSSEC aware DNS resolver. Prosodys internal |
|
20 |
DNSmodule does not support DNSSEC. Therefore, to use this module, |
|
21 |
areplacement is needed, such as [this |
|
22 |
one](https://www.zash.se/luaunbound.html). |
|
23 |
||
24 |
More installation instructions can be found at [Prosody with |
|
25 |
DANE](https://www.zash.se/prosody-dane.html). |
|
26 |
||
27 |
Configuration |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
28 |
============= |
1807 | 29 |
|
30 |
After [installing the |
|
31 |
module](https://prosody.im/doc/installing_modules), just add it to |
|
32 |
`modules_enabled`; |
|
33 |
||
34 |
modules_enabled = { |
|
35 |
... |
|
36 |
"s2s_auth_dane"; |
|
37 |
} |
|
38 |
||
1841
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
39 |
DANE Uses |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
40 |
--------- |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
41 |
|
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
42 |
By default, only DANE uses are enabled. |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
43 |
|
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
44 |
dane_uses = { "DANE-EE", "DANE-TA" } |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
45 |
|
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
46 |
Use flag Description |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
47 |
----------- ------------------------------------------------------------------------------------------------------- |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
48 |
`DANE-EE` Most simple use, usually a fingerprint of the full certificate or public key used the service |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
49 |
`DANE-TA` Fingerprint of a certificate or public key that has been used to issue the service certificate |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
50 |
`PKIX-EE` Like `DANE-EE` but the certificate must also pass normal PKIX trust checks (ie standard certificates) |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
51 |
`PKIX-TA` Like `DANE-TA` but must also pass normal PKIX trust checks (ie standard certificates) |
6a3b48eded35
mod_s2s_auth_dane/README: Describe DANE uses
Kim Alvefur <zash@zash.se>
parents:
1840
diff
changeset
|
52 |
|
1807 | 53 |
DNS Setup |
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
54 |
========= |
1807 | 55 |
|
56 |
In order for other services to verify your site using using this |
|
57 |
plugin,you need to publish TLSA records (and they need to have this |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
58 |
plugin). Here's an example using `DANE-EE Cert SHA2-256` for a host |
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
59 |
named `xmpp.example.com` serving the domain `example.com`. |
1807 | 60 |
|
61 |
$ORIGIN example.com. |
|
62 |
; Your standard SRV record |
|
63 |
_xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com. |
|
64 |
; IPv4 and IPv6 addresses |
|
65 |
xmpp.example.com. IN A 192.0.2.68 |
|
66 |
xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341 |
|
67 |
||
68 |
; The DANE TLSA records. These three are equivalent, you would use only one of them. |
|
69 |
; First, using symbolic names: |
|
70 |
_5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
71 |
; Using numbers: |
|
72 |
_5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
73 |
; Raw binary format, should work even with very old DNS tools: |
|
74 |
_5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
|
75 |
||
76 |
[List of DNSSEC and DANE |
|
77 |
tools](http://www.internetsociety.org/deploy360/dnssec/tools/) |
|
78 |
||
79 |
Further reading |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
80 |
=============== |
1807 | 81 |
|
82 |
- [DANE TLSA implementation and operational |
|
83 |
guidance](http://tools.ietf.org/html/draft-ietf-dane-ops) |
|
84 |
||
85 |
Compatibility |
|
1840
5113f8ff6712
mod_s2s_auth_dane/README: Bump heading levels (modules.prosody.im decreases them one step) and fix some missing spaces
Kim Alvefur <zash@zash.se>
parents:
1807
diff
changeset
|
86 |
============= |
1807 | 87 |
|
88 |
Requires 0.9 or above. |