mod_s2s_auth_dane/README.markdown
author Kim Alvefur <zash@zash.se>
Wed, 09 Sep 2015 17:00:41 +0200
changeset 1841 6a3b48eded35
parent 1840 5113f8ff6712
child 1842 1c6d04f012e9
permissions -rw-r--r--
mod_s2s_auth_dane/README: Describe DANE uses
---
labels:
- 'Stage-Alpha'
- 'Type-S2SAuth'
summary: S2S authentication using DANE
...

Introduction
============

This module implements DANE as described in [Using DNS Security
Extensions (DNSSEC) and DNS-based Authentication of Named Entities
(DANE) as a Prooftype for XMPP Domain Name
Associations](http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype).

Dependencies
============

This module requires a DNSSEC-aware DNS resolver. Prosody's internal
DNS module does not support DNSSEC. Therefore, to use this module,
a replacement is needed, such as [this
one](https://www.zash.se/luaunbound.html).

More installation instructions can be found at [Prosody with
DANE](https://www.zash.se/prosody-dane.html).

Configuration
=============

After [installing the
module](https://prosody.im/doc/installing_modules), just add it to
`modules_enabled`:

    modules_enabled = {
     ...
     "s2s_auth_dane";
    }

DANE Uses
---------

By default, only the DANE uses are enabled:

    dane_uses = { "DANE-EE", "DANE-TA" }

  Use flag    Description
  ----------- -------------------------------------------------------------------------------------------------------
  `DANE-EE`   Simplest use: usually a fingerprint of the full certificate or public key used by the service
  `DANE-TA`   Fingerprint of a certificate or public key that has been used to issue the service certificate
  `PKIX-EE`   Like `DANE-EE`, but the certificate must also pass normal PKIX trust checks (i.e. standard certificates)
  `PKIX-TA`   Like `DANE-TA`, but the certificate must also pass normal PKIX trust checks (i.e. standard certificates)

DNS Setup
=========

In order for other services to verify your site using this
plugin, you need to publish TLSA records (and they need to have this
plugin). Here's an example using `DANE-EE Cert SHA2-256` for a host
named `xmpp.example.com` serving the domain `example.com`.

    $ORIGIN example.com.
    ; Your standard SRV record (note the trailing dot: the name is absolute)
    _xmpp-server._tcp.example.com. IN SRV 0 0 5269 xmpp.example.com.
    ; IPv4 and IPv6 addresses
    xmpp.example.com. IN A 192.0.2.68
    xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

    ; The DANE TLSA records.  These three are equivalent; you would use only one of them.
    ; First, using symbolic names:
    _5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Using numbers:
    _5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Raw binary format, should work even with very old DNS tools:
    _5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

[List of DNSSEC and DANE
tools](http://www.internetsociety.org/deploy360/dnssec/tools/)
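
The field encoding behind the uses table and the zone example above, as an added Python example that is not part of this module or its README: it builds TLSA RDATA from the DER bytes a selector picks, parses the symbolic, numeric and generic (`\# length hex`) spellings, renders them back, and checks that the three records above decode to identical bytes. All function names are my own; the only page values used are the three record strings.

```python
import hashlib
# RFC 7218 mnemonics for the three TLSA fields (RFC 6698 section 2.1).
USAGE = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTOR = {"Cert": 0, "SPKI": 1}
MATCHING = {"Full": 0, "SHA2-256": 1, "SHA2-512": 2}
_BY_VALUE = [{v: k for k, v in t.items()} for t in (USAGE, SELECTOR, MATCHING)]
_HASH = {1: hashlib.sha256, 2: hashlib.sha512}

def _field(text, table):  # accept a mnemonic or its numeric value
    return table[text] if text in table else int(text)

def tlsa_rdata(usage, selector, matching, selected_der):
    """RDATA = usage, selector, matching type, then the association data
    derived from the DER bytes the selector picks (full cert or SPKI)."""
    u, s, m = _field(usage, USAGE), _field(selector, SELECTOR), _field(matching, MATCHING)
    data = selected_der if m == 0 else _HASH[m](selected_der).digest()
    return bytes([u, s, m]) + data

def parse_presentation(text):
    """Parse 'DANE-EE Cert SHA2-256 <hex>' or '3 0 1 <hex>' into RDATA bytes."""
    u, s, m, *hexparts = text.split()
    fields = [_field(u, USAGE), _field(s, SELECTOR), _field(m, MATCHING)]
    return bytes(fields) + bytes.fromhex("".join(hexparts))

def parse_generic(text):
    r"""Parse the RFC 3597 unknown-type form '\# <length> <hex>' (the TYPE52 line)."""
    marker, length, *hexparts = text.split()
    raw = bytes.fromhex("".join(hexparts))
    if marker != r"\#" or len(raw) != int(length):
        raise ValueError("malformed generic RDATA (bad marker or length field)")
    return raw

def to_presentation(rdata, symbolic=True):
    """Render RDATA back to the symbolic (or numeric) zone-file form."""
    fields = [_BY_VALUE[i][b] if symbolic else str(b) for i, b in enumerate(rdata[:3])]
    return " ".join(fields + [rdata[3:].hex().upper()])

def matches(rdata, selected_der):
    """Verifier side: does the presented cert/SPKI satisfy this TLSA record?"""
    return rdata[3:] == tlsa_rdata(rdata[0], rdata[1], rdata[2], selected_der)[3:]

# The three equivalent records from the zone example above, quoted as strings.
PAGE_DIGEST = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"
PAGE_FORMS = ("DANE-EE Cert SHA2-256 " + PAGE_DIGEST, "3 0 1 " + PAGE_DIGEST)
PAGE_GENERIC = r"\# 35 030001" + PAGE_DIGEST

def page_forms_agree():
    """True when the symbolic, numeric and generic spellings decode to identical RDATA."""
    return {parse_presentation(f) for f in PAGE_FORMS} == {parse_generic(PAGE_GENERIC)}
```

Feed `tlsa_rdata` the DER of your own certificate (`openssl x509 -outform DER`) to obtain the record to publish; `matches` is the check a verifier performs against the certificate presented in the TLS handshake.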
Further reading
===============

-   [DANE TLSA implementation and operational
    guidance](http://tools.ietf.org/html/draft-ietf-dane-ops)

Compatibility
=============

Requires Prosody 0.9 or above.