[Members] XMPP and DNSSEC

Simon Tennant simon at buddycloud.com
Fri Jan 17 08:47:03 UTC 2014


DNSSEC has the potential to help solve a lot of problems for the XMPP
network.

Unfortunately it's not very well supported by servers.

Problem:

   - s2s connections blindly trust DNS for a peer's authenticity (via
   dialback)
   - multi-tenant XMPP hosting + security isn't possible

DNSSEC + DANE explained:

   - DNSSEC for secure delegation plus DANE for identity verification
   solves the problem neatly and is the preferred long-term solution
   - https://www.youtube.com/watch?v=emDxUQl1NvA

Missing Pieces in the DNSSEC puzzle:

   - highlight the problem for operators: xmpp.net test for sites that
   accept invalid certificates (
   https://bitbucket.org/xnyhps/xmppoke/issue/12/test-for-rejecting-invalid-certificates
   )
   - good documentation to solve the problem: I asked Shumon to help and
   he's written up a great guide for how to add DNSSEC to your domain
   http://wiki.xmpp.org/web/Securing_DNS Thanks @shumon!
   - Servers that check against DNSSEC / implement DANE.

Current server landscape (happy to be corrected):

   - Prosody has support for "DANE Lite". Zash describes it as "This isn't
   using TLSA, just SRV records with DNSSEC. I'd like to call it DANE Light
   or somesuch."
   - Tigase looks like they are thinking about DNSSEC:
   https://projects.tigase.org/issues/1626
   - Ejabberd: can anyone comment?
   - Openfire: can anyone comment?
   - Other implementations?

Question:

   - How do we help developers to build DNSSEC support into XMPP servers?
   - How do we help operators deploy with DNSSEC?


S.
-- 
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
goo.gl/tQgxP
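The third missing piece in the list above (servers that check against DNSSEC and implement DANE) is where the s2s dialback trust problem actually gets closed: the receiving server compares the peer's TLS certificate against a TLSA record that was itself obtained through a DNSSEC-validated lookup. The block below is an added illustration of that check, not code from this post, from Prosody, Tigase or any other XMPP server. It implements DANE-EE (TLSA usage 3, RFC 6698) matching for selectors 0/1 and matching types 0/1/2, with a minimal DER walker to pull the SubjectPublicKeyInfo out of a certificate. The certificate and the TLSA records are constructed sample data; the `dnssec_secure` flag stands in for the AD status a validating resolver would return, and the `TLSA` dataclass, `dane_ee_accepts` and all helper names are assumptions of this example.

```python
"""DANE-EE (TLSA usage 3) matching for an XMPP s2s peer certificate.

Added example, not code from the mailing list post or any XMPP server.
The caller is assumed to have fetched the TLSA records over a DNSSEC-
validated lookup (RFC 7671/7673) and to pass in that AD status; the
certificate and records below are constructed, not real.
"""
import hashlib
from dataclasses import dataclass

# --- minimal DER helpers (enough to walk an X.509 Certificate) --------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, end) with end past the TLV."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        start, length = pos + 2, first
    else:
        nb = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nb], "big")
        start = pos + 2 + nb
    return tag, data[start:start + length], start + length

def der_children(content: bytes):
    """Split a constructed value into (tag, raw_tlv_bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (TLSA selector 1) of a certificate."""
    _, cert_body, _ = der_read(cert_der)   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs_body, _ = der_read(cert_body)   # tbsCertificate is the first element
    fields = der_children(tbs_body)
    # TBSCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...
    skip = 1 if fields[0][0] == 0xA0 else 0
    return fields[skip + 5][1]

# --- TLSA matching (RFC 6698) ----------------------------------------------

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    payload = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return payload
    if matching == 1:
        return hashlib.sha256(payload).digest()
    if matching == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {matching}")

def dane_ee_accepts(records, cert_der: bytes, dnssec_secure: bool) -> bool:
    """True if a DANE-EE record pins this end-entity certificate.

    Only usage 3 is decided here; usages 0-2 additionally need PKIX or
    trust-anchor chain validation. Records that did not come back with
    DNSSEC validation are ignored: an unsigned TLSA answer is exactly what
    a spoofed DNS reply would carry.
    """
    if not dnssec_secure:
        return False
    return any(
        r.usage == 3 and association_data(cert_der, r.selector, r.matching) == r.data
        for r in records
    )

# --- constructed sample data ------------------------------------------------

SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
                      + der_tlv(0x03, b"\x00" + b"not-a-real-public-key"))

def build_sample_cert(spki: bytes) -> bytes:
    """Structurally valid but meaningless Certificate wrapping the given SPKI."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),  # [0] version v3
        der_tlv(0x02, b"\x01"),                 # serialNumber
        der_tlv(0x30, b""),                     # signature algorithm (placeholder)
        der_tlv(0x30, b""),                     # issuer (placeholder)
        der_tlv(0x30, b""),                     # validity (placeholder)
        der_tlv(0x30, b""),                     # subject (placeholder)
        spki,
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)
# "3 1 1" as an operator would publish it for _xmpp-server._tcp.<host> (constructed)
GOOD_RECORD = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())
FULL_CERT_RECORD = TLSA(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest())   # "3 0 1"
STALE_RECORD = TLSA(3, 1, 1, hashlib.sha256(b"rotated-away-key").digest())
PKIX_EE_RECORD = TLSA(1, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())     # needs PKIX too

if __name__ == "__main__":
    print(dane_ee_accepts([GOOD_RECORD], SAMPLE_CERT, dnssec_secure=True))   # True
    print(dane_ee_accepts([STALE_RECORD], SAMPLE_CERT, dnssec_secure=True))  # False
    print(dane_ee_accepts([GOOD_RECORD], SAMPLE_CERT, dnssec_secure=False))  # False
```

The `dnssec_secure` gate is the point of the whole thread: a TLSA match against an unvalidated answer proves nothing, which is also why "DANE Lite" (DNSSEC-signed SRV, no TLSA) is only a partial step. A server that wants to accept usage 0-2 records has to add the PKIX or trust-anchor chain checks that this function deliberately leaves out.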