[Members] XMPP and DNSSEC
simon at buddycloud.com
Fri Jan 17 08:47:03 UTC 2014
DNSSEC has the potential to help solve a lot of problems for the XMPP
Unfortunately it's not very well supported by servers.
- s2s connections blindly trust DNS for a peer's authenticity (via
- multi-tenant XMPP hosting + security isn't possible
DNSSEC + DANE explained:
- DNSSEC is for secure delegation plus DANE for identity verification
solves the problem neatly and is the preferred long-term solution
Missing Pieces in the DNSSEC puzzle:
- highlight the problem for operators: xmpp.net test for sites that
accept invalid certificates (
- good documentation to solve the problem: I asked Shumon to help and
he's written up a great guide for how to add DNSSEC to your domain
http://wiki.xmpp.org/web/Securing_DNS Thanks @shumon!
- Servers that check against DNSSEC / implement DANE.
Current server landscape (happy to be corrected):
- Prosody has support for "DANE Lite". Zash describes it as "This isn't
using TLSA, just SRV records with DNSSEC. I'd like to call it DANE Light
- Tigase looks like they are thinking about DNSSEC:
- Ejabberd: can anyone comment?
- Openfire: can anyone comment?
- Other implementations?
- How do we help developers to build DNSSEC support into XMPP servers?
- How do we help operators deploy with DNSSEC?
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
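
Added example (not part of the message above and not any server's own code): a Python model of the two checks the message contrasts, SRV-with-DNSSEC name acceptance and a TLSA pin match, applied to a multi-tenant hosting case. The class and function names, the example domains and the placeholder certificate bytes are all hypothetical; it assumes the resolver reports DNSSEC validation status, that the TLSA records passed in were themselves validated, and it omits CA chain checks.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class SrvAnswer:
    target: str          # host named by _xmpp-server._tcp.<domain>
    authenticated: bool  # True only if the resolver validated the DNSSEC chain

@dataclass
class Tlsa:
    usage: int      # 3 = DANE-EE, pins the server's own certificate
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def reference_names(domain, srv):
    """Names the peer certificate may match for an s2s link to `domain`."""
    names = {domain.lower()}
    # SRV-with-DNSSEC: the SRV target counts as an identity only when the
    # answer was validated; an unsigned answer proves nothing about the peer.
    if srv.authenticated:
        names.add(srv.target.rstrip(".").lower())
    return names

def tlsa_matches(rec, cert_der, spki_der):
    """Check a usage-3 TLSA record against the presented certificate."""
    if rec.usage != 3:
        return False  # other usages need chain validation, not modelled here
    blob = {0: cert_der, 1: spki_der}.get(rec.selector)
    if blob is None:
        return False
    if rec.mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif rec.mtype == 2:
        blob = hashlib.sha512(blob).digest()
    elif rec.mtype != 0:
        return False
    return blob == rec.data

def peer_accepted(domain, srv, cert_names, tlsa_records, cert_der, spki_der):
    """Accept on a validated TLSA pin, else on a name match (CA checks omitted)."""
    if srv.authenticated and any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
        return True
    return bool(reference_names(domain, srv) & {n.lower() for n in cert_names})

# Constructed sample data: placeholder bytes stand in for real DER encodings.
CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"
PIN = Tlsa(3, 1, 1, hashlib.sha256(SPKI).digest())
```

With a validated SRV answer the hosting provider's certificate is acceptable for the customer's domain; with an unvalidated one, only a certificate for the customer's own domain is.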