[Members] XMPP and DNSSEC
Simon Tennant
simon at buddycloud.com
Fri Jan 17 08:47:03 UTC 2014
DNSSEC has the potential to help solve a lot of problems for the XMPP
network.
Unfortunately it's not very well supported by servers.
Problem:
- s2s connections blindly trust DNS for a peer's authenticity (via
dialback)
- multi-tenant XMPP hosting + security isn't possible
DNSSEC + DANE explained:
- DNSSEC is for secure delegation plus DANE for identity verification
solves the problem neatly and is the preferred long-term solution
- https://www.youtube.com/watch?v=emDxUQl1NvA
Missing Pieces in the DNSSEC puzzle:
- highlight the problem for operators: xmpp.net test for sites that
accept invalid certificates (
https://bitbucket.org/xnyhps/xmppoke/issue/12/test-for-rejecting-invalid-certificates
)
- good documentation to solve the problem: I asked Shumon to help and
he's written up a great guide for how to add DNSSEC to your domain
http://wiki.xmpp.org/web/Securing_DNS Thanks @shumon!
- Servers that check against DNSSEC / implement DANE.
Current server landscape (happy to be corrected):
- Prosody has support for "DANE Lite" Zash describes it as "This isn't
using TLSA, just SRV records with DNSSEC. I'd like to call it DANE Light
or somesuch."
- Tigase looks like they are thinking about DNSSEC:
https://projects.tigase.org/issues/1626
- Ejabberd: can anyone comment?
- Openfire: can anyone comment?
- Other implementations?
Question:
- How do we help developers to build DNSSEC support into XMPP servers?
- How do we help operators deploy with DNSSEC?
S.
--
Simon Tennant | buddycloud.com | +49 17 8545 0880 | office hours:
goo.gl/tQgxP
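The message above contrasts "DANE Light" (DNSSEC-signed SRV records only) with full DANE, where the peer's certificate is checked against a TLSA record. The following Go program is an added example for this page, not code from Simon's message or from any of the servers named above; it shows both halves of the TLSA step an XMPP server would implement: the operator side (deriving the record to publish under `_5269._tcp.<srv-target>`) and the verifying side (matching the certificate presented in the TLS handshake against that record). The host name `xmpp.example.com` and the self-signed certificate are constructed in memory for the example; only usage 3 (DANE-EE) is implemented, since usages 0-2 additionally need PKIX chain validation, which the example leaves out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one RFC 6698 record: usage, selector, matching type, association data.
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// TLSAName is the owner name a DANE-aware server queries for a peer's SRV
// target, e.g. _5269._tcp.xmpp.example.com. for the s2s port.
func TLSAName(port int, srvTarget string) string {
	return fmt.Sprintf("_%d._tcp.%s", port, srvTarget)
}

// association applies selector (0 = full DER cert, 1 = SubjectPublicKeyInfo)
// and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512) to a certificate.
func association(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var in []byte
	switch selector {
	case 0:
		in = cert.Raw
	case 1:
		in = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unknown TLSA selector %d", selector)
	}
	switch matching {
	case 0:
		return in, nil
	case 1:
		sum := sha256.Sum256(in)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(in)
		return sum[:], nil
	}
	return nil, fmt.Errorf("unknown TLSA matching type %d", matching)
}

// RecordFor is the operator side: the record to publish for cert.
func RecordFor(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data, err := association(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, nil
}

// MatchesTLSA is the verifying side: does the end-entity certificate from the
// TLS handshake match the (DNSSEC-validated) record? Only usage 3 (DANE-EE)
// is handled here; with DANE-EE the signed record is itself the trust anchor,
// which is what makes it fit the self-signed certs common on XMPP s2s.
func MatchesTLSA(cert *x509.Certificate, rec TLSA) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("usage %d not handled in this example", rec.Usage)
	}
	got, err := association(cert, rec.Selector, rec.Matching)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, rec.Data), nil
}

// selfSignedCert stands in for a server's s2s certificate (constructed
// in memory for the example; no real domain is involved).
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedCert("xmpp.example.com")
	if err != nil {
		panic(err)
	}
	rec, _ := RecordFor(cert, 3, 1, 1) // DANE-EE, SPKI, SHA-256: the usual choice
	fmt.Printf("%s IN TLSA %d %d %d %s\n", TLSAName(5269, "xmpp.example.com."),
		rec.Usage, rec.Selector, rec.Matching, hex.EncodeToString(rec.Data))
	ok, _ := MatchesTLSA(cert, rec)
	fmt.Println("peer certificate matches published TLSA record:", ok)
}
```

Two things the code makes concrete that the list above only names: selector 1 (SPKI) lets an operator renew a certificate without touching DNS as long as the key is kept, and the check is only meaningful if the TLSA lookup itself returned with the AD bit set from a validating resolver, otherwise an attacker who can spoof DNS can also spoof the record, which is exactly the dialback trust problem the message starts from.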