[Members] XMPP and DNSSEC

Kim Alvefur zash at zash.se
Fri Jan 17 13:05:00 UTC 2014


On 2014-01-17 09:47, Simon Tennant wrote:
> Missing Pieces in the DNSSEC puzzle:
>   * highlight the problem for operators: xmpp.net test
>     for sites that accept invalid certificates
>     (https://bitbucket.org/xnyhps/xmppoke/issue/12/test-for-rejecting-invalid-certificates)
>   * good documentation to solve the problem: I asked Shumon to help and
>     he's written up a great guide for how to add DNSSEC to your
>     domain http://wiki.xmpp.org/web/Securing_DNS Thanks @shumon! 
>   * Servers that check against DNSSEC / implement DANE.

I would like to add that validating incoming connections is somewhat
trickier than outgoing connections.  When you are connecting to someone,
you're doing SRV and other DNS lookups.  For the Secure Delegation using
DNS SRV case, you then already have the response and can keep it around
until you validate the certificate.  For an incoming connection, you
don't do any DNS lookups, and you might not know where you should direct
them.  For DANE, you need to know SRV target and port, but you don't.

> Current server landscape (happy to be corrected):
>   * Prosody has support for "DANE Lite" Zash describes it as "This
>     isn't using TLSA, just SRV records with DNSSEC.  I'd like to
>     call it DANE Light or somesuch."


I wrote an FFI binding to libunbound¹ together with a drop-in
replacement for Prosody's internal DNS library.  It is not shipped with
Prosody and requires additional dependencies.

Then there's a plugin, mod_s2s_auth_dnssec_srv², that can use the
DNSSEC validation status on the SRV record and check the certificate
against the SRV target name.  This part is what I called "DANE Light",
as "Secure Delegation using DNS SRV" gets a bit long.  DNSSEC-SRV might
work too.

And then there's another, more recent, plugin, that is a partial DANE
implementation³.  Both these plugins currently only work in one direction.

¹ http://code.zash.se/luaunbound/file/tip/README.markdown
² http://code.google.com/p/prosody-modules/wiki/mod_s2s_auth_dnssec_srv
³ http://code.google.com/p/prosody-modules/wiki/mod_s2s_auth_dane

Kim "Zash" Alvefur
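
Added example, not part of the original message and not code from Prosody or mod_s2s_auth_dnssec_srv: a sketch of the "Secure Delegation using DNS SRV" check described above, where SRV targets become acceptable certificate names only when the SRV answer was DNSSEC-validated. All names (`SrvAnswer`, `reference_names`, `cert_valid_for`) and the sample domains are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvAnswer:
    """One SRV lookup result, kept around until the certificate is checked."""
    targets: tuple   # SRV target host names
    secure: bool     # True only if the resolver DNSSEC-validated the answer

def reference_names(domain, srv):
    """Names a peer certificate may be checked against for `domain`."""
    names = {domain.lower().rstrip(".")}
    # An unsigned SRV answer can be spoofed, so its targets must never
    # widen the set of acceptable certificate names.
    if srv is not None and srv.secure:
        names.update(t.lower().rstrip(".") for t in srv.targets if t != ".")
    return names

def name_matches(pattern, name):
    """dNSName match; a wildcard is allowed only as the whole left-most label."""
    p, n = pattern.lower().rstrip(".").split("."), name.split(".")
    if len(p) != len(n):
        return False
    return (p[0] == "*" or p[0] == n[0]) and p[1:] == n[1:]

def cert_valid_for(domain, srv, cert_dns_names):
    """True if any certificate dNSName matches an acceptable reference name."""
    refs = reference_names(domain, srv)
    return any(name_matches(c, r) for c in cert_dns_names for r in refs)

# Constructed sample: example.org delegates XMPP to a hosting provider whose
# certificate only names the provider's own host.
SIGNED = SrvAnswer(("xmpp.hosting.example.",), secure=True)
UNSIGNED = SrvAnswer(("xmpp.hosting.example.",), secure=False)
HOSTER_CERT = ["xmpp.hosting.example"]

if __name__ == "__main__":
    print(cert_valid_for("example.org", SIGNED, HOSTER_CERT))    # delegation trusted
    print(cert_valid_for("example.org", UNSIGNED, HOSTER_CERT))  # delegation ignored
```

For an incoming connection no `SrvAnswer` exists yet, which is the asymmetry the message points out: the receiving side would first have to perform the lookup for the domain the peer claims.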

