[Operators] debian.org XMPP - using DANE / TLSA?
zash at zash.se
Thu Oct 29 02:29:49 UTC 2015
On 2015-10-28 22:32, Daniel Pocock wrote:
> We are just reviewing the final configuration before announcing
> debian.org XMPP
> Can anybody comment on DANE / TLSA? Should we only talk to servers
> supporting this?
I'm all for encouraging DANE deployment, but it might be a bit early to
only talk to DANE-enabled servers. By which I mean having a cert not
signed by a commonly trusted CA and only relying on DNSSEC for
validation of other servers' certificates, not even doing Dialback. I
know of a total of 4 servers (including my own) that you could talk to then.

But there is actually quite a number of DNSSEC-signed domains with TLSA
records published out there, judging by the ones that have been
submitted to xmpp.net for testing (since the disk crash). So only
talking to hosts with valid and matching TLSA records would not be too

Kim "Zash" Alvefur