[Operators] debian.org XMPP - using DANE / TLSA?

Kim Alvefur zash at zash.se
Thu Oct 29 02:29:49 UTC 2015


On 2015-10-28 22:32, Daniel Pocock wrote:
> We are just reviewing the final configuration before announcing
> debian.org XMPP

Nice!

> Can anybody comment on DANE / TLSA?  Should we only talk to servers
> supporting this?

I'm all for encouraging DANE deployment, but it might be a bit early to
only talk to DANE-enabled servers.  By which I mean having a cert not
signed by a commonly trusted CA and only relying on DNSSEC for
validation of other servers' certificates, not even doing Dialback.  I
know of a total of 4 servers (including my own) that you could talk to then.

But there is actually quite a number of DNSSEC-signed domains with TLSA
records published out there, judging by the ones that have been
submitted to xmpp.net for testing (since the disk crash).  So only
talking to hosts with valid and matching TLSA records would not be too
crazy.

https://xmpp.net/reports.php#dnssecsrv
https://xmpp.net/reports.php#dnssecdane


-- 
Kim "Zash" Alvefur
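The two policies discussed above ("DANE-only" versus "DANE where DNSSEC-secure TLSA records exist, CA validation otherwise") come down to how a server matches a peer's presented certificate chain against TLSA RDATA (usage, selector, matching type, association data per RFC 6698 / RFC 7671). The following is an added example written for this archive page; it is not code from the thread, from xmpp.net, or from any XMPP server. It stands in constructed byte strings for the DER certificate and SubjectPublicKeyInfo (a real verifier extracts the SPKI with an X.509 parser and gets the DNSSEC-security bit from a validating resolver), and it treats the "trust anchor must be in the presented chain" case as a simplification.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence

# TLSA RDATA field values (RFC 6698 section 2.1, RFC 7671).
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    # Constructed stand-in: real code derives spki_der from cert_der with an
    # X.509 parser. Both fields are opaque bytes for this example.
    cert_der: bytes
    spki_der: bytes


def association_data(selector: int, matching_type: int, cert: Cert) -> bytes:
    """Bytes a TLSA record's association data is compared against."""
    if selector == SEL_FULL_CERT:
        selected = cert.cert_der
    elif selector == SEL_SPKI:
        selected = cert.spki_der
    else:
        raise ValueError(f"unknown TLSA selector {selector}")
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def record_matches(record: TLSARecord, cert: Cert) -> bool:
    """True if the record's data matches this certificate. Records with
    unknown selector/matching-type values are 'unusable' and are skipped
    (RFC 7671 section 4.1) rather than treated as a match or a failure."""
    try:
        return association_data(record.selector, record.matching_type, cert) == record.data
    except ValueError:
        return False


def dane_verify(records: Sequence[TLSARecord], chain: Sequence[Cert],
                pkix_valid: bool, chain_signatures_valid: bool) -> bool:
    """chain[0] is the end-entity cert. DANE-* usages need no commonly
    trusted CA (the mode the post calls DANE-enabled); PKIX-* usages
    additionally require ordinary CA validation to have succeeded."""
    leaf = chain[0]
    for r in records:
        if r.usage == USAGE_DANE_EE and record_matches(r, leaf):
            return True
        if r.usage == USAGE_PKIX_EE and pkix_valid and record_matches(r, leaf):
            return True
        if r.usage in (USAGE_DANE_TA, USAGE_PKIX_TA):
            # Simplification: the anchor must appear in the presented chain,
            # and the TLS library must have verified the signatures up to it.
            anchored = any(record_matches(r, c) for c in chain[1:])
            if anchored and chain_signatures_valid and (r.usage == USAGE_DANE_TA or pkix_valid):
                return True
    return False


def accept_peer(dnssec_secure: bool, records: Sequence[TLSARecord], chain: Sequence[Cert],
                pkix_valid: bool, chain_signatures_valid: bool, dane_only: bool) -> bool:
    """Connection policy from the thread. TLSA data that did not come back
    DNSSEC-secure is treated as absent. If secure TLSA data exists it is
    authoritative: a mismatch rejects the peer even if a CA signed the cert.
    With no secure TLSA data, dane_only rejects, otherwise CA validation decides."""
    if dnssec_secure and records:
        return dane_verify(records, chain, pkix_valid, chain_signatures_valid)
    return False if dane_only else pkix_valid


def tlsa_presentation(record: TLSARecord) -> str:
    """Zone-file form of the record, e.g. '3 1 1 <hex>' (RFC 6698 section 2.2)."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


# Constructed sample data (not real certificates).
LEAF = Cert(cert_der=b"constructed-leaf-certificate-der", spki_der=b"constructed-leaf-spki-der")
CA = Cert(cert_der=b"constructed-ca-certificate-der", spki_der=b"constructed-ca-spki-der")
CHAIN = [LEAF, CA]
GOOD_EE = TLSARecord(USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(LEAF.spki_der).digest())
STALE_EE = TLSARecord(USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(b"constructed-old-spki").digest())
GOOD_TA = TLSARecord(USAGE_DANE_TA, SEL_FULL_CERT, MATCH_SHA512, hashlib.sha512(CA.cert_der).digest())

if __name__ == "__main__":
    print(tlsa_presentation(GOOD_EE))
    print("dane-only, secure match:", accept_peer(True, [GOOD_EE], CHAIN, False, True, True))
    print("fallback, secure mismatch:", accept_peer(True, [STALE_EE], CHAIN, True, True, False))
```

The STALE_EE case is the one operators hit in practice: a key rollover without updating the TLSA record turns a valid CA-signed certificate into a hard failure for every DANE-validating peer, which is why the "valid and matching" qualifier in the post matters.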
