[Operators] debian.org XMPP - using DANE / TLSA?
xmaster at urown.net
Thu Oct 29 12:51:33 UTC 2015
On 29.10.2015 at 03:29, Kim Alvefur wrote:
> On 2015-10-28 22:32, Daniel Pocock wrote:
>> We are just reviewing the final configuration before announcing
>> debian.org XMPP
>> Can anybody comment on DANE / TLSA? Should we only talk to servers
>> supporting this?
> I'm all for encouraging DANE deployment, but it might be a bit early to
> only talk to DANE-enabled servers. By which I mean having a cert not
> signed by a commonly trusted CA and only relying on DNSSEC for
> validation of other servers' certificates, not even doing Dialback. I
> know of a total of 4 servers (including my own) that you could talk to then.
> But there is actually quite a number of DNSSEC-signed domains with TLSA
> records published out there, judging by the ones that have been
> submitted to xmpp.net for testing (since the disk crash). So only
> talking to hosts with valid and matching TLSA records would not be too
For the lazy ...
3,033 Total Test Results (100%)
557 DNSSEC signed SRV records (18%)
217 DNSSEC signed DANE records (7%)