[Operators] debian.org XMPP - using DANE / TLSA?

Alain Wolf xmaster at urown.net
Thu Oct 29 12:51:33 UTC 2015



On 29.10.2015 at 03:29, Kim Alvefur wrote:
> On 2015-10-28 22:32, Daniel Pocock wrote:
>> We are just reviewing the final configuration before announcing
>> debian.org XMPP
> 
> Nice!
> 
>> Can anybody comment on DANE / TLSA?  Should we only talk to servers
>> supporting this?
> 
> I'm all for encouraging DANE deployment, but it might be a bit early to
> only talk to DANE-enabled servers.  By which I mean having a cert not
> signed by a commonly trusted CA and only relying on DNSSEC for
> validation of other servers' certificates, not even doing Dialback.  I
> know of a total of 4 servers (including my own) that you could talk to then.
> 
> But there is actually quite a number of DNSSEC-signed domains with TLSA
> records published out there, judging by the ones that have been
> submitted to xmpp.net for testing (since the disk crash).  So only
> talking to hosts with valid and matching TLSA records would not be too
> crazy.
> 
> https://xmpp.net/reports.php#dnssecsrv
> https://xmpp.net/reports.php#dnssecdane

For the lazy ...

3,033 Total Test Results (100%)
  557 DNSSEC signed SRV records (18%)
  217 DNSSEC signed DANE records (7%)
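As an added illustration of the "valid and matching TLSA records" check discussed above (not code from this thread or from any XMPP server), here is a stdlib-only Python sketch of the RFC 6698 matching rules: parsing TLSA rdata, applying selector and matching type to a peer certificate, generating the rdata an operator would publish, and the accept decision for end-entity usages. The SAMPLE_CERT is a constructed DER skeleton, not a real signed certificate, and the trust-anchor usages (0 and 2) are deliberately left unhandled.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 whole certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse zone-file rdata such as '3 1 1 ab12...' (the hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def _tlv(buf: bytes, off: int):
    """Decode the DER element at buf[off]: (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def spki_of(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 covers)."""
    tbs = _tlv(_tlv(cert_der, 0)[1], 0)[1]             # Certificate -> tbsCertificate
    off = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0     # skip optional [0] version
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        off = _tlv(tbs, off)[2]
    return tbs[off:_tlv(tbs, off)[2]]

def _assoc_data(selector: int, mtype: int, cert_der: bytes):
    """RFC 6698 section 2.1: apply selector, then matching type; None if unusable."""
    if selector not in (0, 1) or mtype not in (0, 1, 2): return None
    selected = cert_der if selector == 0 else spki_of(cert_der)
    return selected if mtype == 0 else hashlib.new(("sha256", "sha512")[mtype - 1], selected).digest()

def tlsa_record(cert_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """Rdata an operator would publish for cert_der; default is DANE-EE / SPKI / SHA-256."""
    return f"{usage} {selector} {mtype} {_assoc_data(selector, mtype, cert_der).hex()}"

def dane_accepts(records, cert_der: bytes, pkix_valid: bool) -> bool:
    """Accept on a matching EE record: usage 3 alone, usage 1 only with PKIX; 0/2 are skipped."""
    return any(_assoc_data(rr.selector, rr.mtype, cert_der) == rr.data for rr in records
               if rr.usage == 3 or (rr.usage == 1 and pkix_valid))
def _der(tag: int, body: bytes) -> bytes: return bytes([tag, len(body)]) + body  # bodies < 128 B
# Constructed toy certificate skeleton (not a real, signed cert): just enough DER for spki_of.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + _der(0x03, bytes(range(18))))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```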

