[Operators] debian.org XMPP - using DANE / TLSA?
Kim Alvefur
zash at zash.se
Thu Oct 29 13:13:30 UTC 2015
On 2015-10-29 13:51, Alain Wolf wrote:
>
>
> On 29.10.2015 at 03:29, Kim Alvefur wrote:
>> On 2015-10-28 22:32, Daniel Pocock wrote:
>>> We are just reviewing the final configuration before announcing
>>> debian.org XMPP
>>
>> Nice!
>>
>>> Can anybody comment on DANE / TLSA? Should we only talk to servers
>>> supporting this?
>>
>> I'm all for encouraging DANE deployment, but it might be a bit early to
>> only talk to DANE-enabled servers. By which I mean having a cert not
>> signed by a commonly trusted CA and only relying on DNSSEC for
>> validation of other servers' certificates, not even doing Dialback. I
>> know of a total of 4 servers (including my own) that you could talk to then.
>>
>> But there is actually quite a number of DNSSEC-signed domains with TLSA
>> records published out there, judging by the ones that have been
>> submitted to xmpp.net for testing (since the disk crash). So only
>> talking to hosts with valid and matching TLSA records would not be too
>> crazy.
>>
>> https://xmpp.net/reports.php#dnssecsrv
>> https://xmpp.net/reports.php#dnssecdane
>
> For the lazy ...
>
> 3,033 Total Test Results (100%)
> 557 DNSSEC signed SRV records (18%)
> 217 DNSSEC signed DANE records (7%)
Worth comparing with PKIX based trust:
          Trusted          Untrusted
--------- ---------------- ----------------
Valid     1738 (55.1%)     603 (19.1%)
Invalid   212 (6.7%)       600 (19%)
https://xmpp.net/reports.php#trust
(Total increased to 3041)
--
Kim "Zash" Alvefur
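The thread contrasts two trust models for server-to-server connections: PKIX (a certificate chaining to a commonly trusted CA) and DANE (a DNSSEC-secured TLSA record pinning the certificate or its public key, RFC 6698). The following is an added illustration, not code from the thread or from any XMPP server project, of the matching step a DANE-aware server performs and of the "DANE-only" versus "DANE, else PKIX" policy choice being discussed. The certificate bytes, the SPKI bytes and the TLSA record are constructed stand-ins (a real implementation would take the DER from the TLS handshake and the TLSA set from a validating resolver); only the DANE-EE usage (3) is handled, and the "no fallback to PKIX when secure TLSA records exist but none match" rule follows the DANE convention from RFC 7671.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record as returned by a DNSSEC-validating resolver (RFC 6698)."""
    usage: int      # 3 = DANE-EE (end-entity cert pinned directly)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes


@dataclass(frozen=True)
class PeerCert:
    """Certificate presented by the remote XMPP server during the TLS handshake."""
    der: bytes    # whole certificate, DER-encoded
    spki: bytes   # SubjectPublicKeyInfo extracted from that certificate


def tlsa_matches(record: TLSA, cert: PeerCert) -> bool:
    """True when the TLSA record pins this certificate (DANE-EE only)."""
    if record.usage != 3:
        # DANE-TA (usage 2) would need chain building; out of scope for this sketch.
        return False
    selected = cert.der if record.selector == 0 else cert.spki
    if record.mtype == 0:
        return selected == record.data
    if record.mtype == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.mtype == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: treat as unusable


def peer_trusted(dnssec_secure: bool, tlsa_records: list, cert: PeerCert,
                 pkix_valid: bool, policy: str) -> bool:
    """Decide whether to federate with a peer.

    policy == "dane-only":    exactly what the thread calls "only talk to
                              DANE-enabled servers" (PKIX is ignored).
    policy == "dane-or-pkix": use DANE when secure TLSA records exist,
                              otherwise fall back to a CA-signed cert.
    TLSA records are only meaningful if the lookup was DNSSEC-secure;
    unsigned answers are treated as if no records existed.
    """
    usable = [r for r in tlsa_records if r.usage == 3] if dnssec_secure else []
    if policy == "dane-only":
        return any(tlsa_matches(r, cert) for r in usable)
    if policy == "dane-or-pkix":
        if usable:
            # Secure TLSA records are authoritative: a mismatch is a failure,
            # not a reason to fall back to PKIX (RFC 7671 convention).
            return any(tlsa_matches(r, cert) for r in usable)
        return pkix_valid
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample data (stand-ins, not real DER).
SAMPLE_SPKI = b"constructed-stand-in-for-SubjectPublicKeyInfo-DER"
SAMPLE_CERT = PeerCert(der=b"constructed-cert-der-" + SAMPLE_SPKI, spki=SAMPLE_SPKI)
# "3 1 1 <sha256 of SPKI>" is the most common TLSA form for self-managed certs.
SAMPLE_TLSA = TLSA(usage=3, selector=1, mtype=1,
                   data=hashlib.sha256(SAMPLE_SPKI).digest())
WRONG_TLSA = TLSA(usage=3, selector=1, mtype=1, data=b"\x00" * 32)


if __name__ == "__main__":
    print("DANE-only, matching record:",
          peer_trusted(True, [SAMPLE_TLSA], SAMPLE_CERT, False, "dane-only"))
    print("DANE-only, unsigned zone:",
          peer_trusted(False, [SAMPLE_TLSA], SAMPLE_CERT, True, "dane-only"))
    print("DANE-or-PKIX, no TLSA, CA-signed:",
          peer_trusted(False, [], SAMPLE_CERT, True, "dane-or-pkix"))
```

The last case in `peer_trusted` is the one worth noticing when tightening policy: a peer with a CA-signed certificate and a DNSSEC-secured TLSA record that does not match is rejected even under the lenient policy, so publishing a TLSA record that is out of step with the deployed key breaks federation with DANE-aware servers while remaining invisible to PKIX-only ones.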