[Operators] debian.org XMPP - using DANE / TLSA?

Kim Alvefur zash at zash.se
Thu Oct 29 13:13:30 UTC 2015


On 2015-10-29 13:51, Alain Wolf wrote:
> 
> 
> On 29.10.2015 at 03:29, Kim Alvefur wrote:
>> On 2015-10-28 22:32, Daniel Pocock wrote:
>>> We are just reviewing the final configuration before announcing
>>> debian.org XMPP
>>
>> Nice!
>>
>>> Can anybody comment on DANE / TLSA?  Should we only talk to servers
>>> supporting this?
>>
>> I'm all for encouraging DANE deployment, but it might be a bit early to
>> only talk to DANE-enabled servers.  By which I mean having a cert not
>> signed by a commonly trusted CA and only relying on DNSSEC for
>> validation of other servers certificates, not even doing Dialback.  I
>> know of a total of 4 servers (including my own) that you could talk to then.
>>
>> But there is actually quite a number of DNSSEC-signed domains with TLSA
>> records published out there, judging by the ones that have been
>> submitted to xmpp.net for testing (since the disk crash).  So only
>> talking to hosts with valid and matching TLSA records would not be too
>> crazy.
>>
>> https://xmpp.net/reports.php#dnssecsrv
>> https://xmpp.net/reports.php#dnssecdane
> 
> For the lazy ...
> 
> 3,033 Total Test Results (100%)
>   557 DNSSEC signed SRV records (18%)
>   217 DNSSEC signed DANE records (7%)

Worth comparing with PKIX based trust:

                 Trusted             Untrusted
  ---------  ----------------   ----------------
  Valid        1738  (55.1%)       603  (19.1%)
  Invalid       212   (6.7%)       600  (19.0%)

https://xmpp.net/reports.php#trust

(Total increased to 3041)

-- 
Kim "Zash" Alvefur
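The DANE-only mode Kim describes above (trust the TLSA record, no commonly trusted CA, no Dialback) comes down to one check: does the certificate the peer presents match a TLSA record fetched over DNSSEC. The following Python is an added illustration written for this archive page, not code from Prosody, xmpp.net or the Debian deployment. It assumes the TLSA RRset was obtained from a DNSSEC-validating resolver (AD bit set; without that the record proves nothing), and the certificate bytes are constructed placeholders, not real DER. The SRV-to-TLSA name mapping follows RFC 7673 (`_port._proto.<srv target>`), and field semantics follow RFC 6698/7671.

```python
"""Added example: matching an XMPP s2s certificate against DANE TLSA records.

Illustration code for this mailing-list page (not Prosody/xmpp.net code).
Assumes the TLSA records came back DNSSEC-validated; certificate bytes are
constructed placeholders standing in for DER-encoded data.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EA = 0, 1   # still require a CA-validated chain
USAGE_DANE_TA = 2                      # record names a CA that must be in the chain
USAGE_DANE_EE = 3                      # record names the end-entity cert itself
SELECTOR_FULL, SELECTOR_SPKI = 0, 1    # whole cert vs SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes    # placeholder for the full certificate (DER)
    spki: bytes   # placeholder for its SubjectPublicKeyInfo (DER)


def tlsa_owner_name(srv_target: str, port: int, proto: str = "tcp") -> str:
    """RFC 7673: for an SRV target, the TLSA record lives at _port._proto.target.
    For XMPP s2s the SRV is _xmpp-server._tcp.<domain> and the port is usually 5269."""
    return f"_{port}._{proto}.{srv_target.rstrip('.')}."


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file form, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(record: TLSA, cert: Cert) -> Optional[bytes]:
    """Compute what the record's data field should equal for this cert.
    Returns None for selector/matching-type values this code does not know;
    RFC 7671 says such records are to be ignored, not treated as failures."""
    if record.selector == SELECTOR_FULL:
        selected = cert.der
    elif record.selector == SELECTOR_SPKI:
        selected = cert.spki
    else:
        return None
    if record.matching_type == MATCH_EXACT:
        return selected
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    return None


def record_matches(record: TLSA, chain: List[Cert]) -> bool:
    """chain[0] is the end-entity cert, followed by any intermediates/roots sent."""
    if record.usage == USAGE_DANE_EE:
        candidates = chain[:1]
    elif record.usage == USAGE_DANE_TA:
        # A real verifier must also build a path from chain[0] to the matched CA;
        # this placeholder code only checks presence in the presented chain.
        candidates = chain
    else:
        # Usages 0/1 only constrain an otherwise PKIX-valid chain; that is the
        # "commonly trusted CA" path this example deliberately does not perform.
        return False
    return any(association_data(record, c) == record.data for c in candidates)


def dane_authenticate(records: List[TLSA], chain: List[Cert]) -> bool:
    """DANE-only policy: accept the peer iff at least one usable record matches."""
    return any(record_matches(r, chain) for r in records)


# Constructed sample data (stand-ins for DER bytes, not real certificates).
SAMPLE_LEAF = Cert(der=b"constructed-leaf-cert-der", spki=b"constructed-leaf-spki")
SAMPLE_CA = Cert(der=b"constructed-intermediate-der", spki=b"constructed-intermediate-spki")


def make_record(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """Produce the zone-file line an operator would publish for `cert`."""
    data = association_data(TLSA(usage, selector, mtype, b""), cert)
    return f"{usage} {selector} {mtype} {data.hex()}"


def demo() -> dict:
    chain = [SAMPLE_LEAF, SAMPLE_CA]
    good_ee = parse_tlsa(make_record(3, 1, 1, SAMPLE_LEAF))     # "3 1 1", the common choice
    good_ta = parse_tlsa(make_record(2, 0, 2, SAMPLE_CA))       # pins the intermediate
    wrong = parse_tlsa(make_record(3, 0, 1, SAMPLE_CA))          # points at the wrong cert
    unknown = parse_tlsa("3 1 9 00")                             # unknown matching type
    pkix_only = parse_tlsa(make_record(1, 1, 1, SAMPLE_LEAF))   # needs CA validation too
    return {
        "owner": tlsa_owner_name("xmpp.example.org", 5269),
        "ee_ok": dane_authenticate([good_ee], chain),
        "ta_ok": dane_authenticate([good_ta], chain),
        "wrong_rejected": dane_authenticate([wrong], chain),
        "unknown_ignored": dane_authenticate([unknown], chain),
        "pkix_needs_ca": dane_authenticate([pkix_only], chain),
        "mixed": dane_authenticate([wrong, unknown, good_ee], chain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `mixed` case is the one that matters operationally: an RRset may carry records an implementation cannot use (new matching types, rollover entries), and those are skipped rather than failing the connection, so a peer is accepted as long as one usable record matches. Whether to accept usage 0/1 records at all depends on whether the server also does PKIX validation, which is exactly the policy question the thread is about.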
