ghudson at MIT.EDU
Thu Mar 29 17:18:43 UTC 2007
The attractive thing about DNSSEC-based authentication for s2s is that
you could tell via a secure channel that the other server is supposed to
be using strong authentication. An attacker wouldn't be able to get
away with saying "sorry, I only support dialback" if there existed DNS
records for public keys for both communicating servers.
For c2s authentication, DNSSEC-based authentication would similarly
allow the client to authenticate the server before presenting
credentials. It's not really a viable option for authenticating the
From a practical perspective, though, there are two big hurdles:
1. There is no root deployment of DNSSEC and not much deployment
anywhere. This is the real killer.
2. To my knowledge, there is no standard for using DNSSEC keying
information to secure an application protocol. It might not have to be
a very big standard--you could store self-signed X.509 certs in DNS and
then use TLS for the heavy lifting--but it's still standards work
outside the scope of XMPP.
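The following is an added example, not code from the message above or from any XMPP project. It shows the "self-signed cert in DNS, TLS for the heavy lifting" idea from point 2 as working code: a certificate association record in DNS is matched against the certificate the peer presents in the TLS handshake, and the s2s side then decides whether it may fall back to dialback. The record layout (usage / selector / matching type / data) is modelled on the TLSA format that RFC 6698 (DANE) later standardized for exactly this purpose; the function names, the policy labels, the `dnssec_validated` flag and the placeholder bytes standing in for DER certificate data are all assumptions made for illustration.

```python
"""Match a peer's TLS certificate against a certificate association published
in DNS, then decide whether XMPP s2s may fall back to dialback.

Added example; not part of the original message or any XMPP server."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class CertAssociation:
    usage: int      # 3 = match the peer's end-entity certificate directly
    selector: int   # 0 = whole certificate (DER), 1 = SubjectPublicKeyInfo only
    matching: int   # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes     # the bytes (or digest) the peer's certificate must match


def parse_association(text: str) -> CertAssociation:
    """Parse the zone-file style '<usage> <selector> <matching> <hex>' form."""
    fields = text.split(maxsplit=3)
    if len(fields) != 4:
        raise ValueError(f"malformed certificate association: {text!r}")
    usage, selector, matching, hexdata = fields
    return CertAssociation(int(usage), int(selector), int(matching),
                           bytes.fromhex(hexdata.replace(" ", "")))


def association_matches(assoc: CertAssociation, cert_der: bytes,
                        spki_der: Optional[bytes] = None) -> bool:
    """True if the presented certificate satisfies one published association."""
    if assoc.usage != 3:          # only end-entity matching is handled here
        return False
    if assoc.selector == 0:
        subject = cert_der
    elif assoc.selector == 1:
        if spki_der is None:      # caller did not extract the SPKI; cannot match
            return False
        subject = spki_der
    else:
        return False
    if assoc.matching == 0:
        observed = subject
    elif assoc.matching == 1:
        observed = hashlib.sha256(subject).digest()
    elif assoc.matching == 2:
        observed = hashlib.sha512(subject).digest()
    else:
        return False
    # constant-time compare so a mismatch does not leak how many bytes agreed
    return hmac.compare_digest(observed, assoc.data)


def decide_s2s_auth(records: Sequence[CertAssociation], dnssec_validated: bool,
                    peer_cert_der: bytes, spki_der: Optional[bytes] = None) -> str:
    """Return 'strong', 'dialback' or 'reject'.

    Records that did not validate under DNSSEC are treated as absent: an
    attacker who controls the DNS path could have forged or stripped them.
    Once a validated record exists, a peer that offers only dialback is
    refused rather than downgraded, which is the point of the proposal."""
    if not dnssec_validated or not records:
        return "dialback"
    if any(association_matches(r, peer_cert_der, spki_der) for r in records):
        return "strong"
    return "reject"


# Constructed sample data: placeholder bytes standing in for a DER-encoded
# self-signed certificate, and the DNS record an operator would publish for it.
EXAMPLE_CERT_DER = b"constructed-placeholder-for-DER-encoded-xmpp-server-cert"
EXAMPLE_RECORD_TEXT = "3 0 1 " + hashlib.sha256(EXAMPLE_CERT_DER).hexdigest()
EXAMPLE_RECORD = parse_association(EXAMPLE_RECORD_TEXT)


if __name__ == "__main__":
    print("published record:", EXAMPLE_RECORD_TEXT)
    print("matching peer   :", decide_s2s_auth([EXAMPLE_RECORD], True, EXAMPLE_CERT_DER))
    print("wrong cert      :", decide_s2s_auth([EXAMPLE_RECORD], True, b"someone-else"))
    print("unsigned zone   :", decide_s2s_auth([EXAMPLE_RECORD], False, b"someone-else"))
    print("no record       :", decide_s2s_auth([], True, EXAMPLE_CERT_DER))
```

The "reject" branch is what closes the downgrade the message describes: with a validated record in the zone, "sorry, I only support dialback" is no longer accepted. The "dialback" result for an unsigned zone is the hurdle in point 1 in code form; without DNSSEC deployment every peer lands there.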