[Standards] Proposal: Public Key pinning

Mathieu Pasquet mathieui at mathieui.net
Tue Nov 12 14:31:40 UTC 2013

On Tue, Nov 12, 2013 at 01:59:59PM +0100, Simon Tennant wrote:
> On 12 November 2013 00:33, Thijs Alkemade <thijs at xnyhps.nl> wrote:
> > * DANE. DNSSEC deployment is still low and DANE is low compared to that.
> > Few
> > DNS stacks include support for DNSSEC, so widespread DANE deployment is
> > unlikely to happen soon.
> >
> I would love to have a guide on how to set up DANE and DNSSEC for an XMPP
> server. And have a primer added to the
> http://wiki.xmpp.org/web/Securing_XMPP#Prosody_.28secure_delegation_with_DANE.29 page.
> Has anyone managed to do this?
> Would anyone have time to walk me through setting this up and I'll write up
> a recipe.
> S.

Setting it up is fairly easy. Once you have the DNSSEC support (which
is not specific to XMPP at all), you only need to provide TLSA records
as described in the (imo quite straightforward) RFC 6698 [1] + errata
3594 [2] for the relevant entries. Of course, the complexity increases
with the complexity of your XMPP setup.

I have a simple guide in the works as to how to set up an NSD + sign with
DNSSEC + DANE, but nothing to show yet.

Assuming you have a working NSD, you need to generate a ZSK and a KSK
(e.g. w/ ldns-keygen), sign the zone file with them (e.g. w/
ldns-signzone), and then tell NSD to serve the signed file instead of
the plain one. You also need to send your public keys for validation,
probably to your registrar, or to the DLV registry [3] if your registrar
is ignoring DNSSEC.

For DANE, there is the RFC [1] and this informative blog post [4] that
explain things clearly.

This is by no means a fully technically accurate walkthrough, but I hope
it helps.

Finally, for a list of DANE-enabled servers, I would check the xmpp.net
reports [5] with DNSSEC enabled, there ought to be a few with TLSA
records (although that does not mean that they process them).


[1] http://tools.ietf.org/html/rfc6698
[2] http://www.rfc-editor.org/errata_search.php?rfc=6698
[3] https://dlv.isc.org/
[4] http://blog.huque.com/2012/10/dnssec-and-certificates.html
[5] http://xmpp.net/reports.php

Mathieu Pasquet (mathieui)
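The DANE half of the recipe above is the TLSA record itself. The following is an added example (not from the thread or from any of the tools named in it) that builds the RFC 6698 presentation-format record for an XMPP server-to-server port and checks a presented key against it; the sample bytes are a constructed placeholder, and in practice you would feed it the DER of the real certificate or SubjectPublicKeyInfo:

```python
import hashlib

# RFC 6698 field values (usage, selector, matching type)
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}


def tlsa_owner(host: str, port: int = 5269, proto: str = "tcp") -> str:
    """Owner name of the TLSA RR; 5269/tcp is XMPP server-to-server."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(der: bytes, matching_type: int) -> str:
    """Hex 'certificate association data' for a matching type (0=full, 1=SHA-256, 2=SHA-512)."""
    if matching_type == 0:
        return der.hex()
    if matching_type == 1:
        return hashlib.sha256(der).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(der).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <sha256 hex>' (DANE-EE, SPKI, SHA-256)."""
    if usage not in USAGES or selector not in SELECTORS:
        raise ValueError("bad certificate usage or selector")
    return f"{usage} {selector} {matching_type} {association_data(der, matching_type)}"


def tlsa_matches(rdata: str, der: bytes) -> bool:
    """Check data the server presented against a published TLSA record.

    `der` must already be the part named by the record's selector
    (whole certificate for selector 0, SubjectPublicKeyInfo for 1).
    """
    _usage, _selector, mtype, data = rdata.split(None, 3)
    expected = association_data(der, int(mtype))
    return data.replace(" ", "").lower() == expected


# Constructed placeholder standing in for a DER SubjectPublicKeyInfo; not a real key
SAMPLE_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")

if __name__ == "__main__":
    print(tlsa_owner("xmpp.example.net"), "IN TLSA", tlsa_rdata(SAMPLE_SPKI))
```

The printed line is what goes into the zone file before signing it; a resolver that validates DNSSEC can then use `tlsa_matches` style logic against what the peer presents.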