annotate mod_s2s_auth_dane/README.markdown @ 1880:a7c1f1b6ef05

mod_checkcerts: Improve error handling when loading certificate
author Kim Alvefur <zash@zash.se>
date Tue, 29 Sep 2015 14:56:46 +0200
parents 1c6d04f012e9
children f118e419a712
---
labels:
- 'Stage-Alpha'
- 'Type-S2SAuth'
summary: S2S authentication using DANE
...

Introduction
============

This module implements DANE as described in [Using DNS Security
Extensions (DNSSEC) and DNS-based Authentication of Named Entities
(DANE) as a Prooftype for XMPP Domain Name
Associations](http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype).

Dependencies
============

This module requires a DNSSEC-aware DNS resolver. Prosody's internal DNS
module does not support DNSSEC. Therefore, to use this module, a
replacement is needed, such as [this
one](https://www.zash.se/luaunbound.html).

LuaSec 0.5 or later is also required.

Configuration
=============

After [installing the
module](https://prosody.im/doc/installing_modules), just add it to
`modules_enabled`:

    modules_enabled = {
        ...
        "s2s_auth_dane";
    }

DANE Uses
---------

By default, only the DANE uses are enabled:

    dane_uses = { "DANE-EE", "DANE-TA" }

  Use flag    Description
  ----------- ---------------------------------------------------------------------------------------------------------
  `DANE-EE`   Simplest use, usually a fingerprint of the full certificate or public key used by the service
  `DANE-TA`   Fingerprint of a certificate or public key that has been used to issue the service certificate
  `PKIX-EE`   Like `DANE-EE`, but the certificate must also pass normal PKIX trust checks (i.e. standard certificates)
  `PKIX-TA`   Like `DANE-TA`, but must also pass normal PKIX trust checks (i.e. standard certificates)

DNS Setup
=========

In order for other services to verify your site using this plugin,
you need to publish TLSA records (and they need to have this plugin).
Here's an example using `DANE-EE Cert SHA2-256` for a host named
`xmpp.example.com` serving the domain `example.com`.

    $ORIGIN example.com.
    ; Your standard SRV record (note the trailing dot: without it, $ORIGIN would be appended)
    _xmpp-server._tcp.example.com. IN SRV 0 0 5269 xmpp.example.com.
    ; IPv4 and IPv6 addresses
    xmpp.example.com. IN A 192.0.2.68
    xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

    ; The DANE TLSA records. These three are equivalent; you would use only one of them.
    ; First, using symbolic names:
    _5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Using numbers:
    _5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Raw binary format, should work even with very old DNS tools:
    _5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

[List of DNSSEC and DANE
tools](http://www.internetsociety.org/deploy360/dnssec/tools/)

Further reading
===============

- [DANE TLSA implementation and operational
  guidance](http://tools.ietf.org/html/draft-ietf-dane-ops)

Compatibility
=============

Requires Prosody 0.9 or above.