Mercurial > prosody-modules

diff mod_s2s_auth_dane/README.wiki @ 1782:29f3d6b7ad16

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Import wiki pages
author Kim Alvefur <zash@zash.se>
date Mon, 24 Aug 2015 16:43:56 +0200
parents
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_auth_dane/README.wiki	Mon Aug 24 16:43:56 2015 +0200
@@ -0,0 +1,60 @@
+#summary S2S authentication using DANE
+#labels Stage-Alpha,Type-S2SAuth
+
+= Introduction =
+
+This module implements DANE as described in
+[http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations].
+
+= Dependencies =
+
+This module requires a DNSSEC aware DNS resolver.  Prosodys internal DNS
+module does not support DNSSEC.  Therefore, to use this module, a
+replacement is needed, such as [https://www.zash.se/luaunbound.html this one].
+
+More installation instructions can be found at [https://www.zash.se/prosody-dane.html Prosody with DANE].
+
+= Configuration =
+
+After [https://prosody.im/doc/installing_modules installing the module], just add it to `modules_enabled`;
+
+{{{
+modules_enabled = {
+	...
+	"s2s_auth_dane";
+}
+}}}
+
+= DNS Setup =
+
+In order for other services to verify your site using using this plugin,
+you need to publish TLSA records (and they need to have this plugin).
+Here's an example using "DANE-EE Cert SHA2-256" for a host named
+xmpp.example.com serving the domain example.com.
+
+{{{
+$ORIGIN example.com.
+; Your standard SRV record
+_xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com.
+; IPv4 and IPv6 addresses
+xmpp.example.com. IN A 192.0.2.68
+xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341
+
+; The DANE TLSA records.  These three are equivalent, you would use only one of them.
+; First, using symbolic names:
+_5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+; Using numbers:
+_5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+; Raw binary format, should work even with very old DNS tools:
+_5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+}}}
+
+[http://www.internetsociety.org/deploy360/dnssec/tools/ List of DNSSEC and DANE tools]
+
+= Further reading =
+
+* [http://tools.ietf.org/html/draft-ietf-dane-ops DANE TLSA implementation and operational guidance]
+
+= Compatibility =
+
+Requires 0.9 or above.
\ No newline at end of file