mod_s2s_auth_dane/README.markdown @ 1880:a7c1f1b6ef05

mod_checkcerts: Improve error handling when loading certificate
author Kim Alvefur
date Tue, 29 Sep 2015 14:56:46 +0200

---
labels:
- 'Stage-Alpha'
- 'Type-S2SAuth'
summary: S2S authentication using DANE
---

# Introduction

This module implements DANE for server-to-server (s2s) connections as
described in the Internet-Draft *Using DNS Security Extensions (DNSSEC)
and DNS-based Authentication of Named Entities (DANE) as a Prooftype for
XMPP Domain Name Associations* (draft-miller-xmpp-dnssec-prooftype).

# Dependencies

This module requires a DNSSEC-aware DNS resolver. Prosody's internal DNS
module does not support DNSSEC, so to use this module a replacement
resolver that performs DNSSEC validation is needed. Without validated
answers, TLSA records cannot be trusted and the module cannot
authenticate the peer.

LuaSec 0.5 or later is also required.

# Configuration

After installing the module, just add it to `modules_enabled`:

    modules_enabled = {
        -- ... your other modules ...
        "s2s_auth_dane";
    }


By default, only the `DANE-*` uses are enabled; `PKIX-*` records are
ignored unless you list them. The default is equivalent to:

    dane_uses = { "DANE-EE", "DANE-TA" }

| Use flag  | Description |
|-----------|-------------|
| `DANE-EE` | The simplest use: usually a fingerprint of the full certificate or public key used by the service |
| `DANE-TA` | Fingerprint of a certificate or public key that was used to issue the service certificate |
| `PKIX-EE` | Like `DANE-EE`, but the certificate must also pass normal PKIX trust checks (i.e. a standard CA-issued certificate) |
| `PKIX-TA` | Like `DANE-TA`, but the chain must also pass normal PKIX trust checks (i.e. standard CA-issued certificates) |

# DNS Setup

In order for other services to verify your site using this plugin, you
need to publish TLSA records in a DNSSEC-signed zone (and the other side
needs to have this plugin too). Here's an example using
`DANE-EE Cert SHA2-256` for a host called `xmpp.example.com` serving the
domain `example.com` (both are placeholder names; substitute your own).

    ; Your standard SRV record
    _xmpp-server._tcp.example.com. IN SRV 0 0 5269 xmpp.example.com.

    ; IPv4 and IPv6 addresses (placeholder addresses)
    xmpp.example.com. IN A    192.0.2.1
    xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

    ; The DANE TLSA records.  These three are equivalent, you would use only one of them.
    ; First, using symbolic names:
    _5269._tcp.xmpp.example.com. 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Using numbers:
    _5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
    ; Raw binary format, should work even with very old DNS tools:
    _5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

The hex string in these examples is only a placeholder (it is the SHA-256
digest of empty input). Publish the digest of your own certificate, and
remember that a `DANE-EE` record must be updated every time the
certificate is replaced, or remote servers will refuse the connection.
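To make the three spellings above and the `dane_uses` policy concrete, here is a small added example (not part of mod_s2s_auth_dane) that builds a TLSA record from a certificate, renders it in the symbolic, numeric and generic `TYPE52 \# len hex` forms, parses the generic form back, and checks a presented chain against a record set the way the module's `dane_uses` filter would. The certificate bytes are constructed stand-ins for DER, the owner names are placeholders, and only the `Cert` selector is implemented (the `SPKI` selector needs an ASN.1 parser).

```python
"""Build, render, parse and check DANE TLSA records (RFC 6698 values, RFC 7218 mnemonics).

Added example; not the module's own code. Certificate bytes are constructed
stand-ins for DER, not real certificates.
"""
import hashlib
import re
from dataclasses import dataclass

USAGES = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTORS = {"Cert": 0, "SPKI": 1}
MATCHING = {"Full": 0, "SHA2-256": 1, "SHA2-512": 2}
USAGE_NAME = {v: k for k, v in USAGES.items()}
SELECTOR_NAME = {v: k for k, v in SELECTORS.items()}
MATCHING_NAME = {v: k for k, v in MATCHING.items()}

# Constructed stand-ins for DER certificates (a deployment would take them
# from the TLS handshake or PEM files).
LEAF_DER = b"constructed DER bytes of xmpp.example.com leaf certificate"
ISSUER_DER = b"constructed DER bytes of the issuing CA certificate"

# The hash used in the README's zone example: SHA-256 of empty input.
README_PLACEHOLDER = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def placeholder_is_empty_hash() -> bool:
    """True: the README's example digest is just sha256(b'')."""
    return hashlib.sha256(b"").hexdigest().upper() == README_PLACEHOLDER


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for one cert under selector/matching type."""
    if selector != SELECTORS["Cert"]:
        # Selector 1 (SPKI) requires extracting SubjectPublicKeyInfo from the
        # DER, i.e. an ASN.1 parser; deliberately out of scope here.
        raise NotImplementedError("only the 'Cert' selector is handled")
    if mtype == MATCHING["Full"]:
        return cert_der
    if mtype == MATCHING["SHA2-256"]:
        return hashlib.sha256(cert_der).digest()
    if mtype == MATCHING["SHA2-512"]:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for_cert(cert_der: bytes, usage="DANE-EE", selector="Cert", mtype="SHA2-256") -> TLSA:
    u, s, m = USAGES[usage], SELECTORS[selector], MATCHING[mtype]
    return TLSA(u, s, m, association_data(cert_der, s, m))


def rdata(rec: TLSA) -> bytes:
    """Wire-format RDATA: usage, selector, matching type, then the data."""
    return bytes([rec.usage, rec.selector, rec.mtype]) + rec.data


def present(rec: TLSA, owner: str, ttl: int = 300) -> dict:
    """The three equivalent zone-file spellings shown in the README."""
    hexdata = rec.data.hex().upper()
    wire = rdata(rec)
    return {
        "symbolic": f"{owner} {ttl} IN TLSA {USAGE_NAME[rec.usage]} "
                    f"{SELECTOR_NAME[rec.selector]} {MATCHING_NAME[rec.mtype]} {hexdata}",
        "numeric": f"{owner} {ttl} IN TLSA {rec.usage} {rec.selector} {rec.mtype} {hexdata}",
        "generic": f"{owner} {ttl} IN TYPE52 \\# {len(wire)} {wire.hex().upper()}",
    }


GENERIC_RE = re.compile(r"TYPE52\s+\\#\s+(\d+)\s+((?:[0-9A-Fa-f]+\s*)+)$")


def parse_generic(line: str) -> TLSA:
    """Parse the RFC 3597 generic form (TYPE52 \\# <len> <hex>) into a record."""
    m = GENERIC_RE.search(line)
    if not m:
        raise ValueError("not a generic TYPE52 record")
    wire = bytes.fromhex("".join(m.group(2).split()))
    if len(wire) != int(m.group(1)) or len(wire) < 3:
        raise ValueError("RDATA length field does not match the hex payload")
    return TLSA(wire[0], wire[1], wire[2], wire[3:])


def check_dane(records, chain, dane_uses=("DANE-EE", "DANE-TA")) -> bool:
    """Only usages listed in dane_uses count, mirroring the module's option.

    chain[0] is the presented end-entity certificate, chain[1:] its issuers.
    Returns True if any enabled record matches, False otherwise.
    """
    enabled = {USAGES[name] for name in dane_uses}
    for rec in records:
        if rec.usage not in enabled:
            continue  # e.g. PKIX-* records are ignored under the default policy
        if rec.usage == USAGES["DANE-EE"]:
            candidates = chain[:1]   # must match the end-entity cert itself
        elif rec.usage == USAGES["DANE-TA"]:
            candidates = chain[1:]   # must match some issuer in the chain
        else:
            # PKIX-EE / PKIX-TA additionally need full PKIX validation of the
            # chain, which this example does not model; treat as no match.
            continue
        for cert in candidates:
            try:
                if association_data(cert, rec.selector, rec.mtype) == rec.data:
                    return True
            except NotImplementedError:
                continue
    return False


if __name__ == "__main__":
    rec = tlsa_for_cert(LEAF_DER)
    for form in present(rec, "_5269._tcp.xmpp.example.com.").values():
        print(form)
    print("verified:", check_dane([rec], [LEAF_DER, ISSUER_DER]))
```

The `generic` form's length field (35 for `SHA2-256`) is the three header bytes plus the 32-byte digest, which is why the hex payload in the README starts with `030001` followed by the same digest as the other two spellings. `check_dane` shows the effect of `dane_uses`: a `DANE-EE` record is skipped entirely when only `DANE-TA` is enabled, and a `PKIX-*` record never satisfies the default policy.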

A list of DNSSEC and DANE tools is useful for generating and checking these records before you publish them.

# Further reading

-   DANE TLSA implementation and operational guidance (draft-ietf-dane-ops, published as RFC 7671)

# Compatibility

Requires Prosody 0.9 or above.