Mercurial > prosody-wiki
comparison mod_s2s_auth_dane.wiki @ 441:80ce8d7f7f56
mod_s2s_auth_dane.wiki: more text, examples and links
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 22 Mar 2014 13:30:47 +0100 |
| parents | 6e91b7ab36c1 |
| children | 7308cd1cd354 |
comparison
equal
deleted
inserted
replaced
| 440:6e91b7ab36c1 | 441:80ce8d7f7f56 |
|---|---|
| 1 #summary S2S authentication using DANE | 1 #summary S2S authentication using DANE |
| 2 #labels Stage-Alpha, Type-S2SAuth | 2 #labels Stage-Alpha, Type-S2SAuth |
| 3 | 3 |
| 4 = Introduction = | 4 = Introduction = |
| 5 | 5 |
| 6 This module implements DANE as described in | 6 This module implements DANE as described in |
| 7 [http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations]. | 7 [http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations]. |
| 8 | 8 |
| 9 = Dependecies = | 9 = Dependecies = |
| 10 | 10 |
| 11 This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS | 11 This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS |
| 12 module does not support DNSSEC. Therefore, to use this module, a | 12 module does not support DNSSEC. Therefore, to use this module, a |
| 13 replacement is needed, such as | 13 replacement is needed, such as |
| 14 [http://code.zash.se/luaunbound this libunbound and LuaJIT FFI based one]. | 14 [https://www.zash.se/luaunbound.html this libunbound and LuaJIT FFI based one]. |
| 15 | 15 |
| 16 = Configuration = | 16 = Configuration = |
| 17 | 17 |
| 18 This module has no options. Just add it to `modules_enabled`; | 18 After [https://prosody.im/doc/installing_modules installing the module], just add it to `modules_enabled`; |
| 19 | 19 |
| 20 {{{ | 20 {{{ |
| 21 modules_enabled = { | 21 modules_enabled = { |
| 22 ... | 22 ... |
| 23 "s2s_auth_dane"; | 23 "s2s_auth_dane"; |
| 24 } | 24 } |
| 25 }}} | 25 }}} |
| 26 | 26 |
| 27 = DNS Setup = | 27 = DNS Setup = |
| 28 | 28 |
| 29 In order for other services to verify your site using using this plugin, | |
| 30 you need to publish TLSA records (and they need to have this plugin). | |
| 31 Here's an example using "DANE-EE Cert SHA2-256" for a host named | |
| 32 xmpp.example.com serving the domain example.com. | |
| 33 | |
| 29 {{{ | 34 {{{ |
| 35 $ORIGIN example.com | |
| 30 _xmpp-server._tcp IN SRV 0 0 5269 xmpp | 36 _xmpp-server._tcp IN SRV 0 0 5269 xmpp |
| 37 xmpp IN A 192.0.2.68 | |
| 38 xmpp IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341 | |
| 31 _5269._tcp.xmpp IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 | 39 _5269._tcp.xmpp IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 |
| 32 }}} | 40 }}} |
| 41 | |
| 42 [http://www.internetsociety.org/deploy360/dnssec/tools/ List of DNSSEC and DANE tools] | |
| 43 | |
| 44 = Further reading = | |
| 45 | |
| 46 * [http://tools.ietf.org/html/draft-ietf-dane-ops TLSA implementation and operational guidance] | |
| 33 | 47 |
| 34 = Compatibility = | 48 = Compatibility = |
| 35 | 49 |
| 36 Requires 0.9 or above. | 50 Requires 0.9 or above. |