view mod_s2s_auth_dane.wiki @ 441:80ce8d7f7f56

mod_s2s_auth_dane.wiki: more text, examples and links
author Kim Alvefur <zash@zash.se>
date Sat, 22 Mar 2014 13:30:47 +0100
parents 6e91b7ab36c1
children 7308cd1cd354
line wrap: on
line source

#summary S2S authentication using DANE
#labels Stage-Alpha, Type-S2SAuth

= Introduction =

This module implements DANE as described in
[http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations].

= Dependecies =

This module requires a DNSSEC aware DNS resolver.  Prosodys internal DNS
module does not support DNSSEC.  Therefore, to use this module, a
replacement is needed, such as
[https://www.zash.se/luaunbound.html this libunbound and LuaJIT FFI based one].

= Configuration =

After [https://prosody.im/doc/installing_modules installing the module], just add it to `modules_enabled`;

{{{
modules_enabled = {
	...
	"s2s_auth_dane";
}
}}}

= DNS Setup =

In order for other services to verify your site using using this plugin,
you need to publish TLSA records (and they need to have this plugin).
Here's an example using "DANE-EE Cert SHA2-256" for a host named
xmpp.example.com serving the domain example.com.

{{{
$ORIGIN example.com
_xmpp-server._tcp IN SRV 0 0 5269 xmpp
xmpp IN A 192.0.2.68
xmpp IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341
_5269._tcp.xmpp IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
}}}

[http://www.internetsociety.org/deploy360/dnssec/tools/ List of DNSSEC and DANE tools]

= Further reading =

* [http://tools.ietf.org/html/draft-ietf-dane-ops TLSA implementation and operational guidance]

= Compatibility =

Requires 0.9 or above.