view @ 511:9cf5a22e30a1

allow_unencrypted_plain_auth is not required
date Fri, 03 Apr 2015 00:57:11 +0000
parents 7261117fcf19
line wrap: on
line source

#summary S2S authentication using DANE
#labels Stage-Alpha,Type-S2SAuth

= Introduction =

This module implements DANE as described in
[ Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations].

= Dependencies =

This module requires a DNSSEC aware DNS resolver.  Prosodys internal DNS
module does not support DNSSEC.  Therefore, to use this module, a
replacement is needed, such as [ this one].

More installation instructions can be found at [ Prosody with DANE].

= Configuration =

After [ installing the module], just add it to `modules_enabled`;

modules_enabled = {

= DNS Setup =

In order for other services to verify your site using using this plugin,
you need to publish TLSA records (and they need to have this plugin).
Here's an example using "DANE-EE Cert SHA2-256" for a host named serving the domain

; Your standard SRV record IN SRV 0 0 5269
; IPv4 and IPv6 addresses IN A IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

; The DANE TLSA records.  These three are equivalent, you would use only one of them.
; First, using symbolic names: 300 IN TLSA DANE-EE Cert SHA2-256 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
; Using numbers: 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
; Raw binary format, should work even with very old DNS tools: 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

[ List of DNSSEC and DANE tools]

= Further reading =

* [ DANE TLSA implementation and operational guidance]

= Compatibility =

Requires 0.9 or above.