mod_s2s_auth_dane

Introduction

This module implements DANE as described in Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations.

Dependencies

This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS module does not support DNSSEC. Therefore, to use this module, a replacement is needed, such as this one.

LuaSec 0.5 or later is also required.

Configuration

After installing the module, just add it to modules_enabled;

modules_enabled = {
 ...
 "s2s_auth_dane";
}

DANE Uses

By default, only DANE uses are enabled.

dane_uses = { "DANE-EE", "DANE-TA" }

DNS Setup

In order for other services to verify your site using using this plugin, you need to publish TLSA records (and they need to have this plugin). Here’s an example using DANE-EE Cert SHA2-256 for a host named xmpp.example.com serving the domain example.com.

$ORIGIN example.com.
; Your standard SRV record
_xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com.
; IPv4 and IPv6 addresses
xmpp.example.com. IN A 192.0.2.68
xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

; The DANE TLSA records.
_5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

; If your zone file tooling does not support TLSA records, you can try the raw binary format:
_5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

List of DNSSEC and DANE tools

Further reading

• DANE Operational Guidance

Compatibility

Broken since trunk revision 756b8821007a.

Known issues

• A race condition between the DANE lookup and completion of the TLS handshake may cause a crash. This does not happen in trunk thanks to better async support.

sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_s2s_auth_dane