This module implements DANE as described in Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations.
This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS module does not support DNSSEC. Therefore, to use this module, a replacement is needed, such as this one.
LuaSec 0.5 or later is also required.
After installing
the module, just add it to modules_enabled
;
modules_enabled = {
...
"s2s_auth_dane";
}
By default, only DANE uses are enabled.
dane_uses = { "DANE-EE", "DANE-TA" }
Use flag | Description |
---|---|
DANE-EE |
Most simple use, usually a fingerprint of the full certificate or public key used the service |
DANE-TA |
Fingerprint of a certificate or public key that has been used to issue the service certificate |
PKIX-EE |
Like DANE-EE but the
certificate must also pass normal PKIX trust checks (ie standard
certificates) |
PKIX-TA |
Like DANE-TA but must also
pass normal PKIX trust checks (ie standard certificates) |
In order for other services to verify your site using using this
plugin, you need to publish TLSA records (and they need to have this
plugin). Here’s an example using DANE-EE Cert SHA2-256
for
a host named xmpp.example.com
serving the domain
example.com
.
$ORIGIN example.com.
; Your standard SRV record
_xmpp-server._tcp.example.com IN SRV 0 0 5269 xmpp.example.com.
; IPv4 and IPv6 addresses
xmpp.example.com. IN A 192.0.2.68
xmpp.example.com. IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341
; The DANE TLSA records.
_5269._tcp.xmpp.example.com. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
; If your zone file tooling does not support TLSA records, you can try the raw binary format:
_5269._tcp.xmpp.example.com. 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
version | status |
---|---|
trunk | broken1 |
0.12 | broken |
0.11 | works |
0.10 | works |
0.9 | works |
Broken since trunk revision 756b8821007a.
since 756b8821007a↩︎
With the plugin installer in Prosody 0.12 you can use:
sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_s2s_auth_dane
For earlier versions see the documentation for installing 3rd party modules