This module implements DANE as described in Using DNS Security Extensions (DNSSEC) and DNS-based Authentication of Named Entities (DANE) as a Prooftype for XMPP Domain Name Associations.


This module requires a DNSSEC aware DNS resolver. Prosodys internal DNS module does not support DNSSEC. Therefore, to use this module, a replacement is needed, such as this one.

LuaSec 0.5 or later is also required.


After installing the module, just add it to modules_enabled;

modules_enabled = {


By default, only DANE uses are enabled.

dane_uses = { "DANE-EE", "DANE-TA" }
Use flag Description
DANE-EE Most simple use, usually a fingerprint of the full certificate or public key used the service
DANE-TA Fingerprint of a certificate or public key that has been used to issue the service certificate
PKIX-EE Like DANE-EE but the certificate must also pass normal PKIX trust checks (ie standard certificates)
PKIX-TA Like DANE-TA but must also pass normal PKIX trust checks (ie standard certificates)

DNS Setup

In order for other services to verify your site using using this plugin, you need to publish TLSA records (and they need to have this plugin). Here's an example using DANE-EE Cert SHA2-256 for a host named serving the domain

; Your standard SRV record IN SRV 0 0 5269
; IPv4 and IPv6 addresses IN A IN AAAA 2001:0db8:0000:0000:4441:4e45:544c:5341

; The DANE TLSA records. 300 IN TLSA 3 0 1 E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

; If your zone file tooling does not support TLSA records, you can try the raw binary format: 300 IN TYPE52 \# 35 030001E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855

List of DNSSEC and DANE tools

Further reading


Requires 0.9 or above.

Known issues