On 2015-10-28 22:32, Daniel Pocock wrote:
> We are just reviewing the final configuration before announcing
> debian.org XMPP

Nice!

> Can anybody comment on DANE / TLSA? Should we only talk to servers
> supporting this?

I'm all for encouraging DANE deployment, but it might be a bit early to
only talk to DANE-enabled servers. By which I mean having a cert not
signed by a commonly trusted CA and only relying on DNSSEC for
validation of other servers' certificates, not even doing Dialback. I
know of a total of 4 servers (including my own) that you could talk to
then.

But there is actually quite a number of DNSSEC-signed domains with TLSA
records published out there, judging by the ones that have been
submitted to xmpp.net for testing (since the disk crash). So only
talking to hosts with valid and matching TLSA records would not be too
crazy.

https://xmpp.net/reports.php#dnssecsrv
https://xmpp.net/reports.php#dnssecdane

-- 
Kim "Zash" Alvefur
