On Tue, Nov 12, 2013 at 01:59:59PM +0100, Simon Tennant wrote:
> On 12 November 2013 00:33, Thijs Alkemade <[email protected]> wrote:
>
> > * DANE. DNSSEC deployment is still low and DANE is low compared to that. Few
> > DNS stacks include support for DNSSEC, so widespread DANE deployment is
> > unlikely to happen soon.
>
> I would love to have a guide on how to set up DANE and DNSSEC for an XMPP
> server. And have a primer added to the
> http://wiki.xmpp.org/web/Securing_XMPP#Prosody_.28secure_delegation_with_DANE.29 page.
>
> Has anyone managed to do this?
>
> Would anyone have time to walk me through setting this up and I'll write up
> a recipe.
>
> S.
Setting it up is fairly easy. Once you have the DNSSEC support (which is not specific to XMPP at all), you only need to provide TLSA records as described in the (imo quite straightforward) RFC 6698 [1] + errata 3594 [2] for the relevant entries. Of course, the complexity increases with the complexity of your XMPP setup.

I have a simple guide in the works as to how to set up NSD + sign with DNSSEC + DANE, but nothing to show yet. Assuming you have a working NSD, you need to generate a ZSK and a KSK (e.g. w/ ldns-keygen), sign the zone file with them (e.g. w/ ldns-signzone), and then tell NSD to serve the signed file instead of the plain one. You also need to send your public keys for validation, probably to your registrar, or to the DLV registry [3] if your registrar is ignoring DNSSEC.

For DANE, there is the RFC [1] and this informative blog post [4] that explain things clearly. This is by no means a fully technically accurate walkthrough, but I hope it helps.

Finally, for a list of DANE-enabled servers, I would check the xmpp.net reports [5] with DNSSEC enabled; there ought to be a few with TLSA records (although that does not mean that they process them).

Regards

[1] http://tools.ietf.org/html/rfc6698
[2] http://www.rfc-editor.org/errata_search.php?rfc=6698
[3] https://dlv.isc.org/
[4] http://blog.huque.com/2012/10/dnssec-and-certificates.html
[5] http://xmpp.net/reports.php

-- 
Mathieu Pasquet (mathieui)
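As an added example (not from this thread or the guides it links), the step Mathieu leaves to RFC 6698 and the blog post: deriving the DANE-EE TLSA record (usage 3, selector 1, matching type 1, i.e. SHA-256 over the certificate's SubjectPublicKeyInfo) for an XMPP server-to-server endpoint from a DER certificate, and checking a presented certificate against it the way a DANE-aware peer would. The domain example.com, the function names and the constructed sample certificate are assumptions, not real data; the test also shows why selector 1 survives a certificate reissue with the same key while selector 0 does not.

```python
import hashlib

def der_read(data, pos=0):
    """Read one DER TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], data[start:pos + length], pos + length

def der_children(value):
    """Split a constructed DER value into (tag, value, raw) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_read(value, pos)
        out.append((tag, val, raw))
    return out

def spki_from_cert(cert_der):
    """DER-encoded SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

def tlsa_data(cert_der, selector=1):
    """Association data: SHA-256 over the SPKI (selector 1) or whole cert (0)."""
    return hashlib.sha256(spki_from_cert(cert_der) if selector else cert_der).hexdigest()
def tlsa_record(domain, cert_der, port=5269, selector=1):
    """Presentation-format TLSA record for the XMPP s2s port (5269) of domain."""
    return f"_{port}._tcp.{domain}. IN TLSA 3 {selector} 1 {tlsa_data(cert_der, selector)}"
def tlsa_matches(record_data, presented_cert_der, selector=1):
    """What a DANE-aware peer checks: does the presented cert match the record?"""
    return tlsa_data(presented_cert_der, selector) == record_data.lower()

def der(tag, *parts):
    """Minimal DER encoder (short-form lengths), only to build the sample below."""
    body = b"".join(parts)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body
ECDSA_SHA256 = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # AlgorithmIdentifier
def sample_cert(key_bytes, serial=1):
    """Constructed, unsigned, structurally valid certificate (not a real one)."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"),   # ecPublicKey
                         der(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07")),    # P-256
               der(0x03, b"\x00" + key_bytes))                 # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              ECDSA_SHA256, der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, ECDSA_SHA256, der(0x03, b"\x00"))
SAMPLE_KEY = b"\x04" + b"\x11" * 32                   # placeholder bytes, not a real EC point
SAMPLE_CERT = sample_cert(SAMPLE_KEY)                 # real input: open("cert.der", "rb").read()
```

Publish the line `tlsa_record(...)` returns in the signed zone; a peer that actually processes DANE then accepts the s2s connection only when `tlsa_matches` holds for the certificate it is shown.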
