Abbreviations used in this post: XMPP is the Extensible Messaging and Presence Protocol, DANE is DNS-based Authentication of Named Entities, and TLSA is the DNS record type DANE uses ("TLSA" does not stand for anything, it is just the name of the RRtype).

Okay, seriously: this post is about securing an XMPP server running on an .IM domain with DNSSEC, using yax.im as a real-life example.

Browsers come with a long list of pre-pinned site certificates. For XMPP, DNSSEC is the only viable way to extend the broken Root CA trust model with a slightly-less-broken hierarchical trust model from DNS (there is also TACK, which is impossible to deploy because it modifies the TLS protocol, and is also unmaintained). Because the .IM TLD is not DNSSEC-signed yet, we will need to use DLV (DNSSEC Look-aside Validation), an additional DNSSEC trust root operated by the ISC (until the end of 2016).

This post has been sitting in the drafts folder for a while, but now it was a good time to finalize the article.

Our (real-life) scenario is as follows: the yax.im XMPP service is run on a server with a different host name (for historical reasons, the yax.im host is a web server forwarding to another host, not the actual XMPP server). The same server also hosts the conference service, which needs to be accessible under its own conference domain. We will need to set up the correct entries for yax.im (the XMPP service domain), the conference domain and the actual server name: advertise the server name, obtain a TLS certificate, configure DNSSEC on the domains, and publish TLSA records that define which certificate a client can expect when connecting. Once this is deployed, state-level attackers will not be able to attack our service simply by issuing rogue certificates; they would also have to compromise the DNSSEC chain of trust (in our case one of the following: the DLV trust root, or the Registrar/NS hosting our domains, essentially limiting the number of states able to pull this off to one).

The service / server separation is made possible with the SRV record. It is a generic variant of records like MX (e-mail server) or NS (domain name server) and defines which server is responsible for a given service on a given domain. For XMPP, we create three SRV records to allow clients (_xmpp-client._tcp), servers (_xmpp-server._tcp) and conference participants (_xmpp-server._tcp on the conference domain) to connect to the right server. The record syntax is: priority (5), weight (1), port (5222 for clients, 5269 for servers) and host (the XMPP server name). Priority and weight are used for load-balancing multiple servers, which we are not using.

Attention: some clients (or their respective DNS resolvers, often hidden in outdated, cheap, plastic junk routers provided by your "broadband" ISP) fail to resolve SRV records, and thus fall back to the A record. If you are setting up a new XMPP server, you will slightly improve your availability by ensuring that the A record (yax.im in our case) points to the XMPP server as well. However, DNSSEC will be even more of a challenge for them, so let's write them off.

While DANE allows rolling out self-signed certificates, our goal is to stay compatible with clients and servers that do not deploy DNSSEC yet. We therefore need a certificate issued by a trustworthy Certificate Authority. Both StartSSL and WoSign offer a convenient function to generate your keypair for you. This "feature" will allow the CA to decrypt your traffic (unless all your sessions use forward secrecy).

The certificate we are about to obtain must be somehow tied to our XMPP service. We have three different names (yax.im, the conference domain and the server name) and the obvious question is: which one should be entered into the certificate? Fortunately, this is easy to find out, as it is well-defined in the XMPP specification.
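The SRV records and the A-record fallback caveat described above, as an added example that is not code from the post: a small Python checker that parses SRV and A records from zone-file text and verifies the three records for the service domain, the conference domain and the server name, including the ports 5222/5269 and the requirement that the service domain's A record resolves to the same address as the XMPP server. All names (example.im, chat.example.im, xmpp.example.im) and addresses (192.0.2.x) are constructed placeholders, not the yax.im hosts.

```python
"""Check the three XMPP SRV records and the A-record fallback from zone-file text.

Added example, not code from the post. Names and addresses are constructed
placeholders (example.im / 192.0.2.x), not real hosts."""
from dataclasses import dataclass


@dataclass
class SrvRecord:
    name: str      # owner name, e.g. "_xmpp-client._tcp.example.im."
    priority: int  # lower wins; only matters with several records per name
    weight: int    # relative share among records of equal priority
    port: int      # 5222 for client connections, 5269 for server-to-server
    target: str    # host that actually runs the service


def parse_zone(zone_text):
    """Parse SRV and A records from lines such as
    '_xmpp-client._tcp.example.im. 3600 IN SRV 5 1 5222 xmpp.example.im.'
    Returns (list of SrvRecord, dict owner -> list of IPv4 strings)."""
    srv, a = [], {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower(), fields[1:]  # TTL and class are optional
        if "SRV" in rest:
            i = rest.index("SRV")
            prio, weight, port, target = rest[i + 1:i + 5]
            srv.append(SrvRecord(owner, int(prio), int(weight), int(port), target.lower()))
        elif "A" in rest:
            a.setdefault(owner, []).append(rest[rest.index("A") + 1])
    return srv, a


def check_xmpp_srv(records, service_domain, conference_domain, server_host):
    """Return a list of problems; empty means the three records the post
    describes exist and all point at the XMPP server with the right port."""
    wanted = [
        (f"_xmpp-client._tcp.{service_domain}.", 5222),
        (f"_xmpp-server._tcp.{service_domain}.", 5269),
        (f"_xmpp-server._tcp.{conference_domain}.", 5269),
    ]
    target = server_host.lower().rstrip(".") + "."
    problems = []
    for name, port in wanted:
        matching = [r for r in records if r.name == name.lower()]
        if not matching:
            problems.append(f"missing SRV record {name}")
            continue
        for r in matching:
            if r.port != port:
                problems.append(f"{name}: port {r.port}, expected {port}")
            if r.target != target:
                problems.append(f"{name}: target {r.target} is not {target}")
    return problems


def a_record_fallback_ok(a_records, service_domain, server_host):
    """The post's caveat: resolvers that cannot do SRV fall back to the A record
    of the service domain, so it should resolve to the same address(es) as the
    XMPP server itself."""
    svc = set(a_records.get(service_domain.lower().rstrip(".") + ".", []))
    srv = set(a_records.get(server_host.lower().rstrip(".") + ".", []))
    return bool(svc) and svc == srv


# Constructed sample zone: the layout the post describes, with placeholder names.
GOOD_ZONE = """
; placeholders, not real hosts
_xmpp-client._tcp.example.im.      3600 IN SRV 5 1 5222 xmpp.example.im.
_xmpp-server._tcp.example.im.      3600 IN SRV 5 1 5269 xmpp.example.im.
_xmpp-server._tcp.chat.example.im. 3600 IN SRV 5 1 5269 xmpp.example.im.
example.im.                        3600 IN A   192.0.2.10
xmpp.example.im.                   3600 IN A   192.0.2.10
"""

# Constructed zone with two mistakes: the client port on the s2s record, and the
# service domain's A record pointing at the web host instead of the XMPP server.
BAD_ZONE = """
_xmpp-client._tcp.example.im.      3600 IN SRV 5 1 5222 xmpp.example.im.
_xmpp-server._tcp.example.im.      3600 IN SRV 5 1 5222 xmpp.example.im.
_xmpp-server._tcp.chat.example.im. 3600 IN SRV 5 1 5269 xmpp.example.im.
example.im.                        3600 IN A   192.0.2.80
xmpp.example.im.                   3600 IN A   192.0.2.10
"""


def run_checks(zone_text):
    """Run both checks for the placeholder scenario; returns (problems, fallback_ok)."""
    srv, a = parse_zone(zone_text)
    return (check_xmpp_srv(srv, "example.im", "chat.example.im", "xmpp.example.im"),
            a_record_fallback_ok(a, "example.im", "xmpp.example.im"))


if __name__ == "__main__":
    for label, zone in (("good zone", GOOD_ZONE), ("bad zone", BAD_ZONE)):
        problems, fallback = run_checks(zone)
        print(f"{label}: SRV problems: {problems or 'none'} | A-record fallback ok: {fallback}")
```

The checker deliberately tolerates several SRV records per name (priority and weight would then select among them) but flags any of them that names a wrong port or a host other than the XMPP server, since a resolver could pick it.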
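The TLSA records mentioned in the introduction, as an added example that is not code from the post or from the yax.im deployment: it builds the association data an operator publishes and performs the comparison a DANE-aware client makes after the TLS handshake, for the DANE-EE usage (3) only. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins for real DER, and xmpp.example.im is a placeholder host. It goes a little beyond the post by showing why matching on the public key (selector 1) survives a certificate renewal with the same key while matching the full certificate (selector 0) does not.

```python
"""Build and verify DANE TLSA records for an XMPP server.

Added example, not code from the post. The "certificate" and "SPKI" values are
constructed byte strings standing in for DER; a real deployment feeds the DER
encoding of the certificate and of its SubjectPublicKeyInfo."""
import hashlib
from dataclasses import dataclass

# RFC 6698 parameter values
USAGE_DANE_EE = 3       # the record names the end-entity certificate itself
SELECTOR_FULL_CERT = 0  # match the whole certificate
SELECTOR_SPKI = 1       # match only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def presentation(self, port, host):
        """Zone-file line; the owner is the SRV target and port, e.g. _5222._tcp.xmpp.example.im."""
        return (f"_{port}._tcp.{host}. IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.data.hex()}")


def _selected(selector, cert_der, spki_der):
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def _matched(matching_type, blob):
    if matching_type == MATCH_EXACT:
        return blob
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(blob).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der, spki_der, usage=USAGE_DANE_EE,
              selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    """Operator side: derive the association data to publish (default 3 1 1)."""
    return TlsaRecord(usage, selector, matching_type,
                      _matched(matching_type, _selected(selector, cert_der, spki_der)))


def tlsa_matches(record, cert_der, spki_der):
    """Client side: derive the same data from the certificate the server presented
    and compare. Only DANE-EE is handled; usages 0-2 also need PKIX validation."""
    if record.usage != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is demonstrated")
    derived = _matched(record.matching_type, _selected(record.selector, cert_der, spki_der))
    return derived == record.data


def parse_tlsa(rdata):
    """Parse the rdata of a presentation-format record: 'usage selector mtype hex'."""
    usage, selector, matching_type, hexdata = rdata.split()
    return TlsaRecord(int(usage), int(selector), int(matching_type), bytes.fromhex(hexdata))


# Constructed stand-ins for DER blobs (NOT real certificates or keys).
SPKI = b"\x30\x5a" + b"spki-of-server-key".ljust(88, b"\x00")
CERT_V1 = b"\x30\x82" + b"cert-v1:" + SPKI + b":sig-1"
CERT_V2 = b"\x30\x82" + b"cert-v2:" + SPKI + b":sig-2"     # renewed, same key
OTHER_SPKI = b"\x30\x5a" + b"spki-of-other-key".ljust(88, b"\x00")
CERT_OTHER = b"\x30\x82" + b"cert-other:" + OTHER_SPKI + b":sig-x"


def demo():
    """The outcomes worth knowing before choosing selector 0 or 1."""
    rec_spki = make_tlsa(CERT_V1, SPKI)                               # 3 1 1
    rec_full = make_tlsa(CERT_V1, SPKI, selector=SELECTOR_FULL_CERT)  # 3 0 1
    line = rec_spki.presentation(5222, "xmpp.example.im")
    return {
        "spki_record_matches_current_cert": tlsa_matches(rec_spki, CERT_V1, SPKI),
        "spki_record_survives_renewal": tlsa_matches(rec_spki, CERT_V2, SPKI),
        "full_cert_record_breaks_on_renewal": not tlsa_matches(rec_full, CERT_V2, SPKI),
        "cert_with_other_key_rejected": not tlsa_matches(rec_spki, CERT_OTHER, OTHER_SPKI),
        "presentation_round_trips": parse_tlsa(line.split(" TLSA ", 1)[1]) == rec_spki,
    }


if __name__ == "__main__":
    print(make_tlsa(CERT_V1, SPKI).presentation(5222, "xmpp.example.im"))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

For a real certificate the SPKI digest a "3 1 1" record carries is what `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints; publish a record for each SRV port (5222 and 5269) under the server host name, and when rotating keys publish the new record alongside the old one for at least the TTL before switching certificates.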