defanor: If a user sets server host name and port manually, and the address (A/AAAA) record chosen to connect to it passes DNSSEC validation, is it okay to perform DANE TLSA verification against that manually provided host name?
flow: defanor, you don't perform TLSA verification against the provided host name, you perform it against the provided XMPP service name
flow: e.g. user configures his JID to be "firstname.lastname@example.org" and host name to be "enterprise.example.org", then you would perform TLSA verification against "example.org"
defanor: But with SRV records it would be "enterprise.example.org", according to <https://tools.ietf.org/html/draft-ietf-dane-srv-14#section-3.3>, so it seemed to me that with a manually provided host name it would be similar, since it more or less replaces SRV.
flow: this only talks about the TLSA DNS query (/lookup)
flow: i.e., it says that you want to look up the TLSA record on the SRV target
defanor: Indeed. I thought I had read in one of the related RFCs that it allows using certificates for different domains on different servers, but I probably misunderstood something; re-reading the RFCs. And GnuTLS's dane_verify_session_crt seems to only assume a single domain name, not one for the certificate and one for TLSA. Still, what are the required conditions to use DANE with a manually provided host?
flow: defanor, dunno, but I could imagine that you do the TLSA lookup on the user-provided DNS name
defanor: https://tools.ietf.org/html/rfc7673#section-6 -- if I'm reading it right, with DANE-EE there are no constraints on the certificate's identifier, and with DANE-EE it could be either service/source or target server/derived domain. Or am I misinterpreting it?
defanor: "and with non-DANE-EE", rather.
flow: defanor, yes, that appears right. But the problem is the "and/or" part in RFC 7673 § 6, as most APIs only take one identifier as input (sure, you could invoke the verify() method multiple times)
flow: personally, if in doubt, I would always use the XMPP service name and not the DNS name of the discovered/explicitly configured host for verification
Zash: Yeah, you start with the identifier you got from the user. Only use something if it can be securely derived from that.
flow: Zash, but in this case I get two identifiers from the user: the user's JID domainpart and the DNS name of the server hosting the XMPP service