XMPP Service Operators - 2023-12-10


  1. unix.dog

    nuegia.net: here are some good resources I used to find out how to set up TLSA records to work with DANE:
    https://www.huque.com/bin/danecheck - check your setup
    https://www.huque.com/bin/gen_tlsa - create the TLSA record from a certificate
    https://www.mailhardener.com/kb/how-to-create-a-dane-tlsa-record-with-openssl - more in-depth explanation
    You probably want to be using a 3 1 1 TLSA record until more stuff supports DANE, and then a 3 0 1 for a bit more security with a self-signed certificate later on.

  2. nuegia.net

    I think I'll hold off on implementing this until clients actually implement it.

  3. unix.dog

    I have it set up with my Let's Encrypt certificate. In clients like Cheogram, it can provide another layer of user trust on top of DNSSEC.

  4. nuegia.net

    The reason I'd want to do this is to be able to stop using certificate authorities. It doesn't sound like this is viable yet.

  5. unix.dog

    and certwatch can use them to watch that your certificates aren't being abused or MITM'd like jabber.ru was

  6. unix.dog

    > The reason I'd want to do this is to be able to stop using certificate authorities. It doesn't sound like this is viable yet.

    yeah, but you can at least start now by publishing a TLSA record for your existing certificate

  7. moparisthebest

    nuegia.net: at least Cheogram Android implements it, probably more

  8. nuegia.net

    I don't use Android.

  9. Menel

    > i have it setup with my let's encrypt certificate. in clients like Cheogram, it can provide another layer of user trust on top of DNSSEC

    unix.dog: chicken / egg. You don't implement it because not everyone uses it. So... it will never come, because everyone like-minded will never implement it either... Same as IPv6, but worse...

  10. yakov

    Anyone tracking stats of what % support dnssec, dane, etc.?

  11. moparisthebest

    What % of what? We can't even know how many public federated XMPP servers exist total

  12. psychhim

    > What % of what? We can't even know how many public federated XMPP servers exist total

    We can't?

  13. agh

    https://www.internetsociety.org/deploy360/dnssec/statistics/

  14. agh

    https://www.secspider.net/growth.html

  15. yakov

    moparisthebest: just enumerate them from s.j.n and o.j.n

  16. yakov

    Doesn't need to be every single public server

  17. agh

    I think the hardest part with DNSSEC is the Operating Systems'

  18. yakov

    One-liner to enable on systemd-resolved, and Fedora already has a timer for the anchors

  19. agh

    Many Unixes cannot replace gethostby* with a better-functioning getdns, which transparently supports DNSSEC

  20. yakov

    Public resolvers like Quad9 also enforce DNSSEC

  21. agh

    The DNSSEC browser extensions just use DNS over HTTP for the DNSSEC, sucks.

  22. agh

    > Public resolvers like quad9 also enforce dnssec

    It needs to be pushed further down into the OS too, though, instead of pushing the DNSSEC complexity up the stack into applications

  23. Menel

    Heh, it seems the only machine I've restarted with the new kernel actually only uses btrfs everywhere 😊

  24. Menel

    About DANE: 10% of my s2s connections are using DANE, (4 of 37 outgoing/bidi connections 🙂)

  25. unix.dog

    Menel, how do you chec

  26. unix.dog

    *check?

  27. Menel

    prosodyctl shell 's2s:show("*", {"host","dir","remote",{title="DANE",width="1p",key="conn",mapper=function(conn)return conn.extra and conn.extra.dane_hostname end}})'|grep -- "->"

  28. unix.dog

    oops I'm using ejabberd c:

  29. Menel

    Does ejabberd support it?

  30. unix.dog

    dunno, maybe not directly to verify it

  31. unix.dog

    I haven't checked

  32. MattJ

    I haven't heard of ejabberd supporting it