-
erebion
> erebion: here's some other things to think about https://github.com/divestedcg/safeguarding-xmpp-2025 Some good points, thanks
-
erebion
As those are so many things, I wish each point would link to examples on how to configure them.
-
erebion
For example: "Channel binding" must be enabled, but what is that even? In what context? Where can I find further info? What do I need to do?
-
moparisthebest
On modern servers channel binding is automatically enabled, nothing to do there. It can help prevent a specific MITM attack like https://snikket.org/blog/on-the-jabber-ru-mitm/ where the attacker can get a valid cert but not your disk, except it doesn't actually protect against MITM with TLS 1.2 because of https://web.archive.org/web/20250329015540/https://www.mitls.org/pages/attacks/3SHAKE
-
icebound.dev
moparisthebest, it requires client support, which, iirc, many clients still do not support.
-
icebound.dev
However, I haven't looked into it since the jabber.ru MITM.
-
erebion
Could anyone please help me out and tell me whether DANE on erebion.eu looks correct?
-
erebion
I haven't found any way of verifying I'm doing it right...
-
erebion
I have records for 5223 and 5270, but no idea how to make sure those are right
-
MattJ
erebion: https://certwatch.xmpp.net
-
agh
erebion: https://dnsviz.net/d/erebion.eu/dnssec/
-
erebion
Both do not seem to help me answer the question "Is DANE set up correctly?". The first one just shows the hash of my TLS public key, which is not of interest. The second one just shows general DNSSEC info.
-
erebion
monocles says "DANE failed", but for what reason? What is the issue?