mod_s2s_auth_dane_in

The Prosody network stack natively supports and handles DANE for outgoing s2s connections when DNSSEC is enabled.

This module complements this by implementing DANCE (DANE for Clients) in order to authenticate incoming s2s connections.

How it works

When authenticating an incoming S2S connection, a DNS lookup for _xmpp-server.example.com IN TLSA is performed. If no records are found, the module instead performs SRV lookups as if it were making an outgoing connection, and from there looks for _PORT._tcp.TARGET IN SRV, the same as for an outgoing connection. These TLSA records, if any, are matched against the client certificate presented by the remote server, and the connection is marked as secure or not depending on the result.
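The lookup order and the record matching described above, as an added worked example in Python (not the module's own Lua code). It assumes a stub resolver over a constructed zone, treats the second-stage TLSA query as living at _PORT._tcp.TARGET the way outgoing DANE does, and decides only DANE-EE (usage 3) records; DANE-TA and PKIX usages additionally require chain validation, so they are reported as not matched here. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER.

```python
import hashlib
from typing import Callable, List, NamedTuple


class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 7671)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record against the presented end-entity certificate.

    Only DANE-EE (usage 3) is decided here, since it binds the record directly
    to the leaf certificate. Other usages also need PKIX or DANE-TA chain
    validation, which this example does not perform, so they never match.
    """
    if record.usage != 3:
        return False
    if record.selector == 0:
        selected = cert_der
    elif record.selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: unusable record
    if record.matching == 0:
        expected = selected
    elif record.matching == 1:
        expected = hashlib.sha256(selected).digest()
    elif record.matching == 2:
        expected = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: unusable record
    return record.data == expected


Resolver = Callable[[str, str], list]


def lookup_tlsa(domain: str, resolve: Resolver) -> List[TLSA]:
    """Direct TLSA lookup first, then the SRV targets' _<port>._tcp.<target> names."""
    records = resolve(f"_xmpp-server.{domain}", "TLSA")
    if records:
        return list(records)
    found: List[TLSA] = []
    for srv in resolve(f"_xmpp-server._tcp.{domain}", "SRV"):
        # Same owner name that outgoing DANE queries for this target.
        found.extend(resolve(f"_{srv.port}._tcp.{srv.target}", "TLSA"))
    return found


def authenticate(domain: str, cert_der: bytes, spki_der: bytes, resolve: Resolver) -> bool:
    """True if any usable TLSA record for `domain` matches the client certificate."""
    return any(tlsa_matches(r, cert_der, spki_der) for r in lookup_tlsa(domain, resolve))


# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo bytes.
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"
OTHER_CERT_DER = b"constructed-certificate-of-some-other-server"

# Constructed zone data. A real resolver must hand back only DNSSEC-validated
# answers; unvalidated TLSA records give no assurance at all.
ZONE = {
    ("_xmpp-server.example.com", "TLSA"): [TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())],
    ("_xmpp-server._tcp.example.net", "SRV"): [SRV(0, 5, 5269, "xmpp.example.net")],
    ("_5269._tcp.xmpp.example.net", "TLSA"): [TLSA(3, 0, 0, CERT_DER)],
    ("_xmpp-server._tcp.example.org", "SRV"): [SRV(0, 5, 5269, "xmpp.example.org")],
    ("_5269._tcp.xmpp.example.org", "TLSA"): [TLSA(2, 0, 1, hashlib.sha256(CERT_DER).digest())],
}


def resolve(name: str, rrtype: str) -> list:
    """Stub resolver over the constructed zone above."""
    return ZONE.get((name, rrtype), [])


if __name__ == "__main__":
    for domain in ("example.com", "example.net", "example.org", "example.test"):
        secure = authenticate(domain, CERT_DER, SPKI_DER, resolve)
        print(domain, "secure" if secure else "not secure")
```

The example.org case is the one to note when deploying: a DANE-TA record is perfectly valid, but it can only mark the connection secure once the presented chain has been validated up to the trust anchor named in the record, which is more than a leaf comparison.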

Configuration

To enable DANE in both directions, set use_dane = true in the global section of the Prosody config file:

-- global section
use_dane = true

This enables both the DANE support for outgoing connections (built into net.connect) and this module.