-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On 2013-03-21 at 07:45 -0700, Peter Saint-Andre wrote:
> That's why Matt Miller and I have been working on a suite of specs
> about "domain name associations"...
>
> https://datatracker.ietf.org/doc/draft-saintandre-xmpp-dna/
>
> https://datatracker.ietf.org/doc/draft-miller-xmpp-dnssec-prooftype/ -
> likely will be merged with
> https://datatracker.ietf.org/doc/draft-ietf-dane-srv/
>
> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
>
> Jesse (and other operators), your feedback on those specs would be
> *very* much appreciated.
Unsurprisingly, I'm in favour of draft-ietf-dane-srv. :)

This just nudged me to publish TLSA records which I believe should be
relevant for my server. They're usage=2 TLSA records, which means that
the CA certificate is in DNS and the PKIX is not to be used.

I can be reached via XMPP as phil.penn...@spodhuis.org and if there are
operators wanting to test interop for DANE stuff, then as long as you
have IPv6 connectivity, contact me off-list to request an account
(definitely no IBR!).

Note that while dnssec-tools has some helpful bits in it, dt-danechk
assumes that it's speaking to a TLS-on-connect port, such as HTTPS,
rather than a STARTTLS-protocol service. One more reason to have 5223
listening, to ease debugging ...

- -Phil
-----BEGIN PGP SIGNATURE-----

iEYEAREDAAYFAlFLe4EACgkQQDBDFTkDY38ifwCfR3xmJs4eAi0/R8iHptXGy2gs
0msAnjXiIXMUHCz+RQH47fhQTMhlHWgE
=bKsO
-----END PGP SIGNATURE-----
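The two halves of what Phil describes above, publishing a usage=2 TLSA record for a CA and checking a peer's chain against it, as an added example. This is not code from the list post, from dnssec-tools or from draft-ietf-dane-srv; it is a from-scratch Python implementation of the RFC 6698 field semantics (usage 0-3, selector 0 = full certificate / 1 = SubjectPublicKeyInfo, matching type 0/1/2 = exact / SHA-256 / SHA-512) plus the `_port._proto.<SRV target>` owner name the DANE-SRV draft uses. The certificates are constructed, unsigned DER skeletons built inline so the block runs offline; the names `make_cert`, `spki_of`, `tlsa_rdata`, `tlsa_owner` and `match_tlsa` are this example's own. Note what a match does and does not tell you: for usage 2 (DANE-TA) the matched certificate is the trust anchor and the leaf must still be verified to chain to it, which this block does not do since its sample certificates carry no real signatures; for usages 0 and 1 full PKIX validation is additionally required, which the returned flag signals.

```python
"""TLSA record generation and matching with RFC 6698 semantics, for a
DANE-SRV style check.  Added example, not code from the list post or
from any draft.  Certificates are constructed, unsigned DER skeletons;
no DNS lookup or chain signature verification is performed."""
import hashlib
import re

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)


def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_children(tlv):
    """Split the body of a constructed DER element into its child TLVs."""
    def tl(buf, i):                       # -> (body start, body length)
        n, i = buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        return i, n
    start, length = tl(tlv, 0)
    body, out, j = tlv[start:start + length], [], 0
    while j < len(body):
        s, m = tl(body, j)
        out.append(body[j:s + m])
        j = s + m
    return out


def make_cert(subject, issuer, pubkey, serial):
    """Constructed, unsigned X.509 certificate skeleton (sample input only)."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF (commonName, UTF8String)
        return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, cn.encode()))))
    sig_alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))
    spki = der(SEQ, der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(NULL, b""))
               + der(BITSTR, b"\x00" + pubkey))
    validity = der(SEQ, der(UTCTIME, b"130101000000Z") + der(UTCTIME, b"140101000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, bytes([serial])) + sig_alg
              + name(issuer) + validity + name(subject) + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + bytes(16)))  # dummy signature


def spki_of(cert_der):
    """Extract subjectPublicKeyInfo (TLSA selector 1) from a DER certificate."""
    fields = der_children(der_children(cert_der)[0])   # tbsCertificate fields
    if fields[0][0] == CTX0:                           # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


def association_data(cert_der, selector, mtype):
    """Certificate association data per RFC 6698 selector / matching type."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format RDATA an operator publishes, e.g. '2 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"


def tlsa_owner(srv_target, port=5269, proto="tcp"):
    """Owner name looked up under the DANE-SRV draft: _port._proto.<SRV target>."""
    return f"_{port}._{proto}.{srv_target.rstrip('.')}."


def match_tlsa(rdata, chain):
    """Check a peer's chain (leaf first, as sent in TLS) against one TLSA record.
    Returns (index of the certificate the record matched or None,
             whether the usage still requires PKIX validation).
    For usages 0 and 2 the caller must additionally verify that chain[0]
    chains up to the matched certificate; this example does not."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    want = bytes.fromhex(re.sub(r"\s+", "", hexdata))
    if usage in (1, 3):               # PKIX-EE / DANE-EE: the leaf itself must match
        candidates = [0]
    elif usage in (0, 2):             # PKIX-TA / DANE-TA: an issuer in the chain must match
        candidates = range(1, len(chain))
    else:
        raise ValueError(f"unknown certificate usage {usage}")
    for i in candidates:
        if association_data(chain[i], selector, mtype) == want:
            return i, usage in (0, 1)
    return None, usage in (0, 1)


if __name__ == "__main__":
    ca = make_cert("Example CA", "Example CA", bytes(range(32)), 1)
    ee = make_cert("xmpp.example.net", "Example CA", bytes(range(32, 64)), 2)
    rec = tlsa_rdata(ca, 2, 1, 1)      # usage=2, SPKI, SHA-256: what the post describes publishing
    print(tlsa_owner("xmpp.example.net"), "IN TLSA", rec)
    print(match_tlsa(rec, [ee, ca]))   # (1, False): CA matched, no PKIX needed
```

To use this against a real server the chain has to be taken from the TLS handshake that actually happens on the XMPP port, which for 5269 means after STARTTLS (the dt-danechk limitation Phil mentions): `openssl s_client -starttls xmpp -connect host:5269 -showcerts` gives the DER-able PEM chain, and the RDATA comes from `dig TLSA _5269._tcp.<srv-target>`, which should only be trusted when the answer is DNSSEC-validated. Pinning the CA's SubjectPublicKeyInfo (selector 1) rather than the full certificate (selector 0) is what lets the record survive a routine reissue of the same key.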