On 29.10.2015 at 03:29, Kim Alvefur wrote:
> On 2015-10-28 22:32, Daniel Pocock wrote:
>> We are just reviewing the final configuration before announcing
>> debian.org XMPP
>
> Nice!
>
>> Can anybody comment on DANE / TLSA? Should we only talk to servers
>> supporting this?
>
> I'm all for encouraging DANE deployment, but it might be a bit early to
> only talk to DANE-enabled servers. By which I mean having a cert not
> signed by a commonly trusted CA and only relying on DNSSEC for
> validation of other servers' certificates, not even doing Dialback. I
> know of a total of 4 servers (including my own) that you could talk to then.
>
> But there is actually quite a number of DNSSEC-signed domains with TLSA
> records published out there, judging by the ones that have been
> submitted to xmpp.net for testing (since the disk crash). So only
> talking to hosts with valid and matching TLSA records would not be too
> crazy.
>
> https://xmpp.net/reports.php#dnssecsrv
> https://xmpp.net/reports.php#dnssecdane
For the lazy ...

3,033 Total Test Results (100%)
  557 DNSSEC signed SRV records (18%)
  217 DNSSEC signed DANE records (7%)
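The two policies Kim contrasts above (only peer with DNSSEC-validated TLSA matches, versus accept a TLSA match when one exists and fall back to CA validation or Dialback otherwise) come down to a small check over the four TLSA fields from RFC 6698. The following is an added illustration, not code from the thread, debian.org or any XMPP server: it parses the zone-file form of a TLSA record, computes the certificate association data for the presented certificate, and applies either policy. It only handles usage 3 (DANE-EE); usages 0 to 2 additionally need chain validation, which is out of scope here. It assumes the caller's resolver has already done DNSSEC validation (the `dnssec_secure` flag), and the certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file presentation form, e.g. '3 1 1 <hex digest>'."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA field value")
    # Zone files may split the hex data into several whitespace-separated chunks.
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes a record's data field must equal for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.mtype == 0:
        return selected
    if record.mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes, spki_der: bytes) -> bool:
    """Accept if any usage-3 record matches the end-entity certificate directly."""
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in records)


def peer_decision(dnssec_secure: bool, records: list, cert_der: bytes,
                  spki_der: bytes, dane_only: bool) -> str:
    """
    Return 'accept', 'reject' or 'fallback'.
    dane_only=True is the strict policy from the thread (talk only to hosts
    with valid, matching TLSA); dane_only=False uses DANE when the zone is
    signed and publishes TLSA, and otherwise leaves the decision to the
    usual CA validation or Dialback ('fallback').
    """
    if dnssec_secure and records:
        # A signed zone that publishes TLSA is authoritative: a mismatch is a hard failure.
        return "accept" if dane_ee_accepts(records, cert_der, spki_der) else "reject"
    return "reject" if dane_only else "fallback"


# Constructed placeholders; a real implementation passes the DER certificate
# received in the TLS handshake and the SubjectPublicKeyInfo extracted from it.
CERT_DER = b"constructed placeholder standing in for a DER-encoded certificate"
SPKI_DER = b"constructed placeholder standing in for its SubjectPublicKeyInfo"


def example_record_text() -> str:
    """The TLSA record an operator would publish for SPKI_DER: DANE-EE, SPKI, SHA-256."""
    return "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


if __name__ == "__main__":
    rec = parse_tlsa(example_record_text())
    print("matches:", tlsa_matches(rec, CERT_DER, SPKI_DER))
    for secure, recs, strict in [(True, [rec], True), (False, [], True), (False, [], False)]:
        print(secure, len(recs), strict, "->", peer_decision(secure, recs, CERT_DER, SPKI_DER, strict))
```

The `dnssec_secure` flag matters as much as the digest comparison: a TLSA record from an unsigned zone, or one obtained through a non-validating resolver, gives no more assurance than the unauthenticated DNS it came from, which is why the strict policy rejects such peers rather than treating their records as valid.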