Package org.jivesoftware.smack.util.dns

Smack's API for DNS related tasks.

DNSSEC and DANE

About

DNSSEC (RFC 4033, and others) authenticates DNS answers, positive and negative ones. This means that if a DNS response secured by DNSSEC turns out to be authentic, then you can be sure either that the domain exists and the returned resource records (RRs) are the ones the domain owner authorized, or that the domain does not exist and nobody tried to fake its non-existence.

The tricky part is that an application using DNSSEC cannot determine on its own whether a domain uses DNSSEC, does not use DNSSEC, or whether someone downgraded the DNSSEC-secured response to your query to a response without DNSSEC.

DANE (RFC 6698) allows the verification of a TLS certificate with information stored in the DNS system and secured by DNSSEC. Thus DANE requires DNSSEC.

Prerequisites

Of the three DNS resolver providers (MiniDNS, javax, dnsjava) supported by Smack, we currently only support DNSSEC with MiniDNS. MiniDNS is the default resolver when smack-android is used. For other configurations, make sure to add smack-resolver-minidns to your dependencies and call `MiniDnsResolver.setup()` prior to using Smack (e.g. in a `static {}` code block).

DNSSEC API

Smack's DNSSEC API is very simple. Just use ConnectionConfiguration.Builder.setDnssecMode(org.jivesoftware.smack.ConnectionConfiguration.DnssecMode) to enable DNSSEC. The argument, ConnectionConfiguration.DnssecMode, can be one of `disabled`, `needsDnssec` or `needsDnssecAndDane`.

The default is `disabled`.

If ConnectionConfiguration.DnssecMode.needsDnssec is used, then Smack will only connect if the DNS results required to determine a host for the XMPP domain could be verified using DNSSEC.

If set to ConnectionConfiguration.DnssecMode.needsDnssecAndDane, then DANE will be used to verify the XMPP service's TLS certificate if STARTTLS is used.

Best Practices

We recommend that applications using Smack's DNSSEC API do not ask the user if DNSSEC is available. Instead, they should check for DNSSEC support on every connection attempt. Once DNSSEC support has been discovered, the application should use the `needsDnssec` mode for all future connection attempts. The same scheme can be applied when using DANE. This approach is similar to the scheme established by HTTP Strict Transport Security (HSTS, RFC 6797).
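The following is an added example of the HSTS-like scheme described above, built on the `setDnssecMode` API from the previous section; it is not code from the Smack project. It assumes Smack with smack-resolver-minidns on the classpath, and the `DnssecPinStore` interface is a hypothetical persistent key/value store the application provides (e.g. backed by SharedPreferences or a properties file).

```java
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
import org.jivesoftware.smack.SmackException;
import org.jivesoftware.smack.XMPPException;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smack.util.dns.minidns.MiniDnsResolver;

import java.io.IOException;

public final class DnssecPinningConnector {

    /** Hypothetical persistent store: remembers, per XMPP domain, that DNSSEC once verified. */
    public interface DnssecPinStore {
        boolean isPinned(String xmppDomain);
        void pin(String xmppDomain);
    }

    static {
        MiniDnsResolver.setup(); // DNSSEC is only supported with the MiniDNS resolver
    }

    private final DnssecPinStore store;

    public DnssecPinningConnector(DnssecPinStore store) { this.store = store; }

    public XMPPTCPConnection connect(String xmppDomain)
            throws SmackException, IOException, XMPPException, InterruptedException {
        if (store.isPinned(xmppDomain)) {
            // The domain proved DNSSEC support before: require it and never fall back.
            return open(xmppDomain, DnssecMode.needsDnssec);
        }
        try {
            XMPPTCPConnection c = open(xmppDomain, DnssecMode.needsDnssec);
            store.pin(xmppDomain); // first verified answer: pin, like an HSTS header
            return c;
        } catch (SmackException | IOException e) {
            // Assumed: unverifiable DNS data surfaces here. Only an unpinned domain may degrade.
        }
        return open(xmppDomain, DnssecMode.disabled);
    }

    private static XMPPTCPConnection open(String xmppDomain, DnssecMode mode)
            throws SmackException, IOException, XMPPException, InterruptedException {
        XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(xmppDomain)
                .setDnssecMode(mode)
                .build();
        XMPPTCPConnection connection = new XMPPTCPConnection(config);
        connection.connect();
        return connection;
    }
}
```

The same structure applies to DANE by pinning `needsDnssecAndDane` once a connection in that mode has succeeded.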