Add option to turn on DANE

Nice to have, especially with the recent Let's Encrypt debacle
This commit is contained in:
Kim Alvefur
2026-03-03 20:21:59 +01:00
parent fddb859136
commit 370bca28c0
4 changed files with 14 additions and 0 deletions
+1
@@ -15,6 +15,7 @@ RUN apt-get update \
${PROSODY_PACKAGE} \
${LUA_PACKAGE} \
ca-certificates \
dns-root-data \
lua-unbound \
lua-sec \
lua-readline \
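Review bot: the rendered hunk has lost its `+` marker, so it is not visible which package is the single added line; if it is only `dns-root-data`, please confirm `lua-unbound` was already installed, because the `use_dane` option and the `unbound = { trustfile = ... }` block added in the config hunk depend on lua-unbound doing DNSSEC validation locally against the root trust anchor from `/usr/share/dns/root.ds`. Without a validating resolver, DANE provides no protection, so it is worth a comment next to `dns-root-data` saying it is the DNSSEC trust anchor used by `use_dane`.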
+1
@@ -60,6 +60,7 @@ Volumes can be mounted at the following locations for adding in files:
* `PROSODY_TURN_SECRET` - Shared secret for TURN
* `PROSODY_TURN_TLS_PORT` - Port number for STUN over TLS
* `PROSODY_RETENTION_DAYS` - How many days worth of message archives and shared file to keep.
* `PROSODY_USE_DANE` - Whether to enable [DANE](https://prosody.im/doc/dane) (requires [DNSSEC](https://prosody.im/doc/dnssec) aware resolvers).
* `PROSODY_S2S_SECURE_AUTH` - Whether to require that remote servers present valid certificates. Enabled by default.
* `PROSODY_C2S_RATE_LIMIT` - Rate limit for client-to-server connections. Defaults to `10kb/s`.
* `PROSODY_S2S_RATE_LIMIT` - Rate limit for server-to-server connections. Defaults to `30kb/s`.
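Review bot: the `PROSODY_USE_DANE` entry should state which values enable it and what the default is, as the neighbouring `PROSODY_S2S_SECURE_AUTH` entry does ("Enabled by default"). With the config hunk as written (`use_dane = ENV_PROSODY_USE_DANE`), any non-empty value turns DANE on, so the README should say something like "Set to `1` to enable; disabled when unset", and ideally that clients of the container must point Prosody at DNSSEC-validating resolution (here provided by lua-unbound with the `dns-root-data` trust anchor) for DANE to be meaningful.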
+6
@@ -124,6 +124,12 @@ modules_disabled = _split(ENV_PROSODY_DISABLE_MODULES)
s2s_secure_auth = ENV_PROSODY_S2S_SECURE_AUTH ~= "0"
use_dane = ENV_PROSODY_USE_DANE
unbound = {
-- on Debian this file is included in the package 'dns-root-data'
trustfile = ENV_PROSODY_USE_DANE and "/usr/share/dns/root.ds";
}
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using other methods instead,
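Review bot: `use_dane = ENV_PROSODY_USE_DANE` assigns the raw environment string, and in Lua every string, including `"0"` and `"false"`, is truthy, so `PROSODY_USE_DANE=0` would enable DANE rather than disable it. That is inconsistent with the `s2s_secure_auth = ENV_PROSODY_S2S_SECURE_AUTH ~= "0"` idiom on the line directly above; consider `use_dane = ENV_PROSODY_USE_DANE == "1"` (or `~= nil and ~= "0"`) and the same boolean for `trustfile = ... and "/usr/share/dns/root.ds"` so both settings flip together. The `unbound` table itself is always defined, which is fine since `trustfile` evaluates to `nil` when the variable is unset.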
+6
@@ -124,6 +124,12 @@ modules_disabled = _split(ENV_PROSODY_DISABLE_MODULES)
s2s_secure_auth = ENV_PROSODY_S2S_SECURE_AUTH ~= "0"
use_dane = ENV_PROSODY_USE_DANE
unbound = {
-- on Debian this file is included in the package 'dns-root-data'
trustfile = ENV_PROSODY_USE_DANE and "/usr/share/dns/root.ds";
}
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using other methods instead,
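Review bot: this hunk is an identical copy of the previous config change, so the same truthiness problem applies: `use_dane = ENV_PROSODY_USE_DANE` treats `"0"` as enabled, while `s2s_secure_auth` one line above uses `~= "0"`. Whichever boolean expression is chosen should be applied in both files, and a one-line comment noting that the two config files must be kept in sync would help the next person who edits only one of them.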