
org.jivesoftware.smack.util.dns.package-info Maven / Gradle / Ivy


DNS SRV with dnsjava. Use dnsjava for DNS SRV lookups. For platforms that don't provide the javax.naming API (e.g. Android).

/**
 *
 * Copyright 2015-2022 Florian Schmaus
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * Smack's API for DNS related tasks.
 * <h2>DNSSEC and DANE</h2>
 * <h3>About</h3>
 * <p>
 * DNSSEC (RFC 4033, and others) authenticates DNS answers, positive
 * and negative ones. This means that if a DNS response secured by DNSSEC turns out to be authentic, then you can be
 * sure that the domain either exists, and that the returned resource records (RRs) are the ones the domain owner
 * authorized, or that the domain does not exist and that nobody tried to fake its non-existence.
 * </p>
 * <p>
 * The tricky part is that an application using DNSSEC cannot determine whether a domain uses DNSSEC, does not use
 * DNSSEC, or whether someone downgraded your DNS query using DNSSEC to a response without DNSSEC.
 * </p>
 * <p>
 * DANE (RFC 6698) allows the verification of a TLS certificate with
 * information stored in the DNS system and secured by DNSSEC. Thus DANE requires DNSSEC.
 * </p>
 * <h3>Prerequisites</h3>
 * <p>
 * Of the three DNS resolver providers (MiniDNS, javax, dnsjava) supported by Smack, we currently only support DNSSEC
 * with MiniDNS. MiniDNS is the default resolver when smack-android is
 * used. For other configurations, make sure to add smack-resolver-minidns to your dependencies and call
 * `MiniDnsResolver.setup()` prior to using Smack (e.g. in a `static {}` code block).
 * </p>
 * <h3>DNSSEC API</h3>
 * <p>
 * Smack's DNSSEC API is very simple. Just use
 * {@link org.jivesoftware.smack.ConnectionConfiguration.Builder#setDnssecMode(org.jivesoftware.smack.ConnectionConfiguration.DnssecMode)}
 * to enable DNSSEC. The argument, {@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode}, can be one of
 * </p>
 * <ul>
 * <li>{@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode#disabled}</li>
 * <li>{@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode#needsDnssec}</li>
 * <li>{@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode#needsDnssecAndDane}</li>
 * </ul>
 * <p>
 * The default is disabled.
 * </p>
 * <p>
 * If {@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode#needsDnssec} is used, then Smack will only
 * connect if the DNS results required to determine a host for the XMPP domain could be verified using DNSSEC.
 * </p>
 * <p>
 * If set to {@link org.jivesoftware.smack.ConnectionConfiguration.DnssecMode#needsDnssecAndDane}, then DANE will
 * be used to verify the XMPP service's TLS certificate if STARTTLS is used.
 * </p>
 * <h3>Best Practices</h3>
 * <p>
 * We recommend that applications using Smack's DNSSEC API do not ask the user if DNSSEC is available. Instead they
 * should check for DNSSEC support on every connection attempt. Once DNSSEC support has been discovered, the application
 * should use the `needsDnssec` mode for all future connection attempts. The same scheme can be applied when using DANE.
 * This approach is similar to the scheme established by HTTP Strict
 * Transport Security (HSTS, RFC 6797).
 * </p>
 */
package org.jivesoftware.smack.util.dns;
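
One way to implement the scheme from the Best Practices section, as an added example that is not part of Smack's own code. The class `DnssecPinningConnector` and the caller-persisted `pinnedDomains` set are hypothetical, and the example assumes that a failed DNSSEC verification surfaces as an exception from `connect()`.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
import org.jivesoftware.smack.SmackException;
import org.jivesoftware.smack.XMPPException;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smack.util.dns.minidns.MiniDnsResolver;

/** Hypothetical helper (not part of Smack): requires DNSSEC for a domain once it has been seen working. */
public final class DnssecPinningConnector {
    static {
        MiniDnsResolver.setup(); // only the MiniDNS resolver supports DNSSEC
    }
    // Assumption: the application loads this set from durable storage and saves it after changes.
    private final Set<String> pinnedDomains;
    public DnssecPinningConnector(Set<String> pinnedDomains) { this.pinnedDomains = pinnedDomains; }

    public XMPPTCPConnection connect(String domain, String user, String password)
            throws SmackException, IOException, XMPPException, InterruptedException {
        String key = domain.toLowerCase(Locale.ROOT); // pins must not depend on letter case
        try {
            // Probe on every attempt: Smack connects only if the DNS results verify.
            XMPPTCPConnection verified = open(domain, user, password, DnssecMode.needsDnssec);
            pinnedDomains.add(key); // DNSSEC discovered: required from now on
            return verified;
        } catch (SmackException | IOException e) {
            // Assumption: a failed DNSSEC verification surfaces as one of these exceptions.
            if (pinnedDomains.contains(key)) {
                throw e; // fail closed: a pinned domain never falls back to unverified DNS
            }
        }
        // Never verified before, so a downgrade cannot be told apart from "no DNSSEC" yet.
        return open(domain, user, password, DnssecMode.disabled);
    }

    private static XMPPTCPConnection open(String domain, String user, String password, DnssecMode mode)
            throws SmackException, IOException, XMPPException, InterruptedException {
        XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(domain)
                .setUsernameAndPassword(user, password)
                .setDnssecMode(mode)
                .build();
        XMPPTCPConnection connection = new XMPPTCPConnection(config);
        connection.connect();
        return connection;
    }
}
```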



