DNSSEC

Starting with Prosody 0.12.0, libunbound can be used to enable DNSSEC support.

Just like certificate validation needs root certificates, DNSSEC validation requires knowledge of the root key. Securely getting a hold of this key is a Hard Problem, so your best bet is to hope your distribution already includes it. You trust your distro, right?

If your distro packages the key, like Debian does, you can install that package and configure the location of the root zone trust anchor like so:

unbound = {
    -- on Debian this file is included in the package 'dns-root-data'
    trustfile = "/usr/share/dns/root.ds";
}
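A pre-flight check for this setup, added here as an example (it is not part of the Prosody documentation or code): it confirms the trust anchor file has the DS-record layout libunbound expects, then asks unbound-host, which uses the same libunbound, to validate a signed name with that anchor. The file path is the one from the config above and the presence of unbound-host is assumed; the domain to validate is supplied by the caller.

```shell
#!/bin/sh
# Pre-flight check for Prosody's DNSSEC configuration (added example; not
# part of the Prosody documentation). Assumes the trust anchor path used in
# the config above and that unbound-host from the unbound package is
# installed; the domain to validate is supplied by the caller.

TRUSTFILE="${TRUSTFILE:-/usr/share/dns/root.ds}"

# check_trustfile FILE: succeed only if FILE is readable and every
# non-comment line is a DS record for the root zone in the layout
# ". [IN] DS <keytag> <algorithm> <digesttype> <hexdigest>", which is what
# Debian's dns-root-data ships and what libunbound's trustfile expects.
check_trustfile() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read trust anchor file: $f" >&2; return 1; }
    awk '
        /^[[:space:]]*(;|$)/ { next }           # skip comments and blank lines
        {
            i = ($2 == "IN") ? 3 : 2            # the class field is optional
            if ($1 == "." && $i == "DS" && NF == i + 4 &&
                $(i+1) ~ /^[0-9]+$/ && $(i+2) ~ /^[0-9]+$/ &&
                $(i+3) ~ /^[0-9]+$/ && $(i+4) ~ /^[0-9A-Fa-f]+$/)
                ok++
            else
                bad++
        }
        END {
            if (bad > 0) print "malformed DS record(s): " bad > "/dev/stderr"
            if (ok == 0) print "no root DS record found" > "/dev/stderr"
            exit (ok > 0 && bad == 0) ? 0 : 1
        }
    ' "$f"
}

# check_validation DOMAIN: have libunbound (via unbound-host) resolve DOMAIN
# with DNSSEC validation using the same trust anchor file; a working setup
# prints "(secure)" for a signed zone and "(BOGUS ...)" if validation fails.
check_validation() {
    unbound-host -v -D -f "$TRUSTFILE" -t A "$1"
}

# Run both checks when executed directly, e.g. ./check-dnssec.sh example.org
if [ -n "${1:-}" ]; then
    check_trustfile "$TRUSTFILE" && check_validation "$1"
fi
```

Only a "(secure)" result means the resolver is validating; DANE authentication of outgoing connections depends on exactly that state.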

DANE

Once validating DNSSEC support is available, it can be used to secure server-to-server TLS connections using DANE. Partial support is available in 0.12.x, but it only covers outgoing connections; full support, including authenticating incoming connections, is available in trunk.

To enable DANE support, add this to the global section:

use_dane = true