DNSSEC

Starting with Prosody 0.12.0, luaunbound can be used to enable DNSSEC support.

Just like certificate validation needs root certificates, DNSSEC validation requires knowledge of the root key. Securely getting a hold of this key is a Hard Problem, so your best bet is to hope your distribution already includes it. You trust your distro, right?

If your distro packages the key, like Debian does, you can install that package and configure the location of the root zone trust anchor like so:

unbound = {
    -- on Debian this file is included in the package 'dns-root-data'
    trustfile = "/usr/share/dns/root.ds";
}

DANE

Once validating DNSSEC support is available, this can be used to secure server-to-server TLS connections using DANE. Partial support for this is available in 0.12.x but only covers outgoing connections, while full support including authenticating incoming connections is available in Prosody 13.0 and later.

To enable DANE support, add this to the global section:

use_dane = true

The above enables validating remote servers using DANE. In order for remote servers to validate your server, you must ensure your DNS zone is secured using DNSSEC, and then publish TLSA records in your zone.