I did some preliminary work along this line a couple years back (rlm_unbound, rlm_idn, and in an unmerged and probably stale branch on github is the start of the query side of DDDS support.) That took care of finding verified IP addresses for home servers based on a realm name. Also it could be used for simpler purposes in a degenerate mode, like RRDNS for load balancing. But what I implemented was just the part where you find IP addresses, not make them into home servers. Dynamic home servers was the missing ingredient at that time. I have seen indications from the core team that they are working to address this. The further challenge after that is session-aware load balancing correctly through a DNS change, and of course closing the security loop by validating the realm against server certificates. It's a pretty big project when you do more than just simple proxying. I would not expect it to materialize quickly, but people know the need is out there. ________________________________________ From: Freeradius-Users <freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org> on behalf of Michael Schwartzkopff <ms@sys4.de> Sent: Thursday, April 6, 2017 9:07 AM To: FreeRadius users mailing list Subject: FreeRADIUS, radsec and dnssec Hi, werecently had a discussion about FreeRADIUS and radsec. The DFN which ist the central hub for the German eduroam wants the universities to migrate to radsec. But the DFN thinks there are stil some issues with FreeRADIUS 3 so that is why they advertise to use radsecproxy. They did not tell me yet what the issues were, but as far as I understood they wanted to have a dynamic home server resolution based on realms in eduroam. Basically that seems to be a good idea but the problem is, how to estalish mutual trust with dynamic home servers. Here DNSSEC and especially the TLSA RR comes into play. Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by DNSSEC so my RADIUS server can trust the remote RADIUS server based on the comparison of its server certificate and the according TLSA RR in DNS of the home organisation? I know establishing this kind of mutiual trust work good for e-mail systems. The system is called DANE. See RFC 7671 for detailed information about DANE. Basically this the short version of this mail would be: Can the FreeRADIUS project add DANE authentication and verification of home servers to its features? Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein