Hi, werecently had a discussion about FreeRADIUS and radsec. The DFN which ist the central hub for the German eduroam wants the universities to migrate to radsec. But the DFN thinks there are stil some issues with FreeRADIUS 3 so that is why they advertise to use radsecproxy. They did not tell me yet what the issues were, but as far as I understood they wanted to have a dynamic home server resolution based on realms in eduroam. Basically that seems to be a good idea but the problem is, how to estalish mutual trust with dynamic home servers. Here DNSSEC and especially the TLSA RR comes into play. Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by DNSSEC so my RADIUS server can trust the remote RADIUS server based on the comparison of its server certificate and the according TLSA RR in DNS of the home organisation? I know establishing this kind of mutiual trust work good for e-mail systems. The system is called DANE. See RFC 7671 for detailed information about DANE. Basically this the short version of this mail would be: Can the FreeRADIUS project add DANE authentication and verification of home servers to its features? Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein