FreeRADIUS, radsec and dnssec

Brian Julin BJulin at
Thu Apr 6 16:53:17 CEST 2017

I did some preliminary work along this line a couple years back 
(rlm_unbound, rlm_idn, and in an unmerged and probably stale
branch on github is the start of the query side of DDDS support.)

That took care of finding verified IP addresses for home servers
based on a realm name.  Also it could be used for simpler purposes
in a degenerate mode, like RRDNS for load balancing.  But what I
implemented was just the part where you find IP addresses, not make
them into home servers.

Dynamic home servers were the missing ingredient at that time.
I have seen indications from the core team that they are working
to address this.  The further challenge after that is session-aware
load balancing correctly through a DNS change, and of course closing
the security loop by validating the realm against server certificates.

It's a pretty big project when you do more than just simple proxying.
I would not expect it to materialize quickly, but people know the need
is out there.

From: Freeradius-Users < at> on behalf of Michael Schwartzkopff <ms at>
Sent: Thursday, April 6, 2017 9:07 AM
To: FreeRadius users mailing list
Subject: FreeRADIUS, radsec and dnssec


We recently had a discussion about FreeRADIUS and radsec. The DFN, which is the
central hub for the German eduroam, wants the universities to migrate to

But the DFN thinks there are still some issues with FreeRADIUS 3, so that is why
they advise using radsecproxy.

They did not tell me yet what the issues were, but as far as
I understood they wanted to have a dynamic home server resolution based on
realms in eduroam.

Basically that seems to be a good idea, but the problem is how to establish
mutual trust with dynamic home servers.

Here DNSSEC and especially the TLSA RR comes into play.

Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by
DNSSEC so my RADIUS server can trust the remote RADIUS server based on the
comparison of its server certificate and the according TLSA RR in DNS of the
home organisation?

I know that establishing this kind of mutual trust works well for e-mail systems.
The system is called DANE. See RFC 7671 for detailed information about DANE.

Basically, the short version of this mail would be: Can the FreeRADIUS
project add DANE authentication and verification of home servers to its

Kind regards,

Michael Schwartzkopff


[*] sys4 AG, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: Munich, Munich District Court: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
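The comparison Michael asks about, a home server's certificate checked against the TLSA record published by the home organisation, as an added example that is not code from this thread, from FreeRADIUS or from radsecproxy. It implements the RFC 6698 selector and matching-type logic for DANE-EE (usage 3) in plain Python over a constructed, unsigned X.509 DER skeleton whose key bytes are placeholders, and it assumes the TLSA RRset (owner name `_2083._tcp.<server>` for RadSec, following the RFC 6698 naming convention) was already obtained through a DNSSEC-validating resolver; the DNS lookup, the TLS handshake and the non-EE usages that need chain building are out of scope.

```python
"""DANE/TLSA matching of a RadSec server certificate (RFC 6698, RFC 7671).

Added example, not FreeRADIUS or radsecproxy code; standard library only.
TLSA rdata = usage selector matching-type certificate-association-data
  usage     3 = DANE-EE: the record names the server's own cert or key
  selector  0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
  matching  0 = exact bytes, 1 = SHA-256, 2 = SHA-512
"""
import hashlib
from typing import List, Optional, Tuple

TlsaRecord = Tuple[int, int, int, bytes]

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_children(content: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split the content of a DER SEQUENCE into (tag, raw TLV, content)."""
    out, i = [], 0
    while i < len(content):
        tag, first = content[i], content[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(content[i + 2:i + 2 + k], "big"), 2 + k
        raw = content[i:i + hdr + n]
        out.append((tag, raw, raw[hdr:]))
        i += hdr + n
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    certificate = der_children(cert_der)[0]                     # outer SEQUENCE
    tbs = der_children(certificate[2])[0]                       # TBSCertificate
    fields = [f for f in der_children(tbs[2]) if f[0] != 0xA0]  # drop [0] version
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def tlsa_assoc(cert_der: bytes, selector: int, matching: int) -> Optional[bytes]:
    """Association data a record with this selector/matching type carries for
    cert_der (also what you publish for your own server); None if unknown."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        return None
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    return None

def tlsa_matches(cert_der: bytes, rec: TlsaRecord) -> bool:
    """True if a DANE-EE record matches the presented certificate."""
    usage, selector, matching, assoc = rec
    if usage != 3:
        return False  # PKIX-TA/DANE-TA/PKIX-EE need chain building; not shown
    expected = tlsa_assoc(cert_der, selector, matching)
    return expected is not None and expected == assoc  # unusable record: no match

def dane_ee_verify(cert_der: bytes, rrset: List[TlsaRecord]) -> Optional[TlsaRecord]:
    """First usable DANE-EE record matching the certificate, else None. With
    DANE-EE the match stands in for PKIX chain validation (RFC 7671 section 5.1),
    which is only sound if rrset came from a DNSSEC-validated answer."""
    for rec in rrset:
        if tlsa_matches(cert_der, rec):
            return rec
    return None

def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse presentation-format rdata such as '3 1 1 2bb1...'."""
    usage, selector, matching, hexdata = rdata.split()
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata)

def format_tlsa(rec: TlsaRecord) -> str:
    return f"{rec[0]} {rec[1]} {rec[2]} {rec[3].hex()}"

# Constructed test data: an EC P-256 SPKI with placeholder point bytes, wrapped
# in an unsigned certificate skeleton (empty issuer/subject, dummy signature).
SAMPLE_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))       # id-ecPublicKey
                + der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))    # prime256v1
    + der_tlv(0x03, b"\x00\x04" + bytes(range(64))))

def build_test_cert(spki: bytes) -> bytes:
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"170101000000Z") + der_tlv(0x17, b"270101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + sig_alg + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + bytes(8)))

# Constructed RRset, as it might sit at _2083._tcp.radius.example.org (RadSec port)
RECORDS = [
    (3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest()),  # matches the test cert's key
    (3, 0, 1, bytes(32)),                             # wrong digest
    (3, 1, 9, b"\x00"),                               # unknown matching type: unusable
]

if __name__ == "__main__":
    cert = build_test_cert(SAMPLE_SPKI)
    print("matched:", format_tlsa(dane_ee_verify(cert, RECORDS)))
    print("record to publish for this cert:", format_tlsa((3, 1, 1, tlsa_assoc(cert, 1, 1))))
```

The "3 1 1" form (DANE-EE, SubjectPublicKeyInfo, SHA-256) is the one to publish for a RadSec server, because it survives certificate renewal as long as the key is kept; with selector 0 every re-issued certificate needs a new TLSA record. Records with an unknown selector or matching type are skipped rather than treated as a failure, as RFC 7671 requires for unusable records.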
