FreeRADIUS, radsec and dnssec

Stefan Winter stefan.winter at
Fri Apr 7 08:40:45 CEST 2017

Hello Michael,

> werecently had a discussion about FreeRADIUS and radsec. The DFN which ist the 
> central hub for the German eduroam wants the universities to migrate to 
> radsec.
> But the DFN thinks there are stil some issues with FreeRADIUS 3 so that is why 
> they advertise to use radsecproxy.
> They did not tell me yet what the issues were, but as far as 
> I understood they wanted to have a dynamic home server resolution based on 
> realms in eduroam.
> Basically that seems to be a good idea but the problem is, how to estalish 
> mutual trust with dynamic home servers.
> Here DNSSEC and especially the TLSA RR comes into play.

In general, it's a good idea to consider DNSSEC for trust relationships.
For E-Mail, this is crucial because one does not know which certificate
and CA the other end uses; the trust bootstrap must come from somewhere

In eduroam however, the RADIUS/TLS trust is pre-existing because all
RADIUS servers receive server certificates from the same, one,
pre-determined, CA.

Additional DNSSEC / TLSA / DANE is then not necessary: if DNS was lieing
to you, then you'll end up at a host which can't present a trusted
certificate, and then the conversation ends before any payload is exchanged.


Stefan Winter

> Is it possible to add trust to FreeRADIUS 3 based on a TLSA RR verified by 
> DNSSEC so my RADIUS server can trust the remote RADIUS server based on the 
> comparison of its server certificate and the according TLSA RR in DNS of the 
> home organisation?
> I know establishing this kind of mutiual trust work good for e-mail systems. 
> The system is called DANE. See RFC 7671 for detailed information about DANE.
> Basically this the short version of this mail would be: Can the FreeRADIUS 
> project add DANE authentication and verification of home servers to its 
> features?
> Mit freundlichen Grüßen,
> Michael Schwartzkopff
> -
> List info/subscribe/unsubscribe? See

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list