[dns-operations] rfc compliance of a radsec approach?

Gilles Massen gilles.massen at restena.lu
Fri Oct 17 09:58:22 UTC 2008


The (slightly unusual) behaviour of a radsec implementation produced some
RFC-conformance questions, and I would like to ask for comments.

The scenario:
A radius software implementing radsec (radius over TLS) receives an
authentication request for "user at example.com". Having no authority over the
realm "example.com", it makes first a DNS query to find if there is an
(appropriate) NAPTR record for "example.com". The result should be the
hostname of the authoritative radius server. So far, so good.

If no NAPTR record is found, the implementation queries for an A/AAAA 
record for "_radsec._tcp.example.com", and if it receives a result, 
connects to that IP address.

The question: is that behaviour (A-query to _radsec._tcp) acceptable? Is 
it wise?

My feeling would be that it's correct by the book, but that there is 
potential for trouble as A-records are usually associated to hostnames 
and then the underscore would be an invalid character.

The cleaner solution seems to be a SRV record associated to _radsec._tcp.

Any comments are welcome...


Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

More information about the dns-operations mailing list