[dns-operations] rfc compliance of a radsec approach?

Peter Dambier peter at peter-dambier.de
Fri Oct 17 13:41:55 UTC 2008


It won't work in France and many French speaking countries.
They do already use the underscore for different things.

Took me days to find that their software turned every
hyphen into an underscore...

Kind regards

Gilles Massen wrote:
> Hello,
> The (slightly unusual) behaviour of a radsec implementation produced some
> RFC-conformance questions, and I would like to ask for comments.
> The scenario:
> A radius software implementing radsec (radius over TLS) receives an
> authentication request for "user at example.com". Having no authority over the
> realm "example.com", it makes first a DNS query to find if there is an
> (appropriate) NAPTR record for "example.com". The result should be the
> hostname of the authoritative radius server. So far, so good.
> If no NAPTR record is found, the implementation queries for an A/AAAA
> record for "_radsec._tcp.example.com", and if it receives a result,
> connects to that IP address.
> The question: is that behaviour (A-query to _radsec._tcp) acceptable? Is
> it wise?
> My feeling would be that it's correct by the book, but that there is
> potential for trouble as A-records are usually associated to hostnames
> and then the underscore would be an invalid character.
> The cleaner solution seems to be a SRV record associated to _radsec._tcp.
> Any comments are welcome...
> Regards,
> Gilles

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
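To make the discovery order under discussion concrete, here is an added example (not code from the thread or from any radsec implementation): a NAPTR, then SRV, then A lookup for a realm, run against a constructed in-memory zone, together with an RFC 1123 hostname check that shows why the owner name "_radsec._tcp.example.com" is not usable as a hostname even though underscore is a legal DNS label character. The zone contents, the NAPTR service tag "x-radsec" and the sample port are all assumptions.

```python
"""Realm-based radsec peer discovery (NAPTR -> SRV -> A fallback) over a constructed zone."""
import re

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name):
    """True when every label is a legal hostname label. Underscore is legal in a DNS
    owner name (RFC 2181) but not in a hostname, so "_radsec._tcp.example.com" fails."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(_HOST_LABEL.match(lab) for lab in name.split("."))

# Constructed sample zone (not real data). NAPTR tuples: (order, pref, flags, service,
# replacement); SRV tuples: (priority, weight, port, target). Service tag is made up.
SAMPLE_ZONE = {
    ("example.com", "NAPTR"): [],
    ("_radsec._tcp.example.com", "SRV"): [(10, 0, 2083, "radsec.example.com.")],
    ("example.net", "NAPTR"): [(50, 10, "s", "x-radsec", "_radsec._tcp.aaa.example.net.")],
    ("_radsec._tcp.aaa.example.net", "SRV"): [(0, 0, 2083, "idp.example.net.")],
    ("example.org", "NAPTR"): [],
    ("_radsec._tcp.example.org", "A"): ["192.0.2.10"],   # the behaviour under discussion
}

def lookup(zone, name, rtype):
    """Stand-in for a DNS query: returns the RRset for (owner, type) or an empty list."""
    return zone.get((name.rstrip("."), rtype), [])

def discover(realm, zone=SAMPLE_ZONE):
    """Return {"peer", "port", "via", "hostname_ok"} for the realm, or None if nothing found."""
    srv_name = f"_radsec._tcp.{realm}"
    # 1. NAPTR: an "s" flag record (RFC 3403) names the SRV owner to query next.
    for _order, _pref, flags, _svc, replacement in sorted(lookup(zone, realm, "NAPTR")):
        if flags.lower() == "s":
            srv_name = replacement.rstrip(".")
            break
    # 2. SRV: the target is a proper hostname, so it can be matched against the TLS peer cert.
    for _prio, _weight, port, target in sorted(lookup(zone, srv_name, "SRV")):
        return {"peer": target.rstrip("."), "port": port, "via": "SRV",
                "hostname_ok": is_valid_hostname(target)}
    # 3. A record on the underscore label: only an address comes back, and the owner name
    #    is not a valid hostname, so flag it rather than silently treating it as a peer name.
    for addr in lookup(zone, srv_name, "A"):
        return {"peer": addr, "port": None, "via": "A",
                "hostname_ok": is_valid_hostname(srv_name)}
    return None
```

The "hostname_ok" flag is what a caller would consult before deciding which name, if any, to verify the peer's TLS certificate against.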
