Janfred / draft-rieckers-radext-rfc6614bis


Implications of Dynamic Peer Discovery #4

Open khuhtanen opened 1 year ago

khuhtanen commented 1 year ago

> Implications of Dynamic Peer Discovery
>
> One mechanism to discover RADIUS-over-TLS peers dynamically via DNS is specified in {{?RFC7585}}. While this mechanism is still under development and therefore is not a normative dependency of RADIUS/TLS, the use of dynamic discovery has potential future implications that are important to understand.

Both eduroam and OpenRoaming are and have been using DNS discovery in production. We could replace this with a stronger statement that implementations should support dynamic discovery?

@restena-sw What about that SRV record prioritisation? Should we discuss it in this draft or elsewhere? It is more of a DNS service discovery issue, but it affects how RADIUS over TLS connections are made?

Janfred commented 1 year ago

We definitely should change the wording here. I just copied this text from RFC 6614 and changed the reference from the I-D to the RFC (so the "still under development" is also wrong).

I would also recommend going with a SHOULD here. But yet again, RFC 7585 is Experimental, so we would downref from a Proposed Standard to an Experimental RFC. (Is it maybe worth revising 7585 too?)

restena-sw commented 1 year ago

I'm fine with making support for 7585 a SHOULD (and to re-issue that one to avoid a downref).

SRV records have a well-defined prioritisation algorithm defined in the DNS specs. I don't see much need for specific wording for RADIUS use? If there is some, it would indeed be better placed in a 7585-bis. The document at hand is only for TLS context establishment, not about finding the preferred peer.
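The two points raised in this thread, realm-based discovery per RFC 7585 and the SRV prioritisation algorithm from RFC 2782 that restena-sw refers to, are shown together in the following example. It is an added illustration, not code from the draft or from this repository. The realm `example.org`, the hostnames and the NAPTR/SRV record contents are constructed; no DNS query is made, the records are looked up in an in-memory dictionary that stands in for a resolver. NAPTR handling is simplified to the "S" flag (replacement is an SRV owner name); the "A" flag is skipped.

```python
"""RFC 7585-style RADIUS/TLS peer discovery over constructed DNS records,
with RFC 2782 priority/weight ordering of the resulting SRV targets.

Added example for this thread, not part of draft-rieckers-radext-rfc6614bis.
All record data below is constructed for illustration.
"""
import random
from dataclasses import dataclass

# Service tag RFC 7585 assigns to RADIUS/TLS authentication NAPTR records.
RADIUS_TLS_SERVICE = "aaa+auth:radius.tls.tcp"


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data keyed by owner name (what a resolver would hand back).
# Hostnames and realm are hypothetical.
ZONE = {
    "example.org": [
        Naptr(100, 10, "S", "aaa+auth:radius.tls.tcp", "_radiustls._tcp.example.org"),
        Naptr(100, 20, "S", "aaa+auth:radius.dtls.udp", "_radiusdtls._udp.example.org"),
    ],
    "_radiustls._tcp.example.org": [
        Srv(10, 0, 2083, "radsec1.example.org"),
        Srv(10, 60, 2083, "radsec2.example.org"),
        Srv(10, 40, 2083, "radsec3.example.org"),
        Srv(20, 0, 2083, "radsec-backup.example.org"),
    ],
}


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority first, then a
    weighted random draw within each priority level. Targets with weight 0
    are placed at the front of the candidate list, as the RFC requires, so
    they are picked rarely but are never excluded."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        remaining = [r for r in records if r.priority == prio]
        while remaining:
            # Stable sort: weight-0 entries (key False) come first.
            remaining.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in remaining)
            pick = rng.randint(0, total)  # inclusive, as in RFC 2782
            running = 0
            for r in remaining:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    remaining.remove(r)
                    break
    return ordered


def discover_peers(realm, zone, rng=None):
    """Resolve a realm to an ordered list of (host, port) RADIUS/TLS peers:
    NAPTR lookup on the realm, keep the RADIUS/TLS service tag, follow "S"
    replacements to their SRV set and order that set per RFC 2782.
    Returns [] when no usable peer exists."""
    naptrs = [r for r in zone.get(realm, [])
              if isinstance(r, Naptr) and r.service.lower() == RADIUS_TLS_SERVICE]
    # RFC 3403: lower order first, then lower preference.
    naptrs.sort(key=lambda r: (r.order, r.preference))
    peers = []
    for n in naptrs:
        if n.flags.upper() != "S":
            continue  # "A" flag (direct address records) not handled here
        srvs = [r for r in zone.get(n.replacement, []) if isinstance(r, Srv)]
        if any(r.target == "." for r in srvs):
            continue  # RFC 2782: a "." target means the service is decidedly absent
        peers.extend((r.target, r.port) for r in order_srv(srvs, rng))
    return peers


if __name__ == "__main__":
    for host, port in discover_peers("example.org", ZONE, random.Random(1)):
        print(f"{host}:{port}")
```

Running this repeatedly shows the RFC 2782 behaviour that matters operationally: `radsec2` and `radsec3` alternate at the head of the list in roughly a 60:40 ratio, `radsec1` (weight 0) is selected only when the draw lands on 0, and `radsec-backup` (priority 20) is always last. Note that the hostnames come out of DNS, which is untrusted unless the answers are DNSSEC-validated; RFC 7585 therefore ties certificate verification to the realm rather than to the discovered hostname. That verification is the part that belongs in the TLS document, which matches the division of labour described in the last comment above.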