3.110. <Resolver>

<Resolver> provides DNS and name resolution services for the <AuthBy DNSROAM> clause. For more information, see Section 3.73. <AuthBy DNSROAM>. Use <Resolver> only if you use <AuthBy DNSROAM> in your configuration. Other AuthBys do not require using <Resolver>.
<AuthBy DNSROAM> uses <Resolver> to do NAPTR, SRV, A, and AAAA lookups on a DNS name server in order to discover the name, address, and possibly other attributes, such as protocol and whether to use TLS encryption, of a server that is used to handle requests for a certain Realm.
By default, <Resolver> consults DNS using the standard resolver configuration for your host. On Unix or Linux systems, for example, it finds the resolver details by consulting /etc/resolv.conf, $HOME/.resolv.conf or ./.resolv.conf. You can override these defaults and specify the DNS name server to use, the search path, and other options with parameters in the Resolver clause.
<Resolver> requires the Net::DNS Perl module which in turn requires the Socket6 module and the IO::Socket::INET6 module if you want to consult a DNS server via IPv6. These are all available as source from CPAN, or possibly as pre-built packages for your operating system or Perl distribution. For more information, see Section 2.1.2. CPAN.
Note
Currently <Resolver> does not work with Net::DNS 1.03 or later.
<Resolver> uses the following algorithm to discover server names and addresses for a given Realm:
  1. Look for NAPTR records for the Realm.
  2. For each NAPTR record found, examine the Service field and use it to determine the transport protocol and TLS requirements for the server. The Service field starts with 'AAA' for an unencrypted connection and 'AAAS' for a TLS-secured one. The Service field contains '+RADSECS' for RadSec over SCTP, '+RADSECT' for RadSec over TCP or '+RADIUS' for the RADIUS protocol over UDP. The most common Service field is 'AAAS+RADSECT' for TLS-secured RadSec over TCP.
  3. If the NAPTR has the ’S’ flag, look for SRV records for the name. For each SRV record found, note the Port number and look for A and AAAA records corresponding to the name in the SRV record.
  4. If the NAPTR has the ’A’ flag, look for A and AAAA records for the name.
  5. If no NAPTR records are found and DirectAddressLookup is enabled, look for A and AAAA records based directly on the realm name. For example, if the realm is ’examplerealm.edu’, it looks for records such as ’_radsec._tcp.examplerealm.edu’, ’_radsec._sctp.examplerealm.edu’ and ’_radius._udp.examplerealm.edu’.
  6. All A and AAAA records found are ordered according to their Order and Preference fields. The most preferable server address is used as the target server address, along with any other server attributes discovered from DNS. If no SRV record was found for the address, the Port configured in <AuthBy DNSROAM> is used.
For example, if the user name is fred@example.com, the Realm is ‘example.com’, and DNS contains the following records:
example.com. IN NAPTR 50 50 "s" "AAAS+RADSECT" "" _radsec._tcp.example.com.
_radsec._tcp.example.com. IN SRV 0 10 2083 radsec.example.com.
radsec.example.com. IN AAAA 2001::202:44ff:fe0a:f704
In the previous example, the selected target is a RadSec server on port 2083 at IPv6 address 2001::202:44ff:fe0a:f704. The connection is made over TCP/IP, and TLS encryption is used. This complete specification of the realm is the most flexible and is recommended.
More concise DNS configurations are possible, too:
example.com. IN NAPTR 50 50 "a" "AAAS+RADSECS" "" radsec.example.com.
radsec.example.com. IN AAAA 2001::202:44ff:fe0a:f704
In this case, the selected target is a RadSec server at IPv6 address 2001::202:44ff:fe0a:f704. The connection is made over SCTP, and TLS encryption is used. The port used is the default Port configured into <AuthBy DNSROAM>.
The DNS can contain just this record:
_radius._udp.example.com. IN A 203.63.154.10
In this case, the selected target is a RADIUS server at IPv4 address 203.63.154.10. The connection is made over UDP. The Port and Secret used are the defaults configured into <AuthBy DNSROAM>.
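The discovery steps and the three DNS layouts above, worked through as an added example in Python rather than in Radiator's own Perl. The records are constructed and held in memory instead of being fetched from a name server; the default port, the realm names other than example.com, and the assumption that a directly looked-up _radsec name implies TLS are this example's own.

```python
# Added example: NAPTR -> SRV -> A/AAAA discovery over a constructed in-memory
# zone. Not Radiator's code; a real resolver would query DNS for each lookup.
import re

# Constructed records keyed by (owner name, record type).
ZONE = {
    ("example.com.", "NAPTR"): [(50, 50, "s", "AAAS+RADSECT", "_radsec._tcp.example.com.")],
    ("_radsec._tcp.example.com.", "SRV"): [(0, 10, 2083, "radsec.example.com.")],
    ("radsec.example.com.", "AAAA"): ["2001::202:44ff:fe0a:f704"],
    ("example.net.", "NAPTR"): [(50, 50, "a", "AAAS+RADSECS", "radsec.example.net.")],
    ("radsec.example.net.", "AAAA"): ["2001::db8:1"],        # constructed address
    ("_radius._udp.other.edu.", "A"): ["203.63.154.10"],
}

# Names tried when DirectAddressLookup is on and no NAPTR exists:
# (prefix, transport, tls). TLS for _radsec is assumed, as RadSec is RADIUS/TLS.
DIRECT_PREFIXES = [("_radsec._tcp.", "tcp", True), ("_radsec._sctp.", "sctp", True),
                   ("_radius._udp.", "udp", False)]

def parse_service(service):
    """Map a NAPTR Service field such as 'AAAS+RADSECT' to (use_tls, transport)."""
    m = re.fullmatch(r"(AAAS?)\+(RADSECS|RADSECT|RADIUS)", service)
    if not m:
        raise ValueError("unsupported Service field: " + service)
    transport = {"RADSECS": "sctp", "RADSECT": "tcp", "RADIUS": "udp"}[m.group(2)]
    return m.group(1) == "AAAS", transport

def lookup(name, rtype):
    return ZONE.get((name, rtype), [])

def addresses(name):
    return lookup(name, "A") + lookup(name, "AAAA")

def discover(realm, default_port=2083, direct_address_lookup=True):
    """Return (address, port, transport, tls) for a realm, or None if nothing is found."""
    # Sorting the tuples orders NAPTRs by Order, then Preference.
    for order, pref, flag, service, target in sorted(lookup(realm + ".", "NAPTR")):
        tls, transport = parse_service(service)
        if flag.lower() == "s":            # 'S' flag: target names an SRV record set
            for prio, weight, port, host in sorted(lookup(target, "SRV")):
                for addr in addresses(host):
                    return addr, port, transport, tls
        elif flag.lower() == "a":          # 'A' flag: target names the host directly
            for addr in addresses(target):
                return addr, default_port, transport, tls
    if direct_address_lookup:              # no NAPTR: try the well-known prefixes
        for prefix, transport, tls in DIRECT_PREFIXES:
            for addr in addresses(prefix + realm + "."):
                return addr, default_port, transport, tls
    return None
```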
Tip
The simplest Resolver clause you can have is:
<Resolver>
</Resolver>
This definition gets all its configuration from /etc/resolv.conf or the equivalent on your platform.