
Bug#993272: marked as done (allow using multiple SRV records to load balance mirrors without CDNs)



Your message dated Mon, 30 Aug 2021 09:52:57 +0200
with message-id <20210830095054.GA3381733@debian.org>
and subject line Re: Bug#993272: allow using multiple SRV records to load balance mirrors without CDNs
has caused the Debian Bug report #993272,
regarding allow using multiple SRV records to load balance mirrors without CDNs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
version: 2.3.8
severity: wishlist

If I understand correctly, the current SRV record implementation is targeting CDNs so all servers will be responding to the same hostname and will have certificates matching the main hostname.

I'm exploring the possibility of using SRV records to transparently load balance between multiple mirrors. This works well for http but will fail for https.

Current DNS setting is,

$ dig +noall +answer -t SRV _https._tcp.fasttrack-mirror.fsci.in
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 fasttrack.debian.net.
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.

and the error
Err:3 https://fasttrack-mirror.fsci.in/debian-fasttrack bullseye-fasttrack InRelease Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 185.181.160.236 443]

This is expected because neither fasttrack.debian.net nor mirror.linux.pizza has TLS certificates for fasttrack-mirror.fsci.in.

Would it be possible to use the hostnames mentioned in SRV records for retrieving the data instead of the main hostname? Are there any security concerns for doing that?

See https://salsa.debian.org/fasttrack-team/support/-/issues/25 for things I tried already
--- End Message ---
--- Begin Message ---
On Mon, Aug 30, 2021 at 02:16:08AM +0530, Pirate Praveen wrote:
> Package: apt
> version: 2.3.8
> severity: wishlist
> 
> If I understand correctly, the current SRV record implementation is
> targeting CDNs so all servers will be responding to the same hostname and
> will have certificates matching the main hostname.
> 
> I'm exploring the possibility of using SRV records to transparently load
> balance between multiple mirrors. This works well for http but will fail for
> https.
> 
> Current DNS setting is,
> 
> $ dig +noall +answer -t SRV _https._tcp.fasttrack-mirror.fsci.in
> _https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443
> fasttrack.debian.net.
> _https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.
> 
> and the error
> Err:3 https://fasttrack-mirror.fsci.in/debian-fasttrack bullseye-fasttrack
> InRelease
>  Certificate verification failed: The certificate is NOT trusted. The name
> in the certificate does not match the expected. Could not handshake: Error
> in the certificate verification. [IP: 185.181.160.236 443]
> 
> This is expected because neither fasttrack.debian.net nor mirror.linux.pizza
> has TLS certificates for fasttrack-mirror.fsci.in.
> 
> Would it be possible to use the hostnames mentioned in SRV records for
> retrieving the data instead of the main hostname? Are there any security
> concerns for doing that?

Can't use the target hostnames, as the SRV record, like all DNS, is not
trusted. You'll have to redirect at an http(s) level if you want this,
or issue certificates for the hostname to all SRV endpoints.
-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

--- End Message ---
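As an added example, not apt's code and not part of either message above, here is a Python check a mirror operator can run before pointing an SRV record at third-party mirrors. It parses the SRV answer from the report, applies the hostname match a TLS client does against the name the user configured (the reason apt rejects both targets), and shows that adding that name to every endpoint's certificate, as the reply suggests, is what makes the check pass. The SAN lists are constructed for illustration, not taken from the real certificates.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# SRV answer as shown by dig in the bug report.
SRV_ANSWER = """\
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 fasttrack.debian.net.
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.
"""

# Constructed (hypothetical) SAN lists: each mirror only carries its own name.
MIRROR_SANS = {
    "fasttrack.debian.net": ["fasttrack.debian.net"],
    "mirror.linux.pizza": ["*.linux.pizza", "linux.pizza"],
}

def parse_srv(text: str) -> list[SrvRecord]:
    """Parse dig-style SRV lines into records, lowest priority first."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "SRV":
            continue
        prio, weight, port = (int(x) for x in parts[4:7])
        records.append(SrvRecord(prio, weight, port, parts[7].rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def name_matches(expected: str, san: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading wildcard label."""
    expected, san = expected.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        labels = expected.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == san[2:]
    return expected == san

def check_mirrors(configured_host: str, srv_text: str, sans: dict) -> dict:
    """For each SRV target, report whether a client validating the configured
    hostname (not the SRV target, since DNS is untrusted) accepts its cert."""
    return {rec.target: any(name_matches(configured_host, s)
                            for s in sans.get(rec.target, []))
            for rec in parse_srv(srv_text)}
```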