On Fri, May 30, 2014 at 09:43:47PM +0200, Erwan David wrote:
Note that at least debian.org DNS is signed by DNSSEC and DANE is used, which allows checking that the certificate used by a debian.org site is the real one.
We're not at the point where that can be relied on in the real world. There are still resolvers that filter out DNSSEC records. (Sad, but true.)