On Tue, 2020-03-24 at 15:48 +0100, Elmar Stellnberger wrote:

> I hope this is gonna happen anytime soon. DANE and thus a valid TLSA
> record is of very high value and importance for getting a genuine
> download of Debian. As I have mentioned before downloads via Tor can be
> spoofed like my last Debian Live 10 download which turned out to be
> infected by debchecheckrooting against the Debian 10 DL-BD.

TBH, very few people care about DNSSEC and vastly fewer than that care
about DANE so I expect at some point support for both will disappear
from both the DNS root servers and all DNS software.

You shouldn't be relying on DNSSEC/DANE/TLS to verify Debian image
downloads anyway, since they have OpenPGP signatures:

https://www.debian.org/CD/faq/#verify
https://www.debian.org/CD/verify

--
bye,
pabs

https://wiki.debian.org/PaulWise