
Re: sources.list 's security line



On Wed, Sep 08, 2021 at 08:28:18PM +0200, Ulf Volmer wrote:
> On 08.09.21 16:50, Lee wrote:
> 
> > Are you using a dnssec validating resolver?
> > 
> > It'd be nice if somebody that understands dnssec would double-check,
> > but it looks like name lookups for security.debian.org have dnssec
> > enabled and not enabled for deb.debian.org
> 
> deb.debian.org is a CNAME and this CNAME is correctly DNSSEC validated.
> But this CNAME points to an A record outside of debian.org which is not
> secured by DNSSEC.

Apt uses SRV records, so:

unicorn:~$ dig +short SRV _http._tcp.deb.debian.org
10 1 80 debian.map.fastlydns.net.

It still points outside of *.debian.org, but the CNAME part doesn't
matter.  At least, not for apt in a recent Debian release in the
absence of a proxy.

