
Re: sources.list 's security line



On 08.09.21 21:12, Greg Wooledge wrote:
> On Wed, Sep 08, 2021 at 08:28:18PM +0200, Ulf Volmer wrote:
>> On 08.09.21 16:50, Lee wrote:
>>
>>> Are you using a dnssec validating resolver?
>>>
>>> It'd be nice if somebody that understands dnssec would double-check,
>>> but it looks like name lookups for security.debian.org have dnssec
>>> enabled and not enabled for deb.debian.org
>>
>> deb.debian.org is a CNAME and this CNAME is correctly DNSSEC validated.
>> But this CNAME points to an A record outside of debian.org which is not
>> secured by DNSSEC.
> 
> Apt uses SRV records, so:
> 
> unicorn:~$ dig +short SRV _http._tcp.deb.debian.org
> 10 1 80 debian.map.fastlydns.net.
> 
> It still points outside of *.debian.org, but the CNAME part doesn't
> matter.  At least, not for apt in a recent Debian release in the
> absence of a proxy.

That may be true, but in the end debian.map.fastlydns.net is not DNSSEC
validated.

Best regards
Ulf
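The check the thread is doing by hand (is the AD flag set on each hop of the lookup, and does the chain stay validated once the SRV record hands off to a name outside debian.org?) can be scripted. The following is an added example, not code from the list thread or from Debian: it parses `dig` output for the header flags and the answer section, follows the SRV target, and reports per hop whether a validating resolver set AD. The two `dig` transcripts embedded below are constructed samples, not captured output; the 192.0.2.1 address is an RFC 5737 documentation address. A validating resolver on 127.0.0.1 is assumed only for the optional live run at the bottom.

```python
"""Tell per hop whether an apt mirror lookup was DNSSEC-validated.

A validating resolver sets the AD ("authenticated data") flag on answers it
could validate.  dig shows that flag in its ";; flags:" line, so parsing the
flags and the ANSWER SECTION is enough to see where validation stops.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample dig output (not a real capture).  The SRV hop inside
# debian.org carries "ad"; the A hop for the CDN name outside debian.org does not.
SAMPLE_SRV = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_http._tcp.deb.debian.org. 300 IN SRV 10 1 80 debian.map.fastlydns.net.
_http._tcp.deb.debian.org. 300 IN RRSIG SRV 8 5 300 20211001000000 20210901000000 12345 debian.org. dGVzdA==
"""

SAMPLE_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
debian.map.fastlydns.net. 30 IN A 192.0.2.1
"""


@dataclass
class DigAnswer:
    status: str                 # RCODE text, e.g. NOERROR, SERVFAIL
    ad: bool                    # True if the resolver set the AD flag
    records: list = field(default_factory=list)   # (owner, rrtype, rdata)


def parse_dig(text: str) -> DigAnswer:
    """Extract status, AD flag and answer records from dig's text output."""
    status, ad, records, in_answer = "UNKNOWN", False, [], False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            if m:
                status = m.group(1)
        elif line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            ad = "ad" in flags
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip():        # blank line ends the section
                in_answer = False
                continue
            fields = line.split(None, 4)  # owner ttl class type rdata
            if len(fields) == 5:
                records.append((fields[0], fields[3], fields[4]))
    return DigAnswer(status, ad, records)


def srv_targets(answer: DigAnswer) -> list:
    """Hostnames an SRV answer hands the client off to (trailing dot removed)."""
    targets = []
    for _owner, rrtype, rdata in answer.records:
        if rrtype == "SRV":
            _prio, _weight, _port, target = rdata.split()
            targets.append(target.rstrip("."))
    return targets


def validation_chain(hops: list) -> tuple:
    """hops: [(queried name, DigAnswer), ...].

    Returns ([(name, validated), ...], end_to_end) where end_to_end is True
    only if every hop, including the final A/AAAA answer, carried AD.
    """
    report = [(name, ans.ad and ans.status == "NOERROR") for name, ans in hops]
    return report, all(ok for _, ok in report)


def run_dig(name: str, rrtype: str, server: str = "127.0.0.1") -> DigAnswer:
    """Live query via the dig binary; assumes a validating resolver at `server`."""
    out = subprocess.run(["dig", "+dnssec", f"@{server}", rrtype, name],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig(out)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    srv = parse_dig(SAMPLE_SRV)
    hops = [("_http._tcp.deb.debian.org", srv)]
    for target in srv_targets(srv):
        hops.append((target, parse_dig(SAMPLE_A)))
    report, ok = validation_chain(hops)
    for name, validated in report:
        print(f"{name:40s} AD={'yes' if validated else 'no'}")
    print("end-to-end DNSSEC validated:", ok)
```

To repeat the thread's check against a real resolver, replace the sample parsing in the `__main__` block with `run_dig(...)` calls; `dig +dnssec` sets the DO bit so a validating resolver will report AD where it could validate. The verdict is only as good as the resolver you ask: a non-validating resolver never sets AD, so every hop reads "no" regardless of how the zone is signed.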

