[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: DNSSEC status of deb.debian.org

On Sun, Mar 03, 2024 at 02:06:00PM +0000, Andy Smith wrote:
> On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> > I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> > 
> > However, when I check "deb.debian.org", the DNS validation fails.
> 
> Things in the debian.org domain are responding correctly with DNSSEC
> but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
> *that* domain doesn't (yet?) use DNSSEC.
> 
> $ delv deb.debian.org
> ; fully validated
> deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
> deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
> 
> ; unsigned answer
> debian.map.fastlydns.net. 30    IN      A       146.75.74.132

In addition to all of that, please note that deb.debian.org uses SRV
records instead of regular A or AAAA records.  This is explained
(not fully) on http://deb.debian.org/ if you care to read it.
Reply to: