
Re: DNSSEC status of deb.debian.org

On 03/03/2024 14:06, Andy Smith wrote:

On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
I was checking the Debian domain, and noticed that it is DNSSEC compliant.

However, when I check "deb.debian.org", the DNS validation fails.

Things in the debian.org domain are responding correctly with DNSSEC
but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
*that* domain doesn't (yet?) use DNSSEC.

$ delv deb.debian.org
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE

; unsigned answer
debian.map.fastlydns.net. 30    IN      A

After checking the status using Verisign
(https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand
Debian is using a CDN (Content Delivery Network).

Is there a stable domain we can use that doesn't rely on a CDN, please?

I am left to wonder what problem(s) you are trying to avoid by "not
relying on a CDN", but you can just use a different mirror.

But note that Debian mirrors are operated by many diverse
organisations and individuals, most of which probably aren't Debian
developers. Debian itself has no legal entity; SPI, inc only deals
with some financial matters, so trying to form a notion of any kind
of legislative or administrative control structure is difficult.

Or to put it another way, if it bothers you that responsibility for
operation of a mirror passes outside of the people who control the
debian.org zone, I have bad news for you.

For example, if you chose ftp.uk.debian.org…

$ delv ftp.uk.debian.org
; fully validated
ftp.uk.debian.org.      300     IN      CNAME   debian.hands.com.
ftp.uk.debian.org.      300     IN      RRSIG   CNAME 8 4 300 20240401002934 20240220235036 59788 debian.org. Pu+9FflqjMDfCjNxUoQy32dA5X3atU92LH3hozdZcDk3ZZwtyqcAoA6x IZSLZEzJvXa6+gTd3P0pOib+rIoypUYz47OulgYTWqQdLILtV3cRMVxU hf+z5xOYmOzzwSKAuI7iho4PNCmChccyfFdc3p4nKtciQmyWYbUeNJRu s83Ki0YEdvgMP+74HCwH6BNUEFhCuYFeDc+XWTzwg55EDSAmyMdXU9rl BRfpyCg4VU0NeJMFGci5sxKooAwbstvs

; unsigned answer
debian.hands.com.       14030   IN      A

…you again end up at something that doesn't use DNSSEC. It isn't a
CDN though, so maybe you like it more (?).

I haven't gone through all of the mirrors to see if there are any
ones that use DNSSEC. I wouldn't be surprised if there were some,
but again, I don't know what your threat model is so I'm not
suggesting this matters.


Thanks for the answer, Andy.

This makes sense.

Kind regards,
André Rodier
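The point Andy makes above (the debian.org part of the chain validates, the CNAME target in another zone does not) can be checked mechanically. Below is an added Python helper, not from the thread or from any Debian or BIND tool, that parses delv's `; fully validated` / `; unsigned answer` sections and reports whether the end of a CNAME chain was validated; the sample output is constructed from the records quoted in the thread, with the RRSIG truncated and a documentation-range address (RFC 5737) filled in where the A record was elided.

```python
# Added helper: parse delv's "; fully validated" / "; unsigned answer" sections
# and report whether the end of a CNAME chain is DNSSEC-validated.
# Constructed sample modelled on the deb.debian.org records in the thread;
# the RRSIG is truncated and the A record uses a documentation address (RFC 5737).
SAMPLE_DELV_OUTPUT = """\
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. YnRg...

; unsigned answer
debian.map.fastlydns.net. 30    IN      A       203.0.113.10
"""

def parse_delv(output):
    """Return a list of (status, owner, rtype, rdata); status is the preceding ';' comment."""
    records, status = [], None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):
            status = line.lstrip(";").strip()   # "fully validated", "unsigned answer", ...
            continue
        fields = line.split(None, 4)            # owner ttl class type rdata
        if len(fields) < 4:
            continue
        rdata = fields[4] if len(fields) == 5 else ""
        records.append((status, fields[0], fields[3], rdata))
    return records

def cname_chain(records, name, max_hops=8):
    """Follow CNAMEs from name; return [(owner, rtype, status), ...] hop by hop."""
    hops, current = [], name.rstrip(".") + "."
    for _ in range(max_hops):                   # bound the walk in case of a CNAME loop
        hop = next((r for r in records if r[1] == current and r[2] != "RRSIG"), None)
        if hop is None:
            break
        status, owner, rtype, rdata = hop
        hops.append((owner, rtype, status))
        if rtype != "CNAME" or not rdata:
            break
        current = rdata.split()[0]              # CNAME target is the first rdata token
    return hops

def terminal_validated(records, name):
    """True only if the final hop of the chain (the address answer) was validated."""
    hops = cname_chain(records, name)
    return bool(hops) and hops[-1][2] == "fully validated"

if __name__ == "__main__":
    recs = parse_delv(SAMPLE_DELV_OUTPUT)
    for owner, rtype, status in cname_chain(recs, "deb.debian.org"):
        print(f"{owner:28} {rtype:6} {status}")
    print("validated end-to-end:", terminal_validated(recs, "deb.debian.org"))
```

Feeding it real output (`delv deb.debian.org | python3 check.py`, with the sample replaced by `sys.stdin.read()`) gives the same per-hop view for any mirror name.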
