
Bug#1117918: marked as done (packages.debian.org: DANE validation failed)



Your message dated Mon, 13 Oct 2025 17:42:55 +0100
with message-id <df8e8ff65ebd73c17613c784bf777e22c8f6b8f1.camel@adam-barratt.org.uk>
and subject line Re: Bug#1117918: packages.debian.org: DANE validation failed
has caused the Debian Bug report #1117918,
regarding packages.debian.org: DANE validation failed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1117918: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117918
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
Severity: minor

Hi,

The website https://packages.debian.org has a TLSA DNS record for DANE (DNS-based Authentication of Named Entities) but it is invalid. DNSSEC has no issue, only DANE.

This can be checked with:
* the Firefox extension DNSSEC/DANE Padlock <https://addons.mozilla.org/en-US/firefox/addon/dnssec-dane-padlock/> (I’m its author)
* the website <https://www.huque.com/bin/danecheck>
* dig + OpenSSL:

$ dig +short _443._tcp.packages.debian.org TLSA
3 1 1 6EBF947F6FAB92630ECE6E3FE1D1EAC06C915EE1A4D4B0BD0DD18F21 2D223EE5

$ openssl s_client -connect '[2a04:4e42:400::644]:443' -servername packages.debian.org -dane_tlsa_domain packages.debian.org -dane_tlsa_rrdata '3 1 1 6EBF947F6FAB92630ECE6E3FE1D1EAC06C915EE1A4D4B0BD0DD18F21 2D223EE5'
…
---
SSL handshake has read 3159 bytes and written 375 bytes
Verification error: No matching DANE TLSA records
---
…

All other subdomains I checked are valid for DNSSEC and DANE: d.o, bugs.d.o, lists.d.o, salsa.d.o, tracker.d.o, sources.d.o.

I’m pretty sure DANE was correct on packages.debian.org on 2024-05-10 when I added the entry on my list <https://codeberg.org/Seb35/DNSSEC-DANE_Padlock/wiki/Examples-of-websites>.

A common issue with DANE-EE ("3 1 x" selector) is that the certificate is renewed but the TLSA record is not updated. It can be fixed:
* either by keeping the same public key ("reuse_key = True" with Let’s Encrypt);
* or with a script updating the TLSA record after the renewal.

Sincerely,
Sébastien Beyou / Seb35

--- End Message ---
--- Begin Message ---
Hi,

On Sun, 2025-10-12 at 14:26 +0200, Seb35 wrote:
> The website https://packages.debian.org has a TLSA DNS record for
> DANE (DNS-based Authentication of Named Entities) but it is invalid.
[...]
> I’m pretty sure DANE was correct on packages.debian.org on 2024-05-10
> when I added the entry on my list
> <https://codeberg.org/Seb35/DNSSEC-DANE_Padlock/wiki/Examples-of-websites>.

Thanks for the report.

This is a side effect of the service now being fronted by the Fastly
CDN, and as a side effect the certificate deployed on the individual
web servers (which were previously also the frontends) and the frontend
not being the same.

Our tooling currently uses the local certificate when generating TLSA
records. We might update it to support publishing records for the CDN
certificate instead, but for now I've told it to not publish the TLSA
record for packages.debian.org:443.

Regards,

Adam

--- End Message ---
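The check the reporter runs with openssl, and the mismatch Adam describes (a TLSA record generated from the local certificate while the CDN frontend serves a different one), as an added Python example that is not part of this thread: it computes the "3 1 1" rrdata (DANE-EE, SubjectPublicKeyInfo, SHA-256) from a served certificate and compares it with the published record, normalising the whitespace that dig inserts into the digest. The small DER encoder, the skeletal certificates and the SPKI values are constructed fixtures, not real Debian keys.

```python
import hashlib

def der_decode(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, n, hdr = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        hdr += n & 0x7F
        n = int.from_bytes(buf[pos + 2:hdr], "big")
    return tag, buf[hdr:hdr + n], hdr + n

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV (TLSA selector 1) of an X.509 cert."""
    _, cert, _ = der_decode(cert_der)              # Certificate ::= SEQUENCE
    _, tbs, _ = der_decode(cert)                   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                          # walk the tbsCertificate fields
        _, _, end = der_decode(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def tlsa_rrdata(cert_der):
    """'3 1 1' rrdata: DANE-EE usage, SPKI selector, SHA-256 matching type."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest().upper()

def tlsa_matches(cert_der, published):
    """Compare the served cert with the published record; dig prints the
    digest split by a space, so whitespace and case are normalised first."""
    f = published.split()
    return tlsa_rrdata(cert_der) == " ".join(f[:3]) + " " + "".join(f[3:]).upper()

# --- constructed fixture, not a real certificate: a minimal DER encoder and
# a skeletal X.509 structure carrying a chosen SubjectPublicKeyInfo ---------
def der(tag, content):
    return bytes([tag, len(content)]) + content     # short-form length only

def fake_cert(spki):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)           # sigalg, issuer, validity, subject
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

SPKI_LOCAL = der(0x30, der(0x30, b"\x06\x03\x2b\x65\x70") + der(0x03, b"\x00" + b"L" * 32))
SPKI_CDN = der(0x30, der(0x30, b"\x06\x03\x2b\x65\x70") + der(0x03, b"\x00" + b"C" * 32))
CERT_LOCAL, CERT_CDN = fake_cert(SPKI_LOCAL), fake_cert(SPKI_CDN)
PUBLISHED = tlsa_rrdata(CERT_LOCAL)                  # record generated from the local cert
```

With the record derived from CERT_LOCAL, `tlsa_matches(CERT_LOCAL, PUBLISHED)` is true while `tlsa_matches(CERT_CDN, PUBLISHED)` is false, which is exactly the "No matching DANE TLSA records" situation when the frontend presents a different key than the one the tooling hashed.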
