
Bug#993272: allow using multiple SRV records to load balance mirrors without CDNs



Package: apt
Version: 2.3.8
Severity: wishlist

If I understand correctly, the current SRV record implementation is targeting CDNs, so all servers will be responding to the same hostname and will have certificates matching the main hostname.

I'm exploring the possibility of using SRV records to transparently load balance between multiple mirrors. This works well for HTTP but will fail for HTTPS.

Current DNS setting is:

$ dig +noall +answer -t SRV _https._tcp.fasttrack-mirror.fsci.in
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 fasttrack.debian.net.
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.

and the error:

Err:3 https://fasttrack-mirror.fsci.in/debian-fasttrack bullseye-fasttrack InRelease Certificate verification failed: The certificate is NOT trusted. The name in the certificate does not match the expected. Could not handshake: Error in the certificate verification. [IP: 185.181.160.236 443]

This is expected because neither fasttrack.debian.net nor mirror.linux.pizza has TLS certificates for fasttrack-mirror.fsci.in.

Would it be possible to use the hostnames mentioned in SRV records for retrieving the data instead of the main hostname? Are there any security concerns with doing that?

See https://salsa.debian.org/fasttrack-team/support/-/issues/25 for things I tried already.
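The mismatch in the report, modelled as an added example (not apt's code and not from the bug report): the SRV answer above is parsed as dig prints it, and each target is checked under two policies, the name the user configured (what apt does today, so both mirrors fail) and the SRV target name (what the report asks for). The certificate SAN lists are constructed stand-ins; the second policy is shown so the trade-off is visible: whoever can answer the DNS query then also chooses which certificate name is accepted.

```python
# Constructed from the dig output in the report; SAN lists are stand-ins.
SRV_ANSWER = """\
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 fasttrack.debian.net.
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.
"""
CERT_SANS = {
    "fasttrack.debian.net": ["fasttrack.debian.net"],
    "mirror.linux.pizza": ["mirror.linux.pizza", "*.linux.pizza"],
}


def parse_srv(answer):
    """Parse dig-style SRV answer lines into (priority, weight, port, target)."""
    records = []
    for line in answer.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3] == "SRV":
            records.append((int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return sorted(records)  # lowest priority value first, as RFC 2782 requires


def name_matches(expected, sans):
    """Hostname check in the spirit of RFC 6125: exact or single-label wildcard."""
    host = expected.lower()
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count(".") \
                and host.endswith(san[1:]):
            return True
    return False


def verify_targets(origin, answer, cert_sans, policy="origin"):
    """Return {target: accepted} for every SRV target under one policy.

    policy="origin": the configured hostname must be in the certificate.
    policy="target": the SRV target name is accepted instead; with plain,
    unsigned DNS this hands the choice of accepted identity to the resolver
    answer rather than to the sources.list entry.
    """
    result = {}
    for _prio, _weight, _port, target in parse_srv(answer):
        expected = origin if policy == "origin" else target
        result[target] = name_matches(expected, cert_sans.get(target, []))
    return result
```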
