Package: www.debian.org
Severity: minor

Hi,

The website https://packages.debian.org has a TLSA DNS record for DANE (DNS-based Authentication of Named Entities) but it is invalid. DNSSEC has no issue, only DANE. This can be checked with:

* the Firefox extension DNSSEC/DANE Padlock <https://addons.mozilla.org/en-US/firefox/addon/dnssec-dane-padlock/> (I’m its author)
* the website <https://www.huque.com/bin/danecheck>
* dig + OpenSSL:

$ dig +short _443._tcp.packages.debian.org TLSA
3 1 1 6EBF947F6FAB92630ECE6E3FE1D1EAC06C915EE1A4D4B0BD0DD18F21 2D223EE5
$ openssl s_client -connect '[2a04:4e42:400::644]:443' -servername packages.debian.org -dane_tlsa_domain packages.debian.org -dane_tlsa_rrdata '3 1 1 6EBF947F6FAB92630ECE6E3FE1D1EAC06C915EE1A4D4B0BD0DD18F21 2D223EE5'
…
---
SSL handshake has read 3159 bytes and written 375 bytes
Verification error: No matching DANE TLSA records
---
…

All other subdomains I checked are valid for DNSSEC and DANE: d.o, bugs.d.o, lists.d.o, salsa.d.o, tracker.d.o, sources.d.o.

I’m pretty sure DANE was correct on packages.debian.org on 2024-05-10 when I added the entry on my list <https://codeberg.org/Seb35/DNSSEC-DANE_Padlock/wiki/Examples-of-websites>.

A common issue with DANE-EE ("3 1 x" selector) is that the certificate is renewed but the TLSA record is not updated. It can be fixed:

* either by keeping the same public key ("reuse_key = True" with Let’s Encrypt);
* or with a script updating the TLSA record after the renewal.

Sincerely,
Sébastien Beyou / Seb35
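Added example, not part of the bug report above: a standard-library Python check that derives the SPKI SHA-256 a "3 1 1" TLSA record must carry from a certificate's DER and compares it with the rdata as dig prints it (dig wraps long hex with a space, as in the record quoted above). It assumes the certificate DER is obtained separately (for instance with `openssl x509 -outform DER`), and is the kind of check a renewal hook can run to catch the renewed-certificate/stale-record mismatch the report describes.

```python
import hashlib

def _tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, element_start, element_end) for each element of a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, value_end = _tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end

def spki_der(cert_der):
    """Return the raw subjectPublicKeyInfo DER, i.e. what TLSA selector 1 hashes."""
    _, cert_start, cert_end = _tlv(cert_der, 0)               # Certificate SEQUENCE
    _, tbs_start, _ = next(_children(cert_der, cert_start, cert_end))
    _, tbs_vstart, tbs_vend = _tlv(cert_der, tbs_start)       # tbsCertificate SEQUENCE
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    if fields[0][0] == 0xA0:                                  # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]

def spki_sha256(cert_der):
    """Upper-case hex SHA-256 of the SPKI: the data field of a '3 1 1' TLSA record."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest().upper()

def tlsa_matches(rdata, cert_der):
    """Compare a dig-printed TLSA rdata string ('3 1 1 <hex>') with the certificate.
    All fields after the first three are joined, since dig may wrap the hex."""
    usage, selector, mtype, *hex_parts = rdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only DANE-EE / SPKI / SHA-256 records (3 1 1) are handled")
    return "".join(hex_parts).upper() == spki_sha256(cert_der)
```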

