Colin Watson <cjwat...@debian.org> writes:

> Is it at all likely that the ftpmaster api service might migrate away
> from Let's Encrypt at this point? I would assume probably not. In that
> case, you could at least make the situation substantially better with no
> further DSA work required by pinning the appropriate LE root certificate
> in dgit.

debian.org already publishes a CAA record, which conveys that information (although that has its own verification concerns, but I think debian.org is using DNSSEC so you can verify the record that way). It says that all debian.org hosts will only use certificates from either LE or Amazon:

    gwaihir:~$ host -t caa debian.org
    debian.org has CAA record 0 iodef "mailto:d...@debian.org"
    debian.org has CAA record 128 issuewild ";"
    debian.org has CAA record 128 issue "letsencrypt.org"
    debian.org has CAA record 128 issue "amazon.com"

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
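The CAA policy Russ quotes (critical `issue` records naming the permitted CAs, and `issuewild ";"` forbidding any wildcard issuance) can be evaluated mechanically. The following Python is an added example, not code from this thread or from dgit/DSA: it parses `host -t caa` output into records and applies the RFC 8659 selection rules (issuewild applies only to wildcard names and only when present; an unknown critical tag fails closed). It assumes the records were already fetched and DNSSEC-validated by the caller and performs no DNS lookups itself.

```python
"""Evaluate a CAA policy (RFC 8659) from records in `host -t caa` output."""
import re
from dataclasses import dataclass

# Constructed sample input, taken from the host output quoted in the thread.
SAMPLE_HOST_OUTPUT = """\
debian.org has CAA record 0 iodef "mailto:d...@debian.org"
debian.org has CAA record 128 issuewild ";"
debian.org has CAA record 128 issue "letsencrypt.org"
debian.org has CAA record 128 issue "amazon.com"
"""

_LINE = re.compile(r'^(\S+) has CAA record (\d+) (\S+) "([^"]*)"$')


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit 7 (value 128) is the "issuer critical" flag.
        return bool(self.flags & 128)


def parse_host_output(text: str) -> list[CAA]:
    """Parse `host -t caa` presentation lines; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            records.append(CAA(int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records


def issuer_domain(value: str) -> str:
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"; ";" -> ""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: list[CAA], ca: str, wildcard: bool = False) -> bool:
    """True if CA `ca` may issue for the name (wildcard or not) under this CAA set."""
    known = {"issue", "issuewild", "iodef"}
    if any(r.critical and r.tag not in known for r in records):
        return False  # unknown critical property: CA must refuse to issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild overrides issue for wildcard names only
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no applicable property: CAA does not restrict issuance
    return ca.lower() in {issuer_domain(r.value) for r in relevant}
```

With the quoted records, `may_issue(recs, "letsencrypt.org")` is true while any wildcard request is refused, which is the policy a client pinning on the CA (rather than on a leaf) is relying on.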