On 08.09.21 16:50, Lee wrote:
> Are you using a dnssec validating resolver?
>
> It'd be nice if somebody that understands dnssec would double-check,
> but it looks like name lookups for security.debian.org has dnssec
> enabled and not enabled for deb.debian.org

deb.debian.org is a CNAME and this CNAME is correctly DNSSEC validated.
But this CNAME points to an A record outside of debian.org which is not
secured by DNSSEC.

Best regards
Ulf
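
Added example, not part of the message above: a small offline model of how a validating resolver judges a CNAME chain, where the answer counts as secure only if every RRset in the chain validated. The target name cdn.example.net, the addresses, the per-RRset validation flags and the function names are constructed placeholders; the page does not give the real CNAME target.

```python
# Constructed sample data: per-RRset results as a validating resolver would
# see them. "cdn.example.net." is a placeholder target, not the real one, and
# the addresses come from the documentation range 192.0.2.0/24.
SAMPLE_RRSETS = {
    "deb.debian.org.": {"type": "CNAME", "data": "cdn.example.net.", "validated": True},
    "cdn.example.net.": {"type": "A", "data": "192.0.2.10", "validated": False},
    "security.debian.org.": {"type": "A", "data": "192.0.2.20", "validated": True},
}

MAX_CHAIN = 8  # upper bound on chain length, guards against CNAME loops


def evaluate_chain(qname, rrsets):
    """Follow CNAMEs from qname and report the status of every hop.

    Returns (hops, secure): hops is a list of (owner, type, validated) tuples,
    secure is True only if every RRset in the chain was validated.
    """
    hops, seen, name = [], set(), qname
    while True:
        if name in seen or len(hops) >= MAX_CHAIN:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.add(name)
        rrset = rrsets.get(name)
        if rrset is None:
            raise KeyError(f"no RRset for {name}")
        hops.append((name, rrset["type"], rrset["validated"]))
        if rrset["type"] != "CNAME":
            break  # reached the terminal record (here an A record)
        name = rrset["data"]
    return hops, all(validated for _, _, validated in hops)


def first_unvalidated(hops):
    """Return the owner name of the first hop that was not validated, or None."""
    return next((owner for owner, _, ok in hops if not ok), None)


if __name__ == "__main__":
    for q in ("deb.debian.org.", "security.debian.org."):
        hops, secure = evaluate_chain(q, SAMPLE_RRSETS)
        print(q, "secure" if secure else f"insecure at {first_unvalidated(hops)}")
```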