On Wed, Sep 08, 2021 at 08:28:18PM +0200, Ulf Volmer wrote:
> On 08.09.21 16:50, Lee wrote:
>
> > > Are you using a dnssec validating resolver?
> >
> > It'd be nice if somebody that understands dnssec would double-check,
> > but it looks like name lookups for security.debian.org have dnssec
> > enabled and not enabled for deb.debian.org
>
> deb.debian.org is a CNAME and this CNAME is correctly DNSSEC validated.
> But this CNAME points to an A record outside of debian.org which is not
> secured by DNSSEC.
Apt uses SRV records, so:

unicorn:~$ dig +short SRV _http._tcp.deb.debian.org
10 1 80 debian.map.fastlydns.net.

It still points outside of *.debian.org, but the CNAME part doesn't matter.
At least, not for apt in a recent Debian release in the absence of a proxy.
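Added example (not from anyone in this thread): a small script that answers the question the thread is circling, namely whether the host apt will actually connect to for deb.debian.org is covered by DNSSEC validation. It parses full `dig` output (run without +short, so the header flags are visible), picks the SRV target the way RFC 2782 says a client should (lowest priority, weighted random among ties), and then reports whether the resolver set the AD bit on the SRV answer and on the A answer for that target. The two dig outputs embedded below are constructed so the script runs offline; the SRV rdata is the one shown above, the A record address is from the RFC 5737 documentation range and is not a real Fastly address, and the absence of the `ad` flag on the fastlydns.net answer is assumed from what Ulf described.

```python
"""Is the SRV target for deb.debian.org DNSSEC-validated?  Added example,
not from the mailing-list thread.  Dig outputs are constructed samples;
replace them with real `dig` output (no +short) against a validating
resolver to get a real answer."""
import random
from dataclasses import dataclass

# Constructed sample: validating resolver answering the SRV query.  The
# rdata matches the thread; the 'ad' flag means the resolver validated the
# whole answer chain (CNAMEs included).
SRV_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_http._tcp.deb.debian.org.\tIN\tSRV

;; ANSWER SECTION:
_http._tcp.deb.debian.org. 300\tIN\tSRV\t10 1 80 debian.map.fastlydns.net.
"""

# Constructed sample: A query for the SRV target.  fastlydns.net is outside
# debian.org and, per the thread, not signed, so no 'ad' flag.  The address
# is from the RFC 5737 documentation range, not a real Fastly IP.
A_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;debian.map.fastlydns.net.\tIN\tA

;; ANSWER SECTION:
debian.map.fastlydns.net. 30\tIN\tA\t203.0.113.10
"""


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig(output):
    """Return (authenticated, answers) from full dig output.

    authenticated is True iff the 'ad' flag is present, i.e. the resolver
    validated every record in the answer.  answers is a list of
    (owner, rtype, rdata) tuples from the ANSWER SECTION."""
    authenticated = False
    answers = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0].split()
            authenticated = "ad" in flags
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False  # blank line or other section ends the answers
        elif in_answer:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((owner.rstrip(".").lower(), rtype, rdata))
    return authenticated, answers


def parse_srv(rdata):
    """SRV rdata is 'priority weight port target'."""
    prio, weight, port, target = rdata.split()
    return Srv(int(prio), int(weight), int(port), target.rstrip(".").lower())


def choose_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are a weighted draw."""
    if not records:
        raise ValueError("no SRV records")
    best = min(r.priority for r in records)
    pool = [r for r in records if r.priority == best]
    weights = [r.weight for r in pool]
    if sum(weights) == 0:
        return rng.choice(pool)
    return rng.choices(pool, weights=weights)[0]


def srv_target_validated(srv_output, target_output):
    """Combine both lookups: which host apt would use, and whether each step
    of the lookup carried the AD bit."""
    srv_ok, srv_answers = parse_dig(srv_output)
    srvs = [parse_srv(rdata) for _o, rtype, rdata in srv_answers if rtype == "SRV"]
    chosen = choose_srv(srvs)
    a_ok, a_answers = parse_dig(target_output)
    addrs = [rdata for owner, rtype, rdata in a_answers
             if owner == chosen.target and rtype in ("A", "AAAA")]
    return {"target": chosen.target, "port": chosen.port, "addresses": addrs,
            "srv_validated": srv_ok, "target_validated": a_ok}


if __name__ == "__main__":
    r = srv_target_validated(SRV_DIG, A_DIG)
    print(f"apt connects to {r['target']}:{r['port']} -> {r['addresses']}")
    print(f"SRV answer validated: {r['srv_validated']}")
    print(f"target A answer validated: {r['target_validated']}")
```

The point the script makes explicit: a validated SRV (or CNAME) record only proves that the *name* apt was handed is authentic; the address it finally connects to comes from a zone outside debian.org, and that last hop is what the AD bit on the A answer tells you about. For apt this is mostly academic, since Release files are checked with apt's own signing keys regardless of how the transport endpoint was resolved.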