On 08.09.21 21:12, Greg Wooledge wrote:
> On Wed, Sep 08, 2021 at 08:28:18PM +0200, Ulf Volmer wrote:
>> On 08.09.21 16:50, Lee wrote:
>>
>>> Are you using a dnssec validating resolver?
>>>
>>> It'd be nice if somebody that understands dnssec would double-check,
>>> but it looks like name lookups for security.debian.org has dnssec
>>> enabled and not enabled for deb.debian.org
>>
>> deb.debian.org is a CNAME and this CNAME is correctly DNSSEC validated.
>> But this CNAME points to an A record outside of debian.org which is not
>> secured by DNSSEC.
>
> Apt uses SRV records, so:
>
> unicorn:~$ dig +short SRV _http._tcp.deb.debian.org
> 10 1 80 debian.map.fastlydns.net.
>
> It still points outside of *.debian.org, but the CNAME part doesn't
> matter. At least, not for apt in a recent Debian release in the
> absence of a proxy.

That may be true, but finally debian.map.fastlydns.net is not DNSSEC validated.

Best regards
Ulf
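
An added example, not part of the original message: a way to check what the thread is debating, by reading the AD (Authenticated Data) flag in dig output. A validating resolver sets AD only when every RRset in the answer validated, so a signed CNAME or SRV record that leads to a target in an unsigned zone comes back without it. The function names and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# has_ad: read dig output on stdin; succeed if the header flags include "ad".
has_ad() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags:/, "")      # drop the label
            sub(/;.*/, "")             # drop the counters after the flags
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# classify: print "secure" or "insecure" for dig output on stdin.
classify() {
    if has_ad; then echo secure; else echo insecure; fi
}

# check_names: query each name through the local resolver (needs network
# and a DNSSEC-validating resolver); usage: check_names TYPE name...
check_names() {
    rrtype=$1; shift
    for name in "$@"; do
        printf '%s %s: ' "$name" "$rrtype"
        dig +dnssec "$name" "$rrtype" | classify
    done
}

# Constructed sample headers, not captured from a real resolver.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

printf '%s\n' "$SAMPLE_SIGNED" | classify
printf '%s\n' "$SAMPLE_UNSIGNED" | classify

# Live use with the names from this thread:
#   check_names A security.debian.org deb.debian.org debian.map.fastlydns.net
#   check_names SRV _http._tcp.deb.debian.org
```

The result only means something when the resolver you query validates; a non-validating forwarder never sets AD, whatever the zone.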