Hi,

On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> I was checking the Debian domain, and noticed that it is DNSSEC compliant.
>
> However, when I check "deb.debian.org", the DNS validation fails.

Things in the debian.org domain are responding correctly with DNSSEC but
deb.debian.org is a CNAME to debian.map.fastlydns.net, and *that* domain
doesn't (yet?) use DNSSEC.

$ delv deb.debian.org
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
                                                pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
                                                zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
                                                Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
                                                oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
; unsigned answer
debian.map.fastlydns.net. 30    IN      A       146.75.74.132

> After checking the status using Verisign
> (https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand
> Debian is using a CDN (Content Delivery Network).
>
> Is there a stable domain we can use that doesn't rely on a CDN, please?

I am left to wonder what problem(s) you are trying to avoid by "not
relying on a CDN", but you can just use a different mirror.

But note that Debian mirrors are operated by many diverse organisations
and individuals, most of which probably aren't Debian developers. Debian
itself has no legal entity; SPI, inc only deals with some financial
matters, so trying to form a notion of any kind of legislative or
administrative control structure is difficult.

Or to put it another way, if it bothers you that responsibility for
operation of a mirror passes outside of the people who control the
debian.org zone, I have bad news for you.

For example, if you chose ftp.uk.debian.org…

$ delv ftp.uk.debian.org
; fully validated
ftp.uk.debian.org.      300     IN      CNAME   debian.hands.com.
ftp.uk.debian.org.      300     IN      RRSIG   CNAME 8 4 300 20240401002934 20240220235036 59788 debian.org. Pu+9FflqjMDfCjNxUoQy32dA5X3atU92LH3hozdZcDk3ZZwtyqcAoA6x
                                                IZSLZEzJvXa6+gTd3P0pOib+rIoypUYz47OulgYTWqQdLILtV3cRMVxU
                                                hf+z5xOYmOzzwSKAuI7iho4PNCmChccyfFdc3p4nKtciQmyWYbUeNJRu
                                                s83Ki0YEdvgMP+74HCwH6BNUEFhCuYFeDc+XWTzwg55EDSAmyMdXU9rl
                                                BRfpyCg4VU0NeJMFGci5sxKooAwbstvs
; unsigned answer
debian.hands.com.       14030   IN      A       78.129.164.123

…you again end up at something that doesn't use DNSSEC. It isn't a CDN
though, so maybe you like it more (?).

I haven't gone through all of the mirrors to see if there are any that
use DNSSEC. I wouldn't be surprised if there were some, but again, I
don't know what your threat model is so I'm not suggesting this matters.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
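As an added example, not part of Andy's mail and not Debian or BIND tooling: a small parser for delv's text output that follows a CNAME chain and reports at which hop the answer stops being validated, so the check Andy did by hand can be scripted over a list of mirrors. It assumes delv's comment lines ("; fully validated", "; unsigned answer") label the records that follow them, which is what the output quoted in the mail shows. The deb.debian.org sample is transcribed from that output; the mirror.example.net sample is constructed (hypothetical name, made-up signature) to show the fully validated case.

```python
"""Follow a CNAME chain in delv(1) output and report whether every hop
was DNSSEC-validated.

Added example, not from the mailing-list post.  Assumes the text form
delv prints: a comment line such as "; fully validated" or
"; unsigned answer" applies to the resource records that follow it,
until the next comment line.  Wrapped RRSIG data continues on indented
lines.  The samples below are embedded so this runs offline.
"""
from dataclasses import dataclass


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    status: str  # text of the delv comment that preceded this record


def parse_delv(output: str) -> list[Record]:
    """Parse delv's text output into records tagged with their validation status."""
    records: list[Record] = []
    status = "unknown"
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(";"):
            # e.g. "; fully validated" / "; unsigned answer"
            status = raw.lstrip("; ").strip()
            continue
        if raw[0].isspace():
            # continuation of wrapped rdata (base64 of an RRSIG)
            if records:
                records[-1].rdata += " " + raw.strip()
            continue
        fields = raw.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, _ttl, _cls, rtype, rdata = fields
        records.append(Record(name.lower(), rtype, rdata, status))
    return records


def chain_status(output: str, qname: str, max_hops: int = 10) -> dict:
    """Walk qname's CNAME chain; return the final target, its addresses and
    whether every hop (including the final answer) carried "fully validated".

    Unvalidated hops are listed so the caller sees where the chain leaves
    the signed zone (deb.debian.org -> debian.map.fastlydns.net in the mail).
    """
    records = parse_delv(output)
    name = qname.lower().rstrip(".") + "."
    unvalidated: list[str] = []
    addresses: list[str] = []
    for _ in range(max_hops):
        cnames = [r for r in records if r.name == name and r.rtype == "CNAME"]
        addrs = [r for r in records if r.name == name and r.rtype in ("A", "AAAA")]
        for r in cnames + addrs:
            if r.status != "fully validated":
                unvalidated.append(f"{r.name} {r.rtype} ({r.status})")
        if addrs:
            addresses = [r.rdata for r in addrs]
            break
        if not cnames:
            break  # dangling chain or record type we do not follow
        name = cnames[0].rdata.lower()
    return {
        "target": name,
        "addresses": addresses,
        "fully_validated": bool(addresses) and not unvalidated,
        "unvalidated": unvalidated,
    }


# Transcribed from the "delv deb.debian.org" output quoted in the mail.
SAMPLE_DEB = """\
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
                                                pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
                                                zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
                                                Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
                                                oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
; unsigned answer
debian.map.fastlydns.net. 30    IN      A       146.75.74.132
"""

# Constructed: hypothetical mirror in a signed zone; the signature is not real.
SAMPLE_OK = """\
; fully validated
mirror.example.net.     300     IN      A       192.0.2.10
mirror.example.net.     300     IN      RRSIG   A 13 3 300 20240401000000 20240301000000 12345 example.net. bm90QXJlYWxTaWduYXR1cmU=
"""

if __name__ == "__main__":
    for sample, qname in ((SAMPLE_DEB, "deb.debian.org"), (SAMPLE_OK, "mirror.example.net")):
        print(qname, chain_status(sample, qname))
```

In real use the output string comes from running delv in a subprocess for each mirror name; the parsing and chain walk are unchanged. Inspecting the comment lines is what matters: delv reports an unsigned answer as an ordinary insecure resolution, not as a failure, so exit status alone would not tell you that the chain left the signed debian.org zone.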