Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Andre Rodier

On 03/03/2024 14:06, Andy Smith wrote:

> Hi,
> 
> On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> > I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> > 
> > However, when I check "deb.debian.org", the DNS validation fails.
> 
> Things in the debian.org domain are responding correctly with DNSSEC
> but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
> *that* domain doesn't (yet?) use DNSSEC.
> 
> $ delv deb.debian.org
> ; fully validated
> deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
> deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549
> 20240225172415 59788 debian.org.
> YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
> pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
> zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
> Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
> oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
> 
> ; unsigned answer
> debian.map.fastlydns.net. 30    IN      A       146.75.74.132
> 
> > After checking the status using Verisign
> > (https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand
> > Debian is using a CDN (Content Delivery Network).
> > 
> > Is there a stable domain we can use that doesn't rely on a CDN, please ?
> 
> I am left to wonder what problem(s) you are trying to avoid by "not
> relying on a CDN", but you can just use a different mirror.
> 
> But note that Debian mirrors are operated by many diverse
> organisations and individuals, most of which probably aren't Debian
> developers. Debian itself has no legal entity; SPI, inc only deals
> with some financial matters, so trying to form a notion of any kind
> of legislative or administrative control structure is difficult.
> 
> Or to put it another way, if it bothers you that responsibility for
> operation of a mirror passes outside of the people who control the
> debian.org zone, I have bad news for you.
> 
> For example, if you chose ftp.uk.debian.org…
> 
> $ delv ftp.uk.debian.org
> ; fully validated
> ftp.uk.debian.org.      300     IN      CNAME   debian.hands.com.
> ftp.uk.debian.org.      300     IN      RRSIG   CNAME 8 4 300 20240401002934
> 20240220235036 59788 debian.org.
> Pu+9FflqjMDfCjNxUoQy32dA5X3atU92LH3hozdZcDk3ZZwtyqcAoA6x
> IZSLZEzJvXa6+gTd3P0pOib+rIoypUYz47OulgYTWqQdLILtV3cRMVxU
> hf+z5xOYmOzzwSKAuI7iho4PNCmChccyfFdc3p4nKtciQmyWYbUeNJRu
> s83Ki0YEdvgMP+74HCwH6BNUEFhCuYFeDc+XWTzwg55EDSAmyMdXU9rl
> BRfpyCg4VU0NeJMFGci5sxKooAwbstvs
> 
> ; unsigned answer
> debian.hands.com.       14030   IN      A       78.129.164.123
> 
> …you again end up at something that doesn't use DNSSEC. It isn't a
> CDN though, so maybe you like it more (?).
> 
> I haven't gone through all of the mirrors to see if there are any
> ones that use DNSSEC. I wouldn't be surprised if there were some,
> but again, I don't know what your threat model is so I'm not
> suggesting this matters.
> 
> Thanks,
> Andy




Thanks for the answer, Andy.

This makes sense.

Kind regards,
André Rodier



Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Andre Rodier

On 03/03/2024 14:03, Max Nikulin wrote:

> On 03/03/2024 16:39, Andre Rodier wrote:
> > Is there a stable domain we can use that doesn't rely on a CDN, please ?
> 
> https://www.debian.org/mirror/list
> 
> APT relies on GPG signed metadata, so DNSSEC is not necessary for
> repositories.




Thanks, this makes sense.

Kind regards,
André Rodier



Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Greg Wooledge
On Sun, Mar 03, 2024 at 02:06:00PM +0000, Andy Smith wrote:
> On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> > I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> > 
> > However, when I check "deb.debian.org", the DNS validation fails.
> 
> Things in the debian.org domain are responding correctly with DNSSEC
> but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
> *that* domain doesn't (yet?) use DNSSEC.
> 
> $ delv deb.debian.org
> ; fully validated
> deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
> deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549
> 20240225172415 59788 debian.org.
> YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
> pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
> zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
> Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
> oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
> 
> ; unsigned answer
> debian.map.fastlydns.net. 30    IN      A       146.75.74.132

In addition to all of that, please note that deb.debian.org uses SRV
records instead of regular A or AAAA records.  This is explained
(not fully) on http://deb.debian.org/ if you care to read it.



Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Andy Smith
Hi,

On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> 
> However, when I check "deb.debian.org", the DNS validation fails.

Things in the debian.org domain are responding correctly with DNSSEC
but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
*that* domain doesn't (yet?) use DNSSEC.

$ delv deb.debian.org
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549
20240225172415 59788 debian.org.
YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE

; unsigned answer
debian.map.fastlydns.net. 30    IN      A       146.75.74.132

> After checking the status using Verisign
> (https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand
> Debian is using a CDN (Content Delivery Network).
> 
> Is there a stable domain we can use that doesn't rely on a CDN, please ?

I am left to wonder what problem(s) you are trying to avoid by "not
relying on a CDN", but you can just use a different mirror.

But note that Debian mirrors are operated by many diverse
organisations and individuals, most of which probably aren't Debian
developers. Debian itself has no legal entity; SPI, inc only deals
with some financial matters, so trying to form a notion of any kind
of legislative or administrative control structure is difficult.

Or to put it another way, if it bothers you that responsibility for
operation of a mirror passes outside of the people who control the
debian.org zone, I have bad news for you.

For example, if you chose ftp.uk.debian.org…

$ delv ftp.uk.debian.org
; fully validated
ftp.uk.debian.org.      300     IN      CNAME   debian.hands.com.
ftp.uk.debian.org.      300     IN      RRSIG   CNAME 8 4 300 20240401002934
20240220235036 59788 debian.org.
Pu+9FflqjMDfCjNxUoQy32dA5X3atU92LH3hozdZcDk3ZZwtyqcAoA6x
IZSLZEzJvXa6+gTd3P0pOib+rIoypUYz47OulgYTWqQdLILtV3cRMVxU
hf+z5xOYmOzzwSKAuI7iho4PNCmChccyfFdc3p4nKtciQmyWYbUeNJRu
s83Ki0YEdvgMP+74HCwH6BNUEFhCuYFeDc+XWTzwg55EDSAmyMdXU9rl
BRfpyCg4VU0NeJMFGci5sxKooAwbstvs

; unsigned answer
debian.hands.com.       14030   IN      A       78.129.164.123

…you again end up at something that doesn't use DNSSEC. It isn't a
CDN though, so maybe you like it more (?).

I haven't gone through all of the mirrors to see if there are any
ones that use DNSSEC. I wouldn't be surprised if there were some,
but again, I don't know what your threat model is so I'm not
suggesting this matters.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
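The delv output Andy quotes shows the trap: the "; fully validated" header applies to the CNAME in debian.org, while the A record that actually gets used comes back as "; unsigned answer" from the unsigned target zone. The following is an added example (not code from this thread or from Debian) that parses delv's status comments, follows the CNAME chain, and reports the validation status of the final address RRset on its own; the sample input is constructed from the quoted delv output with the RRSIG signature shortened.

```python
from dataclasses import dataclass

# Constructed sample: the delv output quoted in the thread, RRSIG signature shortened.
DELV_OUTPUT = """\
; fully validated
deb.debian.org.         3600    IN      CNAME   debian.map.fastlydns.net.
deb.debian.org.         3600    IN      RRSIG   CNAME 8 3 3600 20240405180549
20240225172415 59788 debian.org.
YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
; unsigned answer
debian.map.fastlydns.net. 30    IN      A       146.75.74.132
"""

@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    status: str  # delv's comment above the RRset, e.g. "fully validated"

def parse_delv(text):
    """Attach to every record the validation status delv printed above it."""
    status, records = "unknown", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):
            status = line.lstrip(";").strip()
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) == 5 and fields[2] == "IN":
            records.append(Record(fields[0], fields[3], fields[4], status))
        elif records:  # wrapped continuation line of the previous record (RRSIG)
            records[-1].rdata += " " + line
    return records

def address_status(records, qname):
    """Follow CNAMEs from qname; return (final owner, address, status of that RRset)."""
    name = qname.rstrip(".") + "."
    for _ in range(8):  # bound the walk so a CNAME loop cannot spin forever
        target = next((r.rdata for r in records if r.name == name and r.rtype == "CNAME"), None)
        if target is None:
            break
        name = target
    for r in records:
        if r.name == name and r.rtype in ("A", "AAAA"):
            return name, r.rdata, r.status
    return name, None, "no address"
```

For deb.debian.org the result is an address whose status is "unsigned answer", which is why, as Max notes elsewhere in the thread, APT's check of the signed repository metadata is what actually protects the download.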



Re: DNSSEC status of deb.debian.org

2024-03-03 Thread Max Nikulin

On 03/03/2024 16:39, Andre Rodier wrote:
> Is there a stable domain we can use that doesn't rely on a CDN, please ?


https://www.debian.org/mirror/list

APT relies on GPG signed metadata, so DNSSEC is not necessary for 
repositories.




DNSSEC status of deb.debian.org

2024-03-03 Thread Andre Rodier

Hello,

I was checking the Debian domain, and noticed that it is DNSSEC compliant.

However, when I check "deb.debian.org", the DNS validation fails.

After checking the status using Verisign 
(https://dnssec-debugger.verisignlabs.com/deb.debian.org), I understand 
Debian is using a CDN (Content Delivery Network).


Is there a stable domain we can use that doesn't rely on a CDN, please ?

Thanks,
André Rodier.

PS: Sorry to send an empty subject before.