Your message dated Mon, 30 Aug 2021 09:52:57 +0200
with message-id <[email protected]>
and subject line Re: Bug#993272: allow using multiple SRV records to load
balance mirrors without CDNs
has caused the Debian Bug report #993272,
regarding allow using multiple SRV records to load balance mirrors without CDNs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
993272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt
version: 2.3.8
severity: wishlist
If I understand correctly, the current SRV record implementation is
targeting CDNs so all servers will be responding to the same hostname
and will have certificates matching the main hostname.
I'm exploring the possibility of using SRV records to transparently
load balance between multiple mirrors. This works well for http but
will fail for https.
Current DNS setting is,
$ dig +noall +answer -t SRV _https._tcp.fasttrack-mirror.fsci.in
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443
fasttrack.debian.net.
_https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443
mirror.linux.pizza.
and the error
Err:3 https://fasttrack-mirror.fsci.in/debian-fasttrack
bullseye-fasttrack InRelease
Certificate verification failed: The certificate is NOT trusted. The
name in the certificate does not match the expected. Could not
handshake: Error in the certificate verification. [IP: 185.181.160.236
443]
This is expected because neither fasttrack.debian.net nor
mirror.linux.pizza has TLS certificates for fasttrack-mirror.fsci.in
Would it be possible to use the hostnames mentioned in SRV records for
retrieving the data instead of the main hostname? Are there any security
concerns for doing that?
See https://salsa.debian.org/fasttrack-team/support/-/issues/25 for
things I tried already
--- End Message ---
--- Begin Message ---
On Mon, Aug 30, 2021 at 02:16:08AM +0530, Pirate Praveen wrote:
> Package: apt
> version: 2.3.8
> severity: wishlist
>
> If I understand correctly, the current SRV record implementation is
> targeting CDNs so all servers will be responding to the same hostname and
> will have certificates matching the main hostname.
>
> I'm exploring the possibility of using SRV records to transparently load
> balance between multiple mirrors. This works well for http but will fail for
> https.
>
> Current DNS setting is,
>
> $ dig +noall +answer -t SRV _https._tcp.fasttrack-mirror.fsci.in
> _https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443
> fasttrack.debian.net.
> _https._tcp.fasttrack-mirror.fsci.in. 60 IN SRV 10 1 443 mirror.linux.pizza.
>
> and the error
> Err:3 https://fasttrack-mirror.fsci.in/debian-fasttrack bullseye-fasttrack
> InRelease
> Certificate verification failed: The certificate is NOT trusted. The name
> in the certificate does not match the expected. Could not handshake: Error
> in the certificate verification. [IP: 185.181.160.236 443]
>
> This is expected because neither fasttrack.debian.net nor mirror.linux.pizza
> has TLS certificates for fasttrack-mirror.fsci.in
>
> Would it be possible to use the hostnames mentioned in SRV records for
> retrieving the data instead of the main hostname? Are there any security
> concerns for doing that?
Can't use the target hostnames, as the SRV record, like all DNS, is not
trusted. You'll have to redirect at an http(s) level if you want this,
or issue certificates for the hostname to all SRV endpoints.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en
--- End Message ---
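The reasoning in the reply, as an added example that is not apt's code and not part of the bug thread: a small simulation of the SRV lookup and the TLS hostname check under the two policies the thread discusses. The SRV zone and certificates are constructed; the "evil.example" record, the "*.linux.pizza" wildcard, and the SAN-extended certificates are assumptions added to illustrate the point. Verifying against the sources.list hostname (what apt does) reproduces the reported error today, and rejects a spoofed SRV target; verifying against the SRV target, as the report asks, would accept any host an unauthenticated DNS answer names. The third case shows the reply's second option, issuing the origin name to every real mirror.

```python
"""Added example (not apt's own code): why the TLS name check must use the
hostname from sources.list, not the SRV target returned by DNS. The SRV
records, certificates and the attacker hostname below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    sans: tuple  # dNSName entries from subjectAltName


# Constructed zone: the two records from the bug report plus one an attacker
# injected. Plain DNS answers are unauthenticated, so a spoofer can add a
# record with a better (numerically lower) priority than the real ones.
SRV_ZONE = {
    "_https._tcp.fasttrack-mirror.fsci.in": (
        SrvRecord(10, 1, 443, "fasttrack.debian.net"),
        SrvRecord(10, 1, 443, "mirror.linux.pizza"),
        SrvRecord(5, 1, 443, "evil.example"),  # spoofed (assumption)
    ),
}

# Constructed certificates each endpoint presents today. The attacker's cert
# is perfectly valid for evil.example, a name any CA would issue to them.
CERTS_TODAY = {
    "fasttrack.debian.net": Cert("fasttrack.debian.net", ("fasttrack.debian.net",)),
    "mirror.linux.pizza": Cert("mirror.linux.pizza", ("*.linux.pizza",)),
    "evil.example": Cert("evil.example", ("evil.example",)),
}

# The reply's second option: every real mirror also gets a SAN for the origin.
CERTS_WITH_ORIGIN_SAN = {
    "fasttrack.debian.net": Cert("fasttrack.debian.net",
                                 ("fasttrack.debian.net", "fasttrack-mirror.fsci.in")),
    "mirror.linux.pizza": Cert("mirror.linux.pizza",
                               ("*.linux.pizza", "fasttrack-mirror.fsci.in")),
    "evil.example": Cert("evil.example", ("evil.example",)),
}


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """RFC 6125-style reference-identity check: the expected hostname must equal
    a dNSName SAN or match a single leftmost-label wildcard; the CN is only
    consulted when the certificate carries no SANs at all."""
    hostname = hostname.lower().rstrip(".")
    names = cert.sans or (cert.subject_cn,)
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*.") and "*" not in name[2:]:
            labels = hostname.split(".", 1)
            if len(labels) == 2 and labels[1] == name[2:]:
                return True
        elif name == hostname:
            return True
    return False


def resolve_srv(origin_host: str) -> list:
    """Order SRV targets as RFC 2782 does: lowest priority first, then by weight."""
    records = SRV_ZONE[f"_https._tcp.{origin_host}"]
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def fetch_decisions(origin_host: str, certs: dict, verify_against: str) -> list:
    """Simulate a TLS connection to each SRV target; return (target, accepted).
    'origin' = reference identity is the sources.list host (apt's behaviour);
    'srv-target' = reference identity is the SRV target (what the report asked)."""
    assert verify_against in ("origin", "srv-target")
    decisions = []
    for rec in resolve_srv(origin_host):
        expected = origin_host if verify_against == "origin" else rec.target
        decisions.append((rec.target, hostname_matches(certs[rec.target], expected)))
    return decisions


def first_accepted(origin_host: str, certs: dict, verify_against: str):
    """The endpoint the client would actually download from, or None."""
    for target, ok in fetch_decisions(origin_host, certs, verify_against):
        if ok:
            return target
    return None


if __name__ == "__main__":
    origin = "fasttrack-mirror.fsci.in"
    print("today, verify origin:     ", fetch_decisions(origin, CERTS_TODAY, "origin"))
    print("today, verify SRV target: ", fetch_decisions(origin, CERTS_TODAY, "srv-target"))
    print("origin SAN, verify origin:", fetch_decisions(origin, CERTS_WITH_ORIGIN_SAN, "origin"))
```

Under the "origin" policy with today's certificates every target is rejected, which is the "name in the certificate does not match the expected" error from the report; under the "srv-target" policy the spoofed evil.example record sorts first and is accepted, because its certificate is genuinely valid for the name the attacker chose. Only the SAN-extended certificates make the origin policy accept the real mirrors while still rejecting the injected one.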