On Sun, Mar 03, 2024 at 02:06:00PM +0000, Andy Smith wrote:
> On Sun, Mar 03, 2024 at 09:39:42AM +0000, Andre Rodier wrote:
> > I was checking the Debian domain, and noticed that it is DNSSEC compliant.
> >
> > However, when I check "deb.debian.org", the DNS validation fails.
>
> Things in the debian.org domain are responding correctly with DNSSEC
> but deb.debian.org is a CNAME to debian.map.fastlydns.net, and
> *that* domain doesn't (yet?) use DNSSEC.
>
> $ delv deb.debian.org
> ; fully validated
> deb.debian.org. 3600 IN CNAME debian.map.fastlydns.net.
> deb.debian.org. 3600 IN RRSIG CNAME 8 3 3600 20240405180549
> 20240225172415 59788 debian.org.
> YnRgyoBEdwn9PHKTN9pIHNp+VyY+J0hripSOOV7feEsJmgfJwwslnsTR
> pC0QTkKZQlNflC2sPGqAc5/sKSHHGkHdKYemVCH7IcDTKOZ6wilVUlvT
> zumWhTZDk+ntLoptwmDblI6emnj8z8wimiFuyGv3+bU16RbdzdFvMdQI
> Ys9Ldyz6eQSMMyD58OwpiwDxFWjns92iUb05VB+yLeVeFwQ9uvJW1lZa
> oASmDhoyNijntU9UjA6h/Bzx6ZJvLHlE
>
> ; unsigned answer
> debian.map.fastlydns.net. 30 IN A 146.75.74.132

In addition to all of that, please note that deb.debian.org uses SRV records instead of regular A or AAAA records. This is explained (not fully) on http://deb.debian.org/ if you care to read it.
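
Added example (not part of the original thread, and not code from Debian or the delv authors): a small Python parser for the delv output quoted above. It follows the CNAME chain and reports the name as secure only when every hop is marked "fully validated". The function names are made up for this example, and the sample input is the quoted output with the RRSIG signature replaced by a placeholder.

```python
import re

# Constructed sample: the delv output quoted in the thread, with the RRSIG
# signature data replaced by a short placeholder string.
SAMPLE = """\
; fully validated
deb.debian.org. 3600 IN CNAME debian.map.fastlydns.net.
deb.debian.org. 3600 IN RRSIG CNAME 8 3 3600 20240405180549 20240225172415 59788 debian.org. c2lnbmF0dXJl

; unsigned answer
debian.map.fastlydns.net. 30 IN A 146.75.74.132
"""

# owner, TTL, class IN, type, rdata; wrapped signature lines do not match this
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_delv(text):
    """Return [(owner, rrtype, rdata, status)] for every non-RRSIG record."""
    status, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            # delv prints the validation status as a comment above each RRset
            status = line.lstrip("; ").strip()
            continue
        m = RR.match(line)
        if m and m.group(3) != "RRSIG":
            records.append((m.group(1).lower(), m.group(3), m.group(4), status))
    return records

def chain_verdict(records, qname):
    """Follow CNAMEs from qname; the answer is only as strong as its weakest hop."""
    name, hops, seen = qname.lower().rstrip(".") + ".", [], set()
    while name not in seen:          # 'seen' guards against CNAME loops
        seen.add(name)
        here = [r for r in records if r[0] == name]
        hops += [(name, r[1], r[3]) for r in here]
        cname = next((r[2] for r in here if r[1] == "CNAME"), None)
        if cname is None:
            break
        name = cname.lower()
    secure = bool(hops) and all(s == "fully validated" for _, _, s in hops)
    return secure, hops

if __name__ == "__main__":
    print(chain_verdict(parse_delv(SAMPLE), "deb.debian.org"))
```

On the sample, the CNAME hop in debian.org is validated but the address record in fastlydns.net is not, so the overall verdict for deb.debian.org is insecure.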