Your message dated Wed, 20 Nov 2024 19:45:13 +0100
with message-id <[email protected]>
and subject line Re: Bug#805596: dnsmasq: Fails to resolve cloudflare.com
domains with dnssec
has caused the Debian Bug report #805596,
regarding dnsmasq: Fails to resolve cloudflare.com domains with dnssec
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
805596: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805596
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dnsmasq
Version: 2.72-3+deb8u1
Severity: normal
Dear Maintainer,
Since cloudflare.com changed to dnssec dnsmasq can't resolve any domain
which is hosted by them.
I can easily reproduce this issue if I create a blank Debian jessie (I
used docker), install dnsmasq and enable dnssec as in the changed config
file attached. As parent dns server I used 8.8.8.8, I also tried other
servers but always the same issue.
If I use now dig I get an empty response.
With nslookup I get the following error:
** server can't find cloudflare.com: SERVFAIL
In the docker container I can resolve the problem with an update to the
newer version of dnsmasq from stretch. But I think it should also get
fixed in the stable release.
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dnsmasq depends on:
ii dnsmasq-base 2.72-3+deb8u1
ii init-system-helpers 1.22
ii netbase 5.3
dnsmasq recommends no packages.
Versions of packages dnsmasq suggests:
pn resolvconf <none>
-- Configuration Files:
/etc/dnsmasq.conf changed:
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
resolv-file=/etc/resolv.dnsmasq.conf
-- no debconf information
--- End Message ---
--- Begin Message ---
Control: notfound -1 2.75-1
Version: 2.75-1
Done: Simon Kelley <[email protected]>
On Fri, 20 Nov 2015 21:25:28 +0000 Simon Kelley <[email protected]> wrote:
> I suspect that the proximate cause of this is lack of support for the
> ECDSA ciphersuite in 2.72. As you pointed out, this works OK in 2.75.
>
> 2.72 was a very early release for DNSSEC in dnsmasq, and there have been
> many changes and fixes between 2.72 and 2.75. Backporting so many
> changes is not really practical, so I guess the only solutions are to
> use backports, or move stable to 2.75. I'm not sure how the latter fits
> with policy these days.
Closing this bug based on Simon's reply.
Cheers,
Sven
--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
--- End Message ---
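
Added example, not part of the bug log or of dnsmasq: a Python check that parses DNSKEY records in dig answer layout and lists zones signed only with algorithms the resolver is assumed not to support (ECDSA, algorithm numbers 13 and 14, following Simon's suspicion above). The sample records, the zone names and the UNSUPPORTED set are constructed assumptions.

```python
# Added example: flag zones whose DNSKEYs all use algorithms a resolver lacks.
ALGORITHMS = {  # IANA DNSSEC algorithm numbers
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
    10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}
# Assumption from the reply above: the old resolver cannot validate ECDSA.
UNSUPPORTED = frozenset({13, 14})
CLASSES = {"IN", "CH", "HS"}

# Constructed sample in `dig +noall +answer` layout; names and keys are fake.
SAMPLE = """\
example.test.  3600 IN DNSKEY 257 3 13 ZmFrZS1rc2s=
example.test.  3600 IN DNSKEY 256 3 13 ZmFrZS16c2s=
legacy.test.   3600 IN DNSKEY 257 3 8 ZmFrZS1yc2E=
; a comment line, ignored
legacy.test.   3600 IN RRSIG DNSKEY 8 2 3600 20250101000000 20241201000000 1 legacy.test. ZmFrZQ==
mixed.test.    3600 IN DNSKEY 257 3 13 ZmFrZS1lYw==
mixed.test.    3600 IN DNSKEY 257 3 8 ZmFrZS1yc2E=
"""


def dnskey_algorithms(answer_text):
    """Map each owner name to the set of DNSKEY algorithm numbers seen."""
    zones = {}
    for line in answer_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        # Between owner and type only TTL and class may appear; this skips
        # RRSIG lines, where DNSKEY is the "type covered" field instead.
        if idx == 0 or not all(f.isdigit() or f.upper() in CLASSES for f in fields[1:idx]):
            continue
        rdata = fields[idx + 1:]  # flags, protocol, algorithm, key
        if len(rdata) < 4 or not rdata[2].isdigit():
            continue
        zones.setdefault(fields[0].lower(), set()).add(int(rdata[2]))
    return zones


def validation_risk(answer_text, unsupported=UNSUPPORTED):
    """Zones signed only with unsupported algorithms, with algorithm names."""
    return {
        zone: sorted(ALGORITHMS.get(a, f"ALG{a}") for a in algs)
        for zone, algs in dnskey_algorithms(answer_text).items()
        if algs <= set(unsupported)
    }


if __name__ == "__main__":
    for zone, names in validation_risk(SAMPLE).items():
        print(f"{zone}: only {', '.join(names)}")
```

To use it on real data, pass the text of a DNSKEY answer section in place of SAMPLE and set `unsupported` to the algorithms your resolver version is known to lack.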