I've noticed that Debian Jessie still contains the version of dnsmasq which returns SERVFAIL for _all_ zones signed by ECDSA. This bug was fixed upstream by in January 2015.
I've patched 2.72-3+deb8u1 on my own and confirm that this trivial fix is sufficient to change the response from SERVFAIL to NOERROR with the AD flag set. Tested with ECDSAP256SHA256.
Simon, could you please consider applying this fix to Debian's stable branch? With the increasing adoption of ECDSA as a replacement of RSA, this bug becomes more important than it was one or two years ago (see e.g. conclusions in
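To reproduce the check described in the report (query the resolver, look at the RCODE and the AD flag, and confirm that the zone's signatures use ECDSAP256SHA256, DNSSEC algorithm 13), here is an added example in Python. It is not part of the bug report and not dnsmasq's own code. It hand-builds a DNS query with the EDNS0 DO bit set, sends it over UDP, and parses the header and any RRSIG records in the reply; the two embedded sample responses are constructed for offline use, and the resolver address and zone name are whatever you pass on the command line.

```python
"""Probe a recursive resolver for DNSSEC validation of an ECDSA-signed zone.

Added example, not part of the bug report or of dnsmasq. A resolver with
the bug described above answers SERVFAIL (rcode 2) for ECDSA-signed zones;
a fixed one answers NOERROR (rcode 0) with AD set and returns RRSIGs whose
algorithm field is 13 (ECDSAP256SHA256).
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DNSSEC_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
               13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
TYPE_RRSIG = 46


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a recursive query (RD) with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Extract rcode, AD flag and RRSIG algorithm names from a raw DNS response."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    algs = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_RRSIG:
            algs.append(msg[off + 2])  # RRSIG RDATA: type covered(2), algorithm(1), ...
        off += rdlen
    return {"rcode": RCODES.get(rcode, str(rcode)), "ad": ad,
            "rrsig_algs": [DNSSEC_ALGS.get(a, str(a)) for a in algs]}


def probe(resolver, name, timeout=3.0):
    """Send the query to resolver:53 over UDP and parse the answer (needs network access)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_response(data)


def _sample_response():
    """Constructed NOERROR+AD answer: one A record plus one RRSIG with algorithm 13."""
    name = encode_name("example.test")
    header = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR, RD, RA, AD; rcode 0
    question = name + struct.pack(">HH", 1, 1)
    a_rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig_rdata = struct.pack(">HBBIIIH", 1, 13, 2, 300, 0, 0, 0) + name + b"\x00" * 64
    rrsig_rr = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    return header + question + a_rr + rrsig_rr


def _sample_servfail():
    """Constructed SERVFAIL answer with no records, as the buggy resolver returns."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # QR, RD, RA; rcode 2
    return header + encode_name("example.test") + struct.pack(">HH", 1, 1)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2]))  # e.g. probe.py 127.0.0.1 example.test
    else:
        print(parse_response(_sample_response()))
        print(parse_response(_sample_servfail()))
```

Run it as `python probe.py <resolver-ip> <ecdsa-signed-zone>` against the dnsmasq instance under test: `{'rcode': 'SERVFAIL', 'ad': False, 'rrsig_algs': []}` is the behaviour the report describes, and `{'rcode': 'NOERROR', 'ad': True, 'rrsig_algs': ['ECDSAP256SHA256']}` is what the patched build should give. The parser only reads the header and the algorithm byte of RRSIGs, so it works on any answer the resolver returns; it does not itself validate signatures.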