Package: dnsmasq
Version: 2.72-3+deb8u1
Severity: normal


I've noticed that Debian Jessie still contains the version of dnsmasq which incorrectly returns SERVFAIL for _all_ zones signed by ECDSA. This bug was fixed in upstream by;a=commitdiff;h=6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 in January 2015.

I've patched 2.72-3+deb8u1 on my own and confirm that this trivial fix is sufficient to change the response from SERVFAIL to NOERROR with AD flag set. Tested with ECDSAP256SHA256 (alg=13) and domain.

Simon, could you please consider applying this fix to Debian's stable branch? With the increasing adoption of ECDSA as a replacement of RSA, this bug becomes more important than it was one or two years ago (see e.g. conclusions in

Best regards.

Martin Svec
