Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
Shouldn't this report be closed or at least tagged as fixed in stretch?
Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
Package: dnsmasq
Version: 2.72-3+deb8u1
Severity: normal

Hello,

I've noticed that Debian Jessie still contains the version of dnsmasq which incorrectly returns SERVFAIL for _all_ zones signed by ECDSA. This bug was fixed upstream by http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 in January 2015. I've patched 2.72-3+deb8u1 on my own and confirm that this trivial fix is sufficient to change the response from SERVFAIL to NOERROR with the AD flag set. Tested with ECDSAP256SHA256 (alg=13) and the cloudflare.com domain.

Simon, could you please consider applying this fix to Debian's stable branch? With the increasing adoption of ECDSA as a replacement for RSA, this bug becomes more important than it was one or two years ago (see e.g. the conclusions in https://labs.ripe.net/Members/gih/dnssec-and-ecdsa).

Best regards.
Martin Svec
Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
Package: dnsmasq
Version: 2.75-1
Followup-For: Bug #805596

I have a similar problem. If I enable the dnssec feature in dnsmasq, the name resolving service is unreliable. Sometimes it works, while other times (like after a suspend/resume) it fails completely.

A simple dig results in:

rrs@learner:~/.rrs-home/Community/Packaging/libstoragemgmt (master)$ dig www.google.co.in
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.5-12+b1-Debian <<>> www.google.co.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34514
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.co.in. IN A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 23 20:49:17 IST 2015
;; MSG SIZE rcvd: 34

2015-11-23 / 20:49:17 ♒♒♒ ☺

And there's nothing in the dnsmasq journal.

-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.3.0+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dnsmasq depends on:
ii dnsmasq-base 2.75-1
ii init-system-helpers 1.24
ii netbase 5.3

dnsmasq recommends no packages.

Versions of packages dnsmasq suggests:
ii resolvconf 1.78

-- no debconf information
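As an added check (not code from this bug thread, from dnsmasq or from Debian), the script below parses the header of a dig response like the one in the follow-up above and classifies what it means for DNSSEC validation, so the SERVFAIL-versus-NOERROR-with-AD distinction Martin Svec describes can be tested from a script rather than by eye. The REFUSED sample is copied from the follow-up; the SERVFAIL and NOERROR samples are constructed.

```python
import re

# Added example: classify a resolver's answer from dig's header lines, so a
# DNSSEC validation failure (SERVFAIL) can be told apart from a validated
# answer (NOERROR with the AD flag) or a plain error such as REFUSED.
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r";;\s*flags:\s*([a-z ]*?);")
COUNT_RE = re.compile(r"ANSWER:\s*(\d+)")


def parse_dig_header(output):
    """Return (rcode, set of header flags, answer count) from dig output."""
    status = STATUS_RE.search(output)
    if status is None:
        raise ValueError("no status line found in dig output")
    flags = FLAGS_RE.search(output)
    flag_set = set(flags.group(1).split()) if flags else set()
    count = COUNT_RE.search(output)
    answers = int(count.group(1)) if count else 0
    return status.group(1), flag_set, answers


def classify_dnssec_answer(output):
    """Map a dig response to its meaning for a validating resolver."""
    rcode, flags, answers = parse_dig_header(output)
    if rcode == "NOERROR" and "ad" in flags and answers > 0:
        return "validated"          # chain verified, AD set (expected after the fix)
    if rcode == "NOERROR":
        return "unvalidated"        # answered, but the resolver did not set AD
    if rcode == "SERVFAIL":
        return "validation-failed"  # what dnsmasq 2.72 returned for ECDSA zones
    return rcode.lower()            # e.g. "refused": not a DNSSEC verdict at all


# Sample copied from the follow-up report above (REFUSED, no answers):
DIG_REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34514
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed samples (not captured output) for the other two outcomes:
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
DIG_VALIDATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for name, sample in [("refused", DIG_REFUSED), ("servfail", DIG_SERVFAIL),
                         ("validated", DIG_VALIDATED)]:
        print(name, "->", classify_dnssec_answer(sample))
```

Feed it the output of a real `dig` against the resolver under test to see which of the three outcomes a given zone produces.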
Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
Thank you for your fast response. Sounds like it isn't fixable in jessie :/. I solved the problem with apt pinning for me. It isn't the nicest solution but it works.

I don't think so many people use DNSSEC, but I think it would be good to have a warning in the config file that ECDSA isn't supported with the current dnsmasq version, so people know that they should not use it or update to a newer version.

Regards
Norbert

On 11/20/2015 10:25 PM, Simon Kelley wrote:
> I suspect that the proximate cause of this is lack of support for the
> ECDSA ciphersuite in 2.72. As you pointed out, this works OK in 2.75.
>
> 2.72 was a very early release for DNSSEC in dnsmasq, and there have been
> many changes and fixes between 2.72 and 2.75. Backporting so many
> changes is not really practical, so I guess the only solutions are to
> use backports, or move stable to 2.75. I'm not sure how the latter fits
> with policy these days.
>
> Cheers,
>
> Simon.
>
> On 19/11/15 22:17, Norbert Summer wrote:
>> Package: dnsmasq
>> Version: 2.72-3+deb8u1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> Since cloudflare.com changed to dnssec dnsmasq can't resolve any domain
>> which is hosted by them.
>> I can easily reproduce this issue if I create a blank debian jessie (I
>> used docker), install dnsmasq and enable dnssec as in the changed config
>> file attached. As parent dns server I used 8.8.8.8, I also tried other
>> servers but always the same issue.
>>
>> If I now use dig I get an empty response.
>> With nslookup I get the following error:
>> ** server can't find cloudflare.com: SERVFAIL
>>
>> In the docker container I can resolve the problem with an update to the
>> newer version of dnsmasq from stretch. But I think it should also get
>> fixed in the stable release.
>>
>> -- System Information:
>> Debian Release: 8.2
>> APT prefers stable
>> APT policy: (500, 'stable')
>> Architecture: amd64 (x86_64)
>> Foreign Architectures: i386
>>
>> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored:
>> LC_ALL set to en_US.utf8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>>
>> Versions of packages dnsmasq depends on:
>> ii dnsmasq-base 2.72-3+deb8u1
>> ii init-system-helpers 1.22
>> ii netbase 5.3
>>
>> dnsmasq recommends no packages.
>>
>> Versions of packages dnsmasq suggests:
>> pn resolvconf
>>
>> -- Configuration Files:
>> /etc/dnsmasq.conf changed:
>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>> dnssec
>> resolv-file=/etc/resolv.dnsmasq.conf
>>
>> -- no debconf information
Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
I suspect that the proximate cause of this is lack of support for the ECDSA ciphersuite in 2.72. As you pointed out, this works OK in 2.75.

2.72 was a very early release for DNSSEC in dnsmasq, and there have been many changes and fixes between 2.72 and 2.75. Backporting so many changes is not really practical, so I guess the only solutions are to use backports, or move stable to 2.75. I'm not sure how the latter fits with policy these days.

Cheers,

Simon.

On 19/11/15 22:17, Norbert Summer wrote:
> Package: dnsmasq
> Version: 2.72-3+deb8u1
> Severity: normal
>
> Dear Maintainer,
>
> Since cloudflare.com changed to dnssec dnsmasq can't resolve any domain
> which is hosted by them.
> I can easily reproduce this issue if I create a blank debian jessie (I
> used docker), install dnsmasq and enable dnssec as in the changed config
> file attached. As parent dns server I used 8.8.8.8, I also tried other
> servers but always the same issue.
>
> If I now use dig I get an empty response.
> With nslookup I get the following error:
> ** server can't find cloudflare.com: SERVFAIL
>
> In the docker container I can resolve the problem with an update to the
> newer version of dnsmasq from stretch. But I think it should also get
> fixed in the stable release.
>
> -- System Information:
> Debian Release: 8.2
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored:
> LC_ALL set to en_US.utf8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages dnsmasq depends on:
> ii dnsmasq-base 2.72-3+deb8u1
> ii init-system-helpers 1.22
> ii netbase 5.3
>
> dnsmasq recommends no packages.
>
> Versions of packages dnsmasq suggests:
> pn resolvconf
>
> -- Configuration Files:
> /etc/dnsmasq.conf changed:
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> dnssec
> resolv-file=/etc/resolv.dnsmasq.conf
>
> -- no debconf information
Bug#805596: dnsmasq: Fails to resolve cloudflare.com domains with dnssec
Package: dnsmasq
Version: 2.72-3+deb8u1
Severity: normal

Dear Maintainer,

Since cloudflare.com changed to dnssec dnsmasq can't resolve any domain which is hosted by them. I can easily reproduce this issue if I create a blank debian jessie (I used docker), install dnsmasq and enable dnssec as in the changed config file attached. As parent dns server I used 8.8.8.8, I also tried other servers but always the same issue.

If I now use dig I get an empty response.
With nslookup I get the following error:
** server can't find cloudflare.com: SERVFAIL

In the docker container I can resolve the problem with an update to the newer version of dnsmasq from stretch. But I think it should also get fixed in the stable release.

-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dnsmasq depends on:
ii dnsmasq-base 2.72-3+deb8u1
ii init-system-helpers 1.22
ii netbase 5.3

dnsmasq recommends no packages.

Versions of packages dnsmasq suggests:
pn resolvconf

-- Configuration Files:
/etc/dnsmasq.conf changed:
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
dnssec
resolv-file=/etc/resolv.dnsmasq.conf

-- no debconf information