Public bug reported:
The bug occurs when the use-stale-cache feature is enabled alongside
DNSSEC validation.

When a query response is served from cache, dnsmasq immediately returns
it to the client. However, this bypasses the normal retry mechanism that
dnsmasq's DNSSEC implementation depends on. Specifically, dnsmasq
expects clients to retry truncated DNSSEC queries over TCP.

When background cache refresh requires DNSSEC validation and the DNSKEY
response exceeds 1232 bytes (which is typical for the root DNSKEY), the
query is truncated. Since the client never retries, validation fails.

This triggers repeated validation attempts for every cached response. It
has resulted in a fleet-wide query storm that can persist for up to 48
hours (the TTL of the root DNSKEY).

This issue is fixed in upstream commit f5cdb00, which performs the TCP
retry internally without requiring the client to trigger it. This fix is
included in dnsmasq 2.91 but is not present in version 2.90 currently
available in Jammy and Focal repositories.
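The following script is an added diagnostic, not part of this bug report and not dnsmasq's own code. It checks from the client side the precondition the report describes: it sends a `. DNSKEY` query with an EDNS0 payload size of 1232 bytes and the DO bit set, reports whether the UDP answer comes back with the TC (truncated) flag, and if so retries the same query over TCP and reports the result. The resolver address `127.0.0.1:53` is an assumption. The script uses only the standard library and does not exercise dnsmasq's internal background-refresh path, so a successful TCP retry here does not prove the resolver is unaffected; it only confirms that the root DNSKEY answer is too large for 1232 bytes and that TCP fallback works for an ordinary client.

```python
import secrets
import socket
import struct

# Assumptions (not from the bug report): dnsmasq listens on 127.0.0.1:53 and
# the advertised EDNS0 UDP payload size is the 1232 bytes the report mentions.
RESOLVER = ("127.0.0.1", 53)
EDNS_BUFSIZE = 1232
QTYPE_DNSKEY = 48

FLAG_TC = 0x0200  # TrunCation: the answer did not fit the UDP payload size
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated the answer


def encode_name(qname: str) -> bytes:
    """Encode a domain name in DNS wire format; '.' and '' mean the root."""
    labels = [] if qname in (".", "") else qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int, bufsize: int = EDNS_BUFSIZE) -> bytes:
    """Build a recursive query carrying an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = ext-rcode/version/flags (0x8000 = DO bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000, 0)
    return header + question + opt


def parse_header(response: bytes) -> dict:
    """Return the header fields that matter for this check."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TCP connection early")
        buf += chunk
    return buf


def query_udp(resolver, qname, qtype=QTYPE_DNSKEY, timeout=3.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), resolver)
        data, _ = s.recvfrom(65535)
    return data


def query_tcp(resolver, qname, qtype=QTYPE_DNSKEY, timeout=3.0) -> bytes:
    q = build_query(qname, qtype)
    with socket.create_connection(resolver, timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def interpret(udp: dict, tcp) -> str:
    """Turn the parsed UDP header (and optional TCP header) into a verdict."""
    if not udp["tc"]:
        return "UDP answer fits in %d bytes; truncation retry not exercised" % EDNS_BUFSIZE
    if tcp is None:
        return "UDP answer truncated and no TCP answer was obtained"
    if tcp["rcode"] == 0 and tcp["ad"]:
        return "UDP answer truncated; TCP retry returned a validated answer"
    return "UDP answer truncated; TCP retry returned rcode %d, AD=%s" % (tcp["rcode"], tcp["ad"])


def check_root_dnskey(resolver=RESOLVER) -> str:
    """Query '. DNSKEY' over UDP, retry over TCP if TC is set, and report."""
    udp = parse_header(query_udp(resolver, "."))
    tcp = None
    if udp["tc"]:
        try:
            tcp = parse_header(query_tcp(resolver, "."))
        except OSError:  # includes timeouts, refused connections, early close
            tcp = None
    return interpret(udp, tcp)


if __name__ == "__main__":
    print(check_root_dnskey())
```

Run it on a host whose dnsmasq has `dnssec` and `use-stale-cache` configured; the verdict line tells you whether the root DNSKEY answer is truncated at 1232 bytes and whether a TCP retry from a client yields an AD-flagged answer. A forwarder that is also a useful data point is the upstream dnsmasq forwards to, since that is where the oversized DNSKEY answer originates.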
** Affects: dnsmasq (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138412
Title:
DNSSEC validation with stale cache enabled does not properly retry
truncated response
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs