Bug 1597309 - dnsmasq does not pass DNSSEC data
Summary: dnsmasq does not pass DNSSEC data
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnsmasq
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1597804 1638703
Reported: 2018-07-02 14:32 UTC by Petr Menšík
Modified: 2018-10-12 09:49 UTC (History)

Fixed In Version: dnsmasq-2.79-3.fc28 dnsmasq-2.79-3.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1597804 (view as bug list)
Environment:
Last Closed: 2018-07-05 18:38:18 UTC



Description Petr Menšík 2018-07-02 14:32:29 UTC
Description of problem:
dnsmasq is used in libvirt as a DHCP and DNS server. It has an option to enable DNSSEC validation, which is turned off by default. To enable it, it requires configuration of trust anchors - root keys for DNS.

When validation is turned off (the default), any cached record prevents the mandatory signatures from also being forwarded for a DNSSEC-enabled query.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-1.fc27

How reproducible:
always

Steps to Reproduce:
1. dnf install dnsmasq ldns-utils unbound-libs
2. systemctl start dnsmasq
3. drill @localhost -S fedoraproject.org # works
4. drill @localhost fedoraproject.org # cached, breaks secure requests
5. drill @localhost -S fedoraproject.org # no longer can validate

Actual results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A


DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.


Expected results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A


DNSSEC Trust tree:
fedoraproject.org. (A)
|---fedoraproject.org. (DNSKEY keytag: 7725 alg: 5 flags: 256)
    |---fedoraproject.org. (DNSKEY keytag: 16207 alg: 5 flags: 257)
    |---fedoraproject.org. (DS keytag: 16207 digest type: 1)
    |   |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
    |       |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
    |       |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
    |       |---org. (DS keytag: 9795 digest type: 2)
    |       |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
    |       |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |       |---org. (DS keytag: 9795 digest type: 1)
    |           |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
    |               |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---fedoraproject.org. (DS keytag: 16207 digest type: 2)
        |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
            |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
            |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
            |---org. (DS keytag: 9795 digest type: 2)
            |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |---org. (DS keytag: 9795 digest type: 1)
                |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful


Additional info:
This issue was fixed by upstream commit:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=a997ca0da044719a0ce8a232d14da8b30022592b

Flushing the cache would restore validation until the first query is done on the hostname.
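
Added example, not part of the original report or of dnsmasq: a Python check that replays the three queries from the steps above against a forwarder and reports whether the answer to a DNSSEC-enabled query (EDNS0 DO bit set) still carries an RRSIG covering the A record after a plain query has cached the name. All function names are this example's own; it assumes an IPv4 UDP listener on port 53.

```python
# Added example, not from the bug report; all function names are this example's own.
import socket, struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"

def build_query(name, do_bit, qid=0x1234):
    """A/IN query with an EDNS0 OPT record; do_bit sets the DNSSEC OK flag."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    # OPT: root owner, class = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_types(msg):  # [(rr_type, covered_type)] per answer RR; covered_type only for RRSIG
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4
    found = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        covered = struct.unpack("!H", msg[off + 10:off + 12])[0] if rtype == TYPE_RRSIG else None
        found.append((rtype, covered))
        off += 10 + rdlen
    return found

def has_signed_a(msg):
    return {(TYPE_A, None), (TYPE_RRSIG, TYPE_A)} <= set(answer_types(msg))

def ask(server, name, do_bit, port=53):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name, do_bit), (server, port))
        return s.recvfrom(4096)[0]

def forwarder_keeps_signatures(server, name):  # DO query, plain query (fills cache), DO query
    before = has_signed_a(ask(server, name, True))
    ask(server, name, False)
    return before, has_signed_a(ask(server, name, True))
```

Calling forwarder_keeps_signatures("127.0.0.1", "fedoraproject.org") returns a pair of booleans for the first and third query; (True, False) corresponds to the failure described in this report.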

Comment 1 Fedora Update System 2018-07-02 18:44:46 UTC
dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 2 Fedora Update System 2018-07-02 18:45:38 UTC
dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 3 Fedora Update System 2018-07-03 14:01:22 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 4 Fedora Update System 2018-07-03 17:54:55 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 5 Fedora Update System 2018-07-05 18:38:18 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2018-07-31 17:09:58 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

