http://bugzilla.opensuse.org/show_bug.cgi?id=1192282

Bug ID: 1192282
Summary: dnsmasq 2.86 does not handle DNSSEC well
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: x86-64
OS: openSUSE Leap 15.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: werner@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Currently I cannot resolve hosts which require DNSSEC by configuration. First shown is the output of journalctl -b 0 --unit dnsmasq.service, next is the resolution of www.heise.de:

Nov 03 08:24:01 boole dnsmasq[21209]: reading /etc/dnsmasq.d/resolv.conf.dnsmasq
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.162.0.1#53 for domain qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.100.2.10#53 for domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.67.0.8#53 for domain suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.84.2.20#53 for domain suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:0:1#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:2:88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53
Nov 03 08:24:01 boole dnsmasq[21209]: read /etc/hosts - 18 addresses

boole:~ # host www.heise.de 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host www.heise.de not found: 2(SERVFAIL)

....

and now the journal again:

Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:36 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
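
A triage helper for journal output like the above, as an added example that is not part of the original bug report: it groups the "Insecure DS reply" warnings by zone and lists the upstream servers dnsmasq logged for that zone, which are the servers whose DNSSEC support the warning asks to check. The function name, the report fields and the longest-suffix matching of per-domain servers are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the journal lines quoted in the report above.
SAMPLE = """\
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:0:1#53
Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
"""

SERVER = re.compile(r"using nameserver (\S+)#\d+(?: for domain (\S+))?")
INSECURE = re.compile(r"Insecure DS reply received for ([^,\s]+),")


def summarize(journal_text):
    """Return one entry per zone that triggered an 'Insecure DS reply' warning."""
    scoped, default, insecure = {}, [], Counter()
    for line in journal_text.splitlines():
        if "dnsmasq[" not in line:
            continue
        m = SERVER.search(line)
        if m:
            addr, domain = m.groups()
            # Per-domain servers are the ones logged "for domain X (no DNSSEC)".
            (scoped.setdefault(domain, []) if domain else default).append(addr)
            continue
        m = INSECURE.search(line)
        if m:
            insecure[m.group(1)] += 1
    report = []
    for zone, count in insecure.items():
        # Assumption: the most specific per-domain entry covering the zone wins.
        covering = [d for d in scoped if zone == d or zone.endswith("." + d)]
        domain = max(covering, key=len, default=None)
        report.append({"zone": zone, "warnings": count,
                       "forwarder_domain": domain,
                       "upstreams": scoped[domain] if domain else default})
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry)
```

Feed it the output of journalctl -b 0 --unit dnsmasq.service; a zone with forwarder_domain None is one that no per-domain entry covers, so the servers listed are the default upstreams.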