Bug ID | 1192282 |
---|---|
Summary | dnsmasq 2.86 does not handle DNSSEC well |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 15.2 |
Hardware | x86-64 |
OS | openSUSE Leap 15.2 |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Network |
Assignee | screening-team-bugs@suse.de |
Reporter | werner@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Currently I can not resolve hosts which requires DNSSEC by configuration, first shown is the output of journalctl -b 0 --unit dnsmasq.service next is the resolve of www.heise.de: Nov 03 08:24:01 boole dnsmasq[21209]: reading /etc/dnsmasq.d/resolv.conf.dnsmasq Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain arch.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain arch.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain nue.suse.com (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain nue.suse.com (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain openvpn.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain openvpn.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.162.0.1#53 for domain qa.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain qa.suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain suse.de (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 10.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 10.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 16.172.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 16.172.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 168.192.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 168.192.in-addr.arpa (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.100.2.10#53 for domain suse.cz (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.cz (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain opensuse.org (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain opensuse.org (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.67.0.8#53 for domain suse.asia (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.asia (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.84.2.20#53 for domain suse.net (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.net (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain suse.com (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.com (no DNSSEC) Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:0:1#53 Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:2:88#53 Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 Nov 03 08:24:01 boole dnsmasq[21209]: read /etc/hosts - 18 addresses boole:~ # host www.heise.de 127.0.0.1 Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53 Aliases: Host www.heise.de not found: 2(SERVFAIL) .... and now the journal again: Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support Nov 01 08:21:36 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support