Bug ID 1192282
Summary dnsmasq 2.86 does not handle DNSSEC well
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.2
Hardware x86-64
OS openSUSE Leap 15.2
Status NEW
Severity Normal
Priority P5 - None
Component Network
Assignee screening-team-bugs@suse.de
Reporter werner@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

Currently I can not resolve hosts which requires DNSSEC by configuration,
first shown is the output of

 journalctl -b 0 --unit dnsmasq.service

next is the resolve of www.heise.de:

Nov 03 08:24:01 boole dnsmasq[21209]: reading
/etc/dnsmasq.d/resolv.conf.dnsmasq
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for
domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for
domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.162.0.1#53 for domain
qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain 10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain 16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain 168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.100.2.10#53 for
domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for
domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain
opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for
domain opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.67.0.8#53 for domain
suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for
domain suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.84.2.20#53 for domain
suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for
domain suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for
domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for
domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver
2620:113:80c0:8080:10:160:0:1#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver
2620:113:80c0:8080:10:160:2:88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53
Nov 03 08:24:01 boole dnsmasq[21209]: read /etc/hosts - 18 addresses

boole:~ # host www.heise.de 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

Host www.heise.de not found: 2(SERVFAIL)


.... and now the journal again:

Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:36 boole dnsmasq[25233]: Insecure DS reply received for com, check
domain configuration and upstream DNS server DNSSEC support

You are receiving this mail because: