[Bug 1192282] New: dnsmasq 2.86 does not handle DNSSEC well
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282

Bug ID: 1192282
Summary: dnsmasq 2.86 does not handle DNSSEC well
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: x86-64
OS: openSUSE Leap 15.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: screening-team-bugs@suse.de
Reporter: werner@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Currently I cannot resolve hosts which require DNSSEC by configuration. First shown is the output of journalctl -b 0 --unit dnsmasq.service, next is the resolve of www.heise.de:

Nov 03 08:24:01 boole dnsmasq[21209]: reading /etc/dnsmasq.d/resolv.conf.dnsmasq
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain arch.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain nue.suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain openvpn.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.162.0.1#53 for domain qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain qa.suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain suse.de (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 10.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 16.172.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain 168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain 168.192.in-addr.arpa (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.100.2.10#53 for domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.cz (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53 for domain opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53 for domain opensuse.org (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.67.0.8#53 for domain suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.asia (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.84.2.20#53 for domain suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.net (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.6#53 for domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.156.86.70#53 for domain suse.com (no DNSSEC)
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:0:1#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 2620:113:80c0:8080:10:160:2:88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.2.88#53
Nov 03 08:24:01 boole dnsmasq[21209]: using nameserver 10.160.0.1#53
Nov 03 08:24:01 boole dnsmasq[21209]: read /etc/hosts - 18 addresses

boole:~ # host www.heise.de 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host www.heise.de not found: 2(SERVFAIL)

....

and now the journal again:

Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:40 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:48 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:50 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:51 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:20:58 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:05 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:14 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:21 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:27 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 01 08:21:36 boole dnsmasq[25233]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support

--
You are receiving this mail because:
You are on the CC list for the bug.
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c1
--- Comment #1 from Dr. Werner Fink
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c2
--- Comment #2 from Dr. Werner Fink
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c3
Reinhard Max
Dr. Werner Fink
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c7
--- Comment #7 from Dr. Werner Fink
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c8
--- Comment #8 from Reinhard Max
http://bugzilla.opensuse.org/show_bug.cgi?id=1192282#c9
--- Comment #9 from Dr. Werner Fink
1. A Real Time Clock has nothing to do with RealTime scheduling.
2. I don't think that these time windows in DNSSEC are so tight that real time scheduling would make any difference.
3. At first glance I don't see any syscalls asking for RealTime scheduling in dnsmasq, so I guess enabling it in the kernel for the process would not change anything.
Is there any indication that the transient failures you are seeing are caused by missed time windows?
What I see ... after some sorting for domain and unified output

Nov 04 10:07:03 tux dnsmasq[32292]: Insecure DS reply received for blog, check domain configuration and upstream DNS server DNSSEC support
Nov 03 12:33:06 tux dnsmasq[12211]: Insecure DS reply received for cloudflare.net, check domain configuration and upstream DNS server DNSSEC support
Nov 03 12:40:01 tux dnsmasq[12211]: Insecure DS reply received for cloudfront.net, check domain configuration and upstream DNS server DNSSEC support
Nov 03 12:03:10 tux dnsmasq[11580]: Insecure DS reply received for com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 10:43:55 tux dnsmasq[1532]: Insecure DS reply received for cookiepro.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 09:24:04 tux dnsmasq[12211]: Insecure DS reply received for d.akamaiedge.net, check domain configuration and upstream DNS server DNSSEC support
Nov 04 09:52:20 tux dnsmasq[32292]: Insecure DS reply received for de, check domain configuration and upstream DNS server DNSSEC support
Nov 03 12:11:50 tux dnsmasq[12211]: Insecure DS reply received for eu, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:16:05 tux dnsmasq[1532]: Insecure DS reply received for example.org, check domain configuration and upstream DNS server DNSSEC support
Nov 03 16:51:43 tux dnsmasq[12211]: Insecure DS reply received for fastly.net, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:11:45 tux dnsmasq[1532]: Insecure DS reply received for glb.paypal.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 08:47:20 tux dnsmasq[12211]: Insecure DS reply received for io, check domain configuration and upstream DNS server DNSSEC support
Nov 03 13:30:16 tux dnsmasq[12211]: Insecure DS reply received for l.google.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 10:32:07 tux dnsmasq[1532]: Insecure DS reply received for net, check domain configuration and upstream DNS server DNSSEC support
Nov 03 13:29:22 tux dnsmasq[12211]: Insecure DS reply received for network, check domain configuration and upstream DNS server DNSSEC support
Nov 04 10:41:53 tux dnsmasq[1532]: Insecure DS reply received for org, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:08:54 tux dnsmasq[1532]: Insecure DS reply received for paypal.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:46:48 tux dnsmasq[1532]: Insecure DS reply received for paypalcorp.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 08:44:11 tux dnsmasq[12211]: Insecure DS reply received for slackb.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 09:48:10 tux dnsmasq[12211]: Insecure DS reply received for uk, check domain configuration and upstream DNS server DNSSEC support
Nov 04 09:20:46 tux dnsmasq[12211]: Insecure DS reply received for vodafonemail.de, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:27:22 tux dnsmasq[1532]: Insecure DS reply received for x.akamaiedge.net, check domain configuration and upstream DNS server DNSSEC support
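
The per-zone sorting described in comment #9, as an added example that is not part of the original thread or of dnsmasq: it counts the "Insecure DS reply" warnings per zone and lists single-label zones first, which shows whether the warnings are confined to one domain or also hit top-level zones. The function names are hypothetical and the sample lines are constructed in the journal format shown above.

```shell
#!/bin/sh
# Added example: per-zone summary of dnsmasq "Insecure DS reply" warnings.
# Function names are hypothetical. Real use, with the command from the report:
#   journalctl -b 0 --unit dnsmasq.service | summarize_insecure_ds

# Prints "<count> <labels> <zone>", single-label zones (TLDs) first.
summarize_insecure_ds() {
    awk '
        /dnsmasq\[[0-9]+\]: Insecure DS reply received for / {
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "received" && $(i + 1) == "for") {
                    zone = $(i + 2)
                    sub(/,$/, "", zone)      # drop the trailing comma
                    count[zone]++
                    break
                }
        }
        END {
            for (z in count)
                printf "%d %d %s\n", count[z], split(z, parts, "[.]"), z
        }
    ' | sort -k2,2n -k3,3
}

# Zones with one label only: warnings here are not tied to a single domain.
tld_zones() {
    summarize_insecure_ds | awk '$2 == 1 { print $3 }'
}

# Constructed sample input in the journal format shown in the thread.
sample_journal() {
    cat <<'EOF'
Nov 04 10:32:07 tux dnsmasq[1532]: Insecure DS reply received for net, check domain configuration and upstream DNS server DNSSEC support
Nov 04 10:41:53 tux dnsmasq[1532]: Insecure DS reply received for org, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:08:54 tux dnsmasq[1532]: Insecure DS reply received for paypal.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:11:45 tux dnsmasq[1532]: Insecure DS reply received for glb.paypal.com, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:12:01 tux dnsmasq[1532]: Insecure DS reply received for net, check domain configuration and upstream DNS server DNSSEC support
Nov 04 11:12:02 tux dnsmasq[1532]: read /etc/hosts - 18 addresses
EOF
}

sample_journal | summarize_insecure_ds
```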