Bug 1597309

Summary: dnsmasq does not pass DNSSEC data
Product: Fedora
Reporter: Petr Menšík <pemensik>
Component: dnsmasq
Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: code, dougsland, itamar, jima, laine, p, pemensik, thozza, veillard
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dnsmasq-2.79-3.fc28 dnsmasq-2.79-3.fc27
Doc Type: If docs needed, set a value
Clones: 1597804
Last Closed: 2018-07-05 18:38:18 UTC
Type: Bug
Bug Blocks: 1597804, 1638703

Description Petr Menšík 2018-07-02 14:32:29 UTC
Description of problem:
dnsmasq is used by libvirt as a DHCP and DNS server. It has an option to enable DNSSEC validation, which is turned off by default. Enabling it requires configuring trust anchors (the root keys for DNS).

When validation is turned off (the default), any cached record prevents a DNSSEC-enabled query from being forwarded, so the mandatory signatures are missing as well.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-1.fc27

How reproducible:
always

Steps to Reproduce:
1. dnf install dnsmasq ldns-utils unbound-libs
2. systemctl start dnsmasq
3. drill @localhost -S fedoraproject.org # works
4. drill @localhost fedoraproject.org # cached, breaks secure requests
5. drill @localhost -S fedoraproject.org # no longer can validate

Actual results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A


DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.


Expected results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A


DNSSEC Trust tree:
fedoraproject.org. (A)
|---fedoraproject.org. (DNSKEY keytag: 7725 alg: 5 flags: 256)
    |---fedoraproject.org. (DNSKEY keytag: 16207 alg: 5 flags: 257)
    |---fedoraproject.org. (DS keytag: 16207 digest type: 1)
    |   |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
    |       |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
    |       |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
    |       |---org. (DS keytag: 9795 digest type: 2)
    |       |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
    |       |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |       |---org. (DS keytag: 9795 digest type: 1)
    |           |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
    |               |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---fedoraproject.org. (DS keytag: 16207 digest type: 2)
        |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
            |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
            |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
            |---org. (DS keytag: 9795 digest type: 2)
            |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
            |       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
            |---org. (DS keytag: 9795 digest type: 1)
                |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
                    |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful


Additional info:
This issue was fixed by upstream commit:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=a997ca0da044719a0ce8a232d14da8b30022592b

Flushing the cache would restore validation until the first query is done on the hostname.
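Steps 3 to 5 above amount to a cold/warm check: a query with the EDNS0 DO bit set should come back with RRSIG records both before and after the same name has been looked up without DO. The following script is an added example, not code from the bug report or from dnsmasq; it builds the two query forms with only the standard library, parses the answer section of a response for RRSIG records, and runs the three-step sequence against a resolver address you choose. The resolver address, the name `fedoraproject.org` as a sample and the `build_sample_response` helper (used for offline testing) are assumptions for illustration.

```python
"""Check whether a forwarding resolver returns DNSSEC data for DO-bit queries.

Added example (constructed here); not part of the original bug report or of dnsmasq.
"""
import os
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46


def encode_name(name):
    """Encode a dotted name in DNS wire format without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, do=True):
    """Build a recursion-desired query; with do=True append an EDNS0 OPT RR with DO set."""
    txid = int.from_bytes(os.urandom(2), "big")
    # flags 0x0100 = RD; arcount is 1 when the OPT record is present
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if do:
        # OPT RR: root name, type 41, class = UDP payload size,
        # TTL field = ext-rcode(8) | version(8) | flags(16), DO is 0x8000, rdlen 0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return txid, header + question + opt


def read_name(msg, off):
    """Skip a possibly compressed name and return the offset just after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, two bytes, ends the name
            return off + 2
        off += 1 + length


def answer_types(msg):
    """Return the RR types found in the answer section of a DNS message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off) + 4  # skip qtype and qclass
    types = []
    for _ in range(ancount):
        off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return types


def has_rrsig(msg):
    return TYPE_RRSIG in answer_types(msg)


def query_resolver(server, name, do=True, timeout=3.0):
    """Send one UDP query and return the raw response (needs network access)."""
    txid, q = build_query(name, do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if struct.unpack("!H", resp[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return resp


def cold_warm_check(server, name):
    """Steps 3-5 of the report: DO query, plain query (populates cache), DO query again.
    Returns (rrsig_cold, rrsig_warm); a correct forwarder gives (True, True)."""
    cold = has_rrsig(query_resolver(server, name, do=True))
    query_resolver(server, name, do=False)
    warm = has_rrsig(query_resolver(server, name, do=True))
    return cold, warm


def build_sample_response(name, with_rrsig):
    """Constructed response for offline tests: one A record plus an optional RRSIG,
    both using a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if with_rrsig else 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"
    msg = header + question + ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    if with_rrsig:
        # placeholder RRSIG rdata: fixed fields, signer name, dummy signature bytes
        rdata = b"\x00" * 18 + encode_name(name) + b"\x00" * 16
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    # Assumed resolver address; use the dnsmasq instance under test.
    print(cold_warm_check("127.0.0.1", "fedoraproject.org"))
```

A result of `(True, False)` is the behaviour this report describes: the warm DO query is answered from an entry cached without its signatures. The script only checks for RRSIG presence in the answer section; it does not validate the chain, which `drill -S` does.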

Comment 1 Fedora Update System 2018-07-02 18:44:46 UTC
dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 2 Fedora Update System 2018-07-02 18:45:38 UTC
dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 3 Fedora Update System 2018-07-03 14:01:22 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0

Comment 4 Fedora Update System 2018-07-03 17:54:55 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f

Comment 5 Fedora Update System 2018-07-05 18:38:18 UTC
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2018-07-31 17:09:58 UTC
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.