Description of problem:
dnsmasq is used in libvirt as the DHCP and DNS server. It has an option to enable DNSSEC validation, which is turned off by default. To enable it, it requires configuration of trust anchors - root keys for DNS. When validation is turned off (the default), any cached record prevents a DNSSEC-enabled query from being forwarded together with its mandatory signatures.

Version-Release number of selected component (if applicable):
dnsmasq-2.79-1.fc27

How reproducible:
always

Steps to Reproduce:
1. dnf install dnsmasq ldns-utils unbound-libs
2. systemctl start dnsmasq
3. drill @localhost -S fedoraproject.org   # works
4. drill @localhost fedoraproject.org      # cached, breaks secure requests
5. drill @localhost -S fedoraproject.org   # no longer can validate

Actual results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

Expected results:
;; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A

DNSSEC Trust tree:
fedoraproject.org. (A)
|---fedoraproject.org. (DNSKEY keytag: 7725 alg: 5 flags: 256)
|---fedoraproject.org. (DNSKEY keytag: 16207 alg: 5 flags: 257)
|---fedoraproject.org. (DS keytag: 16207 digest type: 1)
|   |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
|   |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
|   |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
|   |---org. (DS keytag: 9795 digest type: 2)
|   |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
|   |   |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
|   |---org. (DS keytag: 9795 digest type: 1)
|       |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
|       |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
|---fedoraproject.org. (DS keytag: 16207 digest type: 2)
    |---org. (DNSKEY keytag: 1862 alg: 7 flags: 256)
    |---org. (DNSKEY keytag: 9795 alg: 7 flags: 257)
    |---org. (DNSKEY keytag: 17883 alg: 7 flags: 257)
    |---org. (DS keytag: 9795 digest type: 2)
    |   |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
    |   |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
    |---org. (DS keytag: 9795 digest type: 1)
        |---. (DNSKEY keytag: 41656 alg: 8 flags: 256)
        |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful

Additional info:
This issue was fixed by upstream commit:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=a997ca0da044719a0ce8a232d14da8b30022592b

Flushing the cache would restore validation until the first query is done on the hostname.
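The reproduction steps above are easy to turn into a regression check that a packager or resolver operator can run against a dnsmasq instance after updating: do a validated query, do a plain query for the same name (which fills the cache), then do the validated query again and confirm the trust chain still chases to the root. The script below is an added example and is not code from the bug report or from the dnsmasq project. It assumes `drill` from ldns-utils and a dnsmasq listening on 127.0.0.1 (both named in the steps above); the NAME and SERVER variables, the function names, and the PASS/REGRESSION/NOVALIDATE verdicts are this example's own choices. The two sample outputs embedded in it are constructed, abbreviated from the report's Expected and Actual results, so the parsing logic can be exercised without a live resolver.

```shell
#!/bin/sh
# Regression check for "a plain cached answer breaks later DNSSEC
# validation" (added example, not from the bug report or dnsmasq).
# Assumptions: drill (ldns-utils) is installed, dnsmasq answers on
# $SERVER, and $NAME is a signed zone. Both are overridable.
NAME="${NAME:-fedoraproject.org}"
SERVER="${SERVER:-127.0.0.1}"

# Constructed sample outputs, abbreviated from the report's
# "Expected results" (good) and "Actual results" (bad).
SAMPLE_GOOD=';; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A

DNSSEC Trust tree:
fedoraproject.org. (A)
|---fedoraproject.org. (DNSKEY keytag: 7725 alg: 5 flags: 256)
|---fedoraproject.org. (DS keytag: 16207 digest type: 2)
    |---org. (DS keytag: 9795 digest type: 2)
        |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful'

SAMPLE_BAD=';; Number of trusted keys: 2
;; Chasing: fedoraproject.org. A

DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.'

# chase_ok OUTPUT: succeed only if `drill -S` output reports a successful
# chase, has a populated trust tree, and reaches a root (".") DNSKEY,
# i.e. the chain was actually anchored at the configured trust anchor.
chase_ok() {
    out="$1"
    case "$out" in
        *"Chase successful"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"<no data>"*) return 1 ;;
    esac
    case "$out" in
        *"|---. (DNSKEY"*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict BEFORE AFTER: compare the validated query before and after the
# plain (unsigned) query was cached.
#   PASS        both validated
#   REGRESSION  validation worked, then broke after the plain query (this bug)
#   NOVALIDATE  never validated (no trust anchor / dnssec not enabled)
verdict() {
    before_ok=0
    after_ok=0
    chase_ok "$1" && before_ok=1
    chase_ok "$2" && after_ok=1
    if [ "$before_ok" = 1 ] && [ "$after_ok" = 1 ]; then
        echo PASS
    elif [ "$before_ok" = 1 ]; then
        echo REGRESSION
    else
        echo NOVALIDATE
    fi
}

# run_live: the report's steps 3-5 against a real resolver.
run_live() {
    before=$(drill @"$SERVER" -S "$NAME" || true)   # validated query
    drill @"$SERVER" "$NAME" >/dev/null 2>&1 || true # plain query, gets cached
    after=$(drill @"$SERVER" -S "$NAME" || true)    # validated query again
    verdict "$before" "$after"
}

# Usage: sh check_dnssec_cache.sh live   (self-check runs with no argument)
if [ "${1:-}" = "live" ]; then
    run_live
else
    verdict "$SAMPLE_GOOD" "$SAMPLE_BAD"   # prints REGRESSION on the sample data
fi
```

With the fixed package the live run should print PASS; the pre-fix behaviour described in the report prints REGRESSION, and NOVALIDATE means dnsmasq is not validating at all (the `dnssec` option or its trust anchors are missing), which is a configuration problem rather than this bug.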
dnsmasq-2.79-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0
dnsmasq-2.79-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-31974dc1e0
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b287866a1f
dnsmasq-2.79-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
dnsmasq-2.79-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.