+++ This bug was initially created as a clone of Bug #2067270 +++

Description of problem:
When dnssec validation is enabled and trust anchor filled, dnsmasq does not pass all algorithms on rootcanary.org/test. Digest 3 (gosthash94) fails with SERVFAIL instead of INSECURE. Nettle on Fedora/RHEL has GOST implementation disabled, but it has no way to

Version-Release number of selected component (if applicable):
dnsmasq-2.86-5.fc35.x86_64

How reproducible:
always

Steps to Reproduce:
1. enable dnssec and trust anchor
2. start dnsmasq
3. use local dnsmasq as resolver
4. visit https://rootcanary.org/test.html

Actual results:
All GOST algorithms fail with SERVFAIL. If GOST is disabled explicitly, it should fail with

Expected results:
Names like secure.d3a7n3.rootcanary.net should either be INSECURE or VALID, but current result is bogus.

Additional info:

--- Additional comment from Petr Menšík on 2022-03-23 18:23:15 CET ---

GOST support in Fedora or RHEL is unwanted. Possible fix would be explicitly disabling its support from dnsmasq.
Created attachment 1867932
gost disable patch

Makes GOST digest and key algorithm unsupported, therefore it makes it pass without ad flag and validation result is INSECURE. Patch for 2.85
Alternative fix would be switching to OpenSSL backend (bug #1956873), which handles GOST algorithm well.
Proposed candidate patch: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q4/016686.html
Fixed by these upstream commits in release 2.88:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=02f87543399ca311651dc446a830f0e24d21061c
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=9ed3ee67ecd2a388d319bff116b27bcc62286ccc
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f9215f5f92c5478c8aaba8054d192a5e6280e95
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=f52cfdd8c37e09d77abdc151a4ddcf94f49f4821
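The validator rule behind this report, as an added illustration that is not dnsmasq code or any of the patches above: RFC 4035 section 5.2 (restated in RFC 6840 section 5.2) says a DS record whose digest type or key algorithm the validator does not implement must be ignored, and if no usable DS remains the delegation is treated as INSECURE, exactly as if no DS existed. The DS sets, the supported-algorithm sets and the `dnskey_validates` callback are constructed assumptions; the algorithm and digest numbers are the real IANA assignments.

```python
"""Model of DS handling for unsupported digest types / key algorithms.
Constructed example; the real checks (hashing the DNSKEY, verifying RRSIGs)
are abstracted into the dnskey_validates callback."""
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers and DS digest types (real assignments).
RSASHA256, ECC_GOST, ECDSAP256SHA256 = 8, 12, 13
SHA1, SHA256, GOST94, SHA384 = 1, 2, 3, 4


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int    # DNSKEY algorithm this DS commits to
    digest_type: int  # hash applied to the DNSKEY


def usable_ds(ds_rrset, supported_algs, supported_digests):
    """DS records the validator is actually able to act on."""
    return [ds for ds in ds_rrset
            if ds.algorithm in supported_algs and ds.digest_type in supported_digests]


def classify_delegation(ds_rrset, supported_algs, supported_digests, dnskey_validates):
    """Return 'INSECURE', 'SECURE' or 'BOGUS' for a child zone, given its
    authenticated DS RRset. dnskey_validates(ds) -> bool stands in for matching
    a DNSKEY against one DS and verifying the DNSKEY RRset signature."""
    if not ds_rrset:
        return "INSECURE"  # authenticated proof that no DS exists
    usable = usable_ds(ds_rrset, supported_algs, supported_digests)
    if not usable:
        # No supported authentication path from parent to child: RFC 4035 5.2
        # says treat this like the "no DS" case. Returning SERVFAIL/bogus here
        # is the behaviour the report complains about.
        return "INSECURE"
    # At least one supported DS: the child must validate through one of them.
    return "SECURE" if any(dnskey_validates(ds) for ds in usable) else "BOGUS"


# Constructed DS sets mirroring the GOST cases from the report.
GOST_ONLY = [DS(key_tag=12345, algorithm=ECC_GOST, digest_type=GOST94)]
MIXED = [DS(12345, ECC_GOST, GOST94), DS(23456, ECDSAP256SHA256, SHA256)]
# A build whose crypto backend has GOST disabled (assumed set, as on Fedora/RHEL).
NO_GOST_SUPPORT = ({RSASHA256, ECDSAP256SHA256}, {SHA1, SHA256, SHA384})
```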