Thank you for your fast response. Sounds like it isn't fixable in jessie :/.
I solved the problem with apt pinning for me. It isn't the nicest solution but it works. I don't think so many people use DNSSEC, but I think it would be good to have a warning in the config file that ECDSA isn't supported with the current dnsmasq version. So people know that they should not use it or update to a newer version.

Regards
Norbert

On 11/20/2015 10:25 PM, Simon Kelley wrote:
> I suspect that the proximate cause of this is lack of support for the
> ECDSA ciphersuite in 2.72. As you pointed out, this works OK in 2.75.
>
> 2.72 was a very early release for DNSSEC in dnsmasq, and there have been
> many changes and fixes between 2.72 and 2.75. Backporting so many
> changes is not really practical, so I guess the only solutions are to
> use backports, or move stable to 2.75. I'm not sure how the latter fits
> with policy these days.
>
>
> Cheers,
>
> Simon.
>
>
> On 19/11/15 22:17, Norbert Summer wrote:
>> Package: dnsmasq
>> Version: 2.72-3+deb8u1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> Since cloudflare.com changed to dnssec, dnsmasq can't resolve any domain
>> which is hosted by them.
>> I can easily reproduce this issue if I create a blank debian jessie (I
>> used docker), install dnsmasq and enable dnssec as in the changed config
>> file attached. As parent dns server I used 8.8.8.8, I also tried other
>> servers but always the same issue.
>>
>> If I now use dig I get an empty response.
>> With nslookup I get the following error:
>> ** server can't find cloudflare.com: SERVFAIL
>>
>> In the docker container I can resolve the problem with an update to the
>> newer version of dnsmasq from stretch. But I think it should also get
>> fixed in the stable release.
>>
>>
>> -- System Information:
>> Debian Release: 8.2
>> APT prefers stable
>> APT policy: (500, 'stable')
>> Architecture: amd64 (x86_64)
>> Foreign Architectures: i386
>>
>> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored:
>> LC_ALL set to en_US.utf8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>>
>> Versions of packages dnsmasq depends on:
>> ii dnsmasq-base 2.72-3+deb8u1
>> ii init-system-helpers 1.22
>> ii netbase 5.3
>>
>> dnsmasq recommends no packages.
>>
>> Versions of packages dnsmasq suggests:
>> pn resolvconf <none>
>>
>> -- Configuration Files:
>> /etc/dnsmasq.conf changed:
>> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
>> dnssec
>> resolv-file=/etc/resolv.dnsmasq.conf
>>
>>
>> -- no debconf information