Package: dnsmasq
Version: 2.72-3+deb8u1
Severity: normal

Hello,

I've noticed that Debian Jessie still contains the version of dnsmasq which incorrectly returns SERVFAIL for _all_ zones signed by ECDSA. This bug was fixed upstream by http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=6ef15b34ca83c62a939f69356d5c3f7a6bfef3d0 in January 2015.

I've patched 2.72-3+deb8u1 on my own and confirm that this trivial fix is sufficient to change the response from SERVFAIL to NOERROR with the AD flag set. Tested with ECDSAP256SHA256 (alg=13) and the cloudflare.com domain.

Simon, could you please consider applying this fix to Debian's stable branch? With the increasing adoption of ECDSA as a replacement for RSA, this bug becomes more important than it was one or two years ago (see e.g. the conclusions in https://labs.ripe.net/Members/gih/dnssec-and-ecdsa).

Best regards.
Martin Svec
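The check described in the report (SERVFAIL before the fix, NOERROR with AD set after it) can be scripted against a resolver. The following is an added example, not part of the report or of dnsmasq: it builds a query with the DNSSEC OK bit and classifies the reply by RCODE and AD flag. The function names and the two sample headers are constructed for illustration.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype=1, qid=0x1234):
    """DNS query with RD=1 and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify(response):
    """Return (rcode name, AD flag, verdict) for a raw DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    if rcode == 2:
        verdict = "servfail"      # what the report sees before the fix
    elif rcode == 0 and ad:
        verdict = "validated"     # NOERROR with AD set, as after the fix
    else:
        verdict = "unvalidated"   # answer returned, but no AD flag
    return RCODES.get(rcode, str(rcode)), ad, verdict

def ask(server, name, timeout=3.0):
    """Send the query over UDP to `server` port 53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed 12-byte headers (not captured traffic): QR|RD|RA + rcode, with/without AD
SAMPLE_BEFORE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
SAMPLE_AFTER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)

if __name__ == "__main__":
    # usage: script.py <resolver-ip> <name>, e.g. the local dnsmasq and cloudflare.com
    print(ask(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else classify(SAMPLE_AFTER))
```

Run with the resolver address and a name in an ECDSA-signed zone; without arguments it only classifies the constructed sample.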