Hello Belmin,

I've prepared a PPA with patched versions for Jammy and Noble. Running your reproducer locally seems to indicate that the problem is fixed with the patch applied. Here's the output of running the reproducer using dnsmasq 2.90-0ubuntu0.22.04.3~ppa1:

Mar 25 18:08:46 dnsmasq[6344]: started, version 2.90 cachesize 150
Mar 25 18:08:46 dnsmasq[6344]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile
Mar 25 18:08:46 dnsmasq[6344]: DNSSEC validation enabled
Mar 25 18:08:46 dnsmasq[6344]: configured with trust anchor for <root> keytag 20326
Mar 25 18:08:46 dnsmasq[6344]: using nameserver 8.8.8.8#53
Mar 25 18:08:46 dnsmasq[6344]: read /etc/hosts - 8 names
1. Without TCP retry (+ignore): DNSSEC validation FAILS
Mar 25 18:08:48 dnsmasq[6344]: query[A] cloudflare.com from 127.0.0.1
Mar 25 18:08:48 dnsmasq[6344]: forwarded cloudflare.com to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DS] com to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DNSKEY] . to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: reply . is truncated[DNSKEY]
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DNSKEY] . to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: reply . is DNSKEY keytag 38696, algo 8
Mar 25 18:08:48 dnsmasq[6344]: reply . is DNSKEY keytag 20326, algo 8
Mar 25 18:08:48 dnsmasq[6344]: reply . is DNSKEY keytag 54393, algo 8
Mar 25 18:08:48 dnsmasq[6344]: reply . is DNSKEY keytag 21831, algo 8
Mar 25 18:08:48 dnsmasq[6344]: reply com is DS for keytag 19718, algo 13, digest 2
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DS] cloudflare.com to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DNSKEY] com to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: reply com is DNSKEY keytag 35511, algo 13
Mar 25 18:08:48 dnsmasq[6344]: reply com is DNSKEY keytag 19718, algo 13
Mar 25 18:08:48 dnsmasq[6344]: reply cloudflare.com is DS for keytag 2371, algo 13, digest 2
Mar 25 18:08:48 dnsmasq[6344]: dnssec-query[DNSKEY] cloudflare.com to 8.8.8.8
Mar 25 18:08:48 dnsmasq[6344]: reply cloudflare.com is DNSKEY keytag 34505, algo 13
Mar 25 18:08:48 dnsmasq[6344]: reply cloudflare.com is DNSKEY keytag 2371, algo 13
Mar 25 18:08:48 dnsmasq[6344]: validation result is SECURE
Mar 25 18:08:48 dnsmasq[6344]: reply cloudflare.com is 104.16.132.229
Mar 25 18:08:48 dnsmasq[6344]: reply cloudflare.com is 104.16.133.229
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40868
Mar 25 18:08:48 dnsmasq[6344]: validation result is SECURE
2. With TCP retry: validation succeeds
Mar 25 18:08:48 dnsmasq[6344]: query[A] cloudflare.com from 127.0.0.1
Mar 25 18:08:48 dnsmasq[6344]: cached cloudflare.com is 104.16.132.229
Mar 25 18:08:48 dnsmasq[6344]: cached cloudflare.com is 104.16.133.229
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62759
Mar 25 18:08:48 dnsmasq[6344]: validation result is SECURE
3. From cache: returns instantly (0ms), background refresh has no TCP retry
Mar 25 18:08:51 dnsmasq[6344]: query[A] cloudflare.com from 127.0.0.1
Mar 25 18:08:51 dnsmasq[6344]: cached-stale cloudflare.com is 104.16.133.229
Mar 25 18:08:51 dnsmasq[6344]: cached-stale cloudflare.com is 104.16.132.229
Mar 25 18:08:51 dnsmasq[6344]: forwarded cloudflare.com to 8.8.8.8
; EDE: 3 (Stale Answer)
;; Query time: 0 msec
Mar 25 18:08:51 dnsmasq[6344]: cached-stale cloudflare.com is 104.16.132.229
Mar 25 18:08:51 dnsmasq[6344]: forwarded cloudflare.com to 8.8.8.8
Mar 25 18:08:51 dnsmasq[6344]: exiting on receipt of SIGTERM

I'll proceed with filling out the SRU template, but it would be nice if you could test this out beforehand.

Thanks!

PPA: https://launchpad.net/~puida/+archive/ubuntu/lp2138412-dnsmasq

--
https://bugs.launchpad.net/bugs/2138412

Title:
  DNSSEC validation with stale cache enabled does not properly retry truncated response
