I suspect that the proximate cause of this is lack of support for the ECDSA ciphersuite in 2.72. As you pointed out, this works OK in 2.75.
2.72 was a very early release for DNSSEC in dnsmasq, and there have been many changes and fixes between 2.72 and 2.75. Backporting so many changes is not really practical, so I guess the only solutions are to use backports, or move stable to 2.75. I'm not sure how the latter fits with policy these days.

Cheers,

Simon.

On 19/11/15 22:17, Norbert Summer wrote:
> Package: dnsmasq
> Version: 2.72-3+deb8u1
> Severity: normal
>
> Dear Maintainer,
>
> Since cloudflare.com changed to dnssec, dnsmasq can't resolve any domain
> which is hosted by them.
> I can easily reproduce this issue if I create a blank debian jessie (I
> used docker), install dnsmasq and enable dnssec as in the changed config
> file attached. As parent dns server I used 8.8.8.8, I also tried other
> servers but always the same issue.
>
> If I now use dig I get an empty response.
> With nslookup I get the following error:
> ** server can't find cloudflare.com: SERVFAIL
>
> In the docker container I can resolve the problem with an update to the
> newer version of dnsmasq from stretch. But I think it should also get
> fixed in the stable release.
>
>
> -- System Information:
> Debian Release: 8.2
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored:
> LC_ALL set to en_US.utf8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages dnsmasq depends on:
> ii dnsmasq-base 2.72-3+deb8u1
> ii init-system-helpers 1.22
> ii netbase 5.3
>
> dnsmasq recommends no packages.
>
> Versions of packages dnsmasq suggests:
> pn resolvconf <none>
>
> -- Configuration Files:
> /etc/dnsmasq.conf changed:
> conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
> dnssec
> resolv-file=/etc/resolv.dnsmasq.conf
>
>
> -- no debconf information
>