~jj mentioned on the Jammy MP that another feasible option would be to backport 2.91 due to the complexity of the upstream commit and later followups to fix DNSSEC retry woes. This is not unprecedented: we did already bump major versions in Jammy to address CVEs.
I looked at the diff between questing-devel and noble-devel and the upstream changelog, and here are what I think are the most relevant changes.

1. New --do-0x20-encoding option: explicit opt-in, does not change existing behavior if not set.
2. New --dhcp-option-pxe: also explicit opt-in.
3. --fast-dns-retries is now enabled by default when DNSSEC is active.
4. Changed behavior of --synth-domain when using IPv6 to be IDNA2008 compliant.
5. Truncated upstream answers return partial RRs instead of empty.
6. Some EDNS0 UDP packet size handling changes.
7. Improved TCP behavior for non-responsive/slow upstream servers.

(1) and (2) are probably safe since they are opt-in, but the others represent non-trivial behavior differences that could trigger some regressions for LTS users. Even considering that, I think it's probably safer to do a full backport of 2.91 instead of trying to pick and backport the specific changes related to DNSSEC+truncation+cache to 2.90.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138412

Title:
DNSSEC validation with stale cache enabled does not properly retry truncated response

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/2138412/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
