- Bug
- Resolution: Unresolved
- rhel-9.0.0
- rhel-sst-cs-net-perf-services
- ssg_core_services
+++ This bug was initially created as a clone of Bug #2067270 +++
Description of problem:
When DNSSEC validation is enabled and the trust anchor is filled, dnsmasq does not pass all algorithms on rootcanary.org/test. Digest 3 (gosthash94) fails with SERVFAIL instead of INSECURE. Nettle on Fedora/RHEL has GOST implementation disabled, but it has no way to
Version-Release number of selected component (if applicable):
dnsmasq-2.86-5.fc35.x86_64
How reproducible:
always
Steps to Reproduce:
1. enable dnssec and trust anchor
2. start dnsmasq
3. use local dnsmasq as resolver
4. visit https://rootcanary.org/test.html
Actual results:
All GOST algorithms fail with SERVFAIL. If GOST is disabled explicitly, it should fail with
Expected results:
Names like secure.d3a7n3.rootcanary.net should either be INSECURE or VALID, but current result is bogus.
Additional info:
— Additional comment from Petr Menšík on 2022-03-23 18:23:15 CET —
GOST support in Fedora or RHEL is unwanted. A possible fix would be explicitly disabling its support in dnsmasq.
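One way to tell the reported SERVFAIL apart from the expected INSECURE or VALID result when reproducing this against a local resolver, as an added example that is not part of the original report or of dnsmasq's code. The function names, the `UNREACHABLE` label, the default server address `127.0.0.1` and the sample dig headers are assumptions constructed for illustration.

```python
import re
import subprocess

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.MULTILINE)

def parse_dig(output):
    """Return (rcode, set of header flags) from dig's text output."""
    status, flags = STATUS_RE.search(output), FLAGS_RE.search(output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())

def classify(normal, checking_disabled):
    """Classify one name from a normal query and a +cd query."""
    rcode, flags = parse_dig(normal)
    if rcode == "NOERROR":
        # AD set: the resolver validated the answer. AD clear: treated as unsigned.
        return "VALID" if "ad" in flags else "INSECURE"
    if rcode == "SERVFAIL":
        # If the data is retrievable with validation skipped (+cd), the
        # SERVFAIL came from the validator, not from an upstream outage.
        cd_rcode, _ = parse_dig(checking_disabled)
        return "BOGUS" if cd_rcode == "NOERROR" else "UNREACHABLE"
    return rcode

def query(name, server="127.0.0.1", cd=False):
    """Run dig against the resolver under test (needs dig and network access)."""
    cmd = ["dig", "@" + server, name, "A", "+dnssec"] + (["+cd"] if cd else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def sample(status, flags):
    """Constructed dig header for offline demonstration."""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")

if __name__ == "__main__":
    cases = {
        "reported (bug)": (sample("SERVFAIL", "qr rd ra"), sample("NOERROR", "qr rd ra cd")),
        "expected": (sample("NOERROR", "qr rd ra"), sample("NOERROR", "qr rd ra cd")),
    }
    for label, (normal, cd) in cases.items():
        print(label, "->", classify(normal, cd))
```

For a live check, pass `query(name)` and `query(name, cd=True)` to `classify` with the test name from the report.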