resolve: print a noisy warning if we show crypto keys that could not be authenticated

Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn loudly about it.
author: Lennart Poettering <lennart@poettering.net> 2016-02-15 21:25:33 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-02-16 15:30:03 +0100
commit: 41815a4aa66c59070dc86aa99eebfa720e8a263e (patch)
tree: 5342fa63c694dcd1615415d58429101917028333 /src/resolve/dns-type.c
parent: 9dc907f9c93636cb63ca90300fa3b8c03812701f (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index b2f479cae5..78d9d5733f 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -193,6 +193,23 @@ bool dns_type_is_obsolete(uint16_t type) {
                       DNS_TYPE_NULL);
 }
 
+bool dns_type_needs_authentication(uint16_t type) {
+
+        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
+         * authenticated. I.e. everything that contains crypto keys. */
+
+        return IN_SET(type,
+                      DNS_TYPE_CERT,
+                      DNS_TYPE_SSHFP,
+                      DNS_TYPE_IPSECKEY,
+                      DNS_TYPE_DS,
+                      DNS_TYPE_DNSKEY,
+                      DNS_TYPE_TLSA,
+                      DNS_TYPE_CDNSKEY,
+                      DNS_TYPE_OPENPGPKEY,
+                      DNS_TYPE_CAA);
+}
+
 int dns_type_to_af(uint16_t t) {
         switch (t) {
author	Lennart Poettering <lennart@poettering.net>	2016-02-15 21:25:33 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-02-16 15:30:03 +0100
commit	41815a4aa66c59070dc86aa99eebfa720e8a263e (patch)
tree	5342fa63c694dcd1615415d58429101917028333 /src/resolve/dns-type.c
parent	9dc907f9c93636cb63ca90300fa3b8c03812701f (diff)