resolve: print a noisy warning if we show crypto keys that could not be authenticated

Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn
loudly about it.

1 files changed, 17 insertions, 0 deletions

diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 9aade8e490..c1be03fbb2 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
         uint64_t flags;
         int r;
         usec_t ts;
+        bool needs_authentication = false;
 
         assert(name);
 
@@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
                         log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
 
                 printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+
+                if (dns_type_needs_authentication(t))
+                        needs_authentication = true;
+
                 n++;
         }
         if (r < 0)
@@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
 
         print_source(flags, ts);
 
+        if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) {
+                fflush(stdout);
+
+                fprintf(stderr, "\n%s"
+                       "WARNING: The resources shown contain cryptographic key data which could not be\n"
+                       "         authenticated. It is not suitable to authenticate any communication.\n"
+                       "         This is usually indication that DNSSEC authentication was not enabled\n"
+                       "         or is not available for the selected protocol or DNS servers.%s\n",
+                       ansi_highlight_red(),
+                       ansi_normal());
+        }
+
         return 0;
 }