resolved: log recognizably about DNSSEC downgrades

If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID), after all, this is of major importance.
author: Lennart Poettering <lennart@poettering.net> 2016-01-22 13:39:31 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-25 17:19:19 +0100
commit: 1e02e182f1e06fcbe389474175de228103be39cb (patch)
tree: 2bd48d564b63d60d75ea2343d8d618114f1fc692 /src/resolve/resolved-dns-transaction.c
parent: dd0bc0f1414cc1d0fa73a29470bd14944e4942d3 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 43ee783ba9..02269498c9 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -296,6 +296,8 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
                            "DNS_TRANSACTION=%" PRIu16, t->id,
                            "DNS_QUESTION=%s", dns_transaction_key_string(t),
                            "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
+                           "DNS_SERVER=%s", dns_server_string(t->server),
+                           "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level),
                            NULL);
 
         /* Note that this call might invalidate the query. Callers
@@ -708,6 +710,9 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) {
                 return;
         }
 
+        if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
+                dns_server_warn_downgrade(t->server);
+
         dns_transaction_cache_answer(t);
 
         if (t->answer_rcode == DNS_RCODE_SUCCESS)
@@ -2568,7 +2573,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
         if (!dns_transaction_dnssec_supported_full(t)) {
                 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
                 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
-                log_debug("Not validating response, server lacks DNSSEC support.");
+                log_debug("Not validating response for %" PRIu16 ", server lacks DNSSEC support.", t->id);
                 return 0;
         }
author	Lennart Poettering <lennart@poettering.net>	2016-01-22 13:39:31 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-25 17:19:19 +0100
commit	1e02e182f1e06fcbe389474175de228103be39cb (patch)
tree	2bd48d564b63d60d75ea2343d8d618114f1fc692 /src/resolve/resolved-dns-transaction.c
parent	dd0bc0f1414cc1d0fa73a29470bd14944e4942d3 (diff)