From 41815a4aa66c59070dc86aa99eebfa720e8a263e Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 15 Feb 2016 21:25:33 +0100
Subject: resolve: print a noisy warning if we show crypto keys that could not be authenticated
Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn loudly about it.
---
 src/resolve/resolve-tool.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
(limited to 'src/resolve/resolve-tool.c')
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 9aade8e490..c1be03fbb2 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
 uint64_t flags;
 int r;
 usec_t ts;
+ bool needs_authentication = false;
 assert(name);
@@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
 log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
 printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+
+ if (dns_type_needs_authentication(t))
+ needs_authentication = true;
+
 n++;
 }
 if (r < 0)
@@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
 print_source(flags, ts);
+ if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) {
+ fflush(stdout);
+
+ fprintf(stderr, "\n%s"
+ "WARNING: The resources shown contain cryptographic key data which could not be\n"
+ " authenticated. It is not suitable to authenticate any communication.\n"
+ " This is usually indication that DNSSEC authentication was not enabled\n"
+ " or is not available for the selected protocol or DNS servers.%s\n",
+ ansi_highlight_red(),
+ ansi_normal());
+ }
+
 return 0;
 }
-- cgit v1.2.3-54-g00ecf
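Review bot: In the last hunk the unauthenticated-key branch only writes to stderr and then reaches the unchanged `return 0;`, so anything that reads the records from stdout with stderr discarded or unattended still receives the key data together with a success status. If that is intentional, say so above the check, e.g. `/* Warn only: the records were already printed above and the exit status deliberately stays at success */`; otherwise the branch could return a non-zero status, or the tool could offer a way to insist on authenticated answers. The message text also reads better as `This is usually an indication that DNSSEC authentication was not enabled`. resolve_record() begins outside these hunks, and the loop that sets needs_authentication (using `t`, which is defined outside the hunk) is only partly visible.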