resolved: ignore DNSSEC= option when resolved is built without gcrypt (#6084)

Fixes #5583.

2 files changed, 12 insertions, 0 deletions

diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
index 97334a0af7..75636e0e56 100644
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@@ -246,6 +246,12 @@ int manager_parse_config_file(Manager *m) {
                         return r;
         }
 
+#ifndef HAVE_GCRYPT
+        if (m->dnssec_mode != DNSSEC_NO) {
+                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+                m->dnssec_mode = DNSSEC_NO;
+        }
+#endif
         return 0;
 
 }
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index d06096f3f2..fc59a675e2 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -313,6 +313,12 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 
         assert(l);
 
+#ifndef HAVE_GCRYPT
+        if (mode == DNSSEC_YES || mode == DNSSEC_ALLOW_DOWNGRADE)
+                log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+        return;
+#endif
+
         if (l->dnssec_mode == mode)
                 return;