diff --git a/configure.ac b/configure.ac index 3e7af7694c..90e79d7799 100644 --- a/configure.ac +++ b/configure.ac @@ -1326,6 +1326,11 @@ AC_ARG_WITH(default-dnssec, [DEFAULT_DNSSEC_MODE="$withval"], [DEFAULT_DNSSEC_MODE="allow-downgrade"]) +if test "x$have_gcrypt" = xno -a "x${DEFAULT_DNSSEC_MODE}" != xno ; then + AC_MSG_WARN(default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.) + DEFAULT_DNSSEC_MODE="no" +fi + AS_CASE("x${DEFAULT_DNSSEC_MODE}", [xno], [mode=DNSSEC_NO], [xyes], [mode=DNSSEC_YES], diff --git a/meson.build b/meson.build index 407d7ea08e..0c6293dba4 100644 --- a/meson.build +++ b/meson.build @@ -603,11 +603,6 @@ kill_user_processes = get_option('default-kill-user-processes') conf.set10('KILL_USER_PROCESSES', kill_user_processes) substs.set('KILL_USER_PROCESSES', kill_user_processes ? 'yes' : 'no') -default_dnssec = get_option('default-dnssec') -conf.set('DEFAULT_DNSSEC_MODE', - 'DNSSEC_' + default_dnssec.underscorify().to_upper()) -substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) - dns_servers = get_option('dns-servers') conf.set_quoted('DNS_SERVERS', dns_servers) substs.set('DNS_SERVERS', dns_servers) @@ -953,6 +948,15 @@ else libgpg_error = [] endif +default_dnssec = get_option('default-dnssec') +if default_dnssec != 'no' and not conf.get('HAVE_GCRYPT', false) + message('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.') + default_dnssec = 'no' +endif +conf.set('DEFAULT_DNSSEC_MODE', + 'DNSSEC_' + default_dnssec.underscorify().to_upper()) +substs.set('DEFAULT_DNSSEC_MODE', default_dnssec) + want_importd = get_option('importd') if want_importd != 'false' have_deps = (conf.get('HAVE_LIBCURL', false) and diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index 97334a0af7..75636e0e56 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c 
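Review bot: The added condition `test "x$have_gcrypt" = xno -a "x${DEFAULT_DNSSEC_MODE}" != xno` joins two tests with `-a`, which the Autoconf manual lists as non-portable across shells. Two tests joined with `&&` are safer: `if test "x$have_gcrypt" = xno && test "x${DEFAULT_DNSSEC_MODE}" != xno ; then`. The AC_MSG_WARN argument is also unquoted; writing it as `AC_MSG_WARN([...])` protects the text from m4 argument splitting if it ever gains a comma. The check presumably relies on `have_gcrypt` being assigned earlier in configure.ac, which this hunk does not show.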
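Review bot: In the hunk at +948, an explicitly requested `default-dnssec` value is overridden with only a `message()`, which is easy to miss in build output, whereas the autotools side reports the same downgrade with AC_MSG_WARN. If the project's minimum Meson version allows it, `warning('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.')` would make the loss of DNSSEC validation equally visible here. A comment such as `# DNSSEC validation needs gcrypt, so this must stay below the gcrypt detection` would also record why the block was moved down from its old position.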
@@ -246,6 +246,12 @@ int manager_parse_config_file(Manager *m) { return r; } +#ifndef HAVE_GCRYPT + if (m->dnssec_mode != DNSSEC_NO) { + log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support."); + m->dnssec_mode = DNSSEC_NO; + } +#endif return 0; } diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index d06096f3f2..fc59a675e2 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -313,6 +313,12 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) { assert(l); +#ifndef HAVE_GCRYPT + if (mode == DNSSEC_YES || mode == DNSSEC_ALLOW_DOWNGRADE) + log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support."); + return; +#endif + if (l->dnssec_mode == mode) return;
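Review bot: A configured `DNSSEC=yes` is replaced by DNSSEC_NO in this block with only a warning-level log line, so a host whose administrator asked for strict validation keeps resolving without it. That trade-off deserves a comment above the `#ifndef`, for example `/* Without gcrypt no signature can be validated: force DNSSEC off so lookups keep working, at the cost of unvalidated answers. */`. It should also be mentioned wherever the DNSSEC= setting is documented. The warning would be easier to act on if it named the mode that was requested. The body of manager_parse_config_file starts outside the hunk, so whether `m->dnssec_mode` can be set on other paths after this point is not visible here.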
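Review bot: In link_set_dnssec_mode the added `return;` has no braces tying it to the `if`, so in a build without gcrypt the function returns for every mode, including DNSSEC_NO, and the comparison and whatever follows it outside the hunk never run. If that is intended, a comment should say so and the `if` should be braced to cover only the warning. If only the two enabling modes are meant to be refused, it should read `if (mode == DNSSEC_YES || mode == DNSSEC_ALLOW_DOWNGRADE) { log_warning(...); return; }`. The message also says "Turning off DNSSEC support", but nothing in the hunk sets `l->dnssec_mode` to DNSSEC_NO, so a link that already holds another value would keep it. Either assign DNSSEC_NO before returning or reword the message.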