Check for DNSSEC on MX hostnames

domainaware · Jan 11, 2024 · dd645fa · dd645fa
1 parent 17a39c1
commit dd645fa
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+5.3.0
+-----
+
+- Check DNSSEC on MX hostnames
+
 5.2.7
 -----
 

diff --git a/checkdmarc/_constants.py b/checkdmarc/_constants.py
@@ -18,7 +18,7 @@
 See the License for the specific language governing permissions and
 limitations under the License."""
 
-__version__ = "5.2.7"
+__version__ = "5.3.0"
 
 OS = platform.system()
 OS_RELEASE = platform.release()

diff --git a/checkdmarc/dnssec.py b/checkdmarc/dnssec.py
@@ -58,13 +58,16 @@ def get_dnskey(domain: str, nameservers: list[str] = None,
 
     logging.debug(f"Checking for DNSKEY records at {domain}")
     request = dns.message.make_query(domain,
-                                     dns.rdatatype.DNSKEY)
+                                     dns.rdatatype.DNSKEY,
+                                     want_dnssec=True)
     for nameserver in nameservers:
         try:
             response = dns.query.udp(request, nameserver, timeout=timeout)
             if response is not None:
                 answer = response.answer
                 if len(answer) == 0:
+                    request = dns.message.make_query(domain,
+                                                     dns.rdatatype.DNSKEY)
                     logging.debug(f"No DNSKEY records found at {domain}")
                     base_domain = get_base_domain(domain)
                     if domain != base_domain:

diff --git a/checkdmarc/smtp.py b/checkdmarc/smtp.py
@@ -17,7 +17,7 @@
 from checkdmarc.utils import (DNSException,
                               get_a_records, get_reverse_dns, get_mx_records)
 from checkdmarc.mta_sts import mx_in_mta_sts_patterns
-from checkdmarc.dnssec import get_tlsa_records
+from checkdmarc.dnssec import test_dnssec, get_tlsa_records
 
 """Copyright 2019-2023 Sean Whalen
 
@@ -292,7 +292,9 @@ def get_mx_hosts(domain: str, skip_tls: bool = False,
                      - ``hosts`` - A ``list`` of ``OrderedDict`` with keys of
 
                        - ``hostname`` - A hostname
+                       - ``dnssec`` - DNSSEC status
                        - ``addresses`` - A ``list`` of IP addresses
+                       - ``tlsa`` - A list of TLSA records, if they exist
 
                      - ``warnings`` - A ``list`` of MX resolution warnings
 
@@ -339,6 +341,14 @@ def get_mx_hosts(domain: str, skip_tls: bool = False,
                                 f"policy")
 
         try:
+            dnssec = False
+            try:
+                dnssec = test_dnssec(hostname,
+                                     nameservers=nameservers,
+                                     timeout=timeout)
+            except Exception as e:
+                logging.debug(e)
+            host["dnssec"] = dnssec
             host["addresses"] = []
             host["addresses"] = get_a_records(hostname,
                                               nameservers=nameservers,
@@ -347,6 +357,7 @@ def get_mx_hosts(domain: str, skip_tls: bool = False,
             tlsa_records = get_tlsa_records(hostname,
                                             nameservers=nameservers,
                                             timeout=timeout)
+
             if len(tlsa_records) > 0:
                 host["tlsa"] = tlsa_records
             if len(host["addresses"]) == 0: