happyDomain/happyDeliver
2
0
Fork 0
Code Issues 7 Pull requests 8 Projects Releases Packages Wiki Activity Actions

WIP add dnssec test
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
nemunaire 2025-11-18 13:38:31 +07:00
commit 5d1dce038f
6 changed files with 235 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
api/openapi.yaml
View file

@ -942,6 +942,10 @@ components:
$ref: '#/components/schemas/DMARCRecord'
bimi_record:
$ref: '#/components/schemas/BIMIRecord'
dnssec_enabled:
type: boolean
description: Whether the From domain has DNSSEC enabled with valid chain of trust
example: true
ptr_records:
type: array
items:

21
pkg/analyzer/dns.go
View file

@ -127,6 +127,12 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
// Check BIMI record (for From domain - branding is based on visible sender)
results.BimiRecord = d.checkBIMIRecord(fromDomain, "default")
// Check DNSSEC status (for From domain)
dnssecEnabled, err := d.resolver.IsDNSSECEnabled(nil, fromDomain)
if err == nil {
results.DnssecEnabled = &dnssecEnabled
}
return results
}
@ -149,6 +155,12 @@ func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *api.DNSResults {
// Check BIMI record with default selector
results.BimiRecord = d.checkBIMIRecord(domain, "default")
// Check DNSSEC status
dnssecEnabled, err := d.resolver.IsDNSSECEnabled(nil, domain)
if err == nil {
results.DnssecEnabled = &dnssecEnabled
}
return results
}
@ -204,11 +216,16 @@ func (d *DNSAnalyzer) CalculateDNSScore(results *api.DNSResults, senderIP string
score := 0
// DNSSEC: 10 points
if results.DnssecEnabled != nil && *results.DnssecEnabled {
score += 10
}
// PTR and Forward DNS: 20 points
score += 20 * d.calculatePTRScore(results, senderIP) / 100
// MX Records: 20 points (10 for From domain, 10 for Return-Path domain)
score += 20 * d.calculateMXScore(results) / 100
// MX Records: 10 points (5 for From domain, 5 for Return-Path domain)
score += 10 * d.calculateMXScore(results) / 100
// SPF Records: 20 points
score += 20 * d.calculateSPFScore(results) / 100

41
pkg/analyzer/dns_resolver.go
View file

@ -48,6 +48,10 @@ type DNSResolver interface {
// LookupHost looks up the given hostname using the local resolver.
// It returns a slice of that host's addresses (IPv4 and IPv6).
LookupHost(ctx context.Context, host string) ([]string, error)
// IsDNSSECEnabled checks if the given domain has DNSSEC enabled by querying for DNSKEY records.
// Returns true if the domain has DNSSEC configured and the chain of trust is valid.
IsDNSSECEnabled(ctx context.Context, domain string) (bool, error)
}
// StandardDNSResolver is the default DNS resolver implementation that uses goresolver with DNSSEC validation.
@ -194,3 +198,40 @@ func (r *StandardDNSResolver) LookupHost(ctx context.Context, host string) ([]st
return allAddrs, nil
}
// IsDNSSECEnabled checks if the given domain has DNSSEC enabled by querying for DNSKEY records.
// It uses DNSSEC validation to ensure the chain of trust is valid.
// Returns true if DNSSEC is properly configured and validated, false otherwise.
func (r *StandardDNSResolver) IsDNSSECEnabled(ctx context.Context, domain string) (bool, error) {
// Ensure the domain ends with a dot for DNS queries
queryName := domain
if !strings.HasSuffix(queryName, ".") {
queryName = queryName + "."
}
// Query for DNSKEY records with DNSSEC validation
// If this succeeds, it means:
// 1. The domain has DNSKEY records (DNSSEC is configured)
// 2. The DNSSEC chain of trust is valid (validated by StrictNSQuery)
rrs, err := r.resolver.StrictNSQuery(queryName, dns.TypeDNSKEY)
if err != nil {
// DNSSEC is not enabled or validation failed
return false, nil
}
// Check if we got any DNSKEY records
if len(rrs) == 0 {
return false, nil
}
// Verify we actually have DNSKEY records (not just any RR type)
hasDNSKEY := false
for _, rr := range rrs {
if _, ok := rr.(*dns.DNSKEY); ok {
hasDNSKEY = true
break
}
}
return hasDNSKEY, nil
}

111
pkg/analyzer/dns_resolver_test.go Normal file
View file

@ -0,0 +1,111 @@
// This file is part of the happyDeliver (R) project.
// Copyright (c) 2025 happyDomain
// Authors: Pierre-Olivier Mercier, et al.
//
// This program is offered under a commercial and under the AGPL license.
// For commercial licensing, contact us at <contact@happydomain.org>.
//
// For AGPL licensing:
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package analyzer
import (
"context"
"testing"
)
func TestIsDNSSECEnabled(t *testing.T) {
resolver := NewStandardDNSResolver()
ctx := context.Background()
tests := []struct {
name string
domain string
expectDNSSEC bool
}{
{
name: "ietf.org has DNSSEC",
domain: "ietf.org",
expectDNSSEC: true,
},
{
name: "google.com doesn't have DNSSEC",
domain: "google.com",
expectDNSSEC: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
enabled, err := resolver.IsDNSSECEnabled(ctx, tt.domain)
if err != nil {
t.Errorf("IsDNSSECEnabled() error = %v", err)
return
}
if enabled != tt.expectDNSSEC {
t.Errorf("IsDNSSECEnabled() for %s = %v, want %v", tt.domain, enabled, tt.expectDNSSEC)
} else {
// Log the result even if we're not validating
if enabled {
t.Logf("%s: DNSSEC is enabled ✅", tt.domain)
} else {
t.Logf("%s: DNSSEC is NOT enabled ⚠️", tt.domain)
}
}
})
}
}
func TestIsDNSSECEnabled_NonExistentDomain(t *testing.T) {
resolver := NewStandardDNSResolver()
ctx := context.Background()
// Test with a domain that doesn't exist
enabled, err := resolver.IsDNSSECEnabled(ctx, "this-domain-definitely-does-not-exist-12345.com")
if err != nil {
// Error is acceptable for non-existent domains
t.Logf("Non-existent domain returned error (expected): %v", err)
return
}
// If no error, DNSSEC should be disabled
if enabled {
t.Error("IsDNSSECEnabled() for non-existent domain should return false")
}
}
func TestIsDNSSECEnabled_WithTrailingDot(t *testing.T) {
resolver := NewStandardDNSResolver()
ctx := context.Background()
// Test that both formats work
domain1 := "cloudflare.com"
domain2 := "cloudflare.com."
enabled1, err1 := resolver.IsDNSSECEnabled(ctx, domain1)
if err1 != nil {
t.Errorf("IsDNSSECEnabled() without trailing dot error = %v", err1)
}
enabled2, err2 := resolver.IsDNSSECEnabled(ctx, domain2)
if err2 != nil {
t.Errorf("IsDNSSECEnabled() with trailing dot error = %v", err2)
}
if enabled1 != enabled2 {
t.Errorf("IsDNSSECEnabled() results differ: without dot = %v, with dot = %v", enabled1, enabled2)
}
}

4
web/src/lib/components/DnsRecordsCard.svelte
View file

@ -10,6 +10,7 @@
import BimiRecordDisplay from "./BimiRecordDisplay.svelte";
import PtrRecordsDisplay from "./PtrRecordsDisplay.svelte";
import PtrForwardRecordsDisplay from "./PtrForwardRecordsDisplay.svelte";
import DnssecDisplay from "./DnssecDisplay.svelte";
interface Props {
domainAlignment?: DomainAlignment;
@ -150,6 +151,9 @@
<!-- BIMI Record -->
<BimiRecordDisplay bimiRecord={dnsResults.bimi_record} />
<!-- DNSSEC -->
<DnssecDisplay dnssecEnabled={dnsResults.dnssec_enabled} domain={dnsResults.from_domain} />
{/if}
</div>
</div>

56
web/src/lib/components/DnssecDisplay.svelte Normal file
View file

@ -0,0 +1,56 @@
<script lang="ts">
interface Props {
dnssecEnabled?: boolean;
domain?: string;
}
let { dnssecEnabled, domain }: Props = $props();
// DNSSEC is valid if it's explicitly enabled
const dnssecIsValid = $derived(dnssecEnabled === true);
</script>
{#if dnssecEnabled !== undefined}
<div class="card mb-4" id="dns-dnssec">
<div class="card-header d-flex justify-content-between align-items-center">
<h5 class="text-muted mb-0">
<i
class="bi"
class:bi-shield-check={dnssecIsValid}
class:text-success={dnssecIsValid}
class:bi-shield-x={!dnssecIsValid}
class:text-warning={!dnssecIsValid}
></i>
DNSSEC
</h5>
<span class="badge bg-secondary">Security</span>
</div>
<div class="card-body">
<p class="card-text small text-muted mb-3">
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records to verify
their authenticity and integrity. It protects against DNS spoofing and cache poisoning
attacks, ensuring that DNS responses haven't been tampered with.
</p>
{#if domain}
<div class="mb-2">
<strong>Domain:</strong> <code>{domain}</code>
</div>
{/if}
{#if dnssecIsValid}
<div class="alert alert-success mb-0">
<i class="bi bi-check-circle me-1"></i>
<strong>Enabled:</strong> DNSSEC is properly configured with a valid chain of trust.
This provides additional security and authenticity for your domain's DNS records.
</div>
{:else}
<div class="alert alert-warning mb-0">
<i class="bi bi-info-circle me-1"></i>
<strong>Not Enabled:</strong> DNSSEC is not configured for this domain. While not
required for email delivery, enabling DNSSEC provides additional security by protecting
against DNS-based attacks. Consider enabling DNSSEC through your domain registrar or
DNS provider.
</div>
{/if}
</div>
</div>
{/if}