This commit is contained in:
parent
6ae2c2463d
commit
5d1dce038f
6 changed files with 235 additions and 2 deletions
|
|
@ -127,6 +127,12 @@ func (d *DNSAnalyzer) AnalyzeDNS(email *EmailMessage, authResults *api.Authentic
|
|||
// Check BIMI record (for From domain - branding is based on visible sender)
|
||||
results.BimiRecord = d.checkBIMIRecord(fromDomain, "default")
|
||||
|
||||
// Check DNSSEC status (for From domain)
|
||||
dnssecEnabled, err := d.resolver.IsDNSSECEnabled(nil, fromDomain)
|
||||
if err == nil {
|
||||
results.DnssecEnabled = &dnssecEnabled
|
||||
}
|
||||
|
||||
return results
|
||||
}
|
||||
|
||||
|
|
@ -149,6 +155,12 @@ func (d *DNSAnalyzer) AnalyzeDomainOnly(domain string) *api.DNSResults {
|
|||
// Check BIMI record with default selector
|
||||
results.BimiRecord = d.checkBIMIRecord(domain, "default")
|
||||
|
||||
// Check DNSSEC status
|
||||
dnssecEnabled, err := d.resolver.IsDNSSECEnabled(nil, domain)
|
||||
if err == nil {
|
||||
results.DnssecEnabled = &dnssecEnabled
|
||||
}
|
||||
|
||||
return results
|
||||
}
|
||||
|
||||
|
|
@ -204,11 +216,16 @@ func (d *DNSAnalyzer) CalculateDNSScore(results *api.DNSResults, senderIP string
|
|||
|
||||
score := 0
|
||||
|
||||
// DNSSEC: 10 points
|
||||
if results.DnssecEnabled != nil && *results.DnssecEnabled {
|
||||
score += 10
|
||||
}
|
||||
|
||||
// PTR and Forward DNS: 20 points
|
||||
score += 20 * d.calculatePTRScore(results, senderIP) / 100
|
||||
|
||||
// MX Records: 20 points (10 for From domain, 10 for Return-Path domain)
|
||||
score += 20 * d.calculateMXScore(results) / 100
|
||||
// MX Records: 10 points (5 for From domain, 5 for Return-Path domain)
|
||||
score += 10 * d.calculateMXScore(results) / 100
|
||||
|
||||
// SPF Records: 20 points
|
||||
score += 20 * d.calculateSPFScore(results) / 100
|
||||
|
|
|
|||
|
|
@ -48,6 +48,10 @@ type DNSResolver interface {
|
|||
// LookupHost looks up the given hostname using the local resolver.
|
||||
// It returns a slice of that host's addresses (IPv4 and IPv6).
|
||||
LookupHost(ctx context.Context, host string) ([]string, error)
|
||||
|
||||
// IsDNSSECEnabled checks if the given domain has DNSSEC enabled by querying for DNSKEY records.
|
||||
// Returns true if the domain has DNSSEC configured and the chain of trust is valid.
|
||||
IsDNSSECEnabled(ctx context.Context, domain string) (bool, error)
|
||||
}
|
||||
|
||||
// StandardDNSResolver is the default DNS resolver implementation that uses goresolver with DNSSEC validation.
|
||||
|
|
@ -194,3 +198,40 @@ func (r *StandardDNSResolver) LookupHost(ctx context.Context, host string) ([]st
|
|||
|
||||
return allAddrs, nil
|
||||
}
|
||||
|
||||
// IsDNSSECEnabled checks if the given domain has DNSSEC enabled by querying for DNSKEY records.
|
||||
// It uses DNSSEC validation to ensure the chain of trust is valid.
|
||||
// Returns true if DNSSEC is properly configured and validated, false otherwise.
|
||||
func (r *StandardDNSResolver) IsDNSSECEnabled(ctx context.Context, domain string) (bool, error) {
|
||||
// Ensure the domain ends with a dot for DNS queries
|
||||
queryName := domain
|
||||
if !strings.HasSuffix(queryName, ".") {
|
||||
queryName = queryName + "."
|
||||
}
|
||||
|
||||
// Query for DNSKEY records with DNSSEC validation
|
||||
// If this succeeds, it means:
|
||||
// 1. The domain has DNSKEY records (DNSSEC is configured)
|
||||
// 2. The DNSSEC chain of trust is valid (validated by StrictNSQuery)
|
||||
rrs, err := r.resolver.StrictNSQuery(queryName, dns.TypeDNSKEY)
|
||||
if err != nil {
|
||||
// DNSSEC is not enabled or validation failed
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Check if we got any DNSKEY records
|
||||
if len(rrs) == 0 {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Verify we actually have DNSKEY records (not just any RR type)
|
||||
hasDNSKEY := false
|
||||
for _, rr := range rrs {
|
||||
if _, ok := rr.(*dns.DNSKEY); ok {
|
||||
hasDNSKEY = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return hasDNSKEY, nil
|
||||
}
|
||||
|
|
|
|||
111
pkg/analyzer/dns_resolver_test.go
Normal file
111
pkg/analyzer/dns_resolver_test.go
Normal file
|
|
@ -0,0 +1,111 @@
|
|||
// This file is part of the happyDeliver (R) project.
|
||||
// Copyright (c) 2025 happyDomain
|
||||
// Authors: Pierre-Olivier Mercier, et al.
|
||||
//
|
||||
// This program is offered under a commercial and under the AGPL license.
|
||||
// For commercial licensing, contact us at <contact@happydomain.org>.
|
||||
//
|
||||
// For AGPL licensing:
|
||||
// This program is free software: you can redistribute it and/or modify
|
||||
// it under the terms of the GNU Affero General Public License as published by
|
||||
// the Free Software Foundation, either version 3 of the License, or
|
||||
// (at your option) any later version.
|
||||
//
|
||||
// This program is distributed in the hope that it will be useful,
|
||||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
// GNU Affero General Public License for more details.
|
||||
//
|
||||
// You should have received a copy of the GNU Affero General Public License
|
||||
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
|
||||
package analyzer
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestIsDNSSECEnabled(t *testing.T) {
|
||||
resolver := NewStandardDNSResolver()
|
||||
ctx := context.Background()
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
domain string
|
||||
expectDNSSEC bool
|
||||
}{
|
||||
{
|
||||
name: "ietf.org has DNSSEC",
|
||||
domain: "ietf.org",
|
||||
expectDNSSEC: true,
|
||||
},
|
||||
{
|
||||
name: "google.com doesn't have DNSSEC",
|
||||
domain: "google.com",
|
||||
expectDNSSEC: false,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
enabled, err := resolver.IsDNSSECEnabled(ctx, tt.domain)
|
||||
if err != nil {
|
||||
t.Errorf("IsDNSSECEnabled() error = %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
if enabled != tt.expectDNSSEC {
|
||||
t.Errorf("IsDNSSECEnabled() for %s = %v, want %v", tt.domain, enabled, tt.expectDNSSEC)
|
||||
} else {
|
||||
// Log the result even if we're not validating
|
||||
if enabled {
|
||||
t.Logf("%s: DNSSEC is enabled ✅", tt.domain)
|
||||
} else {
|
||||
t.Logf("%s: DNSSEC is NOT enabled ⚠️", tt.domain)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsDNSSECEnabled_NonExistentDomain(t *testing.T) {
|
||||
resolver := NewStandardDNSResolver()
|
||||
ctx := context.Background()
|
||||
|
||||
// Test with a domain that doesn't exist
|
||||
enabled, err := resolver.IsDNSSECEnabled(ctx, "this-domain-definitely-does-not-exist-12345.com")
|
||||
if err != nil {
|
||||
// Error is acceptable for non-existent domains
|
||||
t.Logf("Non-existent domain returned error (expected): %v", err)
|
||||
return
|
||||
}
|
||||
|
||||
// If no error, DNSSEC should be disabled
|
||||
if enabled {
|
||||
t.Error("IsDNSSECEnabled() for non-existent domain should return false")
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsDNSSECEnabled_WithTrailingDot(t *testing.T) {
|
||||
resolver := NewStandardDNSResolver()
|
||||
ctx := context.Background()
|
||||
|
||||
// Test that both formats work
|
||||
domain1 := "cloudflare.com"
|
||||
domain2 := "cloudflare.com."
|
||||
|
||||
enabled1, err1 := resolver.IsDNSSECEnabled(ctx, domain1)
|
||||
if err1 != nil {
|
||||
t.Errorf("IsDNSSECEnabled() without trailing dot error = %v", err1)
|
||||
}
|
||||
|
||||
enabled2, err2 := resolver.IsDNSSECEnabled(ctx, domain2)
|
||||
if err2 != nil {
|
||||
t.Errorf("IsDNSSECEnabled() with trailing dot error = %v", err2)
|
||||
}
|
||||
|
||||
if enabled1 != enabled2 {
|
||||
t.Errorf("IsDNSSECEnabled() results differ: without dot = %v, with dot = %v", enabled1, enabled2)
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue