cisagov / trustymail

Scan domains and return data based on trustworthy email best practices
Creative Commons Zero v1.0 Universal

SPF & DMARC Record DNSSEC always false? #143

Closed VonZubinski closed 1 year ago

VonZubinski commented 1 year ago

🐛 Summary

I was taking trustymail for a first test-drive with some domains I know have proper DNSSEC. But all of them show SPF Record DNSSEC & DMARC Record DNSSEC as "False".

To reproduce

Steps to reproduce the behavior:

  1. Open terminal
  2. trustymail --debug techrecruitment.io
  3. Check results.csv file

Expected behavior

This domain has all green checkmarks on https://dnssec-analyzer.verisignlabs.com/techrecruitment.io. I was expecting SPF & DMARC Record DNSSEC to show "true".

Maybe I'm misunderstanding something here, since there is not much detailed info about that check in the Readme.

jsf9k commented 1 year ago

Thanks for the issue @VonZubinski!

I get TRUE for both the SPF Record DNSSEC and DMARC Record DNSSEC columns when I run the tool. Do you get the same results if you run trustymail techrecruitment.io --debug --dns="8.8.8.8,8.8.4.4"? (The --dns="8.8.8.8,8.8.4.4" forces the tool to use Google's DNS versus whatever is configured for your local machine.)

VonZubinski commented 1 year ago

So I tried the following:

Control: trustymail techrecruitment.io --debug still FALSE

Setting the DNS to 8.8.8.8 in the Ubuntu network settings, also FALSE

Using the --dns="8.8.8.8,8.8.4.4" option, I get TRUE

Testing the ISP DNS resolver with dnssec-failed.org didn't show the page, so I'm assuming it has DNSSEC enabled.

Does this mean the DNS resolver from the ISP isn't passing down specific information? Since I'm testing from a cowork, is this maybe a firewall/internal hardware issue?

jsf9k commented 1 year ago

> Does this mean the DNS resolver from the ISP isn't passing down specific information? Since I'm testing from a cowork, is this maybe a firewall/internal hardware issue?

Since using --dns="8.8.8.8,8.8.4.4" worked I think you're indeed seeing an ISP or cowork internal networking issue.

I see that the TTLs for techrecruitment.io's DNS records are all set to 3600 (one hour). You might try setting the DNS to 8.8.8.8 in the Ubuntu network settings, waiting a little over an hour, and then retrying. Either way, I highly recommend specifying your DNS servers (via --dns="8.8.8.8,8.8.4.4", for example) to avoid surprises.

I'll go ahead and close this issue since I think we've determined that the problem is not with this repo, but if you add any comments here afterwards I'll still see them.
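The behaviour in this thread comes down to how a stub client learns that a record was DNSSEC-validated: it sends its query with the EDNS0 DO bit and trusts the Authenticated Data (AD) bit that a validating recursive resolver sets in the reply. If the local or ISP resolver does not validate, or strips the flag, the client sees no AD bit and a column like "SPF Record DNSSEC" comes out False even though the zone itself is correctly signed. The script below is an added example, not trustymail's own code, and it assumes (as the thread's symptoms suggest) that the tool's DNSSEC columns are derived from the AD bit. It uses only the Python standard library: it builds a raw TXT query with the DO bit set, parses the header flags of a reply, and can compare several resolvers side by side. The two sample responses at the bottom are constructed byte strings, so the flag parsing can be exercised offline.

```python
"""Check whether a resolver returns the AD (Authenticated Data) bit for TXT lookups.

Added example using only the standard library; not trustymail's implementation.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035).
RD_FLAG = 0x0100  # Recursion Desired, set by the client
AD_FLAG = 0x0020  # Authenticated Data, set by a validating resolver on a validated answer
QR_FLAG = 0x8000  # Response bit
# The DO ("DNSSEC OK") bit sits in the upper half of the OPT record's 32-bit TTL field (RFC 6891).
EDNS_DO = 0x00008000
TYPE_TXT, TYPE_OPT, CLASS_IN = 16, 41, 1


def _encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_txt_query(name: str, query_id: int = 0x1234) -> bytes:
    """Build a TXT query with RD set and an EDNS0 OPT record advertising DO."""
    header = struct.pack("!HHHHHH", query_id, RD_FLAG, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    question = _encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    # OPT RR: root name, TYPE=41, UDP payload size 4096 in the class field, DO in the TTL field, no RDATA.
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt_rr


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the AD check needs."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "response": bool(flags & QR_FLAG),
        "rd": bool(flags & RD_FLAG),
        "ad": bool(flags & AD_FLAG),
        "rcode": flags & 0x000F,
        "answers": ancount,
    }


def answer_is_validated(msg: bytes) -> bool:
    """True only for a successful response that carries at least one answer and the AD bit."""
    h = parse_header(msg)
    return h["response"] and h["rcode"] == 0 and h["answers"] > 0 and h["ad"]


def query_txt(name: str, nameserver: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP to one resolver and return the raw reply (needs network access)."""
    query = build_txt_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply ID does not match the query ID")
    return reply


def dnssec_status_per_resolver(name: str, nameservers: list) -> dict:
    """Map each resolver address to whether its TXT answer for `name` came back with AD set."""
    results = {}
    for ns in nameservers:
        try:
            results[ns] = answer_is_validated(query_txt(name, ns))
        except (OSError, ValueError) as exc:
            results[ns] = f"error: {exc}"
    return results


# Constructed sample replies (header only, which is all the AD check reads):
# flags 0x81A0 = QR|RD|RA|AD, i.e. what a validating resolver returns for a signed zone;
# flags 0x8180 = QR|RD|RA, the same answer from a resolver that did not validate.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    # Compare the system-configured resolver you suspect with a known validating public one.
    # Replace the first address with your local resolver; 8.8.8.8 is the one used in the thread.
    print(dnssec_status_per_resolver("_dmarc.techrecruitment.io", ["192.0.2.53", "8.8.8.8"]))
```

Running the main block against your ISP resolver and 8.8.8.8 reproduces the thread's experiment directly: if only the public resolver reports True, the zone is signed and the missing validation is on the last hop. The AD bit is only as trustworthy as the path to the resolver, so a defender who relies on it should either pin validating resolvers (the --dns option in the thread) or run a local validator.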