domainaware / checkdmarc

A parser for SPF and DMARC DNS records
https://domainaware.github.io/checkdmarc
Apache License 2.0

DNSSEC for subdomains? #114

Closed alexcolb closed 8 months ago

alexcolb commented 8 months ago

Love the tool!

I'm wondering whether DNSSEC could be checked for subdomains too, instead of just relying on the base domain's DNSSEC status.

A use case here would be a subdomain zone that is delegated to another, untrusted name server. In these cases, DNSSEC works for the base domain, but should/will fail for the subdomain.

seanthegeek commented 8 months ago

I'm honestly not sure how to properly check for DNSSEC on subdomains.

If I comment out the line that forces checking the base domain, the DNSSEC test returns False for hq.dhs.gov, even though the subdomain and base domain both pass Verisign's DNSSEC test.
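As an added illustration (not checkdmarc's code or the fix that shipped), the sketch below does what the request above asks for: it asks a validating resolver about the queried name itself, and each parent zone, and reads the AD (Authenticated Data) flag instead of reducing to the base domain first. The lookup callback, the constructed answers for example.com and the 9.9.9.9 default are assumptions made for this example.

```python
"""DNSSEC status for a name and each of its parent zones (example code)."""
from typing import Callable, Dict, List, Tuple

# Lookup callback: name -> (AD flag set, rcode was SERVFAIL). Injected so the
# logic can be exercised offline with constructed answers (an assumption).
Lookup = Callable[[str], Tuple[bool, bool]]


def ancestors(name: str) -> List[str]:
    """'hq.dhs.gov' -> ['gov', 'dhs.gov', 'hq.dhs.gov'] (TLD first)."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def classify(ad: bool, servfail: bool) -> str:
    """A validating resolver sets AD only if the whole chain of trust verified;
    it answers SERVFAIL for data that fails validation; an unsigned zone (no DS
    at the delegation) gets a normal answer without AD, i.e. insecure."""
    if ad:
        return "secure"
    return "bogus" if servfail else "insecure"


def dnssec_chain(name: str, lookup: Lookup) -> Dict[str, str]:
    """Status per zone cut from the TLD down to `name`, showing where it breaks."""
    return {zone: classify(*lookup(zone)) for zone in ancestors(name)}


def dnssec_ok(name: str, lookup: Lookup) -> bool:
    """True only if `name` itself validated, not merely its base domain."""
    return classify(*lookup(name)) == "secure"


def dnspython_lookup(server: str = "9.9.9.9") -> Lookup:
    """Real Lookup via dnspython against a validating resolver (online only;
    the Quad9 default is an assumption, any validating resolver works)."""
    import dns.flags, dns.message, dns.query, dns.rcode  # needs dnspython

    def query(name: str) -> Tuple[bool, bool]:
        msg = dns.message.make_query(name, "A", want_dnssec=True)
        rsp = dns.query.udp(msg, server, timeout=5)
        return bool(rsp.flags & dns.flags.AD), rsp.rcode() == dns.rcode.SERVFAIL

    return query


# Constructed answers for the scenario in the issue: the base zone is signed,
# but one subdomain is delegated to an unsigned server (chain ends there).
CONSTRUCTED = {
    "com": (True, False),
    "example.com": (True, False),
    "delegated.example.com": (False, False),  # no DS at the cut: insecure
    "broken.example.com": (False, True),      # fails validation: bogus
}


def fake_lookup(name: str) -> Tuple[bool, bool]:
    return CONSTRUCTED.get(name, (False, False))
```

With the constructed data, `dnssec_ok("example.com", fake_lookup)` is true while `dnssec_ok("delegated.example.com", fake_lookup)` is false, which is exactly the distinction the base-domain shortcut hides.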

alexcolb commented 8 months ago

That's odd, I get "dnssec": true when I comment that line out on my machine:

python -m checkdmarc._cli hq.dhs.gov --debug
2023-12-20 14:58:18,827 - DEBUG: Debug output enabled
2023-12-20 14:58:18,827 - DEBUG: Checking: hq.dhs.gov
2023-12-20 14:58:18,851 - DEBUG: COMMENTED OUT line: domain = get_base_domain(domain)
2023-12-20 14:58:18,875 - DEBUG: Getting NS records on hq.dhs.gov
2023-12-20 14:58:18,881 - DEBUG: Checking for a MTA-STS record on hq.dhs.gov
2023-12-20 14:58:18,907 - DEBUG: Checking for MX records on hq.dhs.gov
2023-12-20 14:58:21,215 - DEBUG: Testing STARTTLS on mxa-00376703.gslb.gpphosted.com
2023-12-20 14:58:26,252 - DEBUG: Testing STARTTLS on mx0e-00376703.gpphosted.com
2023-12-20 14:58:31,253 - DEBUG: Checking for a SPF record on hq.dhs.gov
2023-12-20 14:58:31,260 - DEBUG: Parsing the SPF record on hq.dhs.gov
2023-12-20 14:58:31,262 - DEBUG: Checking for a SPF record on spf.dhs.gov
2023-12-20 14:58:31,287 - DEBUG: Parsing the SPF record on spf.dhs.gov
2023-12-20 14:58:31,288 - DEBUG: Checking for a SPF record on spf.protection.outlook.com
2023-12-20 14:58:31,303 - DEBUG: Parsing the SPF record on spf.protection.outlook.com
2023-12-20 14:58:31,303 - DEBUG: Checking for a SPF record on spf-00376703.gpphosted.com
2023-12-20 14:58:31,315 - DEBUG: Parsing the SPF record on spf-00376703.gpphosted.com
2023-12-20 14:58:31,315 - DEBUG: Checking for a DMARC record on hq.dhs.gov
2023-12-20 14:58:31,370 - DEBUG: Parsing the DMARC record for hq.dhs.gov
2023-12-20 14:58:31,370 - DEBUG: Checking for MX records on hq.dhs.gov
2023-12-20 14:58:31,434 - DEBUG: Checking for MX records on dmarc.cyber.dhs.gov
{
  "domain": "hq.dhs.gov",
  "base_domain": "dhs.gov",
  "dnssec": true,

...
seanthegeek commented 8 months ago

Fixed in 5.0.2