feat: extend checks for DNS CAA records to warn when accounturi or va…

…lidationmethod is missing. Closed #14.
sesh · Aug 24, 2023 · 43988ee · 43988ee
1 parent b2eeff4
commit 43988ee
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -73,6 +73,7 @@ There are no required dependencies, but two optional dependencies that enable so
 - SPF includes use less than 10 DNS requests
 - DMARC record should exist
 - DMARC record should contain p=reject
+- SPF should be "v=spf1 -all" if there are no MX records or MX record is "."
 - Robots.txt exists and is a text file
 - Security.txt exists and is a text file that contains required attributes
 - Favicon is served at /favicon.ico
@@ -83,9 +84,12 @@ There are no required dependencies, but two optional dependencies that enable so
 - SSL connection fails when using TLS 1.1
 - SSL connection fails when using TLS 1.0
 - DNS CAA should be enabled
+- DNS CAA should include accounturi
+- DNS CAA should include validationmethods
 - Response should be a 200 (after redirects)
 
 
+
 ### Potential / WIP
 
 - GraphQL introspection is not enabled

diff --git a/ready/checks/ssl.py b/ready/checks/ssl.py
@@ -133,3 +133,40 @@ def check_dns_caa_record_should_exist(responses, **kwargs):
         "ssl_dns_caa",
         **kwargs,
     )
+
+
+# Check: DNS CAA should include accounturi
+def check_dns_css_record_should_include_accounturi(responses, **kwargs):
+    records = [r["data"] for r in responses["dns_caa_response"].json.get("Answer", []) if "data" in r]
+
+    if not records and "dns_caa_response_fld" in responses:
+        records = [r["data"] for r in responses["dns_caa_response_fld"].json.get("Answer", []) if "data" in r]
+
+    # filter to just the issue records
+    records = [r for r in records if "issue " in r]
+
+    return result(
+        records and all(["accounturi=" in r for r in records]),
+        f"DNS CAA should include accounturi ({records})",
+        "ssl_dns_caa_accounturi",
+        warn_on_fail=True,
+        **kwargs,
+    )
+
+# Check: DNS CAA should include validationmethods
+def check_dns_css_record_should_include_validationmethods(responses, **kwargs):
+    records = [r["data"] for r in responses["dns_caa_response"].json.get("Answer", []) if "data" in r]
+
+    if not records and "dns_caa_response_fld" in responses:
+        records = [r["data"] for r in responses["dns_caa_response_fld"].json.get("Answer", []) if "data" in r]
+
+    # filter to just the issue records
+    records = [r for r in records if "issue " in r]
+
+    return result(
+        records and all(["validationmethods=" in r for r in records]),
+        f"DNS CAA should include validationmethods ({records})",
+        "ssl_dns_caa_validationmethods",
+        warn_on_fail=True,
+        **kwargs,
+    )
diff --git a/ready/ready.py b/ready/ready.py
@@ -79,6 +79,8 @@
     check_ssl_connection_fails_with_tls_1_1,
     check_ssl_expiry_should_be_greater_than_five_days,
     check_ssl_expiry_should_be_less_than_one_year,
+    check_dns_css_record_should_include_accounturi,
+    check_dns_css_record_should_include_validationmethods,
 )
 from ready.checks.status import check_http_response_should_be_200
 from ready.checks.swagger import check_swagger_should_not_return_200
@@ -223,6 +225,8 @@ def ready(domain, print_headers=False, print_content=False, json_output=False, h
             check_ssl_connection_fails_with_tls_1_1,
             check_ssl_connection_fails_with_tls_1_0,
             check_dns_caa_record_should_exist,
+            check_dns_css_record_should_include_accounturi,
+            check_dns_css_record_should_include_validationmethods,
             check_at_least_two_nameservers_configured,
             check_cookies_should_be_samesite,
             check_cookies_should_be_secure,