Fix DANE parser's handling of domains without MX records.
This commit fixes `Test-DaneRecords` to properly support domains that,
confusingly, do not specify MX records. In this case (which is spelled
out in the RFC), the A and AAAA records of the domain itself (`@`) are
used to construct an implied MX host with preference 0.

In previous versions, a DANE check would mistakenly be performed on a
null domain (`""`) instead of the domain name itself.
rhymeswithmogul committed Dec 7, 2023
1 parent 36f9850 commit 7c261ea
Showing 3 changed files with 13 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,7 @@

## Version 1.3.1 (Wednesday, December 9, 2023)
- **NEW** The IP version checks are now displayed with an indentation when run as a part of `Test-MailPolicy`.
- **FIX** `Test-DaneRecords` now correctly checks DANE records for domains without MX records.
- **FIX** The DMARC `fo` token is now parsed correctly when multiple values are present.
- **FIX** The DMARC `rf` token is now parsed correctly.
- **FIX** The SPF `mx` token parser no longer generates a spurious error when not counting DNS lookups.
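Review bot: The added **FIX** entry names `Test-DaneRecords`, but the hunk header in src/MailPolicyExplainer.psm1 shows the function as `Test-DaneRecord`. If the plural form is not an exported alias, use the function's actual name here so readers can look it up; the same wording appears in the `ReleaseNotes` entry in MailPolicyExplainer.psd1. While this section is open, the heading reads "Wednesday, December 9, 2023", and December 9, 2023 falls on a Saturday, so either the weekday or the day needs correcting.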
1 change: 1 addition & 0 deletions MailPolicyExplainer.psd1
Expand Up @@ -170,6 +170,7 @@ PrivateData = @{
ReleaseNotes = 'This release adds one new feature: IP version checks are now indented when run from `Test-MailPolicy`.
Many bugs were fixed, too:
- `Test-DaneRecords` now correctly checks DANE records for domains without MX records.
- The DMARC `fo` token is now parsed correctly when multiple values are present.
- The DMARC `rf` token is now parsed correctly.
- The IntelliSense handling of `Test-SpfRecord` has been improved by hiding some internal-use-only parameters.
13 changes: 11 additions & 2 deletions src/MailPolicyExplainer.psm1
Expand Up @@ -1115,7 +1115,7 @@ Function Test-SpfRecord
If ($CountDnsLookups) {
$DnsLookups.Value++
}

If ($token -Match "^\+?mx$") {
Write-GoodNews "${RecordType}: Accept mail from $DomainName's MX servers.$(Write-DnsLookups $DnsLookups -Enabled:$CountDnsLookups)"
}
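Review bot: The only change in this `Test-SpfRecord` hunk appears to be whitespace on the blank line before `If ($token -Match "^\+?mx$")`, which is unrelated to the DANE fix. Consider dropping it or moving it to a separate cleanup commit so that this commit's diff contains only the MX fallback change.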
Expand Down Expand Up @@ -1432,7 +1432,16 @@ Function Test-DaneRecord
Return
}

If ($MXServers.Count -eq 0) {
# Check for the confusing case where a domain has no MX servers, and does
# not publish a null MX record. In that case, the domain's A and AAAA records
# will be substituted as a mail exchanger with preference 0. (Really, that's
# what it says to do in the RFC. Go look it up.)
#
# We're checking for a count of zero, or a count of one where the server
# name is blank, just in case I add options for other DNS APIs in the future.
# Google Public DNS's API returns the latter format.
If ($MXServers.Count -eq 0 -or ($MXServers.Count -eq 1 -and $null -eq $MXServers[0].Name))
{
$MXServers = @(@{'Preference'=0; 'Server'=$DomainName})
}

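Review bot: The new single-record test reads `$MXServers[0].Name`, while the fallback entry built inside the same block uses the key `Server`, so it is unclear from this hunk which property holds the exchanger's host name. If real MX entries carry the host in `Server` and have no `Name` property, `$null -eq $MXServers[0].Name` is true for every domain with exactly one MX record, and that MX would be replaced by `$DomainName`, producing a DANE result for the wrong host. Please confirm the property name against the parsed DNS response. Separately, the comment describes the server name as "blank" and the commit message describes the old failure as a check on `""`, but `$null -eq` does not match an empty string; `[String]::IsNullOrEmpty(...)` would cover both cases. The comment could also cite RFC 5321 section 5.1, which defines the implicit MX with preference 0, in place of "Go look it up."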