Add -DisableDnssecValidation switch to most cmdlets.
Okay, I get it.  Printing DNSSEC status for every single cmdlet was
starting to get old.  Plus, you might want to ignore DNSSEC for some
reason (troubleshooting) even though it's a best practice.

Thus, most cmdlets now support the new -DisableDnssecVerification
switch.  This does exactly what it sounds like;  it sets the CD flag
on upstream queries, and does not print any DNSSEC information.

This switch will be ignored when checking DANE records, as those
require DNSSEC.
rhymeswithmogul committed Mar 28, 2024
1 parent 49d7115 commit ed87edc
Showing 18 changed files with 566 additions and 92 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
@@ -1,8 +1,9 @@
# MailPolicyExplainer Change Log

## Version 1.4.0
- **NEW** Most cmdlets now have a switch, `-DisableDnssecValidation`, that does just that.
- **NEW** `Test-DkimRecord` will print the full DKIM TXT record to the verbose stream. Thanks to [Jason Berry](https://github.com/skyblaster) for writing [the pull request](https://github.com/rhymeswithmogul/MailPolicyExplainer/pull/1)!
- **FIX** DNSSEC results are shown even when records are not found, to show proof of non-existence.
- **FIX** DNSSEC results are shown even when records are not found, to show proof of non-existence (unless DNSSEC validation is disabled).
- **FIX** The SPF qualifier is no longer prepended to IPv4 addresses.

## Version 1.3.4 (Wednesday, January 24, 2024)
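
Review bot: The new 1.4.0 entry names the switch `-DisableDnssecValidation`, but the other files in this commit (the manifest's release notes, NEWS.md and the SYNTAX lines of the man pages) call it `-DisableDnssecVerification`, and the documented aliases are `CD, DnssecCD, NoDnssec, DisableDnssec`. Use whichever name the parameter is actually declared with, so that a reader copying the switch from the changelog gets a name that binds.
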
1 change: 1 addition & 0 deletions MailPolicyExplainer.psd1
Expand Up @@ -114,6 +114,7 @@ PrivateData = @{

ReleaseNotes = '- Test-DkimRecord will emit the full DKIM TXT record to the verbose stream.
- DNSSEC-authenticated denial-of-existence is now shown by default.
- Added the `-DisableDnssecVerification` switch to most cmdlets to disable all DNSSEC checks (except for DANE).
- Removed the `ip4:` qualifier from parser output.'
}
}
4 changes: 3 additions & 1 deletion NEWS.md
Expand Up @@ -3,7 +3,9 @@
## Version 1.4.0
This will be released soon.

One new feature. `Test-DkimRecord` will print the full DKIM TXT record to the verbose stream (i.e., the one that's visible when using `-Verbose` or setting the appropriate `$VerbosePreference` value). Thanks to [Jason Berry](https://github.com/skyblaster) for writing [the pull request](https://github.com/rhymeswithmogul/MailPolicyExplainer/pull/1)!
New features:
- Most cmdlets now have a `-DisableDnssecVerification` switch that will disable all DNSSEC checks. While it is still a best practice, maybe your DNS host doesn't support it (for some reason) and you'd like this cmdlet not to nag you every time. Note that DNSSEC checks are still done for DANE records, as the former is a prerequisite for the latter, whether this switch is specified or not.
- `Test-DkimRecord` will print the full DKIM TXT record to the verbose stream (i.e., the one that's visible when using `-Verbose` or setting the appropriate `$VerbosePreference` value). Thanks to [Jason Berry](https://github.com/skyblaster) for writing [the pull request](https://github.com/rhymeswithmogul/MailPolicyExplainer/pull/1)!

Two bugs were fixed:
- The SPF parser would sometimes show IPv4 addresses with a character prepended; for example, "Accept mail from the IPv4 address +192.0.2.1" or "Reject mail from the IPv4 address -192.0.2.2". This has been corrected by fixing the parser.
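
Review bot: The new `-DisableDnssecVerification` bullet under "New features:" presents the switch as a way to stop the cmdlet from nagging, without the caution that the help text added in this same commit gives ("NOT RECOMMENDED for production use"). Suggest carrying that caveat into the bullet, or pointing to the about topic, so the release notes and the help agree on when the switch is appropriate.
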
235 changes: 234 additions & 1 deletion en-US/MailPolicyExplainer-help.xml

Large diffs are not rendered by default.

14 changes: 14 additions & 0 deletions en-US/about_MailPolicyExplainer.help.txt
Expand Up @@ -79,6 +79,20 @@ Help
help topics in case you'd like to learn more about the standards that are
being tested.

Disabling DNSSEC Validation
You may disable most cmdlets' built-in DNSSEC verification by specifying the
`-DisableDnssecValidation` (alias: `-CD`). Queries to the upstream resolver
will request that DNSSEC checking be disabled; thus, DNSSEC validation of
resource records will not occur, nor will you be informed of unauthenticated
denial of existence of DNS records.

It is best practice that all zones, records, and delegations be signed with
DNSSEC. Using this switch is NOT RECOMMENDED for production use and should
only be used for diagnostic and troubleshooting purposes only!

Note that DANE requires DNSSEC. Using this switch with `Test-DaneRecord`
will print a warning, and DNSSEC validation will occur normally

Limitations
While this module does its best to test the correctness of DNS records, it
cannot ensure the complete validity of everything. For example:
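
Review bot: The first sentence of the new "Disabling DNSSEC Validation" section names the switch `-DisableDnssecValidation`, while the man page SYNTAX blocks in this commit show `-DisableDnssecVerification` and list only `CD, DnssecCD, NoDnssec, DisableDnssec` as aliases, so the name in this topic matches neither the documented parameter nor any documented alias. The same sentence is missing its noun ("by specifying the ... switch"), "should only be used for diagnostic and troubleshooting purposes only" has a doubled "only", and the last sentence of the section lacks its closing period.
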
17 changes: 16 additions & 1 deletion man/en-US/Invoke-GooglePublicDnsApi.md
Expand Up @@ -13,7 +13,7 @@ Performs a DNS lookup against the Google Public DNS API.
## SYNTAX

```
Invoke-GooglePublicDnsApi [-InputObject] <String> [[-Type] <String>] [<CommonParameters>]
Invoke-GooglePublicDnsApi [-InputObject] <String> [[-Type] <String>] [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -61,6 +61,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
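
Review bot: The `-DisableDnssecVerification` description says the cmdlet "will not request authenticated data from the resolver", whereas the commit message says the switch "sets the CD flag on upstream queries". Those are different behaviours: CD (checking disabled) asks the resolver to skip validation and return the answer anyway, so a record that would fail validation is returned instead of an error. Since this is the cmdlet that talks to the resolver, suggest stating here exactly what is sent and that answers failing validation will be accepted while the switch is on. The same paragraph is repeated in the other man pages in this commit, where it also carries the doubled "only" ("should only be used ... purposes only").
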
17 changes: 16 additions & 1 deletion man/en-US/Test-AdspRecord.md
Expand Up @@ -13,7 +13,7 @@ Tests a domain's DKIM Author Domain Signing Practices record.
## SYNTAX

```
Test-AdspRecord [-DomainName] <String> [<CommonParameters>]
Test-AdspRecord [-DomainName] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -51,6 +51,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
17 changes: 16 additions & 1 deletion man/en-US/Test-BimiSelector.md
Expand Up @@ -13,7 +13,7 @@ Tests a domain's BIMI selector for correctness.
## SYNTAX

```
Test-BimiSelector [-DomainName] <String> [[-Name] <String>] [<CommonParameters>]
Test-BimiSelector [-DomainName] <String> [[-Name] <String>] [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -81,6 +81,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
2 changes: 2 additions & 0 deletions man/en-US/Test-DaneRecord.md
Expand Up @@ -82,6 +82,8 @@ This cmdlet does not generate pipeline output.
## NOTES
This cmdlet does not attempt to connect to the server and test that the DANE records are valid. It only tests them for correctness.
DNSSEC is a requirement for DANE; thus, DNSSEC validation cannot be disabled for this cmdlet.
## RELATED LINKS
[Test-MXRecord]()
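
Review bot: The added NOTES line says "DNSSEC validation cannot be disabled for this cmdlet", but the about topic added in this commit says that using the switch with `Test-DaneRecord` "will print a warning", which implies the cmdlet accepts it. This file gains only the NOTES line, with no SYNTAX or PARAMETERS entry. If the parameter exists here, document it and say that it is ignored with a warning; if it does not, reword the about topic.
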
17 changes: 16 additions & 1 deletion man/en-US/Test-DkimSelector.md
Expand Up @@ -13,7 +13,7 @@ Tests a DKIM selector for correctness and best practices.
## SYNTAX

```
Test-DkimSelector [-DomainName] <String> [-Name] <String> [<CommonParameters>]
Test-DkimSelector [-DomainName] <String> [-Name] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -73,6 +73,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
17 changes: 16 additions & 1 deletion man/en-US/Test-DmarcRecord.md
Expand Up @@ -13,7 +13,7 @@ Tests a domain's DMARC record.
## SYNTAX

```
Test-DmarcRecord [-DomainName] <String> [<CommonParameters>]
Test-DmarcRecord [-DomainName] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -51,6 +51,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
1 change: 1 addition & 0 deletions man/en-US/Test-IPVersions.md
Expand Up @@ -64,5 +64,6 @@ This cmdlet does not generate pipeline output.
This cmdlet merely tests to make sure DNS A and AAAA records exist. It does not test to make sure that these IP addresses are actually working. This is done because not all hosts running this cmdlet are guaranteed to have both IPv4 and IPv6 addresses (i.e., an IPv4-only network or a NAT64 network without CLAT).
## RELATED LINKS
[Test-MailPolicy](https://github.com/rhymeswithmogul/MailPolicyExplainer/blob/main/man/en-US/Test-MailPolicy.md)
[about_MailPolicyExplainer](https://github.com/rhymeswithmogul/MailPolicyExplainer/blob/main/en-US/about_MailPolicyExplainer.help.txt)
17 changes: 16 additions & 1 deletion man/en-US/Test-MXRecord.md
Expand Up @@ -13,7 +13,7 @@ Tests a domain's MX records.
## SYNTAX

```
Test-MXRecord [-DomainName] <String> [<CommonParameters>]
Test-MXRecord [-DomainName] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -47,6 +47,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
17 changes: 16 additions & 1 deletion man/en-US/Test-MailPolicy.md
Expand Up @@ -14,7 +14,7 @@ Tests all email-related DNS records for a domain.

```
Test-MailPolicy [-DomainName] <String> [-CountSpfDnsLookups] [-DkimSelectorsToCheck <String[]>]
[-BimiSelectorsToCheck <String[]>] [<CommonParameters>]
[-BimiSelectorsToCheck <String[]>] [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -112,6 +112,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```

### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!

```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
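
Review bot: Missing from the new `-DisableDnssecVerification` description is what happens to DANE: this cmdlet "tests all email-related DNS records for a domain", and the commit message says the switch is ignored when checking DANE records. If `Test-MailPolicy` runs the DANE checks, add one sentence here saying that they are still validated with DNSSEC when the switch is passed, so the user knows which parts of the output are unauthenticated.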

17 changes: 16 additions & 1 deletion man/en-US/Test-MtaStsPolicy.md
Expand Up @@ -13,7 +13,7 @@ Fetches and checks a domain's MTA-STS record and policy.
## SYNTAX

```
Test-MtaStsPolicy [-DomainName] <String> [<CommonParameters>]
Test-MtaStsPolicy [-DomainName] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -53,6 +53,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
17 changes: 16 additions & 1 deletion man/en-US/Test-SmtpTlsReportingPolicy.md
Expand Up @@ -13,7 +13,7 @@ Tests a domain's SMTP TLS reporting policy.
## SYNTAX

```
Test-SmtpTlsReportingPolicy [-DomainName] <String> [<CommonParameters>]
Test-SmtpTlsReportingPolicy [-DomainName] <String> [-DisableDnssecVerification] [<CommonParameters>]
```

## DESCRIPTION
Expand Down Expand Up @@ -47,6 +47,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
20 changes: 19 additions & 1 deletion man/en-US/Test-SpfRecord.md
Expand Up @@ -13,7 +13,8 @@ Tests and explains a domain's SPF record.
## SYNTAX

```
Test-SpfRecord [-DomainName] <String> [-CountDnsLookups] [<CommonParameters>]
Test-SpfRecord [-DomainName] <String> [-CountDnsLookups] [-DisableDnssecVerification]
[-Recursions <PSReference>] [-DnsLookups <PSReference>] [<CommonParameters>]
```

## DESCRIPTION
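
Review bot: The SYNTAX line now also shows `[-Recursions <PSReference>] [-DnsLookups <PSReference>]`, which the commit message does not mention and which are unrelated to the DNSSEC switch; the hunks shown for this file add a PARAMETERS entry only for `-DisableDnssecVerification`. If these are internal by-reference counters, consider keeping them out of the public syntax; if they are meant to be user-facing, they need their own PARAMETERS entries, and the change is better split into a separate commit.
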
Expand Down Expand Up @@ -77,6 +78,21 @@ Accept pipeline input: False
Accept wildcard characters: False
```
### -DisableDnssecVerification
Disable DNSSEC validation. This cmdlet will not request authenticated data from the resolver; thus, DNSSEC validation of resource records will not occur, nor will the user be informed about unauthenticated denial of existence of DNS records. Using this switch is NOT RECOMMENDED for production use and should only be used for diagnostic and troubleshooting purposes only!
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases: CD, DnssecCD, NoDnssec, DisableDnssec

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
Expand All @@ -90,6 +106,8 @@ This cmdlet does not accept pipeline input.
### System.Void
This cmdlet does not generate pipeline output.
## NOTES
## RELATED LINKS
[Test-DkimSelector]()