Clean up DANE/resolver integration

Author: mxsasha

checks/categories.py

@@ -1470,7 +1470,7 @@ def result_not_trusted(self):
     def result_not_in_cert(self):
         self._status(STATUS_SUCCESS)
         self.verdict = "detail web tls ocsp-stapling verdict not-in-cert"
-        self.tech_data = "detail tech data not-in-cert"
+        self.tech_data = "detail tech data not-applicable"
 
 
 class WebTlsKexHashFunc(Subtest):

checks/tasks/dnssec.py

@@ -328,12 +328,12 @@ def do_mail_is_secure(self, mailservers, url, *args, **kwargs):
     try:
         mx_status = shared.get_mail_servers_mxstatus(mailservers)
         if mx_status != MxStatus.has_mx:
-            mailservers = [(url, None, mx_status)]
+            mailservers = [(url, mx_status)]
         else:
-            mailservers.insert(0, (url, None, mx_status))
+            mailservers.insert(0, (url, mx_status))
 
         res = OrderedDict()
-        for domain, _, mx_status in mailservers:
+        for domain, mx_status in mailservers:
             if domain != "":
                 res[domain] = dnssec_status(
                     domain,
@@ -346,7 +346,7 @@ def do_mail_is_secure(self, mailservers, url, *args, **kwargs):
 
     except SoftTimeLimitExceeded:
         log.debug("Soft time limit exceeded.")
-        for domain, _, mx_status in mailservers:
+        for domain, mx_status in mailservers:
             if domain != "" and not res.get(domain):
                 res[domain] = dict(
                     status=DnssecStatus.dnserror.value,

checks/tasks/ipv6.py

@@ -394,7 +394,7 @@ def do_mx(self, url, *args, **kwargs):
         if mx_status != MxStatus.has_mx:
             mailservers = []
 
-        for mailserver, _, _ in mailservers:
+        for mailserver, _ in mailservers:
             # Check if we already have cached results.
             cache_id = redis_id.mail_ipv6.id.format(mailserver)
             cache_ttl = redis_id.mail_ipv6.ttl

checks/tasks/shared.py

@@ -1,6 +1,5 @@
 # Copyright: 2022, ECP, NLnet Labs and the Internet.nl contributors
 # SPDX-License-Identifier: Apache-2.0
-import binascii
 import re
 import socket
 from collections import defaultdict
@@ -11,19 +10,15 @@
 
 import dns
 from dns.exception import DNSException
-from dns.rdatatype import RdataType
-from dns.resolver import NXDOMAIN, NoAnswer, NoNameservers, LifetimeTimeout
+from dns.resolver import LifetimeTimeout, NXDOMAIN, NoAnswer, NoNameservers
 
 from checks.models import MxStatus
 from checks.resolver import (
     dns_resolve_spf,
     dns_resolve_a,
     dns_resolve_aaaa,
-    DNSSECStatus,
-    dns_resolve_tlsa,
     dns_resolve_ns,
     dns_resolve_mx,
-    dns_resolve,
 )
 from checks.tasks.spf_parser import parse as spf_parse
 from checks.scoring import ORDERED_STATUSES, STATUS_MAX
@@ -131,8 +126,8 @@ def batch_resolve_ns(self, qname, *args, **kwargs):
 
 def do_mail_get_servers(self, url, *args, **kwargs):
     """
-    Resolve the domain's mailservers and TLSA records.
-    Returns [mailserver, dane_data, MxStatus].
+    Resolve the domain's mailservers.
+    Returns [mailserver, MxStatus].
 
     """
     mailservers = []
@@ -146,19 +141,18 @@ def do_mail_get_servers(self, url, *args, **kwargs):
         if is_null_mx:
             if len(mxlist) > 1:
                 # Invalid NULL MX next to other MX.
-                return [(None, None, MxStatus.null_mx_with_other_mx)]
+                return [(None, MxStatus.null_mx_with_other_mx)]
             elif not do_resolve_single_a_aaaa(url):
                 return [(None, None, MxStatus.null_mx_without_a_aaaa)]
-            return [(None, None, MxStatus.null_mx)]
+            return [(None, MxStatus.null_mx)]
 
         rdata = rdata.lower().strip()
         if rdata == "":
             rdata = "."
         elif re.match(MX_LOCALHOST_RE, rdata):
             # Ignore "localhost".
             continue
-        dane_cb_data = resolve_dane(25, rdata)
-        mailservers.append((rdata, dane_cb_data, MxStatus.has_mx))
+        mailservers.append((rdata, MxStatus.has_mx))
 
     if not mailservers:
         if do_resolve_single_a_aaaa(url):
@@ -167,10 +161,10 @@ def do_mail_get_servers(self, url, *args, **kwargs):
                 if spf_data:
                     spf_parsed = spf_parse(spf_data)
                     if spf_parsed.get("terms", []) == ["-all"]:
-                        return [(None, None, MxStatus.no_null_mx)]
+                        return [(None, MxStatus.no_null_mx)]
             except DNSException:
                 pass
-        return [(None, None, MxStatus.no_mx)]
+        return [(None, MxStatus.no_mx)]
 
     # Sort the mailservers on their name so that the same ones are tested for
     # all related tests.
@@ -179,7 +173,7 @@ def do_mail_get_servers(self, url, *args, **kwargs):
 
 
 def get_mail_servers_mxstatus(mailservers):
-    return mailservers[0][2]
+    return mailservers[0][1]
 
 
 def do_resolve_single_a_aaaa(qname):
@@ -224,7 +218,7 @@ def do_resolve_mx_ips(self, url, *args, **kwargs):
     """
     mx_ips_pairs = []
 
-    for mx_name, _, status in do_mail_get_servers(self, url, *args, **kwargs):
+    for mx_name, status in do_mail_get_servers(self, url, *args, **kwargs):
         if status is not MxStatus.has_mx:
             continue
 
@@ -267,28 +261,6 @@ def do_resolve_ns_ips(qname):
             raise Exception(f"resolver failed on ns_name: {ns_name=} {ns_list=} {qname=} {ve=}")
 
 
-def resolve_dane(port, dname, check_nxdomain=False):
-    # Due to its complex use, the API of this call is backwards compatible
-    qname = f"_{port}._tcp.{dname}"
-    try:
-        if check_nxdomain:
-            rrset, dnssec_status = dns_resolve(qname, RdataType.A)
-            data = [rr.address for rr in rrset]
-        else:
-            rrset, dnssec_status = dns_resolve_tlsa(qname)
-            data = [(rr.usage, rr.selector, rr.mtype, binascii.hexlify(rr.cert).decode("ascii")) for rr in rrset]
-    except NXDOMAIN:
-        return {"nxdomain": True}
-    except (NoNameservers, NoAnswer, NoNameservers, LifetimeTimeout, dns.name.EmptyLabel):
-        data = None
-        dnssec_status = None
-    return {
-        "data": data,
-        "bogus": dnssec_status == DNSSECStatus.BOGUS,
-        "secure": dnssec_status == DNSSECStatus.SECURE,
-    }
-
-
 def results_per_domain(results):
     """
     Results contain data per test per domain (or IP).