suggestions from @ghostwheel42

2025-11-23 22:04:47 +02:00 · 2021-09-05 18:49:07 +02:00
parent 9888efe55d
commit 0f0459e9b2
1 changed files with 8 additions and 2 deletions
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@@ -47,7 +47,7 @@ resolver.flags = dns.flags.AD | dns.flags.RD
 def has_dane_record(domain, timeout=10):
    try:
        result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
-        if (result.response.flags & dns.flags.AD) == dns.flags.AD:
+        if result.response.flags & dns.flags.AD):
            for record in result:
                if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
                    record.validate()
@@ -57,8 +57,14 @@ def has_dane_record(domain, timeout=10):
        # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
        # we will receive this non-specific exception. The safe behaviour is to
        # accept to defer the email.
+        flask.current_app.logger.warn(f'Unable to lookup the TLSA record for {domain}. Is the DNSSEC zone okay on https://dnsviz.net/d/{domain}/dnssec/?')
        return app.config['DEFER_ON_TLS_ERROR']
-    except:
+    except dns.exception.Timeout:
+        flask.current_app.logger.warn(f'Timeout while resolving the TLSA record for {domain} ({timeout}s).')
+    except dns.resolver.NXDOMAIN:
+        pass # this is expected, not TLSA record is fine
+    except Exception as e:
+        flask.current_app.logger.error(f'Error while looking up the TLSA record for {domain} {e}')
        pass

 # Rate limiter