@blamejs/core 0.12.47 → 0.12.49

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.49 (2026-05-25) — **`b.network.dns.dnssec.verifyDenial` — NSEC / NSEC3 denial-of-existence.** Prove a DNS name does not exist, or has no records of a given type, from the signed NSEC (RFC 4034 §4) or NSEC3 (RFC 5155) records a server returns. This is the other half of local DNSSEC verification: verifyRrset proves a positive answer, verifyDenial proves a negative — so a resolver client can confirm an NXDOMAIN / NODATA itself instead of trusting the upstream resolver. NSEC3 proofs run the closest-encloser / next-closer / covering-range logic over iterated-SHA-1 hashes, with the iteration count capped (default 500) to bound the work an attacker can force, and an Opt-Out NXDOMAIN refused unless explicitly accepted (opt-out only proves 'no signed records', not non-existence). The companion b.network.dns.dnssec.nsec3Hash computes the RFC 5155 §5 hash directly. NSEC verifyRrset support is also enabled: per RFC 6840 §5.1 the NSEC Next Domain Name is not downcased, so its RDATA is verbatim-canonical. **Added:** *`b.network.dns.dnssec.verifyDenial(opts)`* — Proves NXDOMAIN or NODATA from already-verified NSEC / NSEC3 records (supply one of `opts.nsec3` or `opts.nsec`). Like `verifyDs`, it checks the denial RELATION — closest-encloser matching, covering ranges, and type-bitmap absence — not the record signatures, which the caller verifies with `verifyRrset` first. NSEC3 supports name-error proofs (matching closest encloser + covered next-closer + covered wildcard), NODATA (matching record with the type and CNAME absent from the bitmap), Opt-Out DS NODATA, and wildcard NODATA. The iterated-SHA-1 count is capped by `opts.maxIterations` (default 500); an NXDOMAIN proof that depends on an Opt-Out NSEC3 is refused unless `opts.allowOptOut` is set. NSEC supports covering-name NXDOMAIN (with the source-of-synthesis wildcard) and matching-name NODATA. Verified end-to-end against a live iana.org NXDOMAIN proof. · *`b.network.dns.dnssec.nsec3Hash(name, opts)`* — Computes the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the canonical (lowercased, root-terminated) wire form with the zone salt. The base32hex encoding of the result is the NSEC3 owner label. SHA-1 is the only hash IANA registers for NSEC3, so this is a wire-protocol constant rather than a cryptographic default. Useful for checking an owner label or analyzing a zone's hashing parameters. **Changed:** *`verifyRrset` now accepts NSEC and NSEC3 RRsets* — NSEC (type 47) and NSEC3 (type 50) are no longer refused as uncanonicalizable: NSEC3's next-owner is a hash, and per RFC 6840 §5.1 the NSEC Next Domain Name field is not downcased for DNSSEC canonical form, so both RDATAs are verbatim-canonical. This lets a caller verify the signatures on the records that `verifyDenial` then reasons over.
+
+- v0.12.48 (2026-05-25) — **`b.network.dns.dnssec` — local DNSSEC signature verification (RFC 4035).** Verify a DNS answer's RRSIG signature yourself instead of trusting the upstream resolver's AD bit. b.network.dns.dnssec.verifyRrset reconstructs the RFC 4034 §3.1.8.1 signed data — the RRSIG RDATA without the signature, followed by the RRset in canonical form (owner names lowercased, RRs ordered by canonical RDATA, the RRSIG's Original TTL) — and checks the signature against the DNSKEY, enforcing the inception / expiration window. Supports RSA/SHA-256 (alg 8), ECDSA P-256/SHA-256 (13), ECDSA P-384/SHA-384 (14), and Ed25519 (15) — the modern deployed set. verifyDs checks a delegation-signer digest against a DNSKEY (SHA-256 / SHA-384) and keyTag computes the RFC 4034 Appendix B key tag. The verification core is what a chain-walker composes; it defends against a compromised or on-path resolver that lies about authentication. **Added:** *`b.network.dns.dnssec.verifyRrset(opts)`* — Verifies an RRSIG over a canonicalised RRset against a DNSKEY. `opts` carries the owner `name`, the RR `type`, the wire-format `rdatas`, the parsed `rrsig` (algorithm / labels / originalTtl / inception / expiration / keyTag / signerName / signature), and the `dnskey` (algorithm + raw public key). The signed data is rebuilt per RFC 4034 §3.1.8.1: the RRSIG prefix (type covered | algorithm | labels | original TTL | expiration | inception | key tag | canonical signer name) followed by each RR in canonical form (lowercased owner | type | class | original TTL | rdlen | rdata), sorted by `Buffer.compare` on the RDATA. The validity window is enforced against `opts.at` (defaults to now; an invalid Date is refused, not treated as now). An RRSIG whose algorithm disagrees with the DNSKEY is refused before any key is built. RR types that embed domain names in their RDATA (NS, CNAME, SOA, MX, SRV, …) need RDATA-internal name-lowercasing this version does not perform, so they are refused with `dnssec/uncanonicalizable-type` rather than mis-validated; the security-critical DNSKEY / DS and the name-free address / text types (A, AAAA, TXT, CAA, TLSA, …) are fully supported. · *`b.network.dns.dnssec.verifyDs(opts)` / `b.network.dns.dnssec.keyTag(dnskeyRdata)`* — `verifyDs` confirms a delegation-signer record matches a DNSKEY: it checks the key tag, then compares the DS digest (SHA-256 type 2 / SHA-384 type 4) against the digest computed over the canonical owner name and the DNSKEY RDATA, constant-time. `keyTag` computes the RFC 4034 Appendix B 16-bit key tag from a DNSKEY's full RDATA — the identifier an RRSIG or DS uses to select the signing key. Together with `verifyRrset` these are the per-RRset building blocks a recursive chain-walk (root → TLD → zone) composes; the chain-walk itself, NSEC / NSEC3 denial-of-existence, and the bundled IANA root trust anchor are not part of this core.
+
 - v0.12.47 (2026-05-25) — **`b.cose.mac0` / `b.cose.macVerify0` — COSE_Mac0 (RFC 9052 §6.2).** Completes the COSE message-type set (COSE_Sign1 / COSE_Encrypt0 / COSE_Mac0) with single shared-key MACs. b.cose.mac0 produces a tagged COSE_Mac0 over a payload using HMAC-SHA-256/384/512 (the COSE-standard MAC algorithms; HMAC is symmetric, so its post-quantum strength is preserved). b.cose.macVerify0 recomputes the tag over the MAC_structure and compares it in constant time, with a mandatory algorithm allowlist. Use when both parties hold a shared key — e.g. an ECDH-derived key — and a non-repudiable signature is not wanted; detached payloads are supported (the proximity mdoc device-MAC variant and MACed CWTs are the consumers). Composes b.cbor + the framework's constant-time compare; no new runtime dependency. **Added:** *`b.cose.mac0(payload, opts)` / `b.cose.macVerify0(coseMac0, opts)`* — `mac0` emits a tagged COSE_Mac0 (tag 17) with `alg` (`HMAC-256/256` | `HMAC-384/384` | `HMAC-512/512`) in the protected header and the HMAC tag computed over the MAC_structure `["MAC0", protected, external_aad, payload]`; `detached: true` emits a nil payload. `macVerify0` reads the algorithm from the protected header (must be in the required `opts.algorithms` allowlist), recomputes the tag, and compares it constant-time — a wrong key, tampered tag, or `external_aad` mismatch is refused with `cose/bad-tag`; a detached payload is supplied via `opts.externalPayload`. `external_aad` binds context into the tag.
 
 - v0.12.46 (2026-05-25) — **`b.mdoc.verifyDeviceAuth` — ISO 18013-5 mdoc device authentication.** Completes mdoc verification with the holder-binding half (ISO 18013-5 §9.1.3, signature variant). verifyIssuerSigned proves the data is issuer-signed; verifyDeviceAuth proves the presenter controls the device key the issuer bound into the MSO, so a captured issuer-signed document cannot be replayed by anyone else. The device's COSE_Sign1 (deviceSigned.deviceAuth.deviceSignature) is verified over the detached DeviceAuthentication structure ["DeviceAuthentication", SessionTranscript, DocType, DeviceNameSpacesBytes] using the device key from verifyIssuerSigned().deviceKey (now surfaced) and the operator-supplied SessionTranscript that binds the proof to this exact exchange (the presentation protocol — e.g. OpenID4VP — defines the transcript). Composes the v0.12.45 b.cose detached-payload verify + importKey. The MAC variant (deviceMac / COSE_Mac0, used in proximity flows with a reader ephemeral key) is deferred and refused with mdoc/device-mac-unsupported. No new runtime dependency. **Added:** *`b.mdoc.verifyDeviceAuth(opts)` + `deviceKey` on the verifyIssuerSigned result* — `verifyDeviceAuth({ deviceKey, deviceSigned, docType, sessionTranscript, algorithms })` imports the device key (a COSE_Key via `b.cose.importKey`, or a KeyObject), reconstructs the detached `DeviceAuthentication` payload, and verifies the `deviceSignature` COSE_Sign1 against the mandatory algorithm allowlist — a mismatched `sessionTranscript` or `docType` fails the signature. `verifyIssuerSigned` now returns `deviceKey` (the MSO `deviceKeyInfo.deviceKey`) so the two checks chain. The MAC variant (`deviceMac`) is refused with `mdoc/device-mac-unsupported` pending COSE_Mac0 + reader-key support.

package/README.md

@@ -120,7 +120,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
   - In-process CIDR fence (`b.middleware.networkAllowlist`)
   - `Cache-Control: no-store` on every 401 from `requireAuth` / `requireAal` / `requireStepUp` per RFC 9111 §5.2.2.5
 - **Outbound HTTP client** — HTTP/1.1 + HTTP/2 with SSRF gate (cloud-metadata IPs hard-denied; private / loopback / link-local overridable per call); scheme + userinfo + per-host destination allowlist; redirects, multipart, interceptors, progress, encrypted cookie jar (`b.httpClient`, `b.ssrfGuard`, `b.safeUrl`)
-- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
+- **Network configurability (`b.network`)** — env-driven NTP / NTS (RFC 8915), IPv4/IPv6 NTP, DNS with IPv6 / DoH / DoT (private-CA pinning) / cache / lookup timeout; local DNSSEC signature verification (RFC 4035 — `b.network.dns.dnssec.verifyRrset` over a canonicalised RRset against RSA / ECDSA P-256·P-384 / Ed25519 DNSKEYs, plus DS-digest + key-tag, plus `verifyDenial` for NSEC / NSEC3 (RFC 5155) NXDOMAIN / NODATA proofs with iteration caps + Opt-Out handling) so a resolver client can verify both positive and negative answers instead of trusting the upstream AD bit; outbound HTTP proxy (`HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY`); runtime DPI trust-store CA additions; application-level heartbeats; TCP socket defaults
 - **Error pages** — operator-rendered, no app-frame leakage (`b.errorPage`)
 ### Defensive parsers
 

package/lib/network-dnssec.js

@@ -0,0 +1,732 @@
+"use strict";
+/**
+ * @module b.network.dns.dnssec
+ * @nav    Network
+ * @title  DNSSEC validation
+ *
+ * @intro
+ *   Local DNSSEC signature verification (RFC 4033–4035 / 6605 / 8080) —
+ *   the cryptographic core that lets a resolver client verify a DNS
+ *   answer itself instead of trusting the upstream resolver's AD bit.
+ *   <code>b.network.dns.resolver</code> checks the AD flag; this module
+ *   verifies the actual RRSIG signature over the canonicalised RRset,
+ *   defending against a compromised or on-path resolver.
+ *
+ *   <code>verifyRrset</code> reconstructs the RFC 4034 §3.1.8.1 signed
+ *   data (the RRSIG RDATA without the signature, followed by the RRset
+ *   in canonical form — owner names lowercased, RRs ordered by canonical
+ *   RDATA, the RRSIG's Original TTL) and verifies it with the DNSKEY,
+ *   enforcing the signature's inception / expiration window. The DNSKEY
+ *   algorithms are RSA/SHA-256 (8), ECDSA P-256/SHA-256 (13), ECDSA
+ *   P-384/SHA-384 (14), and Ed25519 (15) — the modern, deployed set.
+ *   <code>verifyDs</code> checks a delegation-signer digest against a
+ *   DNSKEY (SHA-256 / SHA-384), and <code>keyTag</code> computes the
+ *   RFC 4034 Appendix B key tag.
+ *
+ *   <strong>Scope.</strong> This is the verification core. RR types that
+ *   carry domain names in their RDATA (NS, CNAME, SOA, MX, SRV, …) need
+ *   name-lowercasing inside the RDATA (RFC 4034 §6.2) that this version
+ *   does not perform, so they are refused with
+ *   <code>dnssec/uncanonicalizable-type</code> rather than mis-validated
+ *   — the security-critical DNSKEY / DS and the name-free address /
+ *   text types (A, AAAA, TXT, …) are fully supported. The recursive
+ *   chain-walk (root → TLD → zone), NSEC / NSEC3 denial-of-existence,
+ *   and the IANA root trust-anchor bundle are deferred: these primitives
+ *   are the per-RRset building blocks a chain-walker composes.
+ *
+ * @card
+ *   Local DNSSEC verification (RFC 4035) — verify an RRSIG over a
+ *   canonicalised RRset against a DNSKEY (RSA / ECDSA P-256·P-384 /
+ *   Ed25519), plus DS-digest + key-tag. Don't trust the upstream AD bit;
+ *   verify the signature. Name-bearing RR types are refused, not
+ *   mis-validated; chain-walk + NSEC3 deferred.
+ */
+
+var nodeCrypto = require("node:crypto");
+var bCrypto = require("./crypto");
+var validateOpts = require("./validate-opts");
+var { defineClass } = require("./framework-error");
+
+var DnssecError = defineClass("DnssecError", { alwaysPermanent: true });
+
+// DNSSEC algorithm numbers (IANA DNSSEC Algorithm Numbers) → verify params.
+var ALGS = {
+  8:  { name: "RSASHA256",        kind: "rsa",   hash: "sha256" },                          // allow:raw-byte-literal — IANA DNSSEC algorithm number
+  13: { name: "ECDSAP256SHA256",  kind: "ec",    hash: "sha256", crv: "P-256", coord: 32 },   // allow:raw-byte-literal — P-256 coordinate size
+  14: { name: "ECDSAP384SHA384",  kind: "ec",    hash: "sha384", crv: "P-384", coord: 48 },   // allow:raw-byte-literal — P-384 coordinate size
+  15: { name: "ED25519",          kind: "okp",   hash: null,     crv: "Ed25519" },
+};
+
+// DS digest algorithms (IANA) → node hash.
+var DS_DIGESTS = { 2: "sha256", 4: "sha384" };
+
+// RR types whose RDATA contains NO embedded domain name that needs
+// downcasing, so the wire RDATA is already in canonical form (RFC 4034
+// §6.2 needs no rewrite). Name-bearing types are refused rather than
+// silently mis-canonicalised. NSEC (47) is included because RFC 6840
+// §5.1 corrected RFC 4034 §6.2: the NSEC Next Domain Name field is NOT
+// downcased for DNSSEC canonical form, so its uncompressed RDATA is
+// verbatim-canonical. NSEC3 (50) carries a hashed next-owner, not a name.
+// (type numbers IANA): A 1, AAAA 28, TXT 16, DNSKEY 48, DS 43, CAA 257,
+// TLSA 52, SSHFP 44, HINFO 13, CDS 59, CDNSKEY 60, OPENPGPKEY 61, SMIMEA
+// 53, NSEC 47, NSEC3 50.
+var NAME_FREE_TYPE_NUMS = [1, 28, 16, 48, 43, 257, 52, 44, 13, 59, 60, 61, 53, 47, 50];  // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers (no downcased embedded names)
+var TYPE_NUM = {
+  A: 1, NS: 2, CNAME: 5, SOA: 6, PTR: 12, MX: 15, TXT: 16, AAAA: 28, SRV: 33,
+  DS: 43, SSHFP: 44, RRSIG: 46, NSEC: 47, DNSKEY: 48, NSEC3: 50, TLSA: 52,            // allow:raw-byte-literal allow:raw-time-literal — IANA DNS type numbers
+  SMIMEA: 53, CDS: 59, CDNSKEY: 60, OPENPGPKEY: 61, CAA: 257, HINFO: 13,
+};
+
+function _bytes(x, what) {
+  if (Buffer.isBuffer(x)) return x;
+  if (x instanceof Uint8Array) return Buffer.from(x);
+  throw new DnssecError("dnssec/bad-bytes", "dnssec: " + what + " must be a Buffer");
+}
+
+// Canonical wire form of a domain name (RFC 4034 §6.2): each label
+// length-prefixed, ASCII lowercased, terminated by the root label.
+function _canonicalName(name) {
+  if (typeof name !== "string") throw new DnssecError("dnssec/bad-name", "dnssec: name must be a string");
+  var n = name.replace(/\.$/, "");
+  if (n === "") return Buffer.from([0]);
+  var labels = n.split(".");
+  var parts = [];
+  for (var i = 0; i < labels.length; i++) {
+    var lab = Buffer.from(labels[i].toLowerCase(), "ascii");
+    if (lab.length === 0 || lab.length > 63) {                                          // allow:raw-byte-literal — DNS label length cap (RFC 1035)
+      throw new DnssecError("dnssec/bad-name", "dnssec: invalid label in '" + name + "'");
+    }
+    parts.push(Buffer.from([lab.length]), lab);
+  }
+  parts.push(Buffer.from([0]));
+  return Buffer.concat(parts);
+}
+
+function _u16(n) { return Buffer.from([(n >> 8) & 0xff, n & 0xff]); }                    // allow:raw-byte-literal — 16-bit big-endian split
+function _u32(n) {
+  var b = Buffer.alloc(4);
+  b.writeUInt32BE(n >>> 0, 0);
+  return b;
+}
+function _typeNumber(type) {
+  if (typeof type === "number") return type;
+  var t = TYPE_NUM[String(type).toUpperCase()];
+  if (t === undefined) throw new DnssecError("dnssec/unknown-type", "dnssec: unknown RR type '" + type + "'");
+  return t;
+}
+
+// DNSKEY public-key RDATA → JWK (kty/crv allowlisted; RFC 3110 RSA,
+// RFC 6605 ECDSA, RFC 8080 Ed25519). publicKey is the key bytes after
+// the DNSKEY flags/protocol/algorithm fields.
+function _dnskeyToKey(algId, publicKey) {
+  var alg = ALGS[algId];
+  if (!alg) throw new DnssecError("dnssec/unsupported-alg", "dnssec: unsupported DNSKEY algorithm " + algId);
+  var pk = _bytes(publicKey, "dnskey publicKey");
+  if (alg.kind === "rsa") {
+    // RFC 3110: exponent length is 1 byte, or (if that byte is 0) the
+    // next 2 bytes; then exponent, then modulus.
+    var off = 0, explen = pk[0];
+    off = 1;
+    if (explen === 0) { explen = (pk[1] << 8) | pk[2]; off = 3; }                        // allow:raw-byte-literal — RFC 3110 3-byte exponent length
+    if (explen === 0 || off + explen >= pk.length) {
+      throw new DnssecError("dnssec/bad-key", "dnssec: malformed RSA DNSKEY public key");
+    }
+    var exponent = pk.slice(off, off + explen);
+    var modulus = pk.slice(off + explen);
+    return _jwkKey({ kty: "RSA", n: modulus.toString("base64url"), e: exponent.toString("base64url") });
+  }
+  if (alg.kind === "ec") {
+    if (pk.length !== alg.coord * 2) {
+      throw new DnssecError("dnssec/bad-key", "dnssec: " + alg.crv + " key must be " + (alg.coord * 2) + " bytes (x||y)");
+    }
+    return _jwkKey({ kty: "EC", crv: alg.crv, x: pk.slice(0, alg.coord).toString("base64url"), y: pk.slice(alg.coord).toString("base64url") });
+  }
+  // Ed25519
+  if (pk.length !== 32) throw new DnssecError("dnssec/bad-key", "dnssec: Ed25519 key must be 32 bytes");   // allow:raw-byte-literal — Ed25519 key size
+  return _jwkKey({ kty: "OKP", crv: "Ed25519", x: pk.toString("base64url") });
+}
+function _jwkKey(jwk) {
+  try { return nodeCrypto.createPublicKey({ key: jwk, format: "jwk" }); }
+  catch (e) { throw new DnssecError("dnssec/bad-key", "dnssec: could not import DNSKEY: " + ((e && e.message) || e)); }
+}
+
+/**
+ * @primitive b.network.dns.dnssec.keyTag
+ * @signature b.network.dns.dnssec.keyTag(dnskeyRdata)
+ * @since     0.12.48
+ * @status    stable
+ * @related   b.network.dns.dnssec.verifyDs, b.network.dns.dnssec.verifyRrset
+ *
+ * Compute the RFC 4034 Appendix B key tag of a DNSKEY from its full
+ * RDATA (flags || protocol || algorithm || public key) — the 16-bit
+ * identifier an RRSIG / DS references to select the signing key.
+ *
+ * @example
+ *   var tag = b.network.dns.dnssec.keyTag(dnskeyRdata);
+ */
+function keyTag(dnskeyRdata) {
+  var rd = _bytes(dnskeyRdata, "dnskeyRdata");
+  var acc = 0;
+  for (var i = 0; i < rd.length; i++) {
+    acc += (i & 1) ? rd[i] : (rd[i] << 8);                                               // allow:raw-byte-literal — RFC 4034 App B key-tag accumulation
+  }
+  acc += (acc >> 16) & 0xffff;                                                           // allow:raw-byte-literal — App B fold
+  return acc & 0xffff;                                                                   // allow:raw-byte-literal — App B 16-bit tag
+}
+
+/**
+ * @primitive b.network.dns.dnssec.verifyDs
+ * @signature b.network.dns.dnssec.verifyDs(opts)
+ * @since     0.12.48
+ * @status    stable
+ * @related   b.network.dns.dnssec.verifyRrset
+ *
+ * Verify a DS (Delegation Signer) record against a child DNSKEY — the
+ * link that lets a parent zone vouch for a child's key. The DS digest
+ * (SHA-256 / SHA-384) is recomputed over the owner name plus the DNSKEY
+ * RDATA and compared to the DS, with the key tag and algorithm checked.
+ *
+ * @opts
+ *   {
+ *     ownerName:    string,   // the child zone name (the DNSKEY owner)
+ *     dnskeyRdata:  Buffer,   // full DNSKEY RDATA (flags||protocol||alg||publicKey)
+ *     ds: { keyTag, algorithm, digestType, digest: Buffer },  // the parent DS
+ *   }
+ *
+ * @example
+ *   b.network.dns.dnssec.verifyDs({ ownerName: "example.com", dnskeyRdata: ksk, ds: parentDs });
+ */
+function verifyDs(opts) {
+  validateOpts.requireObject(opts, "dnssec.verifyDs", DnssecError);
+  validateOpts(opts, ["ownerName", "dnskeyRdata", "ds"], "dnssec.verifyDs");
+  var ds = opts.ds;
+  if (!ds || typeof ds !== "object") throw new DnssecError("dnssec/bad-ds", "dnssec.verifyDs: opts.ds is required");
+  var hashName = DS_DIGESTS[ds.digestType];
+  if (!hashName) throw new DnssecError("dnssec/unsupported-digest", "dnssec.verifyDs: unsupported DS digest type " + ds.digestType);
+  var rd = _bytes(opts.dnskeyRdata, "dnskeyRdata");
+  if (keyTag(rd) !== ds.keyTag) {
+    throw new DnssecError("dnssec/keytag-mismatch", "dnssec.verifyDs: DNSKEY key tag does not match the DS");
+  }
+  var digestInput = Buffer.concat([_canonicalName(opts.ownerName), rd]);
+  var expected = nodeCrypto.createHash(hashName).update(digestInput).digest();
+  var actual = _bytes(ds.digest, "ds.digest");
+  if (!bCrypto.timingSafeEqual(expected, actual)) {
+    throw new DnssecError("dnssec/ds-mismatch", "dnssec.verifyDs: DS digest does not match the DNSKEY");
+  }
+  return { ok: true, keyTag: ds.keyTag, digestType: ds.digestType };
+}
+
+/**
+ * @primitive b.network.dns.dnssec.verifyRrset
+ * @signature b.network.dns.dnssec.verifyRrset(opts)
+ * @since     0.12.48
+ * @status    stable
+ * @compliance soc2
+ * @related   b.network.dns.dnssec.verifyDs, b.network.dns.resolver.create
+ *
+ * Verify an RRSIG over an RRset against a DNSKEY (RFC 4035 §5.3). The
+ * signed data is reconstructed in canonical form — the RRSIG RDATA
+ * without the signature, then the RRset's records ordered by canonical
+ * RDATA with the RRSIG Original TTL — and the signature is verified with
+ * the DNSKEY (RSA/SHA-256, ECDSA P-256/384, Ed25519). The signature's
+ * inception / expiration window is enforced against <code>opts.at</code>.
+ * RR types carrying embedded domain names are refused
+ * (<code>dnssec/uncanonicalizable-type</code>) rather than mis-validated.
+ *
+ * @opts
+ *   {
+ *     name:    string,    // owner name of the RRset
+ *     type:    string|number, // RR type (e.g. "DNSKEY", "A")
+ *     class?:  number,    // default 1 (IN)
+ *     rdatas:  Buffer[],  // each record's wire-format RDATA
+ *     rrsig: {            // the RRSIG covering the RRset
+ *       algorithm, labels, originalTtl, expiration, inception, keyTag,
+ *       signerName: string, signature: Buffer,
+ *     },
+ *     dnskey: { algorithm, publicKey: Buffer },  // the signing DNSKEY (publicKey = bytes after flags/proto/alg)
+ *     at?:     Date,      // validity instant (default now); must be a valid Date
+ *   }
+ *
+ * @example
+ *   b.network.dns.dnssec.verifyRrset({ name: "example.com", type: "DNSKEY", rdatas: keys, rrsig: sig, dnskey: ksk });
+ */
+function verifyRrset(opts) {
+  validateOpts.requireObject(opts, "dnssec.verifyRrset", DnssecError);
+  validateOpts(opts, ["name", "type", "class", "rdatas", "rrsig", "dnskey", "at"], "dnssec.verifyRrset");
+  var rrsig = opts.rrsig;
+  var dnskey = opts.dnskey;
+  if (!rrsig || typeof rrsig !== "object") throw new DnssecError("dnssec/bad-rrsig", "dnssec.verifyRrset: opts.rrsig is required");
+  if (!dnskey || typeof dnskey !== "object") throw new DnssecError("dnssec/bad-key", "dnssec.verifyRrset: opts.dnskey is required");
+  if (!Array.isArray(opts.rdatas) || opts.rdatas.length === 0) {
+    throw new DnssecError("dnssec/empty-rrset", "dnssec.verifyRrset: opts.rdatas must be a non-empty array");
+  }
+  var alg = ALGS[rrsig.algorithm];
+  if (!alg) throw new DnssecError("dnssec/unsupported-alg", "dnssec.verifyRrset: unsupported algorithm " + rrsig.algorithm);
+  if (dnskey.algorithm !== rrsig.algorithm) {
+    throw new DnssecError("dnssec/alg-mismatch", "dnssec.verifyRrset: DNSKEY algorithm does not match the RRSIG");
+  }
+
+  var typeNum = _typeNumber(opts.type);
+  if (NAME_FREE_TYPE_NUMS.indexOf(typeNum) === -1) {
+    throw new DnssecError("dnssec/uncanonicalizable-type",
+      "dnssec.verifyRrset: RR type " + typeNum + " carries embedded names; RDATA-name canonicalisation is not supported (refused, not mis-validated)");
+  }
+
+  // Validity window (fail closed on a bad opts.at).
+  var atMs;
+  if (opts.at !== undefined && opts.at !== null) {
+    if (!(opts.at instanceof Date) || !isFinite(opts.at.getTime())) {
+      throw new DnssecError("dnssec/bad-at", "dnssec.verifyRrset: opts.at must be a valid Date");
+    }
+    atMs = opts.at.getTime();
+  } else {
+    atMs = Date.now();
+  }
+  var nowSec = Math.floor(atMs / 1000);                       // allow:raw-time-literal — ms→NumericDate seconds (RRSIG inception/expiration are seconds since epoch, RFC 4034 §3.1.5)
+  if (nowSec < (rrsig.inception >>> 0)) throw new DnssecError("dnssec/not-yet-valid", "dnssec.verifyRrset: RRSIG inception is in the future");
+  if (nowSec > (rrsig.expiration >>> 0)) throw new DnssecError("dnssec/expired", "dnssec.verifyRrset: RRSIG has expired");
+
+  var klass = typeof opts.class === "number" ? opts.class : 1;
+  var ownerWire = _canonicalName(opts.name);
+  var ttl = _u32(rrsig.originalTtl);
+
+  // Canonical RRset (RFC 4034 §6.3): order records by canonical RDATA.
+  var rdatas = opts.rdatas.map(function (r, i) { return _bytes(r, "rdatas[" + i + "]"); });
+  var sorted = rdatas.slice().sort(Buffer.compare);
+  var rrParts = [];
+  for (var i = 0; i < sorted.length; i++) {
+    rrParts.push(ownerWire, _u16(typeNum), _u16(klass), ttl, _u16(sorted[i].length), sorted[i]);
+  }
+
+  // RRSIG RDATA without the signature (RFC 4034 §3.1.8.1).
+  var rrsigPrefix = Buffer.concat([
+    _u16(typeNum), Buffer.from([rrsig.algorithm & 0xff, rrsig.labels & 0xff]),           // allow:raw-byte-literal — single-octet alg + labels fields
+    _u32(rrsig.originalTtl), _u32(rrsig.expiration), _u32(rrsig.inception),
+    _u16(rrsig.keyTag), _canonicalName(rrsig.signerName),
+  ]);
+  var signedData = Buffer.concat([rrsigPrefix].concat(rrParts));
+
+  var key = _dnskeyToKey(dnskey.algorithm, dnskey.publicKey);
+  var signature = _bytes(rrsig.signature, "rrsig.signature");
+  var ok;
+  try {
+    if (alg.kind === "okp") {
+      ok = nodeCrypto.verify(null, signedData, key, signature);
+    } else if (alg.kind === "ec") {
+      ok = nodeCrypto.verify(alg.hash, signedData, { key: key, dsaEncoding: "ieee-p1363" }, signature);
+    } else {
+      ok = nodeCrypto.verify(alg.hash, signedData, key, signature);
+    }
+  } catch (e) {
+    throw new DnssecError("dnssec/verify-threw", "dnssec.verifyRrset: signature verification threw: " + ((e && e.message) || e));
+  }
+  if (!ok) throw new DnssecError("dnssec/bad-signature", "dnssec.verifyRrset: RRSIG signature did not verify");
+  return { ok: true, algorithm: alg.name, keyTag: rrsig.keyTag, signerName: rrsig.signerName };
+}
+
+// ---------------------------------------------------------------------------
+// Denial of existence (RFC 4034 §4 NSEC, RFC 5155 NSEC3).
+//
+// These helpers prove a name (or a name+type) DOES NOT EXIST from the
+// signed NSEC / NSEC3 records a server returns in the Authority section.
+// They operate on records the caller has ALREADY verified with
+// verifyRrset — like verifyDs, this is the relation check, not the
+// signature check. Passing unverified records proves nothing.
+// ---------------------------------------------------------------------------
+
+var BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV";          // allow:raw-byte-literal — RFC 4648 §7 extended-hex alphabet (RFC number in comment)
+var TYPE_DS = 43;                                            // allow:raw-byte-literal — IANA RR type DS
+var TYPE_CNAME = 5;
+var NSEC3_HASH_SHA1 = 1;                                     // RFC 5155 §5 — the only registered NSEC3 hash
+var DEFAULT_MAX_NSEC3_ITERATIONS = 500;                      // allow:raw-time-literal — DoS ceiling on iterated SHA-1 (RFC 9276 wants 0; deployed zones still use >0)
+
+// RFC 4648 §7 base32hex decode (no padding, case-insensitive) — the
+// label encoding of an NSEC3 owner-name hash.
+function _base32hexDecode(s, label) {
+  var up = String(s).toUpperCase();
+  var bits = 0, value = 0, out = [];
+  for (var i = 0; i < up.length; i++) {
+    var idx = BASE32HEX.indexOf(up[i]);
+    if (idx === -1) throw new DnssecError("dnssec/bad-nsec3", "dnssec: " + label + " is not valid base32hex");
+    value = (value << 5) | idx;                              // allow:raw-byte-literal — base32 5-bit group
+    bits += 5;                                               // allow:raw-byte-literal — base32 5-bit group
+    if (bits >= 8) { bits -= 8; out.push((value >> bits) & 0xff); }   // allow:raw-byte-literal — emit a full octet
+  }
+  return Buffer.from(out);
+}
+
+// RFC 4034 §4.1.2 / RFC 5155 §3.2.1 type bitmap → Set of type numbers.
+function _parseTypeBitmaps(buf, off, end) {
+  var types = new Set();
+  var i = off;
+  while (i + 2 <= end) {
+    var win = buf[i], len = buf[i + 1];
+    i += 2;
+    if (len < 1 || len > 32 || i + len > end) {              // allow:raw-byte-literal — bitmap window ≤ 256 bits = 32 octets (RFC 4034 §4.1.2)
+      throw new DnssecError("dnssec/bad-bitmap", "dnssec: malformed NSEC type bitmap");
+    }
+    for (var j = 0; j < len; j++) {
+      var octet = buf[i + j];
+      for (var bit = 0; bit < 8; bit++) {                    // allow:raw-byte-literal — 8 bits per octet
+        if (octet & (0x80 >> bit)) types.add(win * 256 + j * 8 + bit);   // allow:raw-byte-literal — bit→type-number (window*256 + octet*8 + bit)
+      }
+    }
+    i += len;
+  }
+  return types;
+}
+
+// Read an uncompressed wire-format domain name (compression pointers are
+// illegal in signed RDATA). Returns { name, end }.
+function _readWireName(buf, off) {
+  var labels = [];
+  var i = off;
+  for (;;) {
+    if (i >= buf.length) throw new DnssecError("dnssec/bad-name", "dnssec: truncated name in RDATA");
+    var len = buf[i];
+    if (len === 0) { i++; break; }
+    if ((len & 0xc0) !== 0) throw new DnssecError("dnssec/bad-name", "dnssec: compression pointer in signed RDATA");   // allow:raw-byte-literal — RFC 1035 label-length top-two-bits flag
+    i++;
+    labels.push(buf.slice(i, i + len).toString("ascii"));
+    i += len;
+  }
+  return { name: labels.length ? labels.join(".") + "." : ".", end: i };
+}
+
+function _parseNsec3Rdata(rd) {
+  if (rd.length < 6) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 RDATA too short");   // allow:raw-byte-literal — fixed NSEC3 header octets
+  var hashAlg = rd[0], flags = rd[1], iterations = rd.readUInt16BE(2), saltLen = rd[4];
+  var off = 5 + saltLen;
+  if (off + 1 > rd.length) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 salt overruns RDATA");
+  var salt = rd.slice(5, 5 + saltLen);
+  var hashLen = rd[off]; off += 1;
+  if (off + hashLen > rd.length) throw new DnssecError("dnssec/bad-nsec3", "dnssec: NSEC3 next-hashed-owner overruns RDATA");
+  var nextHashed = rd.slice(off, off + hashLen);
+  return { hashAlg: hashAlg, flags: flags, iterations: iterations, salt: salt, nextHashed: nextHashed, types: _parseTypeBitmaps(rd, off + hashLen, rd.length) };
+}
+
+function _parseNsecRdata(rd) {
+  var n = _readWireName(rd, 0);
+  return { nextName: n.name, types: _parseTypeBitmaps(rd, n.end, rd.length) };
+}
+
+// RFC 5155 §5 iterated hash: IH(salt, x, 0)=SHA-1(x‖salt);
+// IH(salt, x, k)=SHA-1(IH(salt,x,k-1)‖salt). SHA-1 is the only NSEC3
+// hash IANA defines — a wire-protocol constant, not a framework default.
+function _nsec3HashWire(nameWire, salt, iterations) {
+  var h = nodeCrypto.createHash("sha1").update(Buffer.concat([nameWire, salt])).digest();
+  for (var k = 0; k < iterations; k++) {
+    h = nodeCrypto.createHash("sha1").update(Buffer.concat([h, salt])).digest();
+  }
+  return h;
+}
+
+function _nameLabels(name) {
+  var n = String(name).replace(/\.$/, "");
+  return n === "" ? [] : n.split(".");
+}
+
+// RFC 4034 §6.1 canonical name ordering: compare label sequences from
+// the least-significant (rightmost) label, octets lowercased.
+function _canonicalNameCompare(a, b) {
+  var la = _nameLabels(a).reverse(), lb = _nameLabels(b).reverse();
+  var min = Math.min(la.length, lb.length);
+  for (var i = 0; i < min; i++) {
+    var c = Buffer.compare(Buffer.from(la[i].toLowerCase(), "ascii"), Buffer.from(lb[i].toLowerCase(), "ascii"));
+    if (c !== 0) return c;
+  }
+  return la.length - lb.length;
+}
+
+// Closest-encloser candidates: proper suffixes of qname from longest
+// (qname minus one label) down to the zone apex, longest first.
+function _closestEncloserCandidates(qname, zone) {
+  var ql = _nameLabels(qname), zl = _nameLabels(zone);
+  var out = [];
+  for (var k = ql.length - 1; k >= zl.length; k--) {
+    out.push(ql.slice(ql.length - k).join(".") + ".");
+  }
+  return out;
+}
+
+// The "next closer" name: the closest encloser with one more label of
+// qname prepended (RFC 5155 §1.3).
+function _nextCloser(qname, ce) {
+  var ql = _nameLabels(qname), n = _nameLabels(ce).length + 1;
+  return ql.slice(ql.length - n).join(".") + ".";
+}
+
+/**
+ * @primitive b.network.dns.dnssec.nsec3Hash
+ * @signature b.network.dns.dnssec.nsec3Hash(name, opts)
+ * @since     0.12.49
+ * @status    stable
+ * @related   b.network.dns.dnssec.verifyDenial
+ *
+ * Compute the RFC 5155 §5 NSEC3 hash of a name — iterated SHA-1 over the
+ * canonical (lowercased, root-terminated) wire form with the zone's salt.
+ * The result is the unencoded hash; the NSEC3 owner label is its
+ * base32hex encoding. SHA-1 is the only hash IANA registers for NSEC3,
+ * so this is a wire-protocol constant, not a cryptographic default.
+ *
+ * @opts
+ *   {
+ *     salt:        Buffer,  // zone NSEC3 salt (may be empty)
+ *     iterations:  number,  // additional hash iterations (>= 0)
+ *   }
+ *
+ * @example
+ *   var h = b.network.dns.dnssec.nsec3Hash("a.example.com", { salt: salt, iterations: 0 });
+ */
+function nsec3Hash(name, opts) {
+  validateOpts.requireObject(opts, "dnssec.nsec3Hash", DnssecError);
+  validateOpts(opts, ["salt", "iterations"], "dnssec.nsec3Hash");
+  var salt = _bytes(opts.salt, "salt");
+  var iters = opts.iterations;
+  if (typeof iters !== "number" || !isFinite(iters) || iters < 0 || Math.floor(iters) !== iters) {
+    throw new DnssecError("dnssec/bad-iterations", "dnssec.nsec3Hash: iterations must be a non-negative integer");
+  }
+  return _nsec3HashWire(_canonicalName(name), salt, iters);
+}
+
+/**
+ * @primitive b.network.dns.dnssec.verifyDenial
+ * @signature b.network.dns.dnssec.verifyDenial(opts)
+ * @since     0.12.49
+ * @status    stable
+ * @compliance soc2
+ * @related   b.network.dns.dnssec.verifyRrset, b.network.dns.dnssec.nsec3Hash
+ *
+ * Prove that a name does not exist (NXDOMAIN) or that a name has no
+ * records of a given type (NODATA) from the signed NSEC (RFC 4034 §4) or
+ * NSEC3 (RFC 5155) records in a response's Authority section. This is the
+ * other half of "verify the answer yourself": <code>verifyRrset</code>
+ * proves a positive answer, <code>verifyDenial</code> proves a negative.
+ *
+ * The records MUST already be verified with <code>verifyRrset</code> —
+ * this checks the denial RELATION (closest-encloser, covering ranges,
+ * type-bitmap absence), not the signatures. For NSEC3, the iterated-hash
+ * count is capped (<code>opts.maxIterations</code>, default 500) to bound
+ * the SHA-1 work an attacker can force. An NXDOMAIN proof that relies on
+ * an Opt-Out NSEC3 (RFC 5155 §6) is refused unless
+ * <code>opts.allowOptOut</code> — opt-out only proves "no signed records",
+ * not non-existence.
+ *
+ * @opts
+ *   {
+ *     qname:   string,        // the queried name
+ *     qtype:   string|number, // queried type (required for proof "nodata")
+ *     proof:   string,        // "nxdomain" | "nodata"
+ *     zone:    string,        // the signer zone apex (a suffix of qname)
+ *     nsec3?:  [ { owner: string, rdata: Buffer } ],  // NSEC3 records (owner = base32hex-label.zone)
+ *     nsec?:   [ { owner: string, rdata: Buffer } ],  // NSEC records
+ *     maxIterations?: number, // NSEC3 iteration cap (default 500)
+ *     allowOptOut?:   boolean, // accept an Opt-Out NXDOMAIN proof (default false)
+ *   }
+ *
+ * @example
+ *   b.network.dns.dnssec.verifyDenial({
+ *     qname: "nope.example.com", proof: "nxdomain", zone: "example.com", nsec3: records,
+ *   });
+ */
+function verifyDenial(opts) {
+  validateOpts.requireObject(opts, "dnssec.verifyDenial", DnssecError);
+  validateOpts(opts, ["qname", "qtype", "proof", "zone", "nsec3", "nsec", "maxIterations", "allowOptOut"], "dnssec.verifyDenial");
+  if (typeof opts.qname !== "string" || opts.qname === "") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.qname is required");
+  if (typeof opts.zone !== "string" || opts.zone === "") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.zone is required");
+  if (opts.proof !== "nxdomain" && opts.proof !== "nodata") throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.proof must be 'nxdomain' or 'nodata'");
+  var zl = _nameLabels(opts.zone), ql = _nameLabels(opts.qname);
+  if (zl.length > ql.length || zl.join(".").toLowerCase() !== ql.slice(ql.length - zl.length).join(".").toLowerCase()) {
+    throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.zone must be a suffix of opts.qname");
+  }
+  var qtypeNum;
+  if (opts.proof === "nodata") {
+    if (opts.qtype === undefined || opts.qtype === null) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: opts.qtype is required for a nodata proof");
+    qtypeNum = _typeNumber(opts.qtype);
+  } else if (opts.qtype !== undefined && opts.qtype !== null) {
+    qtypeNum = _typeNumber(opts.qtype);
+  }
+
+  var hasNsec3 = Array.isArray(opts.nsec3) && opts.nsec3.length > 0;
+  var hasNsec = Array.isArray(opts.nsec) && opts.nsec.length > 0;
+  if (hasNsec3 === hasNsec) {
+    throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: supply exactly one of opts.nsec3 or opts.nsec");
+  }
+  return hasNsec3 ? _verifyNsec3Denial(opts, qtypeNum) : _verifyNsecDenial(opts, qtypeNum);
+}
+
+function _verifyNsec3Denial(opts, qtypeNum) {
+  var maxIter = typeof opts.maxIterations === "number" ? opts.maxIterations : DEFAULT_MAX_NSEC3_ITERATIONS;
+  if (typeof maxIter !== "number" || !isFinite(maxIter) || maxIter < 0) throw new DnssecError("dnssec/bad-arg", "dnssec.verifyDenial: maxIterations must be a non-negative number");
+
+  // Parse + sanity-check every NSEC3 record; the chain shares one salt /
+  // iteration / hash-algorithm tuple.
+  var recs = opts.nsec3.map(function (r, i) {
+    if (!r || typeof r.owner !== "string") throw new DnssecError("dnssec/bad-nsec3", "dnssec.verifyDenial: nsec3[" + i + "].owner must be a string");
+    var rd = _bytes(r.rdata, "nsec3[" + i + "].rdata");
+    var p = _parseNsec3Rdata(rd);
+    if (p.hashAlg !== NSEC3_HASH_SHA1) throw new DnssecError("dnssec/unsupported-nsec3-hash", "dnssec.verifyDenial: NSEC3 hash algorithm " + p.hashAlg + " is not supported (only SHA-1 / 1 is defined)");
+    if (p.iterations > maxIter) throw new DnssecError("dnssec/nsec3-iterations-excessive", "dnssec.verifyDenial: NSEC3 iterations " + p.iterations + " exceed the cap " + maxIter);
+    var firstLabel = _nameLabels(r.owner)[0];
+    if (!firstLabel) throw new DnssecError("dnssec/bad-nsec3", "dnssec.verifyDenial: nsec3[" + i + "].owner has no hash label");
+    return { ownerHash: _base32hexDecode(firstLabel, "nsec3[" + i + "].owner"), p: p };
+  });
+  var salt = recs[0].p.salt, iterations = recs[0].p.iterations;
+  for (var s = 1; s < recs.length; s++) {
+    if (recs[s].p.iterations !== iterations || Buffer.compare(recs[s].p.salt, salt) !== 0) {
+      throw new DnssecError("dnssec/nsec3-param-mismatch", "dnssec.verifyDenial: NSEC3 records disagree on salt / iterations");
+    }
+  }
+
+  function hashOf(name) { return _nsec3HashWire(_canonicalName(name), salt, iterations); }
+  function findMatch(name) {
+    var h = hashOf(name);
+    for (var i = 0; i < recs.length; i++) if (Buffer.compare(recs[i].ownerHash, h) === 0) return recs[i];
+    return null;
+  }
+  function findCover(name) {
+    var h = hashOf(name);
+    for (var i = 0; i < recs.length; i++) {
+      var owner = recs[i].ownerHash, next = recs[i].p.nextHashed;
+      var oc = Buffer.compare(owner, next);
+      var covered = oc < 0
+        ? (Buffer.compare(owner, h) < 0 && Buffer.compare(h, next) < 0)
+        : (Buffer.compare(owner, h) < 0 || Buffer.compare(h, next) < 0);   // last NSEC3 wraps past the apex
+      if (covered) return recs[i];
+    }
+    return null;
+  }
+
+  if (opts.proof === "nodata") {
+    // RFC 5155 §8.5 — a matching NSEC3 with the type (and CNAME) absent.
+    var m = findMatch(opts.qname);
+    if (m) {
+      if (qtypeNum === TYPE_DS) {
+        if (m.p.types.has(TYPE_DS)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: DS is present in the matching NSEC3 bitmap");
+        return { ok: true, proof: "nodata", mechanism: "nsec3", matched: true };
+      }
+      if (m.p.types.has(qtypeNum)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: type " + qtypeNum + " is present in the matching NSEC3 bitmap");
+      if (m.p.types.has(TYPE_CNAME)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: name is a CNAME (query should have been redirected)");
+      return { ok: true, proof: "nodata", mechanism: "nsec3", matched: true };
+    }
+    // RFC 5155 §8.6 — Opt-Out DS NODATA: a covering NSEC3 with Opt-Out set
+    // proves an insecure delegation has no DS.
+    if (qtypeNum === TYPE_DS) {
+      var ce = _nsec3ClosestEncloser(opts, recs, findMatch);
+      if (ce) {
+        var nc = _nextCloser(opts.qname, ce);
+        var cov = findCover(nc);
+        if (cov && (cov.p.flags & 1) === 1) return { ok: true, proof: "nodata", mechanism: "nsec3", matched: false, optOut: true };
+      }
+    }
+    // RFC 5155 §8.7 — wildcard NODATA: closest encloser proof + a matching
+    // wildcard NSEC3 with the type absent.
+    var ce2 = _nsec3ClosestEncloser(opts, recs, findMatch);
+    if (ce2) {
+      var wc = findMatch("*." + ce2);
+      if (wc && !wc.p.types.has(qtypeNum) && !wc.p.types.has(TYPE_CNAME)) {
+        return { ok: true, proof: "nodata", mechanism: "nsec3", matched: false, wildcard: true, closestEncloser: ce2 };
+      }
+    }
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no matching NSEC3 proves NODATA for the queried type");
+  }
+
+  // NXDOMAIN (RFC 5155 §8.4): matching closest encloser + covered next
+  // closer + covered wildcard. Opt-Out on the next-closer cover only
+  // proves "no signed records", so it is refused unless allowOptOut.
+  var ceName = _nsec3ClosestEncloser(opts, recs, findMatch);
+  if (!ceName) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC3 matches any closest-encloser candidate");
+  var nextCloser = _nextCloser(opts.qname, ceName);
+  var ncCover = findCover(nextCloser);
+  if (!ncCover) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the next-closer name is not covered by any NSEC3");
+  var optOut = (ncCover.p.flags & 1) === 1;
+  if (optOut && !opts.allowOptOut) throw new DnssecError("dnssec/denial-opt-out", "dnssec.verifyDenial: NXDOMAIN relies on an Opt-Out NSEC3 (set allowOptOut to accept it as 'no signed records')");
+  // The wildcard at the closest encloser must be proven NON-EXISTENT
+  // (covered). A MATCHING wildcard means it exists, so the name should
+  // have been wildcard-synthesised and NXDOMAIN would be a forgery.
+  if (!findCover("*." + ceName)) {
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the wildcard at the closest encloser is not covered (a matching wildcard would mean the name should have been synthesised)");
+  }
+  return { ok: true, proof: "nxdomain", mechanism: "nsec3", closestEncloser: ceName, optOut: optOut };
+}
+
+function _nsec3ClosestEncloser(opts, recs, findMatch) {
+  var cands = _closestEncloserCandidates(opts.qname, opts.zone);
+  for (var i = 0; i < cands.length; i++) if (findMatch(cands[i])) return cands[i];
+  return null;
+}
+
+function _verifyNsecDenial(opts, qtypeNum) {
+  var recs = opts.nsec.map(function (r, i) {
+    if (!r || typeof r.owner !== "string") throw new DnssecError("dnssec/bad-nsec", "dnssec.verifyDenial: nsec[" + i + "].owner must be a string");
+    return { owner: r.owner, p: _parseNsecRdata(_bytes(r.rdata, "nsec[" + i + "].rdata")) };
+  });
+  function findMatch(name) {
+    for (var i = 0; i < recs.length; i++) if (_canonicalNameCompare(recs[i].owner, name) === 0) return recs[i];
+    return null;
+  }
+  function findCover(name) {
+    for (var i = 0; i < recs.length; i++) {
+      var owner = recs[i].owner, next = recs[i].p.nextName;
+      var oc = _canonicalNameCompare(owner, next);
+      var afterOwner = _canonicalNameCompare(owner, name) < 0;
+      var covered = oc < 0
+        ? (afterOwner && _canonicalNameCompare(name, next) < 0)
+        : afterOwner;   // last NSEC (next wraps to apex): any name after owner
+      if (covered) return recs[i];
+    }
+    return null;
+  }
+
+  if (opts.proof === "nodata") {
+    var m = findMatch(opts.qname);
+    if (!m) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC matches the queried name");
+    if (m.p.types.has(qtypeNum)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: type " + qtypeNum + " is present in the matching NSEC bitmap");
+    if (qtypeNum !== TYPE_CNAME && m.p.types.has(TYPE_CNAME)) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: name is a CNAME (query should have been redirected)");
+    return { ok: true, proof: "nodata", mechanism: "nsec", matched: true };
+  }
+
+  // NXDOMAIN (RFC 4035 §5.4): an NSEC covering qname AND an NSEC proving
+  // the source-of-synthesis wildcard does not exist.
+  var cover = findCover(opts.qname);
+  if (!cover) throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: no NSEC covers the queried name");
+  // The closest encloser is the longest common ancestor of qname and the
+  // covering NSEC's owner/next; the wildcard sits one label below it.
+  var ce = _nsecClosestEncloser(opts.qname, cover);
+  // The source-of-synthesis wildcard must be proven NON-EXISTENT
+  // (covered). A MATCHING wildcard owner means it exists, so the query
+  // should have been answered by wildcard expansion, not NXDOMAIN.
+  var wildcard = "*." + ce;
+  if (!findCover(wildcard)) {
+    throw new DnssecError("dnssec/denial-not-proven", "dnssec.verifyDenial: the wildcard at the closest encloser is not covered (a matching wildcard would mean the name should have been synthesised)");
+  }
+  return { ok: true, proof: "nxdomain", mechanism: "nsec", closestEncloser: ce };
+}
+
+// The closest encloser for an NSEC NXDOMAIN proof is the longest name
+// that is a suffix of qname and an ancestor of both the covering NSEC's
+// owner and its next name (RFC 4035 §5.3.4 / §5.4).
+function _nsecClosestEncloser(qname, cover) {
+  var ql = _nameLabels(qname);
+  var a = _commonSuffixLen(qname, cover.owner);
+  var b = _commonSuffixLen(qname, cover.p.nextName);
+  var ceLen = Math.max(a, b);
+  return ql.slice(ql.length - ceLen).join(".") + ".";
+}
+
+function _commonSuffixLen(a, b) {
+  var la = _nameLabels(a).reverse(), lb = _nameLabels(b).reverse();
+  var n = 0, min = Math.min(la.length, lb.length);
+  while (n < min && la[n].toLowerCase() === lb[n].toLowerCase()) n++;
+  return n;
+}
+
+module.exports = {
+  verifyRrset:  verifyRrset,
+  verifyDs:     verifyDs,
+  verifyDenial: verifyDenial,
+  nsec3Hash:    nsec3Hash,
+  keyTag:       keyTag,
+  ALGORITHMS:   ALGS,
+  DnssecError:  DnssecError,
+};

package/lib/network.js

@@ -35,6 +35,7 @@ var ntpCheck = require("./ntp-check");
 var nts      = require("./network-nts");
 var networkDns = require("./network-dns");
 networkDns.resolver = require("./network-dns-resolver");
+networkDns.dnssec = require("./network-dnssec");
 var networkProxy = require("./network-proxy");
 var networkTls = require("./network-tls");
 var heartbeat = require("./network-heartbeat");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.12.47",
+  "version": "0.12.49",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:4b602bbd-c8e6-4e4a-8b26-b0c570144b86",
+  "serialNumber": "urn:uuid:abe5140c-7ec0-4872-8094-0863d2e0a821",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-25T11:11:40.479Z",
+    "timestamp": "2026-05-25T13:20:22.849Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.12.47",
+      "bom-ref": "@blamejs/core@0.12.49",
       "type": "application",
       "name": "blamejs",
-      "version": "0.12.47",
+      "version": "0.12.49",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.12.47",
+      "purl": "pkg:npm/%40blamejs/core@0.12.49",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.12.47",
+      "ref": "@blamejs/core@0.12.49",
       "dependsOn": []
     }
   ]