@rine-network/core 0.6.0 → 0.6.1

package/dist/index.js

@@ -2101,7 +2101,10 @@ async function issueCert(args) {
 		const setResult = await deps.dnsPost("set", order.dnsChallengeToken);
 		txtSet = true;
 		const fqdn = setResult.fqdn ?? `_acme-challenge.${delegationId}.hook.rine.network`;
-		await deps.waitForPropagation({ fqdn });
+		await deps.waitForPropagation({
+			fqdn,
+			expectedValue: order.dnsChallengeToken
+		});
 		await deps.acme.validate({ handle });
 		const { certPem } = await deps.acme.finalizeAndDownload({
 			handle,
@@ -2198,6 +2201,7 @@ function describe(err) {
 }
 //#endregion
 //#region src/funnel/propagation.ts
+const INITIAL_PROPAGATION_DELAY_MS = 45e3;
 const PROPAGATION_TIMEOUT_MS = 12e4;
 const PROPAGATION_INTERVAL_MS = 5e3;
 function sleep(ms) {
@@ -2210,12 +2214,13 @@ function sleep(ms) {
 * asking for NS until a parent answers (the apex — e.g. `rine.network`). A plain
 * `resolveSoa(fqdn)` returns ENODATA at a sub-apex name, which is why the prior
 * SOA->NS approach silently fell through to the host resolver every time.
+* Exported (with an injectable `nsResolve`) so the climb is unit-tested directly.
 */
-async function nsHostsForZoneOf(fqdn) {
+async function nsHostsForZoneOf(fqdn, nsResolve = resolveNs) {
 	let name = fqdn.replace(/\.$/, "");
 	while (name.includes(".")) {
 		try {
-			const ns = await resolveNs(name);
+			const ns = await nsResolve(name);
 			if (ns.length > 0) return ns;
 		} catch {}
 		name = name.slice(name.indexOf(".") + 1);
@@ -2224,34 +2229,54 @@ async function nsHostsForZoneOf(fqdn) {
 }
 /**
 * Build a resolver pinned to the AUTHORITATIVE nameservers of `fqdn`'s zone
-* (NS -> A, then `Resolver.setServers`). Falls back to the system resolver if NS
-* discovery fails (best-effort — the bounded poll still backstops).
+* (NS -> A, then `Resolver.setServers`). One flaky NS-host A lookup must NOT cost
+* us the others, so `Promise.allSettled` keeps every address that did resolve.
+* Falls back to the system resolver only if NS discovery fails or NO address
+* resolves (best-effort — the bounded poll still backstops). Exported (with
+* injectable resolvers) so the NS-walk path is unit-tested directly.
 */
-async function authoritativeResolver(fqdn) {
+async function authoritativeResolver(fqdn, nsResolve = resolveNs, a4Resolve = resolve4) {
 	const resolver = new Resolver();
 	try {
-		const nsHosts = await nsHostsForZoneOf(fqdn);
-		const addresses = (await Promise.all(nsHosts.map((ns) => resolve4(ns)))).flat().filter(Boolean);
+		const nsHosts = await nsHostsForZoneOf(fqdn, nsResolve);
+		const addresses = (await Promise.allSettled(nsHosts.map((ns) => a4Resolve(ns)))).flatMap((r) => r.status === "fulfilled" ? r.value : []).filter(Boolean);
 		if (addresses.length > 0) resolver.setServers(addresses);
 	} catch {}
 	return resolver;
 }
+/** A TXT answer satisfies the gate iff it carries THIS order's key-authorization. */
+function recordsMatch(records, expectedValue) {
+	if (records.length === 0) return false;
+	if (!expectedValue) return true;
+	return records.some((chunks) => chunks.join("").includes(expectedValue));
+}
 /**
 * Poll the authoritative DNS for the challenge TXT at the server-returned
-* `_acme-challenge.<cert-domain>.hook.rine.network` until it resolves (bounded,
-* ≤120s) before telling LE to validate, so a slow zone never burns a validation
-* attempt. The FQDN is the one the backend wrote the TXT under (the
-* dns-challenge `set` response's `fqdn`) — never derived from a relay-side guess.
+* `_acme-challenge.<cert-domain>.hook.rine.network` until the record carrying
+* `expectedValue` (this order's key-authorization) resolves (bounded) before
+* telling LE to validate, so a slow zone never burns a validation attempt. The
+* FQDN is the one the backend wrote the TXT under (the dns-challenge `set`
+* response's `fqdn`) — never derived from a relay-side guess.
+*
+* Order: build the authoritative resolver (NS-walk) -> hold the grace delay ->
+* poll TXT. The NS-walk overlaps the grace window and the grace delay keeps the
+* first TXT query from preceding propagation (avoids poisoning the negative
+* cache — see the module header).
 */
-async function waitForTxtPropagation(args) {
-	const { fqdn } = args;
-	const resolver = await authoritativeResolver(fqdn);
-	const deadline = Date.now() + PROPAGATION_TIMEOUT_MS;
+async function waitForTxtPropagation(args, opts = {}) {
+	const { fqdn, expectedValue } = args;
+	const initialDelayMs = opts.initialDelayMs ?? INITIAL_PROPAGATION_DELAY_MS;
+	const timeoutMs = opts.timeoutMs ?? PROPAGATION_TIMEOUT_MS;
+	const intervalMs = opts.intervalMs ?? PROPAGATION_INTERVAL_MS;
+	const doSleep = opts.sleep ?? sleep;
+	const resolver = await (opts.resolverFactory ?? ((name) => authoritativeResolver(name, opts.nsResolve, opts.a4Resolve)))(fqdn);
+	await doSleep(initialDelayMs);
+	const deadline = Date.now() + timeoutMs;
 	while (Date.now() < deadline) {
 		try {
-			if ((await resolver.resolveTxt(fqdn)).length > 0) return;
+			if (recordsMatch(await resolver.resolveTxt(fqdn), expectedValue)) return;
 		} catch {}
-		await sleep(PROPAGATION_INTERVAL_MS);
+		await doSleep(intervalMs);
 	}
 	throw new Error(`DNS propagation timeout for ${fqdn}`);
 }

package/dist/src/funnel/issue.d.ts

@@ -36,9 +36,14 @@ export interface IssueCertDeps {
      * poll (the relay never derives it).
      */
     dnsPost(action: "set" | "clear", value?: string): Promise<DnsChallengeResult>;
-    /** Bounded poll of the authoritative DNS at `fqdn` until the TXT propagates. */
+    /**
+     * Bounded poll of the authoritative DNS at `fqdn` until the TXT carrying
+     * `expectedValue` (this order's key-authorization) propagates — matching the
+     * value, not mere presence, so a stale/converging record never satisfies it.
+     */
     waitForPropagation(args: {
         fqdn: string;
+        expectedValue?: string;
     }): Promise<void>;
     now(): number;
 }

package/dist/src/funnel/propagation.d.ts

@@ -1,11 +1,59 @@
+import { Resolver } from "node:dns/promises";
 export declare function sleep(ms: number): Promise<void>;
+/** Minimal TXT-resolving surface (node:dns `Resolver` satisfies this). */
+interface TxtResolver {
+    resolveTxt(hostname: string): Promise<string[][]>;
+}
+/**
+ * Test seams + tunables for `waitForTxtPropagation`. Production passes none — the
+ * defaults wire the real authoritative resolver and real timers. Tests inject a
+ * fake resolver + sleep so they assert ordering/timeout without touching the
+ * network or waiting the real 45s grace. `nsResolve`/`a4Resolve` let tests drive
+ * the REAL NS-walk (`authoritativeResolver`) without `resolverFactory`.
+ */
+export interface PropagationOptions {
+    initialDelayMs?: number;
+    timeoutMs?: number;
+    intervalMs?: number;
+    sleep?: (ms: number) => Promise<void>;
+    resolverFactory?: (fqdn: string) => Promise<TxtResolver>;
+    nsResolve?: (name: string) => Promise<string[]>;
+    a4Resolve?: (host: string) => Promise<string[]>;
+}
+/**
+ * The authoritative NS hostnames for the zone that contains `fqdn`. The
+ * challenge name (`_acme-challenge.<label>.hook.rine.network`) is BELOW the zone
+ * apex, where neither SOA nor NS records live, so we walk UP one label at a time
+ * asking for NS until a parent answers (the apex — e.g. `rine.network`). A plain
+ * `resolveSoa(fqdn)` returns ENODATA at a sub-apex name, which is why the prior
+ * SOA->NS approach silently fell through to the host resolver every time.
+ * Exported (with an injectable `nsResolve`) so the climb is unit-tested directly.
+ */
+export declare function nsHostsForZoneOf(fqdn: string, nsResolve?: (name: string) => Promise<string[]>): Promise<string[]>;
+/**
+ * Build a resolver pinned to the AUTHORITATIVE nameservers of `fqdn`'s zone
+ * (NS -> A, then `Resolver.setServers`). One flaky NS-host A lookup must NOT cost
+ * us the others, so `Promise.allSettled` keeps every address that did resolve.
+ * Falls back to the system resolver only if NS discovery fails or NO address
+ * resolves (best-effort — the bounded poll still backstops). Exported (with
+ * injectable resolvers) so the NS-walk path is unit-tested directly.
+ */
+export declare function authoritativeResolver(fqdn: string, nsResolve?: (name: string) => Promise<string[]>, a4Resolve?: (host: string) => Promise<string[]>): Promise<Resolver>;
 /**
  * Poll the authoritative DNS for the challenge TXT at the server-returned
- * `_acme-challenge.<cert-domain>.hook.rine.network` until it resolves (bounded,
- * ≤120s) before telling LE to validate, so a slow zone never burns a validation
- * attempt. The FQDN is the one the backend wrote the TXT under (the
- * dns-challenge `set` response's `fqdn`) — never derived from a relay-side guess.
+ * `_acme-challenge.<cert-domain>.hook.rine.network` until the record carrying
+ * `expectedValue` (this order's key-authorization) resolves (bounded) before
+ * telling LE to validate, so a slow zone never burns a validation attempt. The
+ * FQDN is the one the backend wrote the TXT under (the dns-challenge `set`
+ * response's `fqdn`) — never derived from a relay-side guess.
+ *
+ * Order: build the authoritative resolver (NS-walk) -> hold the grace delay ->
+ * poll TXT. The NS-walk overlaps the grace window and the grace delay keeps the
+ * first TXT query from preceding propagation (avoids poisoning the negative
+ * cache — see the module header).
  */
 export declare function waitForTxtPropagation(args: {
     fqdn: string;
-}): Promise<void>;
+    expectedValue?: string;
+}, opts?: PropagationOptions): Promise<void>;
+export {};

package/dist/test/funnel/propagation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rine-network/core",
-	"version": "0.6.0",
+	"version": "0.6.1",
 	"description": "Core library for rine.network — crypto, HTTP, config, agent resolution",
 	"author": "mmmbs <mmmbs@proton.me>",
 	"license": "EUPL-1.2",