pending-dns 1.2.5 → 1.3.0

package/lib/api-server.js

@@ -8,7 +8,7 @@ const Inert = require('@hapi/inert');
 const Vision = require('@hapi/vision');
 const HapiSwagger = require('hapi-swagger');
 const packageData = require('../package.json');
-const Joi = require('@hapi/joi');
+const Joi = require('joi');
 const logger = require('./logger').child({ component: 'api-server' });
 const { zoneStore, allowedTypes, allowedTags } = require('./zone-store');
 const { getCertificate } = require('./certs');
@@ -192,7 +192,7 @@ const recordScheme = Joi.object({
         .description('Certificate authority domain for CAA')
         .label('CADomain'),
 
-    tags: Joi.any()
+    tag: Joi.any()
         .example('issue')
         .when('type', {
             is: 'CAA',
@@ -207,7 +207,7 @@ const recordScheme = Joi.object({
         .example(0)
         .when('type', {
             is: 'CAA',
-            then: Joi.string().valid(0).default(0)
+            then: Joi.number().integer().min(0).max(255).default(0)
         })
         .description('Certificate authority flags for CAA')
         .label('Flags'),
@@ -273,7 +273,7 @@ const failAction = async (request, h, err) => {
     throw error;
 };
 
-const init = async () => {
+const createServer = async () => {
     const server = Hapi.server({
         port: (process.env.API_PORT && Number(process.env.API_PORT)) || config.api.port,
         host: process.env.API_HOST || config.api.host
@@ -478,8 +478,8 @@ const init = async () => {
                         throw new Error('Unknown type');
                 }
 
-                let updated = await zoneStore.update(request.params.zone, request.params.record, request.payload.subdomain, request.payload.type, value);
-                return { zone: request.params.zone, updated };
+                let record = await zoneStore.update(request.params.zone, request.params.record, request.payload.subdomain, request.payload.type, value);
+                return { zone: request.params.zone, record };
             } catch (err) {
                 if (Boom.isBoom(err)) {
                     throw err;
@@ -639,7 +639,14 @@ const init = async () => {
         }
     });
 
+    return server;
+};
+
+const init = async () => {
+    const server = await createServer();
     await server.start();
+    return server;
 };
 
 module.exports = init;
+module.exports.createServer = createServer;

package/lib/cached-resolver.js

@@ -32,12 +32,13 @@ function formatResult(record) {
  * @param {Object} [options]
  * @param {Number} [options.minTtl=10min] Cache timeout for successful resolving operations. If cached response is older than this value then resolving is retried. If resolving fails then cached value is used.
  * @param {Number} [options.maxTtl=8h] Time after cached data of a successful resolving is permanently deleted
- * @param {Number} [options.errorTtl=1min] Cache timeout for errored resolving operations. If cached response is older than this value then resolving is retried
+ * @param {Number} [options.errorMinTtl=1min] Cache timeout for errored resolving operations. If cached response is older than this value then resolving is retried
+ * @param {Number} [options.errorMaxTtl=1h] Time after cached error data is permanently deleted
  * @returns {Array|Boolean} Resolve response or `false` if query failed for whatever reason
  */
 const cachedResolver = async (target, type, options) => {
     try {
-        target = punycode.toASCII(target.trim().toLowerCase().trim().toLowerCase());
+        target = punycode.toASCII(target.trim().toLowerCase());
     } catch (err) {
         return false;
     }
@@ -120,12 +121,13 @@ const cachedResolver = async (target, type, options) => {
             .set(
                 cacheKey,
                 JSON.stringify({
+                    expires: Date.now() + options.errorMinTtl,
                     data: false,
                     error: err.message,
                     code: err.code || err.errno
                 })
             )
-            .expire(cacheKey, Math.round(options.errorTtl / 1000))
+            .expire(cacheKey, Math.round(options.errorMaxTtl / 1000))
             .exec();
         throw err;
     }

package/lib/certs.js

@@ -9,7 +9,6 @@ const crypto = require('crypto');
 const { checkNSStatus, normalizeDomain } = require('./tools');
 const ACME = require('@root/acme');
 const { pem2jwk } = require('pem-jwk');
-const NodeRSA = require('node-rsa');
 const logger = require('./logger').child({ component: 'certs' });
 const CSR = require('@root/csr');
 const { Certificate } = require('@fidm/x509');
@@ -17,6 +16,8 @@ const { Resolver } = require('dns').promises;
 const Lock = require('ioredfour');
 const util = require('util');
 
+const generateKeyPairAsync = util.promisify(crypto.generateKeyPair);
+
 const certLock = new Lock({
     redis: db.redisWrite,
     namespace: 'd:lock:'
@@ -78,9 +79,12 @@ const ensureAcme = async () => {
 };
 
 const generateKey = async bits => {
-    const key = new NodeRSA({ b: bits || 2048, e: 65537 });
-    const pem = key.exportKey('pkcs1-private-pem');
-    return pem;
+    const { privateKey } = await generateKeyPairAsync('rsa', {
+        modulusLength: bits || 2048,
+        publicExponent: 65537,
+        privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
+    });
+    return privateKey;
 };
 
 class AcmeDNSPlugin {
@@ -472,3 +476,6 @@ module.exports = {
     getCertificate,
     loadCertificate
 };
+
+// Exposed for unit testing
+module.exports.testables = { generateKey };

package/lib/dns-handler.js

@@ -8,15 +8,16 @@ const cachedResolver = require('./cached-resolver');
 const ipaddr = require('ipaddr.js');
 const logger = require('./logger').child({ component: 'dns-handler' });
 const { normalizeDomain } = require('./tools');
-const { v4: uuidv4 } = require('uuid');
+const { randomUUID } = require('crypto');
 
-// Split long string values into character chunks
+// Split a TXT value into DNS character-strings (max 255 bytes each).
+// Always returns an array, which is what the dns2 packet builder expects.
 const formatTXTData = data => {
     data = (data || '').toString();
-    if (data.length < 128) {
-        return data;
+    if (!data.length) {
+        return [''];
     }
-    return Array.from(data.match(/.{1,84}/g));
+    return Array.from(data.match(/.{1,255}/g));
 };
 
 // Helps to convert DNS type integer into a string (0x01 -> 'A')
@@ -91,7 +92,7 @@ const processQuestion = async (response, question, domain, depth) => {
                 if (records && records.length > 1) {
                     switch (type) {
                         case 'A':
-                        case 'AAAAA':
+                        case 'AAAA':
                             // randomize A/AAAA records
                             records = shuffle(filterUnhealthy(records));
                             break;
@@ -275,7 +276,8 @@ const processQuestion = async (response, question, domain, depth) => {
                 try {
                     entry.address = ipaddr.parse(value[0]).toNormalizedString();
                 } catch (err) {
-                    return;
+                    // skip just this malformed record, keep processing the rest
+                    continue;
                 }
                 break;
 
@@ -360,7 +362,7 @@ const processQuestion = async (response, question, domain, depth) => {
 const dnsHandler = async request => {
     let startTime = Date.now();
     const response = new dns2.Packet(request);
-    request._id = response._id = uuidv4();
+    request._id = response._id = randomUUID();
 
     response.header.qr = 1;
     response.header.aa = 1;
@@ -404,3 +406,6 @@ const dnsHandler = async request => {
 };
 
 module.exports = dnsHandler;
+
+// Exposed for unit testing
+module.exports.testables = { formatTXTData, shuffle, filterUnhealthy, reversedTypes, processQuestion };

package/lib/dns-server.js

@@ -19,7 +19,7 @@ const SUPPORTED_TYPES = new Set(
 
 const init = async () => {
     // create UDP server
-    createDNSUdpServer((request, send) => {
+    const udpServer = createDNSUdpServer((request, send) => {
         // filter out unsupported requests (eg. EDNS)
         if (request.additionals && request.additionals.length) {
             request.additionals = request.additionals.filter(additional => SUPPORTED_TYPES.has(additional.type));
@@ -38,16 +38,14 @@ const init = async () => {
                 }
                 logger.error({ msg: 'Failed to send DNS response', protocol: 'udp', err });
             });
-    })
-        .listen(config.dns.port, config.dns.host, () => {
-            logger.info({ msg: 'DNS server listening', protocol: 'udp', host: config.dns.host, port: config.dns.port });
-        })
-        .on('error', err => {
-            logger.error({ msg: 'DNS server error', protocol: 'udp', err });
-        });
+    });
+
+    udpServer.on('error', err => {
+        logger.error({ msg: 'DNS server error', protocol: 'udp', err });
+    });
 
     // create TCP server
-    createDNSTcpServer((request, send) => {
+    const tcpServer = createDNSTcpServer((request, send) => {
         // filter out unsupported requests (eg. EDNS)
         if (request.additionals && request.additionals.length) {
             request.additionals = request.additionals.filter(additional => SUPPORTED_TYPES.has(additional.type));
@@ -58,17 +56,31 @@ const init = async () => {
             .catch(err => {
                 logger.error({ msg: 'Failed to send DNS response', protocol: 'tcp', err });
             });
-    })
-        .listen(config.dns.port, config.dns.host, () => {
+    });
+
+    tcpServer.on('error', err => {
+        let method = 'error';
+        if (err && ['ECONNRESET'].includes(err.code)) {
+            method = 'trace';
+        }
+        logger[method]({ msg: 'DNS server error', protocol: 'tcp', err });
+    });
+
+    await new Promise(resolve => {
+        udpServer.listen(config.dns.port, config.dns.host, () => {
+            logger.info({ msg: 'DNS server listening', protocol: 'udp', host: config.dns.host, port: config.dns.port });
+            resolve();
+        });
+    });
+
+    await new Promise(resolve => {
+        tcpServer.listen(config.dns.port, config.dns.host, () => {
             logger.info({ msg: 'DNS server listening', protocol: 'tcp', host: config.dns.host, port: config.dns.port });
-        })
-        .on('error', err => {
-            let method = 'error';
-            if (err && ['ECONNRESET'].includes(err.code)) {
-                method = 'trace';
-            }
-            logger[method]({ msg: 'DNS server error', protocol: 'tcp', err });
+            resolve();
         });
+    });
+
+    return { udpServer, tcpServer };
 };
 
 module.exports = init;

package/lib/dns-tcp-server.js

@@ -2,7 +2,7 @@
 
 const net = require('net');
 const EventEmitter = require('events');
-const Packet = require('dns2/packet');
+const { Packet } = require('dns2');
 const logger = require('./logger').child({ component: 'dns-tcp-server' });
 
 class DNSTcpServer extends EventEmitter {

package/lib/dns-udp-server.js

@@ -2,7 +2,7 @@
 
 const udp = require('dgram');
 const EventEmitter = require('events');
-const Packet = require('dns2/packet');
+const { Packet } = require('dns2');
 const logger = require('./logger').child({ component: 'dns-udp-server' });
 
 /**

package/lib/logger.js

@@ -11,6 +11,9 @@ if (threadId) {
     logger = logger.child({ tid: threadId });
 }
 
+// No-op by default; lib/sentry.js overrides this with a real reporter when a DSN is configured
+logger.notifyError = () => false;
+
 process.on('uncaughtException', err => {
     logger.fatal({
         msg: 'uncaughtException',

package/lib/public-server.js

@@ -254,7 +254,16 @@ const setupHttps = () =>
             },
             (req, res) => {
                 req.proto = 'https';
-                middleware(req, res);
+
+                try {
+                    middleware(req, res);
+                } catch (err) {
+                    logger.error({ msg: 'Failed to process request', err });
+                    res.statusCode = 500;
+                    res.setHeader('Content-Type', 'text/html');
+                    return res.end(errors.error500({}));
+                }
+
                 handler(req, res).catch(err => {
                     res.statusCode = 500;
                     res.setHeader('Content-Type', 'text/html');
@@ -334,7 +343,16 @@ const setupHttp = () =>
     new Promise((resolve, reject) => {
         const server = http.createServer((req, res) => {
             req.proto = 'http';
-            middleware(req, res);
+
+            try {
+                middleware(req, res);
+            } catch (err) {
+                logger.error({ msg: 'Failed to process request', err });
+                res.statusCode = 500;
+                res.setHeader('Content-Type', 'text/html');
+                return res.end(errors.error500({}));
+            }
+
             handler(req, res).catch(err => {
                 res.statusCode = 500;
                 res.setHeader('Content-Type', 'text/html');

package/lib/sentry.js

@@ -0,0 +1,72 @@
+'use strict';
+
+/* eslint global-require: 0 */
+
+const config = require('wild-config');
+const packageData = require('../package.json');
+const logger = require('./logger');
+
+// Initialize Sentry error tracking. With no DSN configured, error reporting stays
+// disabled and logger.notifyError keeps its no-op default from lib/logger.js.
+function initSentry(worker) {
+    // The SENTRY_DSN environment variable overrides the configured value, otherwise
+    // fall back to the wild-config value. An empty DSN disables error reporting.
+    const dsn = (process.env.SENTRY_DSN || (config.sentry && config.sentry.dsn) || '').trim();
+    if (!dsn) {
+        return;
+    }
+
+    // require lazily, the SDK loads several hundred modules in every worker,
+    // so only pay that cost when error tracking is actually enabled
+    const Sentry = require('@sentry/node');
+
+    Sentry.init({
+        dsn,
+        release: packageData.version,
+        environment: process.env.NODE_ENV || 'development',
+        // Error capture only: skip the OpenTelemetry setup and the default
+        // integrations that patch http/fetch/console on hot paths. The uncaught
+        // exception / unhandled rejection integrations are added back explicitly
+        // so crashes are still reported (Bugsnag's autoDetectErrors did this).
+        skipOpenTelemetrySetup: true,
+        defaultIntegrations: false,
+        integrations: [
+            Sentry.eventFiltersIntegration(),
+            Sentry.functionToStringIntegration(),
+            Sentry.linkedErrorsIntegration(),
+            Sentry.contextLinesIntegration(),
+            Sentry.nodeContextIntegration(),
+            Sentry.modulesIntegration(),
+            // captures, flushes and exits the worker so the supervisor restarts it
+            Sentry.onUncaughtExceptionIntegration(),
+            // captures and warns, but does not exit (matches the previous behaviour)
+            Sentry.onUnhandledRejectionIntegration({ mode: 'warn' })
+        ],
+        initialScope: {
+            tags: { worker, app: packageData.name }
+        }
+    });
+
+    // Signals to the worker bootstraps that an error reporter with its own
+    // crash handler is active, so closeProcess() should let Sentry flush and
+    // exit instead of exiting immediately (which would drop the in-flight event).
+    logger.errorReportingEnabled = true;
+
+    logger.notifyError = (err, opts) => {
+        let captureContext = {};
+        if (opts && opts.level) {
+            captureContext.level = opts.level;
+        }
+        if (opts && opts.context) {
+            captureContext.tags = { context: opts.context };
+        }
+        if (opts && opts.meta && Object.keys(opts.meta).length) {
+            captureContext.contexts = { error: opts.meta };
+        }
+        Sentry.captureException(err, captureContext);
+    };
+
+    logger.info({ msg: 'Enabled Sentry error reporting', worker });
+}
+
+module.exports = { initSentry };

package/lib/tools.js

@@ -2,7 +2,7 @@
 
 const cachedResolver = require('./cached-resolver');
 const punycode = require('punycode/');
-const Joi = require('@hapi/joi');
+const Joi = require('joi');
 
 const emailSchema = Joi.string().email({}).required();
 

package/lib/zone-store.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const punycode = require('punycode/');
-const shortid = require('shortid');
+const { nanoid } = require('nanoid');
 const db = require('./db');
 const logger = require('./logger').child({ component: 'zone-store' });
 const { normalizeDomain } = require('./tools');
@@ -70,8 +70,8 @@ class ZoneStore {
         let recordKey = `d:${name}:r:${type}`;
         let res = await this.db.redisWrite.multi().hdel(recordKey, hid).exists(recordKey).exec();
 
-        if (res[res.length - 1] && !res[res.length - 1][0] && !res[res.length - 1][0]) {
-            // key was deleted, update zone
+        if (res[res.length - 1] && !res[res.length - 1][0] && !res[res.length - 1][1]) {
+            // the record key no longer exists (no entries left), remove it from the zone
             await this.db.redisWrite.srem(`d:${zone}:z`, recordKey);
         }
 
@@ -356,7 +356,7 @@ class ZoneStore {
         }
 
         let recordKey = `d:${name}:r:${type}`;
-        let hid = shortid.generate();
+        let hid = nanoid();
 
         let id = this.getFullId(name, type, hid);
 

package/package.json

@@ -1,15 +1,22 @@
 {
     "name": "pending-dns",
-    "version": "1.2.5",
+    "version": "1.3.0",
     "description": "Lightweight API driven DNS server",
+    "productTitle": "PendingDNS",
     "main": "index.js",
+    "private": false,
+    "engines": {
+        "node": ">=18"
+    },
     "scripts": {
         "start": "node server.js",
-        "test": "grunt",
-        "build-source": "rm -rf node_modules package-lock.json && npm install && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
-        "build-dist-fast": "npx pkg --debug package.json && rm -rf package-lock.json && npm install",
-        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install",
-        "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt"
+        "lint": "eslint .",
+        "test": "NODE_ENV=test node --test --test-force-exit --test-concurrency=1 test/*.test.js",
+        "build-source": "rm -rf node_modules && npm install && npm run licenses && rm -rf node_modules && npm ci --omit=dev",
+        "build-dist-fast": "pkg --debug package.json && npm install",
+        "build-dist": "pkg --compress Brotli package.json && npm install",
+        "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt",
+        "update": "rm -rf node_modules package-lock.json && ncu -u && npm install"
     },
     "repository": {
         "type": "git",
@@ -28,55 +35,58 @@
     },
     "homepage": "https://github.com/postalsys/pending-dns#readme",
     "devDependencies": {
-        "eslint": "8.47.0",
+        "@eslint/eslintrc": "3.3.5",
+        "@eslint/js": "9.39.4",
+        "eslint": "9.39.4",
         "eslint-config-nodemailer": "1.2.0",
-        "eslint-config-prettier": "9.0.0",
-        "grunt": "1.6.1",
-        "grunt-cli": "1.4.3",
-        "grunt-eslint": "24.3.0",
-        "license-report": "6.4.0"
+        "eslint-config-prettier": "10.1.8",
+        "license-report": "6.8.5"
     },
     "dependencies": {
-        "@bugsnag/js": "7.21.0",
         "@fidm/x509": "1.2.1",
         "@hapi/boom": "10.0.1",
-        "@hapi/hapi": "21.3.2",
-        "@hapi/inert": "7.1.0",
-        "@hapi/joi": "17.1.1",
+        "@hapi/hapi": "21.4.9",
+        "@hapi/inert": "7.1.2",
         "@hapi/vision": "7.0.3",
         "@root/acme": "3.1.0",
         "@root/csr": "0.8.1",
-        "dns2": "2.1.0",
-        "handlebars": "4.7.8",
-        "hapi-pino": "12.1.0",
-        "hapi-swagger": "17.1.0",
+        "@sentry/node": "10.57.0",
+        "dns2": "3.0.0",
+        "handlebars": "4.7.9",
+        "hapi-pino": "13.0.0",
+        "hapi-swagger": "17.3.2",
         "http-proxy": "1.18.1",
-        "ioredfour": "1.2.0-ioredis-07",
-        "ioredis": "5.3.2",
-        "ipaddr.js": "2.1.0",
+        "ioredfour": "1.4.1",
+        "ioredis": "5.11.1",
+        "ipaddr.js": "2.4.0",
+        "joi": "17.13.4",
         "minimist": "1.2.8",
-        "node-rsa": "1.1.1",
+        "nanoid": "3.3.12",
         "pem-jwk": "2.0.0",
-        "pino": "8.15.0",
-        "punycode": "2.3.0",
-        "shortid": "2.2.16",
-        "uuid": "9.0.0",
-        "wild-config": "1.7.0"
+        "pino": "10.3.1",
+        "punycode": "2.3.1",
+        "wild-config": "1.7.1"
     },
     "bin": {
         "pending-dns": "bin/pending-dns.js"
     },
     "pkg": {
+        "scripts": [
+            "lib/**/*.js",
+            "workers/**/*.js"
+        ],
         "assets": [
+            "lib/lua/**/*",
+            "config/*.pem",
             "licenses.txt",
             "LICENSE.txt",
             "help.txt"
         ],
         "targets": [
-            "node18-linux-x64",
-            "node18-macos-x64",
-            "node18-macos-arm64",
-            "node18-win-x64"
+            "node24-linux-x64",
+            "node24-macos-x64",
+            "node24-macos-arm64",
+            "node24-win-x64"
         ],
         "outputPath": "ee-dist"
     }

package/release-please-config.json

@@ -0,0 +1,13 @@
+{
+    "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+    "packages": {
+        ".": {
+            "release-type": "node",
+            "package-name": "pending-dns",
+            "changelog-path": "CHANGELOG.md",
+            "bump-minor-pre-major": false,
+            "draft": false,
+            "prerelease": false
+        }
+    }
+}

package/server.js

@@ -7,7 +7,6 @@ const argv = process.argv.slice(2);
 const config = require('wild-config');
 const logger = require('./lib/logger').child({ component: 'server' });
 const pathlib = require('path');
-const packageData = require('./package.json');
 const { Worker, SHARE_ENV } = require('worker_threads');
 const { isemail } = require('./lib/tools');
 
@@ -16,28 +15,7 @@ if (!config.acme || !isemail(config.acme.email)) {
     process.exit(51);
 }
 
-const Bugsnag = require('@bugsnag/js');
-if (process.env.BUGSNAG_API_KEY) {
-    Bugsnag.start({
-        apiKey: process.env.BUGSNAG_API_KEY,
-        appVersion: packageData.version,
-        logger: {
-            debug(...args) {
-                logger.debug({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            info(...args) {
-                logger.debug({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            warn(...args) {
-                logger.warn({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            error(...args) {
-                logger.error({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            }
-        }
-    });
-    logger.notifyError = Bugsnag.notify.bind(Bugsnag);
-}
+require('./lib/sentry').initSentry('main');
 
 let closing = false;
 
@@ -109,7 +87,10 @@ const closeProcess = (code, errType, err) => {
         err
     });
 
-    if (!logger.notifyError) {
+    if (!logger.errorReportingEnabled) {
+        // No external reporter is handling the crash, so exit here and let the
+        // supervisor restart us. When Sentry is enabled its crash integration
+        // captures, flushes and exits instead.
         setTimeout(() => process.exit(code), 10);
     }
 };

package/systemd/pending-dns.service

@@ -35,15 +35,15 @@ Environment="NODE_CONFIG_PATH=/etc/pending-dns.toml"
 
 # This is the folder where PendingDNS files reside.
 
-# Normally this folder would include a clean copy from the PendingDNS Github repository + `npm install --production`.
+# Normally this folder would include a clean copy from the PendingDNS Github repository + `npm install --omit=dev`.
 # To set up:
-#     git clone git://github.com/postalsys/pending-dns.git
+#     git clone https://github.com/postalsys/pending-dns.git
 #     cd pending-dns
-#     npm install --production
+#     npm install --omit=dev
 
 # If PendingDNS files are cloned from Github then an easy way to upgrade the application would look like this:
 #    git pull origin master
-#    npm install --production
+#    npm install --omit=dev
 # And then (as root or a user with sudo privileges):
 #    sudo systemctl restart pending-dns