pending-dns 1.2.5 → 1.4.0

package/SECURITY.txt

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: https://github.com/postalsys/pending-dns/security/advisories/new
+Contact: mailto:andris@postalsys.com
+Expires: 2027-06-01T00:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/5D952A46E1D8C931F6364E01DC6C83F4D584D364
+Preferred-Languages: en, et
+Canonical: https://github.com/postalsys/pending-dns/blob/master/SECURITY.txt
+Policy: https://github.com/postalsys/pending-dns/blob/master/SECURITY.md
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCAA5FiEEXZUqRuHYyTH2Nk4B3GyD9NWE02QFAmozqqUbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJENxsg/TVhNNkUlUQAL8mZHOiH2ZVgsrJanW6
+58YQ5DTNfLL0CO5Qwo1j9XijmvF7dMwDsNTvQ2hDBV+Okz7mSfDBUaofgT6kIBQz
+Qk0yMyOp1Um+l4rF7/J2d/9ABBnsu4Le59Mu87qIgziLCu3YarheThiPCQvFzRfH
+A/vmGOu3/+gcHdF2GrlEk8xfFNdIqwdhuW8oTiR18WqUARe3S+wQdfumDX41gVRL
+y0Q8eGXb3j8jLXp9E21ePlPdxtIQC4fZSexd64IEKv7kuVp9vDpai0jdi5SQSmCA
+gOPp5f9jR0B6GCbRfCRYUHsrQlwOZPtCq46IGKCnrCd2wI7RHTeCUwtzOQsqod7n
+u+GE/YAZZuck9OI6oDZ3klGXUNAi5RO16ix80rybFfVA2MmNdCDHDwTmlysHli8E
+9FjakLcnF/5eH5NlH579IhQIx1exmE9Q+ZyCwaNQ2uGIujxy6bay3cxvXXeecrJM
+c0MMNgyh7CCfmHShoXfQ2JnFTlVycgqZetLySBxGzkgj5mczLKHviAjaoM3Hw2K6
+znct7z4aE0yY+tCItdIHTdPV5NxR319HZRE980h2yxt92aWmhZn/dW/4fAEwqzFU
+C6Ghu37qs9JwvyBZImH92fc9+27Xgx0Ahfb9RoXM/+TulXAdrQxcK+th9ye40GfJ
+otvIQGxzLN1kyCWhQCqusEJ4
+=QK6n
+-----END PGP SIGNATURE-----

package/bin/pending-dns.js

@@ -36,7 +36,7 @@ function run() {
 
         case 'version':
             // Show version
-            console.log(`EmailEngine v${packageData.version} (${packageData.license})`);
+            console.log(`PendingDNS v${packageData.version} (${packageData.license})`);
             return process.exit();
 
         default:

package/config/default.toml

@@ -2,6 +2,11 @@
 [log]
 level = "trace"
 
+[sentry]
+# Error reporting DSN for the self-hosted Sentry server. Leave empty to disable.
+# The production value is set via the SENTRY_DSN environment variable.
+dsn = ""
+
 [dbs]
 
 # By default all redis commands are sent against the same instance
@@ -138,6 +143,44 @@ ciphers = "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES25
 A = ["127.0.0.1", "127.0.0.2"]
 AAAA = []
 
+[dnssec]
+# Master switch. Per-zone signing is additionally gated on a generated key:
+# a zone is only signed once DNSSEC has been enabled for it over the API.
+enabled = false
+
+# Default algorithm for newly generated zone keys.
+#   13 = ECDSA P-256 / SHA-256 (recommended)
+#   15 = Ed25519
+#    8 = RSASHA256
+algorithm = 13
+
+# RRSIG validity window (seconds) and how far inception is backdated to absorb
+# validator clock skew.
+signatureValidity = 604800 # 7 days
+inceptionSkew = 3600       # backdate inception 1h
+
+# TTL for the DNSKEY RRset. (Synthesized NSEC records use the SOA minimum so the
+# denial proof and the negative answer expire together, per RFC 2308.)
+dnskeyTtl = 3600
+
+# How long (seconds) a per-zone signer (and the "unsigned" verdict for a zone) is
+# cached in memory on the DNS workers, to avoid re-reading and re-parsing zone
+# keys on every DO query. The API and DNS subsystems run as separate workers, so
+# a key change made over the API takes effect on the DNS side after at most this
+# long. Set to 0 to disable the cache. Keep small - DNSSEC key changes are rare.
+signerCacheTtl = 5
+
+# Denial of existence: nonexistent or empty names are answered NODATA (NOERROR)
+# with a signed compact NSEC ("black lies"). True NXDOMAIN is not used because the
+# server synthesizes CAA/NS/SOA for any name, so to a validator no name is truly
+# absent.
+
+# Advertised EDNS UDP payload size, and the cap on outgoing UDP responses: a
+# response larger than the smaller of this and the requestor's advertised size is
+# truncated with TC=1 so the client retries over TCP. 1232 avoids IP fragmentation
+# on most paths.
+udpPayloadSize = 1232
+
 [process]
 # Change user for child processes once privileged ports have been bound
 #user="www-data"

package/config/test.toml

@@ -0,0 +1,35 @@
+# Configuration used by the automated test suite (NODE_ENV=test).
+# It is never loaded in production/development and keeps tests isolated
+# from real data by pointing Redis at a dedicated database that the test
+# setup is free to flush.
+
+[log]
+level = "silent"
+
+[dbs]
+# Dedicated Redis database for tests. The test bootstrap flushes this DB,
+# so it must not be shared with development (db 2) or production data.
+redis = "redis://127.0.0.1:6379/15"
+
+[acme]
+# A syntactically valid address is required for the server bootstrap check.
+email = "test@example.com"
+
+[dns]
+# Avoid clashing with a locally running instance if the DNS server is started.
+port = 15353
+host = "127.0.0.1"
+
+[api]
+port = 15080
+host = "127.0.0.1"
+
+[dnssec]
+# Enable the global DNSSEC master switch so the signing tests exercise the
+# query-time signing path (per-zone signing is still gated on a generated key).
+enabled = true
+
+# Disable the in-memory signer cache in tests so each case reads fresh state from
+# Redis (db 15 is flushed between cases); the cache itself is covered by a
+# dedicated test that sets a positive TTL.
+signerCacheTtl = 0

package/eslint.config.js

@@ -0,0 +1,38 @@
+'use strict';
+
+const { FlatCompat } = require('@eslint/eslintrc');
+const js = require('@eslint/js');
+const prettier = require('eslint-config-prettier');
+
+const compat = new FlatCompat({
+    baseDirectory: __dirname,
+    recommendedConfig: js.configs.recommended,
+    allConfig: js.configs.all
+});
+
+module.exports = [
+    {
+        ignores: ['node_modules/', 'ee-dist/', 'coverage/', 'views/', '.prettierrc.js']
+    },
+
+    // Shared Nodemailer ESLint rules (eslintrc format, wrapped for flat config)
+    ...compat.extends('eslint-config-nodemailer'),
+
+    // Disable stylistic rules that conflict with Prettier
+    prettier,
+
+    {
+        languageOptions: {
+            ecmaVersion: 2023,
+            sourceType: 'commonjs'
+        },
+        rules: {
+            indent: 'off',
+            'no-await-in-loop': 'off',
+            'require-atomic-updates': 'off',
+            // Preserve the long-standing project convention of `catch (err) { /* ignore */ }`.
+            // ESLint 9 changed the no-unused-vars `caughtErrors` default to 'all'.
+            'no-unused-vars': ['error', { caughtErrors: 'none' }]
+        }
+    }
+];

package/lib/api-server.js

@@ -8,10 +8,15 @@ const Inert = require('@hapi/inert');
 const Vision = require('@hapi/vision');
 const HapiSwagger = require('hapi-swagger');
 const packageData = require('../package.json');
-const Joi = require('@hapi/joi');
+const Joi = require('joi');
 const logger = require('./logger').child({ component: 'api-server' });
-const { zoneStore, allowedTypes, allowedTags } = require('./zone-store');
+const { zoneStore, allowedTypes, allowedTags, tlsaToValue, isEvenHex } = require('./zone-store');
 const { getCertificate } = require('./certs');
+const dnssec = require('./dnssec');
+
+// Normalize a thrown error into a Boom response: pass Boom errors through,
+// otherwise wrap while preserving any statusCode and decorating with err.code.
+const toBoom = err => (Boom.isBoom(err) ? err : Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } }));
 
 const hostnameSchema = Joi.string().hostname({
     allowUnicode: true,
@@ -40,6 +45,20 @@ const subdomainValidator = opts => (value, helpers) => {
     return value;
 };
 
+// All TLSA-specific fields share the same conditional shape: required when the
+// record type is TLSA, forbidden otherwise. Keep the wrapper in one place so the
+// four fields cannot drift apart.
+const tlsaField = (inner, { example, description, label }) =>
+    Joi.any()
+        .example(example)
+        .when('type', {
+            is: 'TLSA',
+            then: inner.required(),
+            otherwise: Joi.any().forbidden()
+        })
+        .description(description)
+        .label(label);
+
 const recordScheme = Joi.object({
     subdomain: Joi.string()
         .replace(/[\s.@]+$/gi, '')
@@ -66,6 +85,16 @@ const recordScheme = Joi.object({
                         }),
                         'subdomain validation'
                     )
+                },
+                {
+                    is: 'TLSA',
+                    then: Joi.custom(
+                        subdomainValidator({
+                            allowUnderscore: true,
+                            allowWildcard: false
+                        }),
+                        'subdomain validation'
+                    )
                 }
             ],
             otherwise: Joi.custom(
@@ -192,7 +221,7 @@ const recordScheme = Joi.object({
         .description('Certificate authority domain for CAA')
         .label('CADomain'),
 
-    tags: Joi.any()
+    tag: Joi.any()
         .example('issue')
         .when('type', {
             is: 'CAA',
@@ -207,7 +236,7 @@ const recordScheme = Joi.object({
         .example(0)
         .when('type', {
             is: 'CAA',
-            then: Joi.string().valid(0).default(0)
+            then: Joi.number().integer().min(0).max(255).default(0)
         })
         .description('Certificate authority flags for CAA')
         .label('Flags'),
@@ -230,6 +259,36 @@ const recordScheme = Joi.object({
         .description('Data for TXT record')
         .label('TXTData'),
 
+    usage: tlsaField(Joi.number().integer().min(0).max(3), {
+        example: 3,
+        description: 'Certificate usage for TLSA (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE)',
+        label: 'TLSAUsage'
+    }),
+
+    selector: tlsaField(Joi.number().integer().min(0).max(1), {
+        example: 1,
+        description: 'Selector for TLSA (0 full certificate, 1 SubjectPublicKeyInfo)',
+        label: 'TLSASelector'
+    }),
+
+    matchingType: tlsaField(Joi.number().integer().min(0).max(2), {
+        example: 1,
+        description: 'Matching type for TLSA (0 full, 1 SHA-256, 2 SHA-512)',
+        label: 'TLSAMatchingType'
+    }),
+
+    certificate: tlsaField(
+        Joi.string()
+            .hex()
+            .lowercase()
+            .custom((value, helpers) => (isEvenHex(value) ? value : helpers.error('any.invalid')), 'even-length hex'),
+        {
+            example: '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c',
+            description: 'Certificate association data for TLSA (hex)',
+            label: 'TLSACertificate'
+        }
+    ),
+
     url: Joi.any()
         .example('https://postalsys.com/')
         .when('type', {
@@ -273,7 +332,7 @@ const failAction = async (request, h, err) => {
     throw error;
 };
 
-const init = async () => {
+const createServer = async () => {
     const server = Hapi.server({
         port: (process.env.API_PORT && Number(process.env.API_PORT)) || config.api.port,
         host: process.env.API_HOST || config.api.host
@@ -346,10 +405,7 @@ const init = async () => {
                 }
                 return { zone: request.params.zone, records };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -401,6 +457,9 @@ const init = async () => {
                     case 'TXT':
                         value = [request.payload.data];
                         break;
+                    case 'TLSA':
+                        value = tlsaToValue(request.payload);
+                        break;
                     case 'URL':
                         value = [request.payload.url, request.payload.code, request.payload.proxy];
                         break;
@@ -414,10 +473,7 @@ const init = async () => {
                     record
                 };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -471,6 +527,9 @@ const init = async () => {
                     case 'TXT':
                         value = [request.payload.data];
                         break;
+                    case 'TLSA':
+                        value = tlsaToValue(request.payload);
+                        break;
                     case 'URL':
                         value = [request.payload.url, request.payload.code, request.payload.proxy];
                         break;
@@ -478,13 +537,10 @@ const init = async () => {
                         throw new Error('Unknown type');
                 }
 
-                let updated = await zoneStore.update(request.params.zone, request.params.record, request.payload.subdomain, request.payload.type, value);
-                return { zone: request.params.zone, updated };
+                let record = await zoneStore.update(request.params.zone, request.params.record, request.payload.subdomain, request.payload.type, value);
+                return { zone: request.params.zone, record };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -525,10 +581,7 @@ const init = async () => {
                 let deleted = await zoneStore.del(request.params.zone, request.params.record);
                 return { zone: request.params.zone, record: request.params.record, deleted };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
         options: {
@@ -631,6 +684,121 @@ const init = async () => {
         }
     });
 
+    const zoneParam = Joi.object({
+        zone: Joi.string().hostname().required().example('example.com').description('Zone domain').label('ZoneDomain')
+    }).label('Zone');
+
+    server.route({
+        method: 'GET',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                return await dnssec.getZoneStatus(request.params.zone);
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Get DNSSEC status',
+            notes: 'Returns DNSSEC state, DS and DNSKEY records for a zone',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+            }
+        }
+    });
+
+    server.route({
+        method: 'POST',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                return await dnssec.enableZone(request.params.zone, { algorithm: request.payload && request.payload.algorithm });
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Enable DNSSEC',
+            notes: 'Enables DNSSEC for a zone, generating a signing key on first call. Returns DS records to set at the registrar.',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam,
+                payload: Joi.object({
+                    algorithm: Joi.number()
+                        .valid(8, 13, 15)
+                        .example(13)
+                        .description('DNSSEC algorithm (8 RSASHA256, 13 ECDSAP256SHA256, 15 ED25519)')
+                        .label('DnssecAlgorithm')
+                })
+                    .allow(null)
+                    .label('DnssecOptions')
+            }
+        }
+    });
+
+    server.route({
+        method: 'DELETE',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                let disabled = await dnssec.disableZone(request.params.zone);
+                return { zone: request.params.zone, disabled };
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Disable DNSSEC',
+            notes: 'Disables DNSSEC signing for a zone',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+            }
+        }
+    });
+
+    server.route({
+        method: 'DELETE',
+        path: '/v1/zone/{zone}/dnssec/key/{keyTag}',
+
+        async handler(request) {
+            try {
+                let removed = await dnssec.removeKey(request.params.zone, request.params.keyTag);
+                return { zone: request.params.zone, keyTag: request.params.keyTag, removed };
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Remove a DNSSEC key',
+            notes: 'Removes a non-active signing key from a zone, e.g. to finish an algorithm rollover after publishing the new DS. Refuses to remove the active or last key.',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+                    .keys({
+                        keyTag: Joi.number().integer().min(0).max(65535).required().example(48234).description('Key tag of the key to remove').label('KeyTag')
+                    })
+                    .label('ZoneKey')
+            }
+        }
+    });
+
     server.route({
         method: '*',
         path: '/{any*}',
@@ -639,7 +807,14 @@ const init = async () => {
         }
     });
 
+    return server;
+};
+
+const init = async () => {
+    const server = await createServer();
     await server.start();
+    return server;
 };
 
 module.exports = init;
+module.exports.createServer = createServer;

package/lib/cached-resolver.js

@@ -32,12 +32,13 @@ function formatResult(record) {
  * @param {Object} [options]
  * @param {Number} [options.minTtl=10min] Cache timeout for successful resolving operations. If cached response is older than this value then resolving is retried. If resolving fails then cached value is used.
  * @param {Number} [options.maxTtl=8h] Time after cached data of a successful resolving is permanently deleted
- * @param {Number} [options.errorTtl=1min] Cache timeout for errored resolving operations. If cached response is older than this value then resolving is retried
+ * @param {Number} [options.errorMinTtl=1min] Cache timeout for errored resolving operations. If cached response is older than this value then resolving is retried
+ * @param {Number} [options.errorMaxTtl=1h] Time after cached error data is permanently deleted
  * @returns {Array|Boolean} Resolve response or `false` if query failed for whatever reason
  */
 const cachedResolver = async (target, type, options) => {
     try {
-        target = punycode.toASCII(target.trim().toLowerCase().trim().toLowerCase());
+        target = punycode.toASCII(target.trim().toLowerCase());
     } catch (err) {
         return false;
     }
@@ -120,12 +121,13 @@ const cachedResolver = async (target, type, options) => {
             .set(
                 cacheKey,
                 JSON.stringify({
+                    expires: Date.now() + options.errorMinTtl,
                     data: false,
                     error: err.message,
                     code: err.code || err.errno
                 })
             )
-            .expire(cacheKey, Math.round(options.errorTtl / 1000))
+            .expire(cacheKey, Math.round(options.errorMaxTtl / 1000))
             .exec();
         throw err;
     }

package/lib/certs.js

@@ -9,19 +9,14 @@ const crypto = require('crypto');
 const { checkNSStatus, normalizeDomain } = require('./tools');
 const ACME = require('@root/acme');
 const { pem2jwk } = require('pem-jwk');
-const NodeRSA = require('node-rsa');
 const logger = require('./logger').child({ component: 'certs' });
 const CSR = require('@root/csr');
 const { Certificate } = require('@fidm/x509');
 const { Resolver } = require('dns').promises;
-const Lock = require('ioredfour');
 const util = require('util');
+const { waitAcquireLock, releaseLock } = require('./lock');
 
-const certLock = new Lock({
-    redis: db.redisWrite,
-    namespace: 'd:lock:'
-});
-const waitAcquireLock = util.promisify(certLock.waitAcquireLock.bind(certLock));
+const generateKeyPairAsync = util.promisify(crypto.generateKeyPair);
 
 const localResolver = new Resolver();
 localResolver.setServers(config.ns.map(ns => ns.ip));
@@ -78,9 +73,12 @@ const ensureAcme = async () => {
 };
 
 const generateKey = async bits => {
-    const key = new NodeRSA({ b: bits || 2048, e: 65537 });
-    const pem = key.exportKey('pkcs1-private-pem');
-    return pem;
+    const { privateKey } = await generateKeyPairAsync('rsa', {
+        modulusLength: bits || 2048,
+        publicExponent: 65537,
+        privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
+    });
+    return privateKey;
 };
 
 class AcmeDNSPlugin {
@@ -437,16 +435,7 @@ const getCertificate = async (domains, force) => {
 
         throw err;
     } finally {
-        if (lock.success) {
-            await new Promise(resolve => {
-                certLock.releaseLock(lock, err => {
-                    if (err) {
-                        logger.error({ msg: 'Failed releasing lock', lock: domainHash, domains, err });
-                    }
-                    resolve();
-                });
-            });
-        }
+        await releaseLock(lock, { lock: domainHash, domains });
     }
 };
 
@@ -472,3 +461,6 @@ module.exports = {
     getCertificate,
     loadCertificate
 };
+
+// Exposed for unit testing
+module.exports.testables = { generateKey };