pending-dns 1.2.5 → 1.4.0

package/lib/zone-store.js

@@ -1,15 +1,35 @@
 'use strict';
 
 const punycode = require('punycode/');
-const shortid = require('shortid');
+const { nanoid } = require('nanoid');
 const db = require('./db');
 const logger = require('./logger').child({ component: 'zone-store' });
 const { normalizeDomain } = require('./tools');
 
-const orderList = ['A', 'AAAA', 'ANAME', 'CNAME', 'MX', 'TXT', 'CAA', 'URL', 'NS'];
+const orderList = ['A', 'AAAA', 'ANAME', 'CNAME', 'MX', 'TXT', 'CAA', 'TLSA', 'URL', 'NS'];
 const allowedTypes = new Set(orderList);
 const allowedTags = new Set(['issue', 'issuewild', 'iodef']);
 
+// TLSA records are stored as a positional value array
+// [usage, selector, matchingType, certificate]. These keep that ordering in one
+// place so the API, the store, and the DNS handler cannot drift apart.
+const tlsaToValue = data => [data.usage, data.selector, data.matchingType, data.certificate];
+// TLSA certificate association data must be even-length hex. The API enforces
+// this in Joi, but guard the store boundary too so a direct caller cannot store
+// a value that Buffer.from(..,'hex') would silently truncate into a corrupt DANE
+// association.
+const isEvenHex = value => typeof value === 'string' && value.length > 0 && value.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(value);
+const tlsaFromValue = value => ({
+    usage: Number(value[0]) || 0,
+    selector: Number(value[1]) || 0,
+    matchingType: Number(value[2]) || 0,
+    certificate: value[3]
+});
+
+// Single-label wildcard key for a label-reversed name: replace the most-specific
+// (trailing) label with '*'. resolve() and existingTypes() both probe this key.
+const toWildcardName = name => name.replace(/\.[^.]+$/, '.*');
+
 class ZoneStore {
     constructor(db, options) {
         this.db = db;
@@ -70,8 +90,8 @@ class ZoneStore {
         let recordKey = `d:${name}:r:${type}`;
         let res = await this.db.redisWrite.multi().hdel(recordKey, hid).exists(recordKey).exec();
 
-        if (res[res.length - 1] && !res[res.length - 1][0] && !res[res.length - 1][0]) {
-            // key was deleted, update zone
+        if (res[res.length - 1] && !res[res.length - 1][0] && !res[res.length - 1][1]) {
+            // the record key no longer exists (no entries left), remove it from the zone
             await this.db.redisWrite.srem(`d:${zone}:z`, recordKey);
         }
 
@@ -168,6 +188,10 @@ class ZoneStore {
                 result.ns = entry.value[0];
                 break;
 
+            case 'TLSA':
+                Object.assign(result, tlsaFromValue(entry.value));
+                break;
+
             case 'TXT':
                 result.data = entry.value[0];
                 break;
@@ -322,6 +346,49 @@ class ZoneStore {
         return list;
     }
 
+    /**
+     * List record types that exist at an exact name, optionally also folding in
+     * the types a single-level wildcard could answer at that name (probed in the
+     * same pipeline). Used to build DNSSEC NSEC type bitmaps: listing the
+     * wildcard-answerable types keeps an RFC 8198 aggressive-NSEC resolver from
+     * synthesizing a NODATA that suppresses the wildcard answer.
+     * @param {String} domain Exact domain name
+     * @param {Boolean} includeWildcard Also probe the single-level wildcard key
+     * @returns {Array} Array of record type strings present at the name
+     */
+    async existingTypes(domain, includeWildcard) {
+        let name = this.domainToName(domain);
+        if (!name) {
+            return [];
+        }
+
+        // Same single-level wildcard key construction resolve() uses: replace the
+        // most-specific label with '*'.
+        let wildcardName = includeWildcard && name.includes('.') ? toWildcardName(name) : null;
+        let names = wildcardName && wildcardName !== name ? [name, wildcardName] : [name];
+
+        let req = this.db.redisRead.multi();
+        for (let probe of names) {
+            for (let type of orderList) {
+                req = req.exists(`d:${probe}:r:${type}`);
+            }
+        }
+        let res = await req.exec();
+
+        let types = new Set();
+        names.forEach((probe, n) => {
+            // Each probe contributed one EXISTS per orderList type, in order; take
+            // that probe's contiguous slice of the flat pipeline result.
+            let probeRes = res.slice(n * orderList.length, (n + 1) * orderList.length);
+            orderList.forEach((type, i) => {
+                if (probeRes[i] && probeRes[i][1]) {
+                    types.add(type);
+                }
+            });
+        });
+        return [...types];
+    }
+
     /**
      * Add new resource record to Zone
      * @param {String} zone Zone domain
@@ -355,8 +422,14 @@ class ZoneStore {
             return false;
         }
 
+        // Reject TLSA records whose certificate data is not even-length hex; the
+        // wire encoder would otherwise silently truncate it (RFC 6698 RDATA).
+        if (type === 'TLSA' && !isEvenHex(value[3])) {
+            return false;
+        }
+
         let recordKey = `d:${name}:r:${type}`;
-        let hid = shortid.generate();
+        let hid = nanoid();
 
         let id = this.getFullId(name, type, hid);
 
@@ -421,6 +494,13 @@ class ZoneStore {
             return await this.add(this.nameToDomain(zone), updatedSubdomain, updatedType, value);
         }
 
+        // Same TLSA even-length-hex guard add() applies: the changed-name/type path
+        // above routes through add(), but this unchanged path writes directly and
+        // would otherwise let a corrupt cert through that the wire encoder truncates.
+        if (type === 'TLSA' && !isEvenHex(Array.isArray(value) ? value[3] : null)) {
+            return false;
+        }
+
         let updatedId = this.getFullId(name, type, hid);
 
         let recordKey = `d:${name}:r:${type}`;
@@ -495,9 +575,9 @@ class ZoneStore {
             return await checkHealthStatus(exactRes);
         }
 
-        let wildcardName = name.replace(/\.[^.]+$/, '.*');
+        let wildcardName = toWildcardName(name);
         let wildcardDomain = this.nameToDomain(wildcardName);
-        let wildcardRecordKey = `d:${name.replace(/\.[^.]+$/, '.*')}:r:${type}`;
+        let wildcardRecordKey = `d:${wildcardName}:r:${type}`;
 
         let wildcardRecord = await this.db.redisRead.hgetall(wildcardRecordKey);
         let wildRes = this.parseHashRecord(zone, wildcardName, domain, type, short, wildcardRecord);
@@ -578,3 +658,6 @@ module.exports.ZoneStore = ZoneStore;
 module.exports.zoneStore = new ZoneStore(db);
 module.exports.allowedTypes = [...allowedTypes];
 module.exports.allowedTags = [...allowedTags];
+module.exports.tlsaToValue = tlsaToValue;
+module.exports.tlsaFromValue = tlsaFromValue;
+module.exports.isEvenHex = isEvenHex;

package/package.json

@@ -1,15 +1,24 @@
 {
     "name": "pending-dns",
-    "version": "1.2.5",
+    "version": "1.4.0",
     "description": "Lightweight API driven DNS server",
+    "productTitle": "PendingDNS",
     "main": "index.js",
+    "private": false,
+    "engines": {
+        "node": ">=18"
+    },
     "scripts": {
         "start": "node server.js",
-        "test": "grunt",
-        "build-source": "rm -rf node_modules package-lock.json && npm install && npm run licenses && rm -rf node_modules package-lock.json && npm install --production && rm -rf package-lock.json",
-        "build-dist-fast": "npx pkg --debug package.json && rm -rf package-lock.json && npm install",
-        "build-dist": "npx pkg --compress Brotli package.json && rm -rf package-lock.json && npm install",
-        "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt"
+        "lint": "eslint .",
+        "format": "prettier --write 'lib/**/*.js' 'workers/**/*.js' 'test/**/*.js' '*.js'",
+        "format:check": "prettier --check 'lib/**/*.js' 'workers/**/*.js' 'test/**/*.js' '*.js'",
+        "test": "NODE_ENV=test node --test --test-force-exit --test-concurrency=1 test/*.test.js",
+        "build-source": "rm -rf node_modules && npm install && npm run licenses && rm -rf node_modules && npm ci --omit=dev",
+        "build-dist-fast": "pkg --debug package.json && npm install",
+        "build-dist": "pkg --compress Brotli package.json && npm install",
+        "licenses": "license-report --only=prod --output=table --config license-report-config.json > licenses.txt",
+        "update": "rm -rf node_modules package-lock.json && ncu -u && npm install"
     },
     "repository": {
         "type": "git",
@@ -28,55 +37,59 @@
     },
     "homepage": "https://github.com/postalsys/pending-dns#readme",
     "devDependencies": {
-        "eslint": "8.47.0",
+        "@eslint/eslintrc": "3.3.5",
+        "@eslint/js": "9.39.4",
+        "eslint": "9.39.4",
         "eslint-config-nodemailer": "1.2.0",
-        "eslint-config-prettier": "9.0.0",
-        "grunt": "1.6.1",
-        "grunt-cli": "1.4.3",
-        "grunt-eslint": "24.3.0",
-        "license-report": "6.4.0"
+        "eslint-config-prettier": "10.1.8",
+        "license-report": "6.8.5",
+        "prettier": "3.8.4"
     },
     "dependencies": {
-        "@bugsnag/js": "7.21.0",
         "@fidm/x509": "1.2.1",
         "@hapi/boom": "10.0.1",
-        "@hapi/hapi": "21.3.2",
-        "@hapi/inert": "7.1.0",
-        "@hapi/joi": "17.1.1",
+        "@hapi/hapi": "21.4.9",
+        "@hapi/inert": "7.1.2",
         "@hapi/vision": "7.0.3",
         "@root/acme": "3.1.0",
         "@root/csr": "0.8.1",
-        "dns2": "2.1.0",
-        "handlebars": "4.7.8",
-        "hapi-pino": "12.1.0",
-        "hapi-swagger": "17.1.0",
+        "@sentry/node": "10.57.0",
+        "dns2": "3.0.0",
+        "handlebars": "4.7.9",
+        "hapi-pino": "13.0.0",
+        "hapi-swagger": "17.3.2",
         "http-proxy": "1.18.1",
-        "ioredfour": "1.2.0-ioredis-07",
-        "ioredis": "5.3.2",
-        "ipaddr.js": "2.1.0",
+        "ioredfour": "1.4.1",
+        "ioredis": "5.11.1",
+        "ipaddr.js": "2.4.0",
+        "joi": "17.13.4",
         "minimist": "1.2.8",
-        "node-rsa": "1.1.1",
+        "nanoid": "3.3.12",
         "pem-jwk": "2.0.0",
-        "pino": "8.15.0",
-        "punycode": "2.3.0",
-        "shortid": "2.2.16",
-        "uuid": "9.0.0",
-        "wild-config": "1.7.0"
+        "pino": "10.3.1",
+        "punycode": "2.3.1",
+        "wild-config": "1.7.1"
     },
     "bin": {
         "pending-dns": "bin/pending-dns.js"
     },
     "pkg": {
+        "scripts": [
+            "lib/**/*.js",
+            "workers/**/*.js"
+        ],
         "assets": [
+            "lib/lua/**/*",
+            "config/*.pem",
             "licenses.txt",
             "LICENSE.txt",
             "help.txt"
         ],
         "targets": [
-            "node18-linux-x64",
-            "node18-macos-x64",
-            "node18-macos-arm64",
-            "node18-win-x64"
+            "node24-linux-x64",
+            "node24-macos-x64",
+            "node24-macos-arm64",
+            "node24-win-x64"
         ],
         "outputPath": "ee-dist"
     }

package/release-please-config.json

@@ -0,0 +1,14 @@
+{
+    "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+    "include-component-in-tag": false,
+    "packages": {
+        ".": {
+            "release-type": "node",
+            "package-name": "pending-dns",
+            "changelog-path": "CHANGELOG.md",
+            "bump-minor-pre-major": false,
+            "draft": false,
+            "prerelease": false
+        }
+    }
+}

package/server.js

@@ -7,7 +7,6 @@ const argv = process.argv.slice(2);
 const config = require('wild-config');
 const logger = require('./lib/logger').child({ component: 'server' });
 const pathlib = require('path');
-const packageData = require('./package.json');
 const { Worker, SHARE_ENV } = require('worker_threads');
 const { isemail } = require('./lib/tools');
 
@@ -16,28 +15,7 @@ if (!config.acme || !isemail(config.acme.email)) {
     process.exit(51);
 }
 
-const Bugsnag = require('@bugsnag/js');
-if (process.env.BUGSNAG_API_KEY) {
-    Bugsnag.start({
-        apiKey: process.env.BUGSNAG_API_KEY,
-        appVersion: packageData.version,
-        logger: {
-            debug(...args) {
-                logger.debug({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            info(...args) {
-                logger.debug({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            warn(...args) {
-                logger.warn({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            },
-            error(...args) {
-                logger.error({ msg: args.shift(), worker: 'main', source: 'bugsnag', args: args.length ? args : undefined });
-            }
-        }
-    });
-    logger.notifyError = Bugsnag.notify.bind(Bugsnag);
-}
+require('./lib/sentry').initSentry('main');
 
 let closing = false;
 
@@ -109,7 +87,10 @@ const closeProcess = (code, errType, err) => {
         err
     });
 
-    if (!logger.notifyError) {
+    if (!logger.errorReportingEnabled) {
+        // No external reporter is handling the crash, so exit here and let the
+        // supervisor restart us. When Sentry is enabled its crash integration
+        // captures, flushes and exits instead.
         setTimeout(() => process.exit(code), 10);
     }
 };

package/systemd/pending-dns.service

@@ -35,15 +35,15 @@ Environment="NODE_CONFIG_PATH=/etc/pending-dns.toml"
 
 # This is the folder where PendingDNS files reside.
 
-# Normally this folder would include a clean copy from the PendingDNS Github repository + `npm install --production`.
+# Normally this folder would include a clean copy from the PendingDNS Github repository + `npm install --omit=dev`.
 # To set up:
-#     git clone git://github.com/postalsys/pending-dns.git
+#     git clone https://github.com/postalsys/pending-dns.git
 #     cd pending-dns
-#     npm install --production
+#     npm install --omit=dev
 
 # If PendingDNS files are cloned from Github then an easy way to upgrade the application would look like this:
 #    git pull origin master
-#    npm install --production
+#    npm install --omit=dev
 # And then (as root or a user with sudo privileges):
 #    sudo systemctl restart pending-dns
 

package/test/api.test.js

@@ -0,0 +1,231 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const { createServer } = require('../lib/api-server');
+const { config, flushTestDb, closeDb } = require('./helpers');
+
+let server;
+
+test.before(async () => {
+    server = await createServer();
+    await server.initialize();
+});
+
+test.after(async () => {
+    if (server) {
+        await server.stop();
+    }
+    await closeDb();
+});
+
+test.beforeEach(async () => {
+    await flushTestDb();
+});
+
+const inject = opts => server.inject(opts);
+
+test('GET records returns an empty list for an unknown zone', async () => {
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    assert.equal(res.statusCode, 200);
+    const body = JSON.parse(res.payload);
+    assert.equal(body.zone, 'example.com');
+    assert.deepEqual(body.records, []);
+});
+
+test('unknown routes return 404', async () => {
+    const res = await inject({ method: 'GET', url: '/does/not/exist' });
+    assert.equal(res.statusCode, 404);
+});
+
+test('POST creates an A record and GET lists it alongside SOA/NS', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: 'www', type: 'A', address: '1.2.3.4' }
+    });
+    assert.equal(create.statusCode, 200);
+    const created = JSON.parse(create.payload);
+    assert.ok(created.record, 'should return the new record id');
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+
+    const a = body.records.find(r => r.type === 'A');
+    assert.ok(a);
+    assert.equal(a.address, '1.2.3.4');
+    assert.equal(a.subdomain, 'www');
+
+    // system records are appended with id=null
+    assert.ok(body.records.some(r => r.type === 'SOA' && r.id === null));
+    assert.ok(body.records.some(r => r.type === 'NS' && r.id === null));
+});
+
+test('POST rejects an A record without an address', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'A' }
+    });
+    assert.equal(res.statusCode, 400);
+    const body = JSON.parse(res.payload);
+    assert.ok(Array.isArray(body.fields), 'validation errors are reported in the fields array');
+});
+
+test('POST creates a CAA record and stores its tag', async () => {
+    // Regression: the CAA "tag" field must be accepted and persisted.
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'CAA', value: 'letsencrypt.org', tag: 'issue', flags: 0 }
+    });
+    assert.equal(create.statusCode, 200, `expected CAA create to succeed, got ${create.payload}`);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+    const caa = body.records.find(r => r.type === 'CAA' && r.id);
+    assert.ok(caa, 'CAA record should be listed');
+    assert.equal(caa.value, 'letsencrypt.org');
+    assert.equal(caa.tag, 'issue');
+});
+
+test('POST creates a TLSA record with an underscore-labelled subdomain', async () => {
+    const certHex = '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c';
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '_443._tcp.www', type: 'TLSA', usage: 3, selector: 1, matchingType: 1, certificate: certHex }
+    });
+    assert.equal(create.statusCode, 200, `expected TLSA create to succeed, got ${create.payload}`);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+    const tlsa = body.records.find(r => r.type === 'TLSA' && r.id);
+    assert.ok(tlsa, 'TLSA record should be listed');
+    assert.equal(tlsa.subdomain, '_443._tcp.www');
+    assert.equal(tlsa.usage, 3);
+    assert.equal(tlsa.selector, 1);
+    assert.equal(tlsa.matchingType, 1);
+    assert.equal(tlsa.certificate, certHex);
+});
+
+test('POST rejects a TLSA record with odd-length hex', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '_443._tcp.www', type: 'TLSA', usage: 3, selector: 1, matchingType: 1, certificate: 'abc' }
+    });
+    assert.equal(res.statusCode, 400);
+});
+
+test('POST rejects TLSA-only fields on a non-TLSA record type', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '', type: 'A', address: '1.2.3.4', usage: 3, certificate: 'abcd' }
+    });
+    assert.equal(res.statusCode, 400);
+});
+
+test('PUT updates a record and echoes back the record id', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: 'www', type: 'A', address: '1.2.3.4' }
+    });
+    const id = JSON.parse(create.payload).record;
+
+    const update = await inject({
+        method: 'PUT',
+        url: `/v1/zone/example.com/records/${id}`,
+        payload: { subdomain: 'www', type: 'A', address: '5.6.7.8' }
+    });
+    assert.equal(update.statusCode, 200);
+    const body = JSON.parse(update.payload);
+    assert.equal(body.zone, 'example.com');
+    assert.ok(body.record, 'PUT should return the (possibly new) record id under "record"');
+});
+
+test('DELETE removes a record', async () => {
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { type: 'A', address: '1.2.3.4' }
+    });
+    const id = JSON.parse(create.payload).record;
+
+    const del = await inject({ method: 'DELETE', url: `/v1/zone/example.com/records/${id}` });
+    assert.equal(del.statusCode, 200);
+    const body = JSON.parse(del.payload);
+    assert.equal(body.deleted, true);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    assert.deepEqual(JSON.parse(res.payload).records, []);
+});
+
+test('DNSSEC can be enabled, inspected and disabled over the API', async () => {
+    const enable = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } });
+    assert.equal(enable.statusCode, 200, `expected enable to succeed, got ${enable.payload}`);
+    const enabled = JSON.parse(enable.payload);
+    assert.equal(enabled.enabled, true);
+    assert.ok(enabled.ds.length >= 1 && enabled.ds[0].presentation, 'DS presentation should be returned');
+
+    const status = await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(status.statusCode, 200);
+    assert.equal(JSON.parse(status.payload).enabled, true);
+
+    const disable = await inject({ method: 'DELETE', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(disable.statusCode, 200);
+    assert.equal(JSON.parse(disable.payload).disabled, true);
+
+    const after = await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(JSON.parse(after.payload).enabled, false);
+});
+
+test('DNSSEC algorithm rollover and key removal over the API', async () => {
+    const enable = JSON.parse((await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } })).payload);
+    const oldKeyTag = enable.keyTag;
+
+    // Re-enable with a new algorithm -> rollover keeps both keys.
+    const rolled = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 15 } });
+    const rolledBody = JSON.parse(rolled.payload);
+    assert.equal(rolledBody.algorithm, 15);
+    assert.equal(rolledBody.ds.length, 2, 'both keys are published during the rollover');
+    assert.notEqual(rolledBody.keyTag, oldKeyTag);
+
+    // The active key cannot be removed.
+    const refuse = await inject({ method: 'DELETE', url: `/v1/zone/example.com/dnssec/key/${rolledBody.keyTag}` });
+    assert.equal(refuse.statusCode, 400);
+
+    // Removing the old key finishes the rollover.
+    const remove = await inject({ method: 'DELETE', url: `/v1/zone/example.com/dnssec/key/${oldKeyTag}` });
+    assert.equal(remove.statusCode, 200);
+    assert.equal(JSON.parse(remove.payload).removed, true);
+
+    const final = JSON.parse((await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' })).payload);
+    assert.equal(final.ds.length, 1);
+    assert.equal(final.keyTag, rolledBody.keyTag);
+});
+
+test('POST /dnssec is refused (400) when DNSSEC is globally disabled', async () => {
+    config.dnssec.enabled = false;
+    try {
+        const res = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } });
+        assert.equal(res.statusCode, 400, `expected 400, got ${res.statusCode}: ${res.payload}`);
+    } finally {
+        config.dnssec.enabled = true;
+    }
+});
+
+test('POST /v1/acme requires at least one domain', async () => {
+    // Fails Joi validation (min 1) before the handler runs, so no ACME/network work.
+    const res = await inject({ method: 'POST', url: '/v1/acme', payload: { domains: [] } });
+    assert.equal(res.statusCode, 400);
+});
+
+// NB: the "domain without a managed zone" rejection path is intentionally not
+// exercised here - the /v1/acme handler calls acme.init() (a live Let's Encrypt
+// directory fetch) before the zone check, which is slow and network-dependent.
+// The underlying behaviour is covered offline by the zone-store tests
+// (resolveDomainZone returns false for unknown domains).

package/test/cached-resolver.test.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const cachedResolver = require('../lib/cached-resolver');
+const { db, flushTestDb, closeDb } = require('./helpers');
+
+test.after(async () => {
+    await closeDb();
+});
+
+test.beforeEach(async () => {
+    await flushTestDb();
+});
+
+const cacheKey = (target, type) => ['d', 'cache', target, type].join(':');
+
+test('successful lookups are cached in Redis with a TTL', async t => {
+    let resolved;
+    try {
+        resolved = await cachedResolver('one.one.one.one', 'A');
+    } catch (err) {
+        t.skip(`network unavailable: ${err.message}`);
+        return;
+    }
+
+    assert.ok(Array.isArray(resolved) && resolved.length, 'should resolve at least one address');
+
+    const ttl = await db.redisRead.ttl(cacheKey('one.one.one.one', 'A'));
+    assert.ok(ttl > 0, 'a positive TTL should be set on the cache entry');
+
+    // a second call returns the cached value
+    const again = await cachedResolver('one.one.one.one', 'A');
+    assert.deepEqual(again.slice().sort(), resolved.slice().sort());
+});
+
+test('failed lookups cache an error with a bounded TTL', async t => {
+    const bogus = 'does-not-exist-pendingdns-test.invalid';
+
+    let threw = false;
+    try {
+        await cachedResolver(bogus, 'A');
+    } catch (err) {
+        threw = true;
+    }
+
+    if (!threw) {
+        t.skip('resolver unexpectedly succeeded; cannot exercise the error path');
+        return;
+    }
+
+    const ttl = await db.redisRead.ttl(cacheKey(bogus, 'A'));
+    // Regression: the error entry must have a real, positive expiry (not NaN/-1).
+    assert.ok(ttl > 0, `error cache entry must expire (ttl was ${ttl})`);
+    assert.ok(ttl <= 60 * 60, 'error TTL should be bounded by errorMaxTtl (1h)');
+});