pending-dns 1.2.5 → 1.4.0

package/test/certs.test.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const crypto = require('node:crypto');
+
+const { pem2jwk } = require('pem-jwk');
+const certs = require('../lib/certs');
+const { closeDb } = require('./helpers');
+
+const { generateKey } = certs.testables;
+
+test.after(async () => {
+    await closeDb();
+});
+
+test('generateKey returns a PKCS#1 RSA private key PEM', async () => {
+    const pem = await generateKey(2048);
+    assert.match(pem, /^-----BEGIN RSA PRIVATE KEY-----/);
+    assert.match(pem, /-----END RSA PRIVATE KEY-----\s*$/);
+
+    // the key must be loadable by Node's crypto
+    const keyObject = crypto.createPrivateKey(pem);
+    assert.equal(keyObject.asymmetricKeyType, 'rsa');
+    assert.equal(keyObject.asymmetricKeyDetails.modulusLength, 2048);
+});
+
+test('generated key converts to a JWK via pem-jwk (as the ACME flow needs)', async () => {
+    const pem = await generateKey(2048);
+    const jwk = pem2jwk(pem);
+    assert.equal(jwk.kty, 'RSA');
+    assert.ok(jwk.n, 'modulus present');
+    assert.ok(jwk.d, 'private exponent present');
+});

package/test/dns-handler.test.js

@@ -0,0 +1,171 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+
+const dns2 = require('dns2');
+const Packet = dns2.Packet;
+
+const dnsHandler = require('../lib/dns-handler');
+const { zoneStore } = require('../lib/zone-store');
+const { db, flushTestDb, closeDb } = require('./helpers');
+
+const { formatTXTData, shuffle, filterUnhealthy, reversedTypes } = dnsHandler.testables;
+
+test.after(async () => {
+    await closeDb();
+});
+
+// ---------------------------------------------------------------------------
+// Pure helpers
+// ---------------------------------------------------------------------------
+
+test('formatTXTData always returns an array of chunks', () => {
+    const short = formatTXTData('hello');
+    assert.ok(Array.isArray(short));
+    assert.deepEqual(short, ['hello']);
+});
+
+test('formatTXTData splits long values into <=255 byte chunks that recombine', () => {
+    const long = 'x'.repeat(600);
+    const chunks = formatTXTData(long);
+    assert.ok(Array.isArray(chunks));
+    assert.ok(chunks.length > 1);
+    for (const chunk of chunks) {
+        assert.ok(chunk.length <= 255);
+    }
+    assert.equal(chunks.join(''), long);
+});
+
+test('formatTXTData coerces non-strings', () => {
+    assert.deepEqual(formatTXTData(undefined), ['']);
+    assert.deepEqual(formatTXTData(null), ['']);
+});
+
+test('shuffle returns the same elements (a permutation)', () => {
+    const input = [1, 2, 3, 4, 5, 6, 7, 8];
+    const out = shuffle(input.slice());
+    assert.equal(out.length, input.length);
+    assert.deepEqual(
+        out.slice().sort((a, b) => a - b),
+        input
+    );
+});
+
+test('filterUnhealthy drops unhealthy entries when at least one is healthy', () => {
+    const list = [
+        { address: '1.1.1.1', health: { status: true } },
+        { address: '2.2.2.2', health: { status: false } },
+        { address: '3.3.3.3' } // no health info -> treated as healthy
+    ];
+    const out = filterUnhealthy(list);
+    assert.deepEqual(
+        out.map(e => e.address),
+        ['1.1.1.1', '3.3.3.3']
+    );
+});
+
+test('filterUnhealthy returns all entries when none are healthy', () => {
+    const list = [
+        { address: '1.1.1.1', health: { status: false } },
+        { address: '2.2.2.2', health: { status: false } }
+    ];
+    const out = filterUnhealthy(list);
+    assert.equal(out.length, 2);
+});
+
+test('reversedTypes maps numeric DNS types back to strings', () => {
+    assert.equal(reversedTypes.get(Packet.TYPE.A), 'A');
+    assert.equal(reversedTypes.get(Packet.TYPE.AAAA), 'AAAA');
+    assert.equal(reversedTypes.get(Packet.TYPE.MX), 'MX');
+});
+
+// ---------------------------------------------------------------------------
+// Handler integration (Redis backed)
+// ---------------------------------------------------------------------------
+
+const buildRequest = (name, type) => {
+    const req = new Packet({});
+    req.questions = [{ name, type: Packet.TYPE[type], class: Packet.CLASS.IN }];
+    req.source = { type: 'udp', address: '127.0.0.1', port: 5353 };
+    return req;
+};
+
+test('dnsHandler answers an A query from stored records', async () => {
+    await flushTestDb();
+    await zoneStore.add('example.com', '', 'A', ['9.8.7.6']);
+
+    const response = await dnsHandler(buildRequest('example.com', 'A'));
+    const addresses = response.answers.filter(a => a.type === Packet.TYPE.A).map(a => a.address);
+    assert.ok(addresses.includes('9.8.7.6'));
+});
+
+test('dnsHandler returns configured NS records when none are stored', async () => {
+    await flushTestDb();
+    const response = await dnsHandler(buildRequest('example.com', 'NS'));
+    const nsAnswers = response.answers.filter(a => a.type === Packet.TYPE.NS);
+    assert.ok(nsAnswers.length >= 1, 'should fall back to configured name servers');
+});
+
+test('dnsHandler does not synthesise NS below the apex', async () => {
+    await flushTestDb();
+    // Adding any record registers the example.com zone.
+    await zoneStore.add('example.com', 'www', 'A', ['1.2.3.4']);
+    const response = await dnsHandler(buildRequest('sub.example.com', 'NS'));
+    assert.ok(!response.answers.some(a => a.type === Packet.TYPE.NS), 'a record-less below-apex name is not a delegation, so no NS is synthesised');
+});
+
+test('dnsHandler synthesises a SOA record', async () => {
+    await flushTestDb();
+    const response = await dnsHandler(buildRequest('example.com', 'SOA'));
+    const soa = response.answers.find(a => a.type === Packet.TYPE.SOA);
+    assert.ok(soa, 'a SOA record should be returned');
+});
+
+test('dnsHandler filters unhealthy AAAA records', async () => {
+    await flushTestDb();
+    // Two AAAA records with health checks; mark one unhealthy in the health store.
+    const healthyId = await zoneStore.add('example.com', '', 'AAAA', ['2001:db8::1', 'tcp://check:1']);
+    const unhealthyId = await zoneStore.add('example.com', '', 'AAAA', ['2001:db8::2', 'tcp://check:2']);
+    assert.ok(healthyId && unhealthyId);
+
+    // Health results are keyed by "<zone-name>:<record-id>"
+    const zoneName = zoneStore.domainToName('example.com');
+    await db.redisWrite.hset('d:health:r', `${zoneName}:${unhealthyId}`, JSON.stringify({ status: false }));
+
+    const response = await dnsHandler(buildRequest('example.com', 'AAAA'));
+    const aaaa = response.answers.filter(a => a.type === Packet.TYPE.AAAA);
+    assert.equal(aaaa.length, 1, 'the unhealthy AAAA record should be filtered out');
+});
+
+test('dnsHandler answers a TLSA query with raw RDATA that round-trips on the wire', async () => {
+    await flushTestDb();
+    const certHex = '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c';
+    await zoneStore.add('example.com', '_443._tcp.www', 'TLSA', [3, 1, 1, certHex]);
+
+    const req = new Packet({});
+    req.questions = [{ name: '_443._tcp.www.example.com', type: 52, class: Packet.CLASS.IN }];
+    req.source = { type: 'udp', address: '127.0.0.1', port: 5353 };
+
+    const response = await dnsHandler(req);
+    const tlsa = response.answers.find(a => a.type === 52);
+    assert.ok(tlsa, 'a TLSA answer should be returned');
+
+    // Serialize then reparse to confirm dns2 carries the raw RDATA intact.
+    const reparsed = Packet.parse(response.toBuffer());
+    const rr = reparsed.answers.find(a => a.type === 52);
+    assert.ok(rr, 'TLSA record survives wire serialization');
+    assert.equal(rr.data.toString('hex'), `030101${certHex}`);
+});
+
+test('dnsHandler resolves CNAME chains', async () => {
+    await flushTestDb();
+    await zoneStore.add('example.com', 'alias', 'CNAME', ['example.com']);
+    await zoneStore.add('example.com', '', 'A', ['4.4.4.4']);
+
+    const response = await dnsHandler(buildRequest('alias.example.com', 'A'));
+    const types = response.answers.map(a => a.type);
+    assert.ok(types.includes(Packet.TYPE.CNAME), 'should include the CNAME answer');
+    const addresses = response.answers.filter(a => a.type === Packet.TYPE.A).map(a => a.address);
+    assert.ok(addresses.includes('4.4.4.4'), 'should follow the CNAME to the A record');
+});

package/test/dns-server.test.js

@@ -0,0 +1,162 @@
+'use strict';
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const { Resolver } = require('node:dns').promises;
+
+const dns2 = require('dns2');
+const Packet = dns2.Packet;
+
+const initDnsServer = require('../lib/dns-server');
+const { parseEdns, finalizeResponse } = initDnsServer.testables;
+const { zoneStore } = require('../lib/zone-store');
+const { config, flushTestDb, closeDb } = require('./helpers');
+
+const EDNS = Packet.TYPE.EDNS;
+
+let servers;
+let resolver;
+
+test.before(async () => {
+    await flushTestDb();
+
+    servers = await initDnsServer();
+
+    resolver = new Resolver();
+    resolver.setServers([`127.0.0.1:${config.dns.port}`]);
+
+    await zoneStore.add('example.com', '', 'A', ['9.8.7.6']);
+    await zoneStore.add('example.com', 'host', 'AAAA', ['2001:db8::1']);
+    await zoneStore.add('example.com', 'txt', 'TXT', ['hello world']);
+    // a value longer than a single 255-byte DNS character-string, but still
+    // small enough to fit in a 512-byte UDP response
+    await zoneStore.add('example.com', 'long', 'TXT', ['y'.repeat(300)]);
+    await zoneStore.add('example.com', 'mail', 'MX', ['mx.example.com', 10]);
+});
+
+test.after(async () => {
+    if (servers) {
+        servers.udpServer.close();
+        await new Promise(resolve => servers.tcpServer.close(resolve));
+    }
+    await closeDb();
+});
+
+test('resolves A records over the wire', async () => {
+    const addrs = await resolver.resolve4('example.com');
+    assert.deepEqual(addrs, ['9.8.7.6']);
+});
+
+test('resolves AAAA records over the wire', async () => {
+    const addrs = await resolver.resolve6('host.example.com');
+    assert.ok(addrs.includes('2001:db8::1'));
+});
+
+test('resolves a TXT record over the wire', async () => {
+    const txt = await resolver.resolveTxt('txt.example.com');
+    const flat = txt.map(chunks => chunks.join(''));
+    assert.ok(flat.includes('hello world'));
+});
+
+test('resolves a long, multi-chunk TXT record over the wire', async () => {
+    const txt = await resolver.resolveTxt('long.example.com');
+    const flat = txt.map(chunks => chunks.join(''));
+    assert.ok(flat.includes('y'.repeat(300)));
+});
+
+test('resolves MX records over the wire', async () => {
+    const mx = await resolver.resolveMx('mail.example.com');
+    assert.ok(mx.some(rec => rec.exchange === 'mx.example.com' && rec.priority === 10));
+});
+
+test('returns configured NS records over the wire', async () => {
+    const ns = await resolver.resolveNs('example.com');
+    assert.ok(Array.isArray(ns) && ns.length >= 1);
+});
+
+// ---------------------------------------------------------------------------
+// EDNS / OPT handling (pure, no network)
+// ---------------------------------------------------------------------------
+
+const mkResponse = answers => {
+    const p = new Packet({});
+    p.header = new Packet.Header({ id: 1, qr: 1, aa: 1 });
+    p.questions = [{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN }];
+    p.answers = answers;
+    return p;
+};
+
+test('parseEdns reads the DO bit and payload size from an OPT record', () => {
+    // eslint-disable-next-line new-cap
+    const withOpt = { additionals: [Packet.Resource.EDNS([], { udpPayloadSize: 1232, doFlag: true })] };
+    const edns = parseEdns(withOpt);
+    assert.equal(edns.hasOpt, true);
+    assert.equal(edns.doFlag, true);
+    assert.equal(edns.udpPayloadSize, 1232);
+
+    const noOpt = parseEdns({ additionals: [] });
+    assert.equal(noOpt.hasOpt, false);
+    assert.equal(noOpt.doFlag, false);
+});
+
+test('finalizeResponse adds an OPT to EDNS replies and drops leaked additionals', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    // simulate a leaked inbound OPT plus stray additional
+    response.additionals = [
+        // eslint-disable-next-line new-cap
+        Packet.Resource.EDNS([], { udpPayloadSize: 4096, doFlag: true }),
+        { name: 'x', type: Packet.TYPE.A, class: 1, ttl: 1, address: '9.9.9.9' }
+    ];
+
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 4096 }, 'tcp');
+    assert.equal(out.additionals.length, 1);
+    assert.equal(out.additionals[0].type, EDNS);
+    assert.equal(out.additionals[0].doFlag, true);
+});
+
+test('finalizeResponse omits OPT when the query had none', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    const out = finalizeResponse(response, { hasOpt: false, doFlag: false, udpPayloadSize: 512 }, 'tcp');
+    assert.deepEqual(out.additionals, []);
+});
+
+test('finalizeResponse truncates oversized UDP responses with TC set', () => {
+    // Many large TXT answers easily exceed the 512-byte floor.
+    const answers = [];
+    for (let i = 0; i < 20; i++) {
+        answers.push({ name: 'example.com', type: Packet.TYPE.TXT, class: Packet.CLASS.IN, ttl: 300, data: ['z'.repeat(200)] });
+    }
+    const response = mkResponse(answers);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 512 }, 'udp');
+    // truncated path returns a serialized Buffer (TC=1, empty body, our OPT)
+    assert.ok(Buffer.isBuffer(out));
+    const reparsed = Packet.parse(out);
+    assert.equal(reparsed.header.tc, 1);
+    assert.equal(reparsed.answers.length, 0);
+    assert.ok(reparsed.additionals.some(r => r.type === EDNS));
+});
+
+test('finalizeResponse caps UDP at our configured size, not the requestor advertised max', () => {
+    // A response between our 1232 cap and the 4096 ceiling: a resolver advertising
+    // 4096 must still get TC=1, because we never emit a datagram larger than our
+    // configured udpPayloadSize (anti-fragmentation), regardless of the advertised max.
+    const answers = [];
+    for (let i = 0; i < 10; i++) {
+        answers.push({ name: 'example.com', type: Packet.TYPE.TXT, class: Packet.CLASS.IN, ttl: 300, data: ['z'.repeat(200)] });
+    }
+    const response = mkResponse(answers);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 4096 }, 'udp');
+    assert.ok(Buffer.isBuffer(out));
+    const reparsed = Packet.parse(out);
+    assert.equal(reparsed.header.tc, 1, 'response above our configured cap is truncated even when 4096 is advertised');
+    assert.equal(reparsed.answers.length, 0);
+});
+
+test('finalizeResponse returns a serialized buffer for UDP responses that fit', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: false, udpPayloadSize: 1232 }, 'udp');
+    assert.ok(Buffer.isBuffer(out));
+    // reparse to confirm the OPT made it onto the wire
+    const reparsed = Packet.parse(out);
+    assert.ok(reparsed.additionals.some(r => r.type === EDNS));
+});