pending-dns 1.3.0 → 1.4.0

package/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-    ".": "1.3.0"
+    ".": "1.4.0"
 }

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [1.4.0](https://github.com/postalsys/pending-dns/compare/v1.3.0...v1.4.0) (2026-06-20)
+
+
+### Features
+
+* add DNSSEC online signing, TLSA records, and EDNS UDP truncation ([414beb7](https://github.com/postalsys/pending-dns/commit/414beb7114d56f35e2d02e945abfb4125ee51404))
+* replace Bugsnag with self-hosted Sentry error reporting ([3b374c7](https://github.com/postalsys/pending-dns/commit/3b374c737ff0a22509f79976bee18ab9d425f8bd))
+
 ## [1.3.0](https://github.com/postalsys/pending-dns/compare/pending-dns-v1.2.5...pending-dns-v1.3.0) (2026-06-18)
 
 

package/CLAUDE.md

@@ -57,7 +57,7 @@ Config is loaded by `wild-config` from `config/default.toml` merged with `config
 This is the heart of the system and is non-obvious:
 
 - **Domain names are stored label-reversed**: `www.example.com` → `com.example.www` (`domainToName`/`nameToDomain`). This lets `resolveZone` walk *up* from a name to its registered zone by progressively dropping the most-specific label. A "zone" is any name with a `d:<name>:z` set; the shortest possible zone is the 2-label boundary (e.g. `example.com`).
-- Keys: `d:<name>:z` is a **set of record keys** belonging to that zone; `d:<name>:r:<TYPE>` is a **hash** of `hid → JSON.stringify(valueArray)`. Each record's value is a positional array whose meaning depends on type (e.g. A = `[address, healthCheckUri]`, MX = `[exchange, priority]`, CAA = `[value, tag, flags]`, URL = `[url, code, proxy]`).
+- Keys: `d:<name>:z` is a **set of record keys** belonging to that zone; `d:<name>:r:<TYPE>` is a **hash** of `hid → JSON.stringify(valueArray)`. Each record's value is a positional array whose meaning depends on type (e.g. A = `[address, healthCheckUri]`, MX = `[exchange, priority]`, CAA = `[value, tag, flags]`, TLSA = `[usage, selector, matchingType, certificate]`, URL = `[url, code, proxy]`).
 - A record's public **ID is `base64url(name \x01 TYPE \x01 hid)`** (`getFullId`/`parseFullId`); `hid` is a `nanoid()`. IDs are opaque and stable only while domain+type are unchanged (an `update` that changes either deletes and re-adds, producing a new ID).
 - **Wildcards** are single-label: a record stored under subdomain `*.foo` matches `anything.foo.<zone>` only (`resolve` retries with the last label replaced by `*`).
 - **Read/write split**: reads go to `db.redisRead`, writes to `db.redisWrite` (configurable as separate master/replica URLs). The health-check Lua script `lib/lua/health.lua` is registered as a custom command `nextHealth` on the write client.
@@ -70,13 +70,25 @@ This is the heart of the system and is non-obvious:
 
 Two pseudo-record types: **ANAME** (apex alias) is resolved to real A/AAAA at query time via `lib/cached-resolver.js` (a Redis-cached wrapper over Node's `dns.Resolver`, with soft/hard TTLs for both hits and errors). **URL** records answer A/AAAA with the redirect server IPs from `config.public.hosts`; the actual redirect/proxy happens in `lib/public-server.js`.
 
+### DNSSEC online signing (`lib/dnssec.js`, `lib/dnssec-wire.js`)
+
+DNSSEC is **online (query-time) signing**, gated on `[dnssec] enabled` AND a per-zone key AND the client's EDNS **DO** bit. `lib/dnssec-wire.js` is a pure, dependency-free (only `crypto` + `ipaddr.js`) wire/crypto layer: canonical RDATA/name encoding (RFC 4034 6.2), the `ALGS` table for algorithms 8/13/15, key-tag + DS-digest computation, NSEC bitmaps, and RRSIG encoding. **Invariant:** signatures are computed over the canonical uncompressed lowercased wire form produced here, never over dns2's serialization (validators decompress + downcase before verifying, so the two agree).
+
+`lib/dnssec.js` owns per-zone keys and signing orchestration. Keys live in Redis: `d:dnssec:<revname>` is the state hash (`enabled`, `algorithm`, `activeKeyTag`) and `d:dnssec:<revname>:keys` is a hash of `hid → JSON` (private key PEM + public material). A zone has one **CSK** per algorithm; an algorithm rollover keeps both and signs with every algorithm (RFC 6840 5.11) until `removeKey`. `getSigner` assembles + caches the signer per process (short `signerCacheTtl`, since API and DNS run as separate workers); `enableZone`/`removeKey`/`disableZone` mutate under a shared Redis lock (`lib/lock.js`) and invalidate the cache.
+
+The query-time path is `lib/dns-handler.js#signResponse` (DO queries only): it serves+self-signs DNSKEY at the apex, signs each in-zone RRset (`signSection`, but never a below-apex delegation NS — RFC 4035 2.2), and proves denial-of-existence as **NODATA (NOERROR) "black lies"** — a signed SOA + a compact NSEC at the queried name (`bitmapTypeNums`/`nsecRecord`), never NXDOMAIN or NSEC3, because the server synthesizes CAA/SOA for any name. The NSEC bitmap lists only **answerable** types and must exclude the queried-absent type (e.g. a `URL` record only advertises the `config.public.hosts` families) or a validator SERVFAILs. The API (`lib/api-server.js`) exposes `GET/POST/DELETE /v1/zone/{zone}/dnssec` and `DELETE .../dnssec/key/{keyTag}`.
+
+**TLSA** records are stored as `[usage, selector, matchingType, certificate]` (even-length hex, guarded in the API Joi schema, the store's `add`/`update`, and `encodeTLSARdata`). dns2 has no TLSA/RRSIG/NSEC/DS encoder, so those are emitted as `{ type:<num>, data:<Buffer> }` and routed through dns2's raw-RDATA (RFC 3597) fallback; `dns-handler.js` merges `wire.EXTRA_TYPES` into its type maps to recognize them.
+
+**EDNS / truncation** (`lib/dns-server.js`): `parseEdns` reads the OPT (DO bit + advertised payload size); `finalizeResponse` replaces the additional section with our own OPT and, for UDP, truncates with TC=1 above the smaller of the requestor's advertised size and our configured `udpPayloadSize` (anti-fragmentation), so the client retries over TCP.
+
 ### Certificates & the public server
 
-`lib/certs.js` issues Let's Encrypt certs via the **dns-01** challenge, using the zone store itself as the ACME DNS provider (it writes/reads the `_acme-challenge` TXT records). Concurrent issuance is guarded with an `ioredfour` Redis lock; results and a per-domain renewal lock are cached in Redis. `lib/public-server.js` uses an SNI callback to load the right cert per hostname (falling back to a bundled self-signed cert in `config/`), then serves URL-record redirects or reverse-proxies (`proxy=true`), with TLS session tickets stored in Redis.
+`lib/certs.js` issues Let's Encrypt certs via the **dns-01** challenge, using the zone store itself as the ACME DNS provider (it writes/reads the `_acme-challenge` TXT records). Concurrent issuance is guarded with an `ioredfour` Redis lock (the shared `lib/lock.js`, also used by DNSSEC key management; callers namespace their own lock keys); results and a per-domain renewal lock are cached in Redis. `lib/public-server.js` uses an SNI callback to load the right cert per hostname (falling back to a bundled self-signed cert in `config/`), then serves URL-record redirects or reverse-proxies (`proxy=true`), with TLS session tickets stored in Redis.
 
 ### Testability seams
 
-Production code exposes hooks used only by tests: `lib/api-server.js` exports `createServer()` (build the Hapi server without `start()`, for `server.inject()`); `lib/dns-server.js`'s `init()` awaits binding and returns `{ udpServer, tcpServer }`; `lib/dns-handler.js` and `lib/certs.js` attach a `.testables` object to their exported function.
+Production code exposes hooks used only by tests: `lib/api-server.js` exports `createServer()` (build the Hapi server without `start()`, for `server.inject()`); `lib/dns-server.js`'s `init()` awaits binding and returns `{ udpServer, tcpServer }`, and also attaches `.testables` (`parseEdns`, `finalizeResponse`); `lib/dns-handler.js` (`signResponse`, `bitmapTypeNums`, `processQuestion`, ...), `lib/certs.js`, and `lib/dnssec.js` attach a `.testables` object. `lib/dnssec-wire.js` is pure and is tested directly.
 
 ## CI / release
 

package/README.md

@@ -6,11 +6,12 @@ Lightweight API driven Authoritative DNS server.
 
 -   All records can be edited over **REST API**
 -   All **changes are effective immediatelly** (or as long as it takes for Redis - eg. the backend for storing data - to distribute changes from master to replica instances)
--   **Basic record types** (A, AAAA, CNAME, TXT, MX, CAA)
+-   **Basic record types** (A, AAAA, CNAME, TXT, MX, CAA, NS, TLSA)
 -   **ANAME pseudo-record** for apex domains
 -   **URL pseudo-record** for HTTP and HTTPS redirects. Valid HTTPS certificates are generated automatically, HTTPS host gets A+ rating from SSLabs.
 -   URL record can be turned into a **Cloudflare-like proxying** by using `proxy=true` flag. Though, while Cloudflare makes things faster then PendingDNS makes things slightly slower due to not caching anything.
 -   Periodic **health checks** to filter out unhealthy A/AAAA records
+-   **DNSSEC** with online (live) signing, enabled per zone over the API
 -   **Lightweight**
 -   Can be **geographically distributed**. All writes go to central Redis master, all reads are done from local Redis replica
 -   Request **certificates over API**
@@ -19,8 +20,9 @@ Lightweight API driven Authoritative DNS server.
 
 -   No support for zone files, all records must be managed over API
 -   Only the most basic and common record types
--   No support for DNSSEC
+-   DNSSEC uses online signing; denial of existence is NODATA (NOERROR) with compact NSEC "black lies" (no NSEC3, no true NXDOMAIN). Algorithm rollover is supported by re-enabling a zone with a new algorithm; there is no automated scheduled key rollover
 -   Only plain old DNS over UDP and TCP, no DoH, no DoT
+-   UDP responses are capped at the smaller of the requestor's advertised EDNS payload size and the server's configured `[dnssec] udpPayloadSize` (1232 by default; 512 when the requestor advertises no EDNS), and truncated with TC=1 above that limit, per RFC 1035; clients then retry over TCP
 -   Barely tested on [Project Pending](https://projectpending.com/). Do not use this for mission critical domains. PendingDNS is only good for leftover domains, ie. for development and testing.
 
 ## Requirements
@@ -151,7 +153,8 @@ $ curl -X GET "http://127.0.0.1:5080/v1/zone/mailtanker.com/records"
         {
             "id": "Y29tLm1haWx0YW5rZXIBQQEzc3lKWkkzbGo",
             "type": "A",
-            "address": "18.203.150.145"
+            "address": "18.203.150.145",
+            "healthCheck": false
         },
         {
             "id": "Y29tLm1haWx0YW5rZXIud3d3AUNOQU1FAXhhV1lnbnFaMA",
@@ -187,7 +190,7 @@ $ curl -X POST "http://127.0.0.1:5080/v1/zone/mailtanker.com/records" -H "Conten
 All record types have the following properties
 
 -   **subdomain** (optional) subdomain this record applies to. If blank, or "@" or missing then the record is created for zone domain.
--   **type** one of A, AAAA, CNAME, ANAME, URL, MX, TXT, CAA, NS
+-   **type** one of A, AAAA, CNAME, ANAME, URL, MX, TXT, CAA, NS, TLSA
 
 #### Type specific options
 
@@ -228,6 +231,14 @@ All record types have the following properties
 -   **tag** is the CAA tag, one of `issue`, `issuewild` or `iodef`
 -   **flags** (Number, default is `0`) is the CAA flags octet (0-255)
 
+**TLSA**
+
+-   **subdomain** typically uses the DANE form `_port._proto`, eg. `_443._tcp.www`
+-   **usage** (Number, 0-3) certificate usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
+-   **selector** (Number, 0-1) 0 for the full certificate, 1 for the SubjectPublicKeyInfo
+-   **matchingType** (Number, 0-2) 0 full, 1 SHA-256, 2 SHA-512
+-   **certificate** (String) the certificate association data as a hex string
+
 **URL**
 
 -   **url** (string) is the URL to redirect to. If it only has the root path set (eg. http://example.com/) then URLs are redirected with source paths (http://host/path -> http://example.com/path). Otherwise all source URLs are redirected exatly to destination URL (if url is http://example.com/some/path then http://host/path -> http://example.com/some/path)
@@ -299,6 +310,74 @@ $ curl -X POST "http://127.0.0.1:5080/v1/acme" -H "Content-Type: application/jso
 }
 ```
 
+### DNSSEC
+
+PendingDNS signs answers **online** (at query time) for zones that have DNSSEC enabled. DNSSEC must be turned on globally (`[dnssec] enabled = true`) and then enabled per zone over the API; enabling a zone generates a signing key (a CSK) that is stored in Redis and used to sign every RRset on the fly. Signing only happens for clients that set the EDNS DO bit. Denial of existence is always **NODATA (NOERROR)** with a signed compact NSEC ("black lies"): because the server can synthesize CAA/NS/SOA for any name, no name is treated as truly nonexistent, so there is no NXDOMAIN and no NSEC3.
+
+After enabling a zone you must copy the returned **DS** record to the parent zone at your registrar to complete the chain of trust.
+
+**Enable DNSSEC for a zone**
+
+**POST /v1/zone/{zone}/dnssec**
+
+The optional `algorithm` selects the signing algorithm: `13` ECDSA P-256/SHA-256 (default), `15` Ed25519, or `8` RSASHA256.
+
+```
+$ curl -X POST "http://127.0.0.1:5080/v1/zone/mailtanker.com/dnssec" -H "Content-Type: application/json" -d '{
+    "algorithm": 13
+}'
+```
+
+```json
+{
+    "zone": "mailtanker.com",
+    "enabled": true,
+    "algorithm": 13,
+    "keyTag": 48234,
+    "ds": [{ "keyTag": 48234, "algorithm": 13, "digestType": 2, "digest": "a4f5...", "presentation": "48234 13 2 a4f5..." }],
+    "dnskey": [{ "flags": 257, "protocol": 3, "algorithm": 13, "publicKey": "GjL2...", "keyTag": 48234, "presentation": "257 3 13 GjL2..." }]
+}
+```
+
+**Get DNSSEC status (DS and DNSKEY records)**
+
+**GET /v1/zone/{zone}/dnssec**
+
+```
+$ curl -X GET "http://127.0.0.1:5080/v1/zone/mailtanker.com/dnssec"
+```
+
+Returns the same `enabled`, `algorithm`, `keyTag`, `ds` and `dnskey` shape as the enable response. For a zone that has never had DNSSEC enabled, `enabled` is `false` and the `ds`/`dnskey` arrays are empty.
+
+**Disable DNSSEC for a zone**
+
+**DELETE /v1/zone/{zone}/dnssec**
+
+```
+$ curl -X DELETE "http://127.0.0.1:5080/v1/zone/mailtanker.com/dnssec"
+```
+
+```json
+{
+    "zone": "mailtanker.com",
+    "disabled": true
+}
+```
+
+**Roll the signing key to a new algorithm**
+
+Re-POST to the enable endpoint with a different `algorithm`. A new key is generated and kept alongside the old one, and the zone is signed with **both** algorithms (every RRset gets an RRSIG per algorithm) so validation keeps working during the rollover. The response lists every key in `ds`/`dnskey`. Publish the new **DS** at the registrar, wait for the old DS TTL to expire, then remove the old key.
+
+**Remove a signing key (finish a rollover)**
+
+**DELETE /v1/zone/{zone}/dnssec/key/{keyTag}**
+
+Removes a non-active key. Removing the active key or the last remaining key is refused.
+
+```
+$ curl -X DELETE "http://127.0.0.1:5080/v1/zone/mailtanker.com/dnssec/key/48234"
+```
+
 ## Acknowledgments
 
 -   All DNS parsing / compiling is done using [dns2](https://www.npmjs.com/package/dns2) module by [Liu Song](https://github.com/song940)

package/config/default.toml

@@ -143,6 +143,44 @@ ciphers = "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES25
 A = ["127.0.0.1", "127.0.0.2"]
 AAAA = []
 
+[dnssec]
+# Master switch. Per-zone signing is additionally gated on a generated key:
+# a zone is only signed once DNSSEC has been enabled for it over the API.
+enabled = false
+
+# Default algorithm for newly generated zone keys.
+#   13 = ECDSA P-256 / SHA-256 (recommended)
+#   15 = Ed25519
+#    8 = RSASHA256
+algorithm = 13
+
+# RRSIG validity window (seconds) and how far inception is backdated to absorb
+# validator clock skew.
+signatureValidity = 604800 # 7 days
+inceptionSkew = 3600       # backdate inception 1h
+
+# TTL for the DNSKEY RRset. (Synthesized NSEC records use the SOA minimum so the
+# denial proof and the negative answer expire together, per RFC 2308.)
+dnskeyTtl = 3600
+
+# How long (seconds) a per-zone signer (and the "unsigned" verdict for a zone) is
+# cached in memory on the DNS workers, to avoid re-reading and re-parsing zone
+# keys on every DO query. The API and DNS subsystems run as separate workers, so
+# a key change made over the API takes effect on the DNS side after at most this
+# long. Set to 0 to disable the cache. Keep small - DNSSEC key changes are rare.
+signerCacheTtl = 5
+
+# Denial of existence: nonexistent or empty names are answered NODATA (NOERROR)
+# with a signed compact NSEC ("black lies"). True NXDOMAIN is not used because the
+# server synthesizes CAA/NS/SOA for any name, so to a validator no name is truly
+# absent.
+
+# Advertised EDNS UDP payload size, and the cap on outgoing UDP responses: a
+# response larger than the smaller of this and the requestor's advertised size is
+# truncated with TC=1 so the client retries over TCP. 1232 avoids IP fragmentation
+# on most paths.
+udpPayloadSize = 1232
+
 [process]
 # Change user for child processes once privileged ports have been bound
 #user="www-data"

package/config/test.toml

@@ -23,3 +23,13 @@ host = "127.0.0.1"
 [api]
 port = 15080
 host = "127.0.0.1"
+
+[dnssec]
+# Enable the global DNSSEC master switch so the signing tests exercise the
+# query-time signing path (per-zone signing is still gated on a generated key).
+enabled = true
+
+# Disable the in-memory signer cache in tests so each case reads fresh state from
+# Redis (db 15 is flushed between cases); the cache itself is covered by a
+# dedicated test that sets a positive TTL.
+signerCacheTtl = 0

package/lib/api-server.js

@@ -10,8 +10,13 @@ const HapiSwagger = require('hapi-swagger');
 const packageData = require('../package.json');
 const Joi = require('joi');
 const logger = require('./logger').child({ component: 'api-server' });
-const { zoneStore, allowedTypes, allowedTags } = require('./zone-store');
+const { zoneStore, allowedTypes, allowedTags, tlsaToValue, isEvenHex } = require('./zone-store');
 const { getCertificate } = require('./certs');
+const dnssec = require('./dnssec');
+
+// Normalize a thrown error into a Boom response: pass Boom errors through,
+// otherwise wrap while preserving any statusCode and decorating with err.code.
+const toBoom = err => (Boom.isBoom(err) ? err : Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } }));
 
 const hostnameSchema = Joi.string().hostname({
     allowUnicode: true,
@@ -40,6 +45,20 @@ const subdomainValidator = opts => (value, helpers) => {
     return value;
 };
 
+// All TLSA-specific fields share the same conditional shape: required when the
+// record type is TLSA, forbidden otherwise. Keep the wrapper in one place so the
+// four fields cannot drift apart.
+const tlsaField = (inner, { example, description, label }) =>
+    Joi.any()
+        .example(example)
+        .when('type', {
+            is: 'TLSA',
+            then: inner.required(),
+            otherwise: Joi.any().forbidden()
+        })
+        .description(description)
+        .label(label);
+
 const recordScheme = Joi.object({
     subdomain: Joi.string()
         .replace(/[\s.@]+$/gi, '')
@@ -66,6 +85,16 @@ const recordScheme = Joi.object({
                         }),
                         'subdomain validation'
                     )
+                },
+                {
+                    is: 'TLSA',
+                    then: Joi.custom(
+                        subdomainValidator({
+                            allowUnderscore: true,
+                            allowWildcard: false
+                        }),
+                        'subdomain validation'
+                    )
                 }
             ],
             otherwise: Joi.custom(
@@ -230,6 +259,36 @@ const recordScheme = Joi.object({
         .description('Data for TXT record')
         .label('TXTData'),
 
+    usage: tlsaField(Joi.number().integer().min(0).max(3), {
+        example: 3,
+        description: 'Certificate usage for TLSA (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE)',
+        label: 'TLSAUsage'
+    }),
+
+    selector: tlsaField(Joi.number().integer().min(0).max(1), {
+        example: 1,
+        description: 'Selector for TLSA (0 full certificate, 1 SubjectPublicKeyInfo)',
+        label: 'TLSASelector'
+    }),
+
+    matchingType: tlsaField(Joi.number().integer().min(0).max(2), {
+        example: 1,
+        description: 'Matching type for TLSA (0 full, 1 SHA-256, 2 SHA-512)',
+        label: 'TLSAMatchingType'
+    }),
+
+    certificate: tlsaField(
+        Joi.string()
+            .hex()
+            .lowercase()
+            .custom((value, helpers) => (isEvenHex(value) ? value : helpers.error('any.invalid')), 'even-length hex'),
+        {
+            example: '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c',
+            description: 'Certificate association data for TLSA (hex)',
+            label: 'TLSACertificate'
+        }
+    ),
+
     url: Joi.any()
         .example('https://postalsys.com/')
         .when('type', {
@@ -346,10 +405,7 @@ const createServer = async () => {
                 }
                 return { zone: request.params.zone, records };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -401,6 +457,9 @@ const createServer = async () => {
                     case 'TXT':
                         value = [request.payload.data];
                         break;
+                    case 'TLSA':
+                        value = tlsaToValue(request.payload);
+                        break;
                     case 'URL':
                         value = [request.payload.url, request.payload.code, request.payload.proxy];
                         break;
@@ -414,10 +473,7 @@ const createServer = async () => {
                     record
                 };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -471,6 +527,9 @@ const createServer = async () => {
                     case 'TXT':
                         value = [request.payload.data];
                         break;
+                    case 'TLSA':
+                        value = tlsaToValue(request.payload);
+                        break;
                     case 'URL':
                         value = [request.payload.url, request.payload.code, request.payload.proxy];
                         break;
@@ -481,10 +540,7 @@ const createServer = async () => {
                 let record = await zoneStore.update(request.params.zone, request.params.record, request.payload.subdomain, request.payload.type, value);
                 return { zone: request.params.zone, record };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
 
@@ -525,10 +581,7 @@ const createServer = async () => {
                 let deleted = await zoneStore.del(request.params.zone, request.params.record);
                 return { zone: request.params.zone, record: request.params.record, deleted };
             } catch (err) {
-                if (Boom.isBoom(err)) {
-                    throw err;
-                }
-                throw Boom.boomify(err, { statusCode: err.statusCode || 500, decorate: { code: err.code } });
+                throw toBoom(err);
             }
         },
         options: {
@@ -631,6 +684,121 @@ const createServer = async () => {
         }
     });
 
+    const zoneParam = Joi.object({
+        zone: Joi.string().hostname().required().example('example.com').description('Zone domain').label('ZoneDomain')
+    }).label('Zone');
+
+    server.route({
+        method: 'GET',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                return await dnssec.getZoneStatus(request.params.zone);
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Get DNSSEC status',
+            notes: 'Returns DNSSEC state, DS and DNSKEY records for a zone',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+            }
+        }
+    });
+
+    server.route({
+        method: 'POST',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                return await dnssec.enableZone(request.params.zone, { algorithm: request.payload && request.payload.algorithm });
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Enable DNSSEC',
+            notes: 'Enables DNSSEC for a zone, generating a signing key on first call. Returns DS records to set at the registrar.',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam,
+                payload: Joi.object({
+                    algorithm: Joi.number()
+                        .valid(8, 13, 15)
+                        .example(13)
+                        .description('DNSSEC algorithm (8 RSASHA256, 13 ECDSAP256SHA256, 15 ED25519)')
+                        .label('DnssecAlgorithm')
+                })
+                    .allow(null)
+                    .label('DnssecOptions')
+            }
+        }
+    });
+
+    server.route({
+        method: 'DELETE',
+        path: '/v1/zone/{zone}/dnssec',
+
+        async handler(request) {
+            try {
+                let disabled = await dnssec.disableZone(request.params.zone);
+                return { zone: request.params.zone, disabled };
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Disable DNSSEC',
+            notes: 'Disables DNSSEC signing for a zone',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+            }
+        }
+    });
+
+    server.route({
+        method: 'DELETE',
+        path: '/v1/zone/{zone}/dnssec/key/{keyTag}',
+
+        async handler(request) {
+            try {
+                let removed = await dnssec.removeKey(request.params.zone, request.params.keyTag);
+                return { zone: request.params.zone, keyTag: request.params.keyTag, removed };
+            } catch (err) {
+                throw toBoom(err);
+            }
+        },
+
+        options: {
+            description: 'Remove a DNSSEC key',
+            notes: 'Removes a non-active signing key from a zone, e.g. to finish an algorithm rollover after publishing the new DS. Refuses to remove the active or last key.',
+            tags: ['api', 'dnssec'],
+            validate: {
+                options: { stripUnknown: true, abortEarly: false, convert: true },
+                failAction,
+                params: zoneParam
+                    .keys({
+                        keyTag: Joi.number().integer().min(0).max(65535).required().example(48234).description('Key tag of the key to remove').label('KeyTag')
+                    })
+                    .label('ZoneKey')
+            }
+        }
+    });
+
     server.route({
         method: '*',
         path: '/{any*}',

package/lib/certs.js

@@ -13,17 +13,11 @@ const logger = require('./logger').child({ component: 'certs' });
 const CSR = require('@root/csr');
 const { Certificate } = require('@fidm/x509');
 const { Resolver } = require('dns').promises;
-const Lock = require('ioredfour');
 const util = require('util');
+const { waitAcquireLock, releaseLock } = require('./lock');
 
 const generateKeyPairAsync = util.promisify(crypto.generateKeyPair);
 
-const certLock = new Lock({
-    redis: db.redisWrite,
-    namespace: 'd:lock:'
-});
-const waitAcquireLock = util.promisify(certLock.waitAcquireLock.bind(certLock));
-
 const localResolver = new Resolver();
 localResolver.setServers(config.ns.map(ns => ns.ip));
 
@@ -441,16 +435,7 @@ const getCertificate = async (domains, force) => {
 
         throw err;
     } finally {
-        if (lock.success) {
-            await new Promise(resolve => {
-                certLock.releaseLock(lock, err => {
-                    if (err) {
-                        logger.error({ msg: 'Failed releasing lock', lock: domainHash, domains, err });
-                    }
-                    resolve();
-                });
-            });
-        }
+        await releaseLock(lock, { lock: domainHash, domains });
     }
 };