pending-dns 1.3.0 → 1.4.0

package/test/api.test.js

@@ -4,7 +4,7 @@ const test = require('node:test');
 const assert = require('node:assert/strict');
 
 const { createServer } = require('../lib/api-server');
-const { flushTestDb, closeDb } = require('./helpers');
+const { config, flushTestDb, closeDb } = require('./helpers');
 
 let server;
 
@@ -90,6 +90,44 @@ test('POST creates a CAA record and stores its tag', async () => {
     assert.equal(caa.tag, 'issue');
 });
 
+test('POST creates a TLSA record with an underscore-labelled subdomain', async () => {
+    const certHex = '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c';
+    const create = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '_443._tcp.www', type: 'TLSA', usage: 3, selector: 1, matchingType: 1, certificate: certHex }
+    });
+    assert.equal(create.statusCode, 200, `expected TLSA create to succeed, got ${create.payload}`);
+
+    const res = await inject({ method: 'GET', url: '/v1/zone/example.com/records' });
+    const body = JSON.parse(res.payload);
+    const tlsa = body.records.find(r => r.type === 'TLSA' && r.id);
+    assert.ok(tlsa, 'TLSA record should be listed');
+    assert.equal(tlsa.subdomain, '_443._tcp.www');
+    assert.equal(tlsa.usage, 3);
+    assert.equal(tlsa.selector, 1);
+    assert.equal(tlsa.matchingType, 1);
+    assert.equal(tlsa.certificate, certHex);
+});
+
+test('POST rejects a TLSA record with odd-length hex', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '_443._tcp.www', type: 'TLSA', usage: 3, selector: 1, matchingType: 1, certificate: 'abc' }
+    });
+    assert.equal(res.statusCode, 400);
+});
+
+test('POST rejects TLSA-only fields on a non-TLSA record type', async () => {
+    const res = await inject({
+        method: 'POST',
+        url: '/v1/zone/example.com/records',
+        payload: { subdomain: '', type: 'A', address: '1.2.3.4', usage: 3, certificate: 'abcd' }
+    });
+    assert.equal(res.statusCode, 400);
+});
+
 test('PUT updates a record and echoes back the record id', async () => {
     const create = await inject({
         method: 'POST',
@@ -126,6 +164,60 @@ test('DELETE removes a record', async () => {
     assert.deepEqual(JSON.parse(res.payload).records, []);
 });
 
+test('DNSSEC can be enabled, inspected and disabled over the API', async () => {
+    const enable = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } });
+    assert.equal(enable.statusCode, 200, `expected enable to succeed, got ${enable.payload}`);
+    const enabled = JSON.parse(enable.payload);
+    assert.equal(enabled.enabled, true);
+    assert.ok(enabled.ds.length >= 1 && enabled.ds[0].presentation, 'DS presentation should be returned');
+
+    const status = await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(status.statusCode, 200);
+    assert.equal(JSON.parse(status.payload).enabled, true);
+
+    const disable = await inject({ method: 'DELETE', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(disable.statusCode, 200);
+    assert.equal(JSON.parse(disable.payload).disabled, true);
+
+    const after = await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' });
+    assert.equal(JSON.parse(after.payload).enabled, false);
+});
+
+test('DNSSEC algorithm rollover and key removal over the API', async () => {
+    const enable = JSON.parse((await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } })).payload);
+    const oldKeyTag = enable.keyTag;
+
+    // Re-enable with a new algorithm -> rollover keeps both keys.
+    const rolled = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 15 } });
+    const rolledBody = JSON.parse(rolled.payload);
+    assert.equal(rolledBody.algorithm, 15);
+    assert.equal(rolledBody.ds.length, 2, 'both keys are published during the rollover');
+    assert.notEqual(rolledBody.keyTag, oldKeyTag);
+
+    // The active key cannot be removed.
+    const refuse = await inject({ method: 'DELETE', url: `/v1/zone/example.com/dnssec/key/${rolledBody.keyTag}` });
+    assert.equal(refuse.statusCode, 400);
+
+    // Removing the old key finishes the rollover.
+    const remove = await inject({ method: 'DELETE', url: `/v1/zone/example.com/dnssec/key/${oldKeyTag}` });
+    assert.equal(remove.statusCode, 200);
+    assert.equal(JSON.parse(remove.payload).removed, true);
+
+    const final = JSON.parse((await inject({ method: 'GET', url: '/v1/zone/example.com/dnssec' })).payload);
+    assert.equal(final.ds.length, 1);
+    assert.equal(final.keyTag, rolledBody.keyTag);
+});
+
+test('POST /dnssec is refused (400) when DNSSEC is globally disabled', async () => {
+    config.dnssec.enabled = false;
+    try {
+        const res = await inject({ method: 'POST', url: '/v1/zone/example.com/dnssec', payload: { algorithm: 13 } });
+        assert.equal(res.statusCode, 400, `expected 400, got ${res.statusCode}: ${res.payload}`);
+    } finally {
+        config.dnssec.enabled = true;
+    }
+});
+
 test('POST /v1/acme requires at least one domain', async () => {
     // Fails Joi validation (min 1) before the handler runs, so no ACME/network work.
     const res = await inject({ method: 'POST', url: '/v1/acme', payload: { domains: [] } });

package/test/dns-handler.test.js

@@ -46,7 +46,10 @@ test('shuffle returns the same elements (a permutation)', () => {
     const input = [1, 2, 3, 4, 5, 6, 7, 8];
     const out = shuffle(input.slice());
     assert.equal(out.length, input.length);
-    assert.deepEqual(out.slice().sort((a, b) => a - b), input);
+    assert.deepEqual(
+        out.slice().sort((a, b) => a - b),
+        input
+    );
 });
 
 test('filterUnhealthy drops unhealthy entries when at least one is healthy', () => {
@@ -104,6 +107,14 @@ test('dnsHandler returns configured NS records when none are stored', async () =
     assert.ok(nsAnswers.length >= 1, 'should fall back to configured name servers');
 });
 
+test('dnsHandler does not synthesise NS below the apex', async () => {
+    await flushTestDb();
+    // Adding any record registers the example.com zone.
+    await zoneStore.add('example.com', 'www', 'A', ['1.2.3.4']);
+    const response = await dnsHandler(buildRequest('sub.example.com', 'NS'));
+    assert.ok(!response.answers.some(a => a.type === Packet.TYPE.NS), 'a record-less below-apex name is not a delegation, so no NS is synthesised');
+});
+
 test('dnsHandler synthesises a SOA record', async () => {
     await flushTestDb();
     const response = await dnsHandler(buildRequest('example.com', 'SOA'));
@@ -127,6 +138,26 @@ test('dnsHandler filters unhealthy AAAA records', async () => {
     assert.equal(aaaa.length, 1, 'the unhealthy AAAA record should be filtered out');
 });
 
+test('dnsHandler answers a TLSA query with raw RDATA that round-trips on the wire', async () => {
+    await flushTestDb();
+    const certHex = '92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c';
+    await zoneStore.add('example.com', '_443._tcp.www', 'TLSA', [3, 1, 1, certHex]);
+
+    const req = new Packet({});
+    req.questions = [{ name: '_443._tcp.www.example.com', type: 52, class: Packet.CLASS.IN }];
+    req.source = { type: 'udp', address: '127.0.0.1', port: 5353 };
+
+    const response = await dnsHandler(req);
+    const tlsa = response.answers.find(a => a.type === 52);
+    assert.ok(tlsa, 'a TLSA answer should be returned');
+
+    // Serialize then reparse to confirm dns2 carries the raw RDATA intact.
+    const reparsed = Packet.parse(response.toBuffer());
+    const rr = reparsed.answers.find(a => a.type === 52);
+    assert.ok(rr, 'TLSA record survives wire serialization');
+    assert.equal(rr.data.toString('hex'), `030101${certHex}`);
+});
+
 test('dnsHandler resolves CNAME chains', async () => {
     await flushTestDb();
     await zoneStore.add('example.com', 'alias', 'CNAME', ['example.com']);

package/test/dns-server.test.js

@@ -4,10 +4,16 @@ const test = require('node:test');
 const assert = require('node:assert/strict');
 const { Resolver } = require('node:dns').promises;
 
+const dns2 = require('dns2');
+const Packet = dns2.Packet;
+
 const initDnsServer = require('../lib/dns-server');
+const { parseEdns, finalizeResponse } = initDnsServer.testables;
 const { zoneStore } = require('../lib/zone-store');
 const { config, flushTestDb, closeDb } = require('./helpers');
 
+const EDNS = Packet.TYPE.EDNS;
+
 let servers;
 let resolver;
 
@@ -67,3 +73,90 @@ test('returns configured NS records over the wire', async () => {
     const ns = await resolver.resolveNs('example.com');
     assert.ok(Array.isArray(ns) && ns.length >= 1);
 });
+
+// ---------------------------------------------------------------------------
+// EDNS / OPT handling (pure, no network)
+// ---------------------------------------------------------------------------
+
+const mkResponse = answers => {
+    const p = new Packet({});
+    p.header = new Packet.Header({ id: 1, qr: 1, aa: 1 });
+    p.questions = [{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN }];
+    p.answers = answers;
+    return p;
+};
+
+test('parseEdns reads the DO bit and payload size from an OPT record', () => {
+    // eslint-disable-next-line new-cap
+    const withOpt = { additionals: [Packet.Resource.EDNS([], { udpPayloadSize: 1232, doFlag: true })] };
+    const edns = parseEdns(withOpt);
+    assert.equal(edns.hasOpt, true);
+    assert.equal(edns.doFlag, true);
+    assert.equal(edns.udpPayloadSize, 1232);
+
+    const noOpt = parseEdns({ additionals: [] });
+    assert.equal(noOpt.hasOpt, false);
+    assert.equal(noOpt.doFlag, false);
+});
+
+test('finalizeResponse adds an OPT to EDNS replies and drops leaked additionals', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    // simulate a leaked inbound OPT plus stray additional
+    response.additionals = [
+        // eslint-disable-next-line new-cap
+        Packet.Resource.EDNS([], { udpPayloadSize: 4096, doFlag: true }),
+        { name: 'x', type: Packet.TYPE.A, class: 1, ttl: 1, address: '9.9.9.9' }
+    ];
+
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 4096 }, 'tcp');
+    assert.equal(out.additionals.length, 1);
+    assert.equal(out.additionals[0].type, EDNS);
+    assert.equal(out.additionals[0].doFlag, true);
+});
+
+test('finalizeResponse omits OPT when the query had none', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    const out = finalizeResponse(response, { hasOpt: false, doFlag: false, udpPayloadSize: 512 }, 'tcp');
+    assert.deepEqual(out.additionals, []);
+});
+
+test('finalizeResponse truncates oversized UDP responses with TC set', () => {
+    // Many large TXT answers easily exceed the 512-byte floor.
+    const answers = [];
+    for (let i = 0; i < 20; i++) {
+        answers.push({ name: 'example.com', type: Packet.TYPE.TXT, class: Packet.CLASS.IN, ttl: 300, data: ['z'.repeat(200)] });
+    }
+    const response = mkResponse(answers);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 512 }, 'udp');
+    // truncated path returns a serialized Buffer (TC=1, empty body, our OPT)
+    assert.ok(Buffer.isBuffer(out));
+    const reparsed = Packet.parse(out);
+    assert.equal(reparsed.header.tc, 1);
+    assert.equal(reparsed.answers.length, 0);
+    assert.ok(reparsed.additionals.some(r => r.type === EDNS));
+});
+
+test('finalizeResponse caps UDP at our configured size, not the requestor advertised max', () => {
+    // A response between our 1232 cap and the 4096 ceiling: a resolver advertising
+    // 4096 must still get TC=1, because we never emit a datagram larger than our
+    // configured udpPayloadSize (anti-fragmentation), regardless of the advertised max.
+    const answers = [];
+    for (let i = 0; i < 10; i++) {
+        answers.push({ name: 'example.com', type: Packet.TYPE.TXT, class: Packet.CLASS.IN, ttl: 300, data: ['z'.repeat(200)] });
+    }
+    const response = mkResponse(answers);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: true, udpPayloadSize: 4096 }, 'udp');
+    assert.ok(Buffer.isBuffer(out));
+    const reparsed = Packet.parse(out);
+    assert.equal(reparsed.header.tc, 1, 'response above our configured cap is truncated even when 4096 is advertised');
+    assert.equal(reparsed.answers.length, 0);
+});
+
+test('finalizeResponse returns a serialized buffer for UDP responses that fit', () => {
+    const response = mkResponse([{ name: 'example.com', type: Packet.TYPE.A, class: Packet.CLASS.IN, ttl: 300, address: '1.2.3.4' }]);
+    const out = finalizeResponse(response, { hasOpt: true, doFlag: false, udpPayloadSize: 1232 }, 'udp');
+    assert.ok(Buffer.isBuffer(out));
+    // reparse to confirm the OPT made it onto the wire
+    const reparsed = Packet.parse(out);
+    assert.ok(reparsed.additionals.some(r => r.type === EDNS));
+});