pending-dns 1.3.0 → 1.4.0

package/test/dnssec-wire.test.js

@@ -0,0 +1,163 @@
+'use strict';
+
+// Pure unit tests for the DNSSEC wire layer. No Redis or network - safe to run
+// anywhere. The cross-checks against dns2's own DNSKEY encoder/decoder and the
+// RFC 4509 DS vector are what guarantee our bytes match what validators expect.
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const crypto = require('crypto');
+const { promisify } = require('util');
+
+const dns2 = require('dns2');
+const Packet = dns2.Packet;
+
+const wire = require('../lib/dnssec-wire');
+
+const generateKeyPairAsync = promisify(crypto.generateKeyPair);
+
+test('encodeName produces canonical lowercased uncompressed labels', () => {
+    assert.equal(wire.encodeName('Example.COM').toString('hex'), '076578616d706c6503636f6d00');
+    assert.equal(wire.encodeName('').toString('hex'), '00');
+    assert.equal(wire.encodeName('example.com.').toString('hex'), wire.encodeName('example.com').toString('hex'));
+});
+
+test('nameLabelCount excludes root and leading wildcard', () => {
+    assert.equal(wire.nameLabelCount('example.com'), 2);
+    assert.equal(wire.nameLabelCount('www.example.com'), 3);
+    assert.equal(wire.nameLabelCount('*.example.com'), 2);
+    assert.equal(wire.nameLabelCount(''), 0);
+});
+
+test('nsecTypeBitmap encodes window blocks (RFC 4034 4.1.2)', () => {
+    // bits 1 (A), 46 (RRSIG), 47 (NSEC) in window 0
+    assert.equal(wire.nsecTypeBitmap([wire.TYPE.A, wire.TYPE.RRSIG, wire.TYPE.NSEC]).toString('hex'), '0006400000000003');
+    // CAA (257) lives in window 1, bit 1
+    assert.equal(wire.nsecTypeBitmap([wire.TYPE.CAA]).toString('hex'), '010140');
+});
+
+test('canonicalRdata matches dns2 wire RDATA for natively-encoded types', () => {
+    const cases = [
+        { type: wire.TYPE.A, rr: { address: '9.8.7.6' }, dns2: { name: 'x', type: Packet.TYPE.A, class: 1, ttl: 1, address: '9.8.7.6' } },
+        { type: wire.TYPE.AAAA, rr: { address: '2001:db8::1' }, dns2: { name: 'x', type: Packet.TYPE.AAAA, class: 1, ttl: 1, address: '2001:db8::1' } },
+        {
+            type: wire.TYPE.MX,
+            rr: { priority: 10, exchange: 'mx.example.com' },
+            dns2: { name: 'x', type: Packet.TYPE.MX, class: 1, ttl: 1, priority: 10, exchange: 'mx.example.com' }
+        },
+        {
+            type: wire.TYPE.TXT,
+            rr: { data: ['hello', 'world'] },
+            dns2: { name: 'x', type: Packet.TYPE.TXT, class: 1, ttl: 1, data: ['hello', 'world'] }
+        },
+        {
+            type: wire.TYPE.CAA,
+            rr: { flags: 0, tag: 'issue', value: 'letsencrypt.org' },
+            dns2: { name: 'x', type: Packet.TYPE.CAA, class: 1, ttl: 1, flags: 0, tag: 'issue', value: 'letsencrypt.org' }
+        }
+    ];
+
+    for (const c of cases) {
+        // Extract dns2's RDATA by encoding a full resource and reparsing it.
+        const buf = Packet.Resource.encode(c.dns2);
+        const reparsed = Packet.Resource.parse(new Packet.Reader(buf));
+        const reEncoded = Packet.Resource.encode(reparsed);
+        // RDATA is the tail after name(uncompressed for a standalone record)+type(2)+class(2)+ttl(4)+rdlen(2).
+        const nameLen = wire.encodeName(c.dns2.name).length;
+        const dns2Rdata = reEncoded.slice(nameLen + 10);
+        assert.equal(wire.canonicalRdata(c.type, c.rr).toString('hex'), dns2Rdata.toString('hex'), `type ${c.type}`);
+    }
+});
+
+test('encodeDNSKEYRdata matches dns2 DNSKEY encoder byte-for-byte', async () => {
+    const { publicKey } = await generateKeyPairAsync('ec', { namedCurve: 'prime256v1' });
+    const jwk = publicKey.export({ format: 'jwk' });
+    const pubkey = wire.ALGS[13].pubkeyFromJwk(jwk);
+
+    const flags = wire.DNSKEY_FLAGS_CSK;
+    const mine = wire.encodeDNSKEYRdata({ flags, protocol: wire.DNSKEY_PROTOCOL, algorithm: 13, pubkey });
+
+    const writer = new Packet.Writer();
+    Packet.Resource.DNSKEY.encode({ flags, protocol: wire.DNSKEY_PROTOCOL, algorithm: 13, key: pubkey.toString('base64') }, writer);
+    const dns2Rdata = writer.toBuffer();
+
+    assert.ok(mine.equals(dns2Rdata), 'DNSKEY RDATA must match dns2 output');
+});
+
+test('dnskeyKeyTag agrees with dns2 decoder', async () => {
+    const { publicKey } = await generateKeyPairAsync('ed25519');
+    const jwk = publicKey.export({ format: 'jwk' });
+    const pubkey = wire.ALGS[15].pubkeyFromJwk(jwk);
+    const rdata = wire.encodeDNSKEYRdata({ flags: 257, protocol: 3, algorithm: 15, pubkey });
+
+    const decoded = Packet.Resource.DNSKEY.decode.call({}, new Packet.Reader(rdata), rdata.length);
+    assert.equal(wire.dnskeyKeyTag(rdata), decoded.keyTag);
+});
+
+test('dsDigest and dnskeyKeyTag match the RFC 4509 example', () => {
+    // dskey.example.com. DNSKEY 256 3 5 (...)  ->  DS 60485 5 2 D4B7...
+    const pubkey = Buffer.from(
+        'AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9XzcnOf+EPbtG9DMBmADjFDc2w/rljwvFw==',
+        'base64'
+    );
+    const rdata = wire.encodeDNSKEYRdata({ flags: 256, protocol: 3, algorithm: 5, pubkey });
+
+    assert.equal(wire.dnskeyKeyTag(rdata), 60485);
+    assert.equal(
+        wire.dsDigest('dskey.example.com', rdata, 2).toString('hex').toUpperCase(),
+        'D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A'
+    );
+});
+
+test('encodeTLSARdata lays out usage/selector/matchingType/cert', () => {
+    const rdata = wire.encodeTLSARdata({ usage: 3, selector: 1, matchingType: 1, certificate: 'abcd' });
+    assert.equal(rdata.toString('hex'), '030101abcd');
+});
+
+test('encodeTLSARdata rejects empty, odd-length, and out-of-range input', () => {
+    // empty certificate would otherwise emit a TLSA with no association data
+    assert.throws(() => wire.encodeTLSARdata({ usage: 3, selector: 1, matchingType: 1, certificate: '' }), /non-empty even-length hex/);
+    assert.throws(() => wire.encodeTLSARdata({ usage: 3, selector: 1, matchingType: 1, certificate: 'abc' }), /even-length hex/);
+    // u8() would otherwise wrap these silently (256 -> 0)
+    assert.throws(() => wire.encodeTLSARdata({ usage: 256, selector: 1, matchingType: 1, certificate: 'abcd' }), /0-255/);
+    assert.throws(() => wire.encodeTLSARdata({ usage: 3, selector: -1, matchingType: 1, certificate: 'abcd' }), /0-255/);
+});
+
+// RRSIG signing round-trips: prove the canonical signing input + per-algorithm
+// crypto calls are internally consistent (the CI-grade DNSSEC guarantee).
+for (const [algId, keygen] of [
+    [13, ['ec', { namedCurve: 'prime256v1' }]],
+    [15, ['ed25519', {}]],
+    [8, ['rsa', { modulusLength: 2048, publicExponent: 65537 }]]
+]) {
+    test(`RRSIG over an A RRset verifies for algorithm ${algId} (${wire.ALGS[algId].name})`, async () => {
+        const { publicKey, privateKey } = await generateKeyPairAsync(keygen[0], keygen[1]);
+
+        const rrset = [
+            { name: 'example.com', address: '1.2.3.4' },
+            { name: 'example.com', address: '5.6.7.8' }
+        ]
+            .map(rr => wire.canonicalRdata(wire.TYPE.A, rr))
+            .sort(wire.compareCanonicalRdata)
+            .map(rdata => wire.canonicalRR('example.com', wire.TYPE.A, 1, 300, rdata));
+
+        const preimage = wire.encodeRRSIGSigningPreimage({
+            typeCovered: wire.TYPE.A,
+            algorithm: algId,
+            labels: wire.nameLabelCount('example.com'),
+            originalTtl: 300,
+            expiration: 2000000000,
+            inception: 1000000000,
+            keyTag: 12345,
+            signerName: 'example.com'
+        });
+
+        const tbs = Buffer.concat([preimage, ...rrset]);
+        const signature = wire.ALGS[algId].sign(tbs, privateKey);
+        assert.ok(wire.ALGS[algId].verify(tbs, publicKey, signature), 'signature must verify');
+
+        // A tampered RRset must fail.
+        const tampered = Buffer.concat([preimage, ...rrset.slice(0, 1)]);
+        assert.equal(wire.ALGS[algId].verify(tampered, publicKey, signature), false);
+    });
+}

package/test/dnssec.test.js

@@ -0,0 +1,213 @@
+'use strict';
+
+// Key-management and signing tests for lib/dnssec.js. Backed by Redis (db 15).
+
+const test = require('node:test');
+const assert = require('node:assert/strict');
+const crypto = require('crypto');
+
+const dnssec = require('../lib/dnssec');
+const wire = require('../lib/dnssec-wire');
+const db = require('../lib/db');
+const { config, flushTestDb, closeDb } = require('./helpers');
+
+test.after(async () => {
+    await closeDb();
+});
+
+// Parse an RRSIG RDATA buffer back into its fields + signature.
+const parseRRSIG = data => {
+    let off = 18;
+    while (data[off] !== 0) {
+        off += 1 + data[off];
+    }
+    off += 1; // include the root label
+    return {
+        typeCovered: data.readUInt16BE(0),
+        algorithm: data.readUInt8(2),
+        labels: data.readUInt8(3),
+        originalTtl: data.readUInt32BE(4),
+        expiration: data.readUInt32BE(8),
+        inception: data.readUInt32BE(12),
+        keyTag: data.readUInt16BE(16),
+        preimage: data.slice(0, off),
+        signature: data.slice(off)
+    };
+};
+
+test('enableZone generates a CSK and reports consistent DS/DNSKEY', async () => {
+    await flushTestDb();
+    const status = await dnssec.enableZone('example.com', { algorithm: 13 });
+
+    assert.equal(status.enabled, true);
+    assert.equal(status.algorithm, 13);
+    assert.equal(status.ds.length, 1);
+    assert.equal(status.dnskey.length, 1);
+    assert.equal(status.ds[0].keyTag, status.dnskey[0].keyTag);
+
+    // The DS digest must recompute from the published DNSKEY.
+    const dnskeyRdata = wire.encodeDNSKEYRdata({
+        flags: status.dnskey[0].flags,
+        protocol: status.dnskey[0].protocol,
+        algorithm: status.dnskey[0].algorithm,
+        pubkey: Buffer.from(status.dnskey[0].publicKey, 'base64')
+    });
+    assert.equal(wire.dnskeyKeyTag(dnskeyRdata), status.ds[0].keyTag);
+    assert.equal(wire.dsDigest('example.com', dnskeyRdata, status.ds[0].digestType).toString('hex'), status.ds[0].digest);
+});
+
+test('enableZone is idempotent and keeps the same key', async () => {
+    await flushTestDb();
+    const first = await dnssec.enableZone('example.com', { algorithm: 13 });
+    const second = await dnssec.enableZone('example.com', { algorithm: 13 });
+    assert.equal(first.dnskey[0].keyTag, second.dnskey[0].keyTag);
+    assert.equal(first.dnskey[0].publicKey, second.dnskey[0].publicKey);
+});
+
+test('isZoneSigned reflects enable/disable', async () => {
+    await flushTestDb();
+    assert.equal(await dnssec.isZoneSigned('example.com'), false);
+    await dnssec.enableZone('example.com', { algorithm: 13 });
+    assert.equal(await dnssec.isZoneSigned('example.com'), true);
+    await dnssec.disableZone('example.com');
+    assert.equal(await dnssec.isZoneSigned('example.com'), false);
+});
+
+for (const algorithm of [13, 15, 8]) {
+    test(`signRRset produces a verifiable RRSIG for algorithm ${algorithm}`, async () => {
+        await flushTestDb();
+        await dnssec.enableZone('example.com', { algorithm });
+        const signer = await dnssec.getSigner('example.com');
+        assert.ok(signer, 'signer should be available');
+        assert.equal(signer.keys.length, 1, 'a single-algorithm zone has one signing key');
+        const key = signer.keys[0];
+
+        const rrs = [
+            { name: 'example.com', type: wire.TYPE.A, class: 1, ttl: 300, address: '1.2.3.4' },
+            { name: 'example.com', type: wire.TYPE.A, class: 1, ttl: 300, address: '5.6.7.8' }
+        ];
+        // signRRset returns one RRSIG per signing key (one per algorithm).
+        const rrsigs = dnssec.signRRset(signer, 'example.com', 'example.com', wire.TYPE.A, 300, rrs);
+        assert.equal(rrsigs.length, 1, 'one RRSIG per signing key');
+        const rrsig = rrsigs[0];
+
+        assert.equal(rrsig.type, wire.TYPE.RRSIG);
+        const parsed = parseRRSIG(rrsig.data);
+        assert.equal(parsed.typeCovered, wire.TYPE.A);
+        assert.equal(parsed.algorithm, algorithm);
+        assert.equal(parsed.keyTag, key.keyTag);
+        assert.ok(parsed.inception < parsed.expiration);
+
+        // Rebuild the signed bytes and verify with the public half of the key.
+        const canonical = rrs
+            .map(rr => wire.canonicalRdata(wire.TYPE.A, rr))
+            .sort(wire.compareCanonicalRdata)
+            .map(rdata => wire.canonicalRR('example.com', wire.TYPE.A, 1, 300, rdata));
+        const tbs = Buffer.concat([parsed.preimage, ...canonical]);
+        const publicKey = crypto.createPublicKey(key.privateKeyObj);
+        assert.ok(wire.ALGS[algorithm].verify(tbs, publicKey, parsed.signature), 'RRSIG must verify');
+    });
+}
+
+test('enableZone rolls to a new algorithm and removeKey finishes the rollover', async () => {
+    await flushTestDb();
+    const first = await dnssec.enableZone('example.com', { algorithm: 13 });
+    assert.equal(first.dnskey.length, 1);
+    const oldKeyTag = first.keyTag;
+
+    // Re-enable with a different algorithm -> rollover: both keys are kept and
+    // the zone is signed with both algorithms (RFC 6840 5.11).
+    const rolled = await dnssec.enableZone('example.com', { algorithm: 15 });
+    assert.equal(rolled.algorithm, 15, 'active algorithm switches to the new one');
+    assert.equal(rolled.dnskey.length, 2, 'both keys are published during overlap');
+    assert.notEqual(rolled.keyTag, oldKeyTag, 'a new active key is generated');
+    const newKeyTag = rolled.keyTag;
+
+    const signer = await dnssec.getSigner('example.com');
+    assert.deepEqual(
+        signer.keys.map(k => k.algorithm).sort((a, b) => a - b),
+        [13, 15],
+        'signs with both algorithms during the rollover'
+    );
+
+    // The active key cannot be removed - roll away from it first.
+    await assert.rejects(() => dnssec.removeKey('example.com', newKeyTag), /active key/);
+
+    // Remove the old key to finish the rollover.
+    assert.equal(await dnssec.removeKey('example.com', oldKeyTag), true);
+    const after = await dnssec.getZoneStatus('example.com');
+    assert.equal(after.dnskey.length, 1);
+    assert.equal(after.keyTag, newKeyTag);
+
+    const signerAfter = await dnssec.getSigner('example.com');
+    assert.deepEqual(
+        signerAfter.keys.map(k => k.algorithm),
+        [15]
+    );
+
+    // The last remaining key cannot be removed.
+    await assert.rejects(() => dnssec.removeKey('example.com', newKeyTag), /last remaining key/);
+});
+
+test('re-enabling with no algorithm preserves the rolled-to active key', async () => {
+    await flushTestDb();
+    await dnssec.enableZone('example.com', { algorithm: 13 });
+    const rolled = await dnssec.enableZone('example.com', { algorithm: 15 });
+    assert.equal(rolled.algorithm, 15);
+
+    // Empty body (no algorithm) must NOT revert the active key to the config default.
+    const reenabled = await dnssec.enableZone('example.com');
+    assert.equal(reenabled.algorithm, 15, 'active stays on the rolled-to algorithm');
+    assert.equal(reenabled.keyTag, rolled.keyTag, 'active key is unchanged');
+});
+
+test('enableZone refuses when the global switch is off', async () => {
+    await flushTestDb();
+    config.dnssec.enabled = false;
+    try {
+        await assert.rejects(() => dnssec.enableZone('example.com', { algorithm: 13 }), /disabled globally/);
+    } finally {
+        config.dnssec.enabled = true;
+    }
+});
+
+test('getSigner caches the signer for the configured TTL', async () => {
+    await flushTestDb();
+    await dnssec.enableZone('example.com', { algorithm: 13 });
+    config.dnssec.signerCacheTtl = 30;
+    try {
+        assert.ok(await dnssec.getSigner('example.com'), 'signer is built and cached');
+        // Disable via raw Redis, bypassing invalidateSigner: the cache must keep
+        // serving the signer until the TTL expires.
+        await db.redisWrite.hset(`d:dnssec:${dnssec.testables.zoneName('example.com')}`, 'enabled', '0');
+        assert.ok(await dnssec.getSigner('example.com'), 'still served from cache despite the raw disable');
+    } finally {
+        config.dnssec.signerCacheTtl = 0;
+    }
+});
+
+test('a configured inception skew and signature validity of 0 are honored', async () => {
+    await flushTestDb();
+    await dnssec.enableZone('example.com', { algorithm: 13 });
+    const signer = await dnssec.getSigner('example.com');
+
+    const origSkew = config.dnssec.inceptionSkew;
+    const origValidity = config.dnssec.signatureValidity;
+    config.dnssec.inceptionSkew = 0;
+    config.dnssec.signatureValidity = 0;
+    try {
+        const before = Math.floor(Date.now() / 1000);
+        const rrsigs = dnssec.signRRset(signer, 'example.com', 'example.com', wire.TYPE.A, 300, [
+            { name: 'example.com', type: wire.TYPE.A, class: 1, ttl: 300, address: '1.2.3.4' }
+        ]);
+        const after = Math.floor(Date.now() / 1000);
+        const parsed = parseRRSIG(rrsigs[0].data);
+        // inceptionSkew = 0 means no backdating: inception is "now", not now - 3600.
+        assert.ok(parsed.inception >= before && parsed.inception <= after, 'inception is now, not backdated');
+        // signatureValidity = 0 means expiration equals inception, not now + 604800.
+        assert.equal(parsed.expiration, parsed.inception, 'validity 0 yields expiration equal to inception');
+    } finally {
+        config.dnssec.inceptionSkew = origSkew;
+        config.dnssec.signatureValidity = origValidity;
+    }
+});

package/test/helpers.js

@@ -12,7 +12,9 @@ const isTestDatabase = () => /\/15(\?|$)/.test((config.dbs.redis || '').toString
 // db 15 to avoid wiping development (db 2) or production data by accident.
 const flushTestDb = async () => {
     if (!isTestDatabase()) {
-        throw new Error(`Refusing to flush Redis: expected the test database (db 15) but config points at "${config.dbs.redis}". Run tests with NODE_ENV=test.`);
+        throw new Error(
+            `Refusing to flush Redis: expected the test database (db 15) but config points at "${config.dbs.redis}". Run tests with NODE_ENV=test.`
+        );
     }
     await db.redisWrite.flushdb();
 };

package/test/zone-store.test.js

@@ -19,10 +19,46 @@ test.beforeEach(async () => {
 // ---------------------------------------------------------------------------
 
 test('module exports the allowed record types and CAA tags', () => {
-    assert.deepEqual(allowedTypes, ['A', 'AAAA', 'ANAME', 'CNAME', 'MX', 'TXT', 'CAA', 'URL', 'NS']);
+    assert.deepEqual(allowedTypes, ['A', 'AAAA', 'ANAME', 'CNAME', 'MX', 'TXT', 'CAA', 'TLSA', 'URL', 'NS']);
     assert.deepEqual(allowedTags, ['issue', 'issuewild', 'iodef']);
 });
 
+test('add rejects a TLSA record whose certificate is not even-length hex', async () => {
+    assert.equal(await zoneStore.add('example.com', '_25._tcp', 'TLSA', [3, 1, 1, 'abc']), false, 'odd-length hex');
+    assert.equal(await zoneStore.add('example.com', '_25._tcp', 'TLSA', [3, 1, 1, 'xyz0']), false, 'non-hex');
+});
+
+test('add stores a TLSA record with even-length hex', async () => {
+    assert.ok(await zoneStore.add('example.com', '_25._tcp', 'TLSA', [3, 1, 1, 'aabb']), 'even-length hex is accepted');
+});
+
+test('update rejects a non-even-length-hex TLSA on the unchanged name/type path', async () => {
+    const id = await zoneStore.add('example.com', '_25._tcp', 'TLSA', [3, 1, 1, 'aabb']);
+    assert.ok(id, 'baseline TLSA stored');
+
+    // Same subdomain + type (the direct-hset path, not the delete+add path) with an
+    // odd-length cert must be refused, mirroring the guard in add().
+    const res = await zoneStore.update('example.com', id, '_25._tcp', 'TLSA', [3, 1, 1, 'abc']);
+    assert.equal(res, false, 'odd-length hex is rejected on the update unchanged path');
+
+    const tlsa = (await zoneStore.list('example.com')).find(r => r.type === 'TLSA');
+    assert.ok(tlsa, 'the TLSA record still exists');
+    assert.equal(tlsa.value[3], 'aabb', 'the original certificate is preserved');
+});
+
+test('existingTypes folds in single-level wildcard types when asked', async () => {
+    await zoneStore.add('example.com', '*', 'A', ['1.2.3.4']);
+    await zoneStore.add('example.com', 'foo', 'TXT', ['hi']);
+
+    const union = await zoneStore.existingTypes('foo.example.com', true);
+    assert.ok(union.includes('A'), 'wildcard-supplied A is included');
+    assert.ok(union.includes('TXT'), 'exact TXT at the name is included');
+    assert.ok(!union.includes('AAAA'), 'AAAA is supplied by neither');
+
+    const exact = await zoneStore.existingTypes('foo.example.com');
+    assert.ok(exact.includes('TXT') && !exact.includes('A'), 'exact-only excludes the wildcard A');
+});
+
 test('getFullId / parseFullId round-trip', () => {
     const id = zoneStore.getFullId('com.example.www', 'CNAME', 'abc123');
     const parsed = zoneStore.parseFullId(id);