tangerine 2.1.0 → 2.1.2

package/README.md

@@ -237,6 +237,26 @@ tangerine.resolve('forwardemail.net').then(console.log);
 
 ### `tangerine.resolve(hostname[, rrtype, options, abortController])`
 
+Tangerine supports the following additional properties in the `options` Object argument:
+
+* `ecsSubnet` (String) - EDNS Client Subnet (ECS) option for geolocation-aware DNS responses.
+* `purgeCache` (Boolean) - If `true`, bypass and refresh the cached result.
+* `dnssecSecure` (Boolean) - If `true`, set the EDNS0 DO (DNSSEC OK) flag in the outgoing DoH query and return a `{ secure, answers }` object instead of the normal result array. The `secure` property is `true` when the upstream resolver (Cloudflare/Google) has validated the response via DNSSEC (i.e. the AD flag is set). This is useful for [RFC 7672 Section 2.2.2](https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2) DANE implementations that need to check whether an MX host's zone is DNSSEC-signed before attempting TLSA lookups.
+
+```js
+const tangerine = new Tangerine();
+
+// Check if a domain's zone is DNSSEC-signed
+const result = await tangerine.resolve('cloudflare.com', 'A', { dnssecSecure: true });
+console.log(result);
+// { secure: true, answers: [{ name: 'cloudflare.com', type: 'A', ... }] }
+
+// Non-DNSSEC zone
+const result2 = await tangerine.resolve('google.com', 'A', { dnssecSecure: true });
+console.log(result2);
+// { secure: false, answers: [{ name: 'google.com', type: 'A', ... }] }
+```
+
 ### `tangerine.resolve4(hostname[, options, abortController])`
 
 Tangerine supports a new `ecsSubnet` property in the `options` Object argument.
@@ -534,25 +554,27 @@ We have written extensive benchmarks to show that :tangerine: Tangerine is as fa
 
 #### Latest Automated Benchmark Results
 
-**Last Updated:** 2026-02-26
+**Last Updated:** 2026-03-07
 
 | Node Version | Platform | Arch | Timestamp    |
 | ------------ | -------- | ---- | ------------ |
 | v18.20.8     | linux    | x64  | Dec 21, 2025 |
-| v20.19.6     | linux    | x64  | Jan 22, 2026 |
-| v20.20.0     | linux    | x64  | Feb 25, 2026 |
+| v20.19.6     | linux    | x64  | Jan 21, 2026 |
+| v20.20.0     | linux    | x64  | Feb 24, 2026 |
 | v22.21.1     | linux    | x64  | Dec 21, 2025 |
-| v22.22.0     | linux    | x64  | Jan 23, 2026 |
+| v22.22.0     | linux    | x64  | Jan 22, 2026 |
 | v24.12.0     | linux    | x64  | Dec 21, 2025 |
-| v24.13.0     | linux    | x64  | Feb 19, 2026 |
-| v24.13.1     | linux    | x64  | Feb 26, 2026 |
+| v24.13.0     | linux    | x64  | Feb 18, 2026 |
+| v24.13.1     | linux    | x64  | Mar 3, 2026  |
+| v24.14.0     | linux    | x64  | Mar 6, 2026  |
 | v25.2.1      | linux    | x64  | Dec 21, 2025 |
-| v25.3.0      | linux    | x64  | Jan 14, 2026 |
-| v25.4.0      | linux    | x64  | Jan 20, 2026 |
-| v25.5.0      | linux    | x64  | Jan 27, 2026 |
-| v25.6.0      | linux    | x64  | Feb 4, 2026  |
-| v25.6.1      | linux    | x64  | Feb 11, 2026 |
-| v25.7.0      | linux    | x64  | Feb 25, 2026 |
+| v25.3.0      | linux    | x64  | Jan 13, 2026 |
+| v25.4.0      | linux    | x64  | Jan 19, 2026 |
+| v25.5.0      | linux    | x64  | Jan 26, 2026 |
+| v25.6.0      | linux    | x64  | Feb 3, 2026  |
+| v25.6.1      | linux    | x64  | Feb 10, 2026 |
+| v25.7.0      | linux    | x64  | Feb 24, 2026 |
+| v25.8.0      | linux    | x64  | Mar 3, 2026  |
 
 <details>
 <summary>Click to expand detailed benchmark results</summary>
@@ -857,12 +879,12 @@ Fastest without caching is: tangerine.reverse GET without caching
 
 ```text
 Started: lookup
-tangerine.lookup POST with caching using Cloudflare x 328,178 ops/sec ±1.46% (90 runs sampled)
-tangerine.lookup POST without caching using Cloudflare x 263 ops/sec ±1.89% (78 runs sampled)
-tangerine.lookup GET with caching using Cloudflare x 315,952 ops/sec ±0.27% (90 runs sampled)
-tangerine.lookup GET without caching using Cloudflare x 227 ops/sec ±3.20% (78 runs sampled)
-dns.promises.lookup with caching using Cloudflare x 1,047 ops/sec ±195.98% (80 runs sampled)
-dns.promises.lookup without caching using Cloudflare x 2,273 ops/sec ±0.36% (86 runs sampled)
+tangerine.lookup POST with caching using Cloudflare x 333,315 ops/sec ±1.61% (85 runs sampled)
+tangerine.lookup POST without caching using Cloudflare x 227 ops/sec ±1.93% (82 runs sampled)
+tangerine.lookup GET with caching using Cloudflare x 320,901 ops/sec ±0.68% (90 runs sampled)
+tangerine.lookup GET without caching using Cloudflare x 262 ops/sec ±2.60% (81 runs sampled)
+dns.promises.lookup with caching using Cloudflare x 10,104,926 ops/sec ±1.20% (84 runs sampled)
+dns.promises.lookup without caching using Cloudflare x 2,172 ops/sec ±0.39% (86 runs sampled)
 Fastest without caching is: dns.promises.lookup without caching using Cloudflare
 ```
 
@@ -870,32 +892,77 @@ Fastest without caching is: dns.promises.lookup without caching using Cloudflare
 
 ```text
 Started: resolve
-tangerine.resolve POST with caching using Cloudflare x 1,146,234 ops/sec ±0.38% (88 runs sampled)
-tangerine.resolve POST without caching using Cloudflare x 228 ops/sec ±1.86% (83 runs sampled)
-tangerine.resolve GET with caching using Cloudflare x 1,121,526 ops/sec ±0.51% (87 runs sampled)
-tangerine.resolve GET without caching using Cloudflare x 293 ops/sec ±1.77% (77 runs sampled)
-tangerine.resolve POST with caching using Google x 1,116,293 ops/sec ±0.94% (87 runs sampled)
-tangerine.resolve POST without caching using Google x 262 ops/sec ±4.45% (83 runs sampled)
-tangerine.resolve GET with caching using Google x 1,127,465 ops/sec ±0.31% (90 runs sampled)
-tangerine.resolve GET without caching using Google x 265 ops/sec ±1.09% (83 runs sampled)
-resolver.resolve with caching using Cloudflare x 8,518,907 ops/sec ±1.01% (86 runs sampled)
-resolver.resolve without caching using Cloudflare x 82.99 ops/sec ±142.66% (36 runs sampled)
-Fastest without caching is: tangerine.resolve GET without caching using Cloudflare
+tangerine.resolve POST with caching using Cloudflare x 1,155,993 ops/sec ±0.68% (89 runs sampled)
+tangerine.resolve POST without caching using Cloudflare x 238 ops/sec ±1.44% (82 runs sampled)
+tangerine.resolve GET with caching using Cloudflare x 1,130,246 ops/sec ±0.43% (89 runs sampled)
+tangerine.resolve GET without caching using Cloudflare x 271 ops/sec ±1.13% (85 runs sampled)
+tangerine.resolve POST with caching using Google x 534 ops/sec ±195.91% (89 runs sampled)
+tangerine.resolve POST without caching using Google x 180 ops/sec ±23.75% (71 runs sampled)
+tangerine.resolve GET with caching using Google x 1,127,220 ops/sec ±0.26% (91 runs sampled)
+tangerine.resolve GET without caching using Google x 194 ops/sec ±16.84% (63 runs sampled)
+resolver.resolve with caching using Cloudflare x 8,475,317 ops/sec ±0.93% (83 runs sampled)
+resolver.resolve without caching using Cloudflare x 345 ops/sec ±1.00% (78 runs sampled)
+Fastest without caching is: resolver.resolve without caching using Cloudflare
 ```
 
 **reverse:**
 
 ```text
 Started: reverse
-tangerine.reverse GET with caching x 337,325 ops/sec ±0.52% (89 runs sampled)
-tangerine.reverse GET without caching x 233 ops/sec ±2.59% (79 runs sampled)
-resolver.reverse with caching x 17.19 ops/sec ±196.00% (86 runs sampled)
-resolver.reverse without caching x 6.84 ops/sec ±154.89% (71 runs sampled)
-dns.promises.reverse with caching x 8,315,699 ops/sec ±1.33% (78 runs sampled)
-dns.promises.reverse without caching x 0.77 ops/sec ±164.54% (37 runs sampled)
+tangerine.reverse GET with caching x 331,840 ops/sec ±0.57% (89 runs sampled)
+tangerine.reverse GET without caching x 241 ops/sec ±1.30% (80 runs sampled)
+resolver.reverse with caching x 8,769,670 ops/sec ±0.60% (87 runs sampled)
+resolver.reverse without caching x 24.95 ops/sec ±193.07% (22 runs sampled)
+dns.promises.reverse with caching x 8,895,968 ops/sec ±0.71% (88 runs sampled)
+dns.promises.reverse without caching x 0.05 ops/sec ±112.55% (5 runs sampled)
 Fastest without caching is: tangerine.reverse GET without caching
 ```
 
+##### Node.js v24.14.0
+
+**lookup:**
+
+```text
+Started: lookup
+tangerine.lookup POST with caching using Cloudflare x 1,326 ops/sec ±195.20% (85 runs sampled)
+tangerine.lookup POST without caching using Cloudflare x 59.26 ops/sec ±6.44% (74 runs sampled)
+tangerine.lookup GET with caching using Cloudflare x 314,095 ops/sec ±0.32% (90 runs sampled)
+tangerine.lookup GET without caching using Cloudflare x 63.80 ops/sec ±2.69% (77 runs sampled)
+dns.promises.lookup with caching using Cloudflare x 10,223,830 ops/sec ±0.86% (85 runs sampled)
+dns.promises.lookup without caching using Cloudflare x 2,175 ops/sec ±0.84% (87 runs sampled)
+Fastest without caching is: dns.promises.lookup without caching using Cloudflare
+```
+
+**resolve:**
+
+```text
+Started: resolve
+tangerine.resolve POST with caching using Cloudflare x 1,293 ops/sec ±195.78% (88 runs sampled)
+tangerine.resolve POST without caching using Cloudflare x 70.18 ops/sec ±3.02% (84 runs sampled)
+tangerine.resolve GET with caching using Cloudflare x 1,118,050 ops/sec ±0.39% (90 runs sampled)
+tangerine.resolve GET without caching using Cloudflare x 62.96 ops/sec ±2.78% (76 runs sampled)
+tangerine.resolve POST with caching using Google x 1,652 ops/sec ±195.71% (90 runs sampled)
+tangerine.resolve POST without caching using Google x 58.58 ops/sec ±8.14% (78 runs sampled)
+tangerine.resolve GET with caching using Google x 1,103,516 ops/sec ±1.21% (87 runs sampled)
+tangerine.resolve GET without caching using Google x 61.12 ops/sec ±3.21% (75 runs sampled)
+resolver.resolve with caching using Cloudflare x 8,524,784 ops/sec ±0.95% (87 runs sampled)
+resolver.resolve without caching using Cloudflare x 70.34 ops/sec ±1.22% (68 runs sampled)
+Fastest without caching is: resolver.resolve without caching using Cloudflare
+```
+
+**reverse:**
+
+```text
+Started: reverse
+tangerine.reverse GET with caching x 1,298 ops/sec ±195.25% (90 runs sampled)
+tangerine.reverse GET without caching x 70.67 ops/sec ±2.91% (84 runs sampled)
+resolver.reverse with caching x 8,799,672 ops/sec ±0.94% (85 runs sampled)
+resolver.reverse without caching x 71.99 ops/sec ±1.45% (70 runs sampled)
+dns.promises.reverse with caching x 8,834,313 ops/sec ±0.77% (85 runs sampled)
+dns.promises.reverse without caching x 70.74 ops/sec ±1.11% (70 runs sampled)
+Fastest without caching is: resolver.reverse without caching, dns.promises.reverse without caching, tangerine.reverse GET without caching
+```
+
 ##### Node.js v25.2.1
 
 **lookup:**
@@ -1211,6 +1278,51 @@ dns.promises.reverse without caching x 67.14 ops/sec ±0.80% (79 runs sampled)
 Fastest without caching is: dns.promises.reverse without caching, resolver.reverse without caching
 ```
 
+##### Node.js v25.8.0
+
+**lookup:**
+
+```text
+Started: lookup
+tangerine.lookup POST with caching using Cloudflare x 348,234 ops/sec ±1.43% (89 runs sampled)
+tangerine.lookup POST without caching using Cloudflare x 245 ops/sec ±1.75% (83 runs sampled)
+tangerine.lookup GET with caching using Cloudflare x 340,115 ops/sec ±0.72% (89 runs sampled)
+tangerine.lookup GET without caching using Cloudflare x 223 ops/sec ±2.25% (81 runs sampled)
+dns.promises.lookup with caching using Cloudflare x 1,759 ops/sec ±195.97% (88 runs sampled)
+dns.promises.lookup without caching using Cloudflare x 2,223 ops/sec ±0.55% (87 runs sampled)
+Fastest without caching is: dns.promises.lookup without caching using Cloudflare
+```
+
+**resolve:**
+
+```text
+Started: resolve
+tangerine.resolve POST with caching using Cloudflare x 1,224,642 ops/sec ±0.58% (87 runs sampled)
+tangerine.resolve POST without caching using Cloudflare x 248 ops/sec ±1.54% (83 runs sampled)
+tangerine.resolve GET with caching using Cloudflare x 1,168,649 ops/sec ±0.55% (85 runs sampled)
+tangerine.resolve GET without caching using Cloudflare x 264 ops/sec ±1.04% (82 runs sampled)
+tangerine.resolve POST with caching using Google x 1,411 ops/sec ±195.76% (87 runs sampled)
+tangerine.resolve POST without caching using Google x 178 ops/sec ±24.83% (67 runs sampled)
+tangerine.resolve GET with caching using Google x 1,188,395 ops/sec ±0.40% (88 runs sampled)
+tangerine.resolve GET without caching using Google x 237 ops/sec ±14.93% (74 runs sampled)
+resolver.resolve with caching using Cloudflare x 8.39 ops/sec ±196.00% (84 runs sampled)
+resolver.resolve without caching using Cloudflare x 109 ops/sec ±113.88% (68 runs sampled)
+Fastest without caching is: tangerine.resolve GET without caching using Cloudflare, tangerine.resolve POST without caching using Google
+```
+
+**reverse:**
+
+```text
+Started: reverse
+tangerine.reverse GET with caching x 346,448 ops/sec ±4.35% (86 runs sampled)
+tangerine.reverse GET without caching x 259 ops/sec ±1.42% (83 runs sampled)
+resolver.reverse with caching x 9,199,217 ops/sec ±0.52% (88 runs sampled)
+resolver.reverse without caching x 13.67 ops/sec ±188.06% (45 runs sampled)
+dns.promises.reverse with caching x 9,227,637 ops/sec ±0.33% (89 runs sampled)
+dns.promises.reverse without caching x 0.07 ops/sec ±133.35% (5 runs sampled)
+Fastest without caching is: tangerine.reverse GET without caching
+```
+
 </details>
 
 <!-- BENCHMARK_RESULTS_END -->

package/index.d.ts

@@ -326,6 +326,35 @@ export type AnyRecord = {
 
 export type ResolveOptions = {
   ttl?: boolean;
+  /**
+   * If true, set the EDNS0 DO (DNSSEC OK) flag in the outgoing DoH query
+   * and return a `{ secure, answers }` object instead of the normal result.
+   * The `secure` property is true when the upstream resolver has validated
+   * the response via DNSSEC (i.e. the AD flag is set).
+   */
+  dnssecSecure?: boolean;
+  /**
+   * EDNS Client Subnet (ECS) option for geolocation-aware DNS responses.
+   */
+  ecsSubnet?: string;
+  /**
+   * If true, bypass and refresh the cached result.
+   */
+  purgeCache?: boolean;
+};
+
+export type DnssecResult = {
+  /** Whether the DNS response was DNSSEC-validated (AD flag set). */
+  secure: boolean;
+  /** The DNS answer records from the response. */
+  answers: Array<{
+    name: string;
+    type: string;
+    ttl: number;
+    class: string;
+    flush: boolean;
+    data: unknown;
+  }>;
 };
 
 export type RecordWithTtl = {
@@ -647,13 +676,14 @@ declare class Tangerine extends Resolver {
 
   /**
    * Resolve DNS records of a specific type.
+   * When `options.dnssecSecure` is true, returns `DnssecResult` instead.
    */
   resolve(
     name: string,
     rrtype?: DnsRecordType,
     options?: ResolveOptions,
     abortController?: AbortController
-  ): Promise<unknown>;
+  ): Promise<unknown | DnssecResult>;
 }
 
 export default Tangerine;

package/index.js

@@ -1141,13 +1141,14 @@ class Tangerine extends dns.promises.Resolver {
 
   // <https://github.com/hildjj/dohdec/tree/main/pkg/dohdec>
 
-  async #query(name, rrtype = 'A', ecsSubnet, abortController) {
+  async #query(name, rrtype = 'A', ecsSubnet, abortController, dnssec) {
     if (!dohdec) await pWaitFor(() => Boolean(dohdec));
     debug('query', {
       name,
       nameToASCII: toASCII(name),
       rrtype,
       ecsSubnet,
+      dnssec,
       abortController
     });
     // <https://github.com/hildjj/dohdec/blob/43564118c40f2127af871bdb4d40f615409d4b9c/pkg/dohdec/lib/dnsUtils.js#L161>
@@ -1160,7 +1161,13 @@ class Tangerine extends dns.promises.Resolver {
       // mirrors dns module behavior
       name: toASCII(name),
       // <https://github.com/mafintosh/dns-packet/pull/47#issuecomment-1435818437>
-      ecsSubnet
+      ecsSubnet,
+      // When dnssec is true, set the AD flag in the query and the DO
+      // (DNSSEC OK) flag in the EDNS0 OPT record so the upstream resolver
+      // returns DNSSEC validation status via the AD flag in the response.
+      // <https://datatracker.ietf.org/doc/html/rfc3225>
+      // <https://datatracker.ietf.org/doc/html/rfc4035#section-3.2.1>
+      dnssec
     });
     try {
       // mirror the behavior as noted in built-in DNS
@@ -1824,6 +1831,12 @@ class Tangerine extends dns.promises.Resolver {
       delete options.ecsSubnet;
     }
 
+    // dnssecSecure support: set the EDNS0 DO (DNSSEC OK) flag in the
+    // outgoing DoH query so the upstream resolver returns the AD flag.
+    // NOTE: do not delete options.dnssecSecure here — it is checked
+    // after #query() to decide the return format.
+    const dnssec = Boolean(options?.dnssecSecure);
+
     const key = (
       ecsSubnet ? `${rrtype}:${ecsSubnet}:${name}` : `${rrtype}:${name}`
     ).toLowerCase();
@@ -1932,7 +1945,13 @@ class Tangerine extends dns.promises.Resolver {
 
       try {
         // setImmediate(() => this.cancel());
-        result = await this.#query(name, rrtype, ecsSubnet, abortController);
+        result = await this.#query(
+          name,
+          rrtype,
+          ecsSubnet,
+          abortController,
+          dnssec
+        );
       } finally {
         if (mustReleaseAbortController) {
           this.#releaseAbortController(abortController);
@@ -2028,6 +2047,22 @@ class Tangerine extends dns.promises.Resolver {
     if (result.answers.length === 0 && !options.noThrowOnNODATA)
       throw this.constructor.createError(name, rrtype, dns.NODATA);
 
+    //
+    // RFC 7672 Section 2.2.2: Expose DNSSEC validation status (AD flag)
+    // When options.dnssecSecure is true, return an object with the answers
+    // and a boolean indicating whether the response was DNSSEC-validated.
+    // The AD flag is set by the upstream DoH resolver (Cloudflare/Google)
+    // when the zone is DNSSEC-signed and validation succeeds.
+    // This allows callers (e.g. mx-connect DANE) to check if the MX host's
+    // zone is signed before attempting TLSA lookups.
+    //
+    if (options?.dnssecSecure) {
+      return {
+        secure: Boolean(result.flag_ad),
+        answers: result.answers
+      };
+    }
+
     // filter the answers for the same type
     result.answers = result.answers.filter((answer) => answer.type === rrtype);
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "tangerine",
   "description": "Tangerine is the best Node.js drop-in replacement for dns.promises.Resolver using DNS over HTTPS (\"DoH\") via undici with built-in retries, timeouts, smart server rotation, AbortControllers, and caching support for multiple backends (with TTL and purge support).",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "author": "Forward Email (https://forwardemail.net)",
   "bugs": {
     "url": "https://github.com/forwardemail/nodejs-dns-over-https-tangerine/issues"