tangerine 2.1.1 → 2.1.2

package/README.md

@@ -237,6 +237,26 @@ tangerine.resolve('forwardemail.net').then(console.log);
 
 ### `tangerine.resolve(hostname[, rrtype, options, abortController])`
 
+Tangerine supports the following additional properties in the `options` Object argument:
+
+* `ecsSubnet` (String) - EDNS Client Subnet (ECS) option for geolocation-aware DNS responses.
+* `purgeCache` (Boolean) - If `true`, bypass and refresh the cached result.
+* `dnssecSecure` (Boolean) - If `true`, set the EDNS0 DO (DNSSEC OK) flag in the outgoing DoH query and return a `{ secure, answers }` object instead of the normal result array. The `secure` property is `true` when the upstream resolver (Cloudflare/Google) has validated the response via DNSSEC (i.e. the AD flag is set). This is useful for [RFC 7672 Section 2.2.2](https://datatracker.ietf.org/doc/html/rfc7672#section-2.2.2) DANE implementations that need to check whether an MX host's zone is DNSSEC-signed before attempting TLSA lookups.
+
+```js
+const tangerine = new Tangerine();
+
+// Check if a domain's zone is DNSSEC-signed
+const result = await tangerine.resolve('cloudflare.com', 'A', { dnssecSecure: true });
+console.log(result);
+// { secure: true, answers: [{ name: 'cloudflare.com', type: 'A', ... }] }
+
+// Non-DNSSEC zone
+const result2 = await tangerine.resolve('google.com', 'A', { dnssecSecure: true });
+console.log(result2);
+// { secure: false, answers: [{ name: 'google.com', type: 'A', ... }] }
+```
+
 ### `tangerine.resolve4(hostname[, options, abortController])`
 
 Tangerine supports a new `ecsSubnet` property in the `options` Object argument.
@@ -534,27 +554,27 @@ We have written extensive benchmarks to show that :tangerine: Tangerine is as fa
 
 #### Latest Automated Benchmark Results
 
-**Last Updated:** 2026-03-05
+**Last Updated:** 2026-03-07
 
 | Node Version | Platform | Arch | Timestamp    |
 | ------------ | -------- | ---- | ------------ |
 | v18.20.8     | linux    | x64  | Dec 21, 2025 |
-| v20.19.6     | linux    | x64  | Jan 22, 2026 |
-| v20.20.0     | linux    | x64  | Feb 25, 2026 |
+| v20.19.6     | linux    | x64  | Jan 21, 2026 |
+| v20.20.0     | linux    | x64  | Feb 24, 2026 |
 | v22.21.1     | linux    | x64  | Dec 21, 2025 |
-| v22.22.0     | linux    | x64  | Jan 23, 2026 |
+| v22.22.0     | linux    | x64  | Jan 22, 2026 |
 | v24.12.0     | linux    | x64  | Dec 21, 2025 |
-| v24.13.0     | linux    | x64  | Feb 19, 2026 |
-| v24.13.1     | linux    | x64  | Mar 4, 2026  |
-| v24.14.0     | linux    | x64  | Mar 5, 2026  |
+| v24.13.0     | linux    | x64  | Feb 18, 2026 |
+| v24.13.1     | linux    | x64  | Mar 3, 2026  |
+| v24.14.0     | linux    | x64  | Mar 6, 2026  |
 | v25.2.1      | linux    | x64  | Dec 21, 2025 |
-| v25.3.0      | linux    | x64  | Jan 14, 2026 |
-| v25.4.0      | linux    | x64  | Jan 20, 2026 |
-| v25.5.0      | linux    | x64  | Jan 27, 2026 |
-| v25.6.0      | linux    | x64  | Feb 4, 2026  |
-| v25.6.1      | linux    | x64  | Feb 11, 2026 |
-| v25.7.0      | linux    | x64  | Feb 25, 2026 |
-| v25.8.0      | linux    | x64  | Mar 4, 2026  |
+| v25.3.0      | linux    | x64  | Jan 13, 2026 |
+| v25.4.0      | linux    | x64  | Jan 19, 2026 |
+| v25.5.0      | linux    | x64  | Jan 26, 2026 |
+| v25.6.0      | linux    | x64  | Feb 3, 2026  |
+| v25.6.1      | linux    | x64  | Feb 10, 2026 |
+| v25.7.0      | linux    | x64  | Feb 24, 2026 |
+| v25.8.0      | linux    | x64  | Mar 3, 2026  |
 
 <details>
 <summary>Click to expand detailed benchmark results</summary>
@@ -904,12 +924,12 @@ Fastest without caching is: tangerine.reverse GET without caching
 
 ```text
 Started: lookup
-tangerine.lookup POST with caching using Cloudflare x 1,403 ops/sec ±195.16% (90 runs sampled)
-tangerine.lookup POST without caching using Cloudflare x 70.67 ops/sec ±3.34% (84 runs sampled)
-tangerine.lookup GET with caching using Cloudflare x 317,797 ops/sec ±0.25% (91 runs sampled)
-tangerine.lookup GET without caching using Cloudflare x 63.36 ops/sec ±6.51% (78 runs sampled)
-dns.promises.lookup with caching using Cloudflare x 9,932,885 ops/sec ±1.21% (87 runs sampled)
-dns.promises.lookup without caching using Cloudflare x 2,310 ops/sec ±0.39% (89 runs sampled)
+tangerine.lookup POST with caching using Cloudflare x 1,326 ops/sec ±195.20% (85 runs sampled)
+tangerine.lookup POST without caching using Cloudflare x 59.26 ops/sec ±6.44% (74 runs sampled)
+tangerine.lookup GET with caching using Cloudflare x 314,095 ops/sec ±0.32% (90 runs sampled)
+tangerine.lookup GET without caching using Cloudflare x 63.80 ops/sec ±2.69% (77 runs sampled)
+dns.promises.lookup with caching using Cloudflare x 10,223,830 ops/sec ±0.86% (85 runs sampled)
+dns.promises.lookup without caching using Cloudflare x 2,175 ops/sec ±0.84% (87 runs sampled)
 Fastest without caching is: dns.promises.lookup without caching using Cloudflare
 ```
 
@@ -917,30 +937,30 @@ Fastest without caching is: dns.promises.lookup without caching using Cloudflare
 
 ```text
 Started: resolve
-tangerine.resolve POST with caching using Cloudflare x 1,269 ops/sec ±195.78% (89 runs sampled)
-tangerine.resolve POST without caching using Cloudflare x 85.54 ops/sec ±0.68% (81 runs sampled)
-tangerine.resolve GET with caching using Cloudflare x 1,117,794 ops/sec ±0.40% (90 runs sampled)
-tangerine.resolve GET without caching using Cloudflare x 69.12 ops/sec ±5.91% (84 runs sampled)
-tangerine.resolve POST with caching using Google x 1,675 ops/sec ±195.71% (90 runs sampled)
-tangerine.resolve POST without caching using Google x 57.66 ops/sec ±13.41% (79 runs sampled)
-tangerine.resolve GET with caching using Google x 1,117,350 ops/sec ±0.62% (90 runs sampled)
-tangerine.resolve GET without caching using Google x 56.23 ops/sec ±5.75% (72 runs sampled)
-resolver.resolve with caching using Cloudflare x 8,740,674 ops/sec ±0.82% (83 runs sampled)
-resolver.resolve without caching using Cloudflare x 71.31 ops/sec ±1.31% (72 runs sampled)
-Fastest without caching is: tangerine.resolve POST without caching using Cloudflare
+tangerine.resolve POST with caching using Cloudflare x 1,293 ops/sec ±195.78% (88 runs sampled)
+tangerine.resolve POST without caching using Cloudflare x 70.18 ops/sec ±3.02% (84 runs sampled)
+tangerine.resolve GET with caching using Cloudflare x 1,118,050 ops/sec ±0.39% (90 runs sampled)
+tangerine.resolve GET without caching using Cloudflare x 62.96 ops/sec ±2.78% (76 runs sampled)
+tangerine.resolve POST with caching using Google x 1,652 ops/sec ±195.71% (90 runs sampled)
+tangerine.resolve POST without caching using Google x 58.58 ops/sec ±8.14% (78 runs sampled)
+tangerine.resolve GET with caching using Google x 1,103,516 ops/sec ±1.21% (87 runs sampled)
+tangerine.resolve GET without caching using Google x 61.12 ops/sec ±3.21% (75 runs sampled)
+resolver.resolve with caching using Cloudflare x 8,524,784 ops/sec ±0.95% (87 runs sampled)
+resolver.resolve without caching using Cloudflare x 70.34 ops/sec ±1.22% (68 runs sampled)
+Fastest without caching is: resolver.resolve without caching using Cloudflare
 ```
 
 **reverse:**
 
 ```text
 Started: reverse
-tangerine.reverse GET with caching x 1,286 ops/sec ±195.26% (90 runs sampled)
-tangerine.reverse GET without caching x 85.95 ops/sec ±0.80% (81 runs sampled)
-resolver.reverse with caching x 8,753,410 ops/sec ±0.98% (85 runs sampled)
-resolver.reverse without caching x 72.25 ops/sec ±1.42% (74 runs sampled)
-dns.promises.reverse with caching x 8,707,156 ops/sec ±0.92% (84 runs sampled)
-dns.promises.reverse without caching x 71.90 ops/sec ±1.46% (70 runs sampled)
-Fastest without caching is: tangerine.reverse GET without caching
+tangerine.reverse GET with caching x 1,298 ops/sec ±195.25% (90 runs sampled)
+tangerine.reverse GET without caching x 70.67 ops/sec ±2.91% (84 runs sampled)
+resolver.reverse with caching x 8,799,672 ops/sec ±0.94% (85 runs sampled)
+resolver.reverse without caching x 71.99 ops/sec ±1.45% (70 runs sampled)
+dns.promises.reverse with caching x 8,834,313 ops/sec ±0.77% (85 runs sampled)
+dns.promises.reverse without caching x 70.74 ops/sec ±1.11% (70 runs sampled)
+Fastest without caching is: resolver.reverse without caching, dns.promises.reverse without caching, tangerine.reverse GET without caching
 ```
 
 ##### Node.js v25.2.1

package/index.d.ts

@@ -326,6 +326,35 @@ export type AnyRecord = {
 
 export type ResolveOptions = {
   ttl?: boolean;
+  /**
+   * If true, set the EDNS0 DO (DNSSEC OK) flag in the outgoing DoH query
+   * and return a `{ secure, answers }` object instead of the normal result.
+   * The `secure` property is true when the upstream resolver has validated
+   * the response via DNSSEC (i.e. the AD flag is set).
+   */
+  dnssecSecure?: boolean;
+  /**
+   * EDNS Client Subnet (ECS) option for geolocation-aware DNS responses.
+   */
+  ecsSubnet?: string;
+  /**
+   * If true, bypass and refresh the cached result.
+   */
+  purgeCache?: boolean;
+};
+
+export type DnssecResult = {
+  /** Whether the DNS response was DNSSEC-validated (AD flag set). */
+  secure: boolean;
+  /** The DNS answer records from the response. */
+  answers: Array<{
+    name: string;
+    type: string;
+    ttl: number;
+    class: string;
+    flush: boolean;
+    data: unknown;
+  }>;
 };
 
 export type RecordWithTtl = {
@@ -647,13 +676,14 @@ declare class Tangerine extends Resolver {
 
   /**
    * Resolve DNS records of a specific type.
+   * When `options.dnssecSecure` is true, returns `DnssecResult` instead.
    */
   resolve(
     name: string,
     rrtype?: DnsRecordType,
     options?: ResolveOptions,
     abortController?: AbortController
-  ): Promise<unknown>;
+  ): Promise<unknown | DnssecResult>;
 }
 
 export default Tangerine;

package/index.js

@@ -1141,13 +1141,14 @@ class Tangerine extends dns.promises.Resolver {
 
   // <https://github.com/hildjj/dohdec/tree/main/pkg/dohdec>
 
-  async #query(name, rrtype = 'A', ecsSubnet, abortController) {
+  async #query(name, rrtype = 'A', ecsSubnet, abortController, dnssec) {
     if (!dohdec) await pWaitFor(() => Boolean(dohdec));
     debug('query', {
       name,
       nameToASCII: toASCII(name),
       rrtype,
       ecsSubnet,
+      dnssec,
       abortController
     });
     // <https://github.com/hildjj/dohdec/blob/43564118c40f2127af871bdb4d40f615409d4b9c/pkg/dohdec/lib/dnsUtils.js#L161>
@@ -1160,7 +1161,13 @@ class Tangerine extends dns.promises.Resolver {
       // mirrors dns module behavior
       name: toASCII(name),
       // <https://github.com/mafintosh/dns-packet/pull/47#issuecomment-1435818437>
-      ecsSubnet
+      ecsSubnet,
+      // When dnssec is true, set the AD flag in the query and the DO
+      // (DNSSEC OK) flag in the EDNS0 OPT record so the upstream resolver
+      // returns DNSSEC validation status via the AD flag in the response.
+      // <https://datatracker.ietf.org/doc/html/rfc3225>
+      // <https://datatracker.ietf.org/doc/html/rfc4035#section-3.2.1>
+      dnssec
     });
     try {
       // mirror the behavior as noted in built-in DNS
@@ -1824,6 +1831,12 @@ class Tangerine extends dns.promises.Resolver {
       delete options.ecsSubnet;
     }
 
+    // dnssecSecure support: set the EDNS0 DO (DNSSEC OK) flag in the
+    // outgoing DoH query so the upstream resolver returns the AD flag.
+    // NOTE: do not delete options.dnssecSecure here — it is checked
+    // after #query() to decide the return format.
+    const dnssec = Boolean(options?.dnssecSecure);
+
     const key = (
       ecsSubnet ? `${rrtype}:${ecsSubnet}:${name}` : `${rrtype}:${name}`
     ).toLowerCase();
@@ -1932,7 +1945,13 @@ class Tangerine extends dns.promises.Resolver {
 
       try {
         // setImmediate(() => this.cancel());
-        result = await this.#query(name, rrtype, ecsSubnet, abortController);
+        result = await this.#query(
+          name,
+          rrtype,
+          ecsSubnet,
+          abortController,
+          dnssec
+        );
       } finally {
         if (mustReleaseAbortController) {
           this.#releaseAbortController(abortController);
@@ -2032,6 +2051,8 @@ class Tangerine extends dns.promises.Resolver {
     // RFC 7672 Section 2.2.2: Expose DNSSEC validation status (AD flag)
     // When options.dnssecSecure is true, return an object with the answers
     // and a boolean indicating whether the response was DNSSEC-validated.
+    // The AD flag is set by the upstream DoH resolver (Cloudflare/Google)
+    // when the zone is DNSSEC-signed and validation succeeds.
     // This allows callers (e.g. mx-connect DANE) to check if the MX host's
     // zone is signed before attempting TLSA lookups.
     //

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "tangerine",
   "description": "Tangerine is the best Node.js drop-in replacement for dns.promises.Resolver using DNS over HTTPS (\"DoH\") via undici with built-in retries, timeouts, smart server rotation, AbortControllers, and caching support for multiple backends (with TTL and purge support).",
-  "version": "2.1.1",
+  "version": "2.1.2",
   "author": "Forward Email (https://forwardemail.net)",
   "bugs": {
     "url": "https://github.com/forwardemail/nodejs-dns-over-https-tangerine/issues"