
[DNS] add AD Flag support for DNSSEC to allow DANE usage #57159

Open
abwesend890 opened this issue Feb 21, 2025 · 0 comments
Labels
feature request Issues that request new features to be added to Node.js.

Comments

@abwesend890

What is the problem this feature will solve?

With ef91595 in PR #52983, related to issue #39569, you added support for TLSA resource records via dns.resolve.
This was done with the intention to support DANE.
However, to correctly make use of DANE, the records need to be DNSSEC validated.

Currently there is no possibility to validate DNSSEC via the given API.

As an example, the following code (currently a nightly build)

```js
// dns.resolveTlsa() is only available in the nightly build referenced above.
const dns = require('node:dns');

dns.resolveTlsa('_443._tcp.fedoraproject.org', (error, result) => {
  if (error) throw error;
  console.log(result);
});
```

generates the following response

```
[
  {
    certUsage: 3,
    selector: 1,
    match: 1,
    data: ArrayBuffer {
      [Uint8Contents]: <09 ca 10 dd 09 f1 24 a2 26 3a a8 cc 49 12 fd a8 59 2f 40 cc ab 90 b6 10 ae 84 01 01 a9 1a eb c0>,
      byteLength: 32
    }
  }
]
```

Thus, as the next step for the DANE implementation, this feature request aims to add information to the above response of dns.resolve about whether the records have been validated by the resolver.
This allows the use of technology relying on DNSSEC, such as TLSA records for DANE.

What is the feature you are proposing to solve the problem?

As DNSSEC does not protect the path between client and resolver by design, we can make use of the AD bit: RFC 6840 Section 5.7 and RFC 6840 Section 5.8

According to the above-mentioned RFC 6840, the AD bit should be set in the query to indicate that Node is going to honor the AD bit in the response. Then, the AD bit in the reply should be propagated to the returned contents of dns.resolve.

If this request is included we can get to the next step of checking TLSA records within TLS certificate verification.

What alternatives have you considered?

In #39569 @bradh352 mentioned the DO bit (RFC 6840 Section 5.6 and RFC 3225 Section 3); however, as I read it, setting the DO bit indicates that the client can understand DNSSEC-related records. Thus, the resolver is going to attach RRSIG, etc. for validation on the client side.
In contrast, the DO bit should be set to 0 to indicate that Node is unprepared to handle DNSSEC RRs.
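The wire-level detail behind the request and the alternative above, as an added example that is not part of the issue or of Node.js: the AD bit is bit 0x0020 of the 16-bit DNS header flags word (RFC 4035 §3.1.6), while the DO bit lives in the upper half of the TTL field of the EDNS(0) OPT pseudo-record (RFC 3225, RFC 6891). The code below builds a TLSA query with the AD bit set and no OPT record (the combination the issue proposes), and shows how a client would read both bits back out of a response. It does no network I/O; the "response" in the demo is constructed by flipping the QR/RA flags on the query. Names such as `buildQuery`, `parseFlags` and `dnssecOkBit` are this example's own, not a proposed Node API.

```javascript
'use strict';

const TYPE_TLSA = 52;    // RFC 6698
const TYPE_OPT = 41;     // RFC 6891 EDNS(0) pseudo-record
const CLASS_IN = 1;

// Header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 4035 s3.1.6).
const FLAG_QR = 0x8000, FLAG_RD = 0x0100, FLAG_RA = 0x0080;
const FLAG_AD = 0x0020, FLAG_CD = 0x0010;
// DO is the top bit of the 16-bit flags half of the OPT TTL (RFC 3225 s3).
const EDNS_DO = 0x8000;

// Encode a domain name as DNS labels (no compression needed in a query).
function encodeName(name) {
  const parts = name.replace(/\.$/, '').split('.');
  const out = [];
  for (const p of parts) {
    const b = Buffer.from(p, 'ascii');
    if (b.length === 0 || b.length > 63) throw new Error(`bad label: ${p}`);
    out.push(Buffer.from([b.length]), b);
  }
  out.push(Buffer.from([0]));
  return Buffer.concat(out);
}

// Build a recursive query. ad=true sets the AD bit (RFC 6840 s5.7: "I will
// honor AD in the reply"); dnssecOk=true appends an OPT record with DO set.
function buildQuery(name, qtype, { id = 0x1234, ad = true, dnssecOk = false } = {}) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(FLAG_RD | (ad ? FLAG_AD : 0), 2);
  header.writeUInt16BE(1, 4);                       // QDCOUNT
  header.writeUInt16BE(dnssecOk ? 1 : 0, 10);       // ARCOUNT (OPT only if DO)
  const question = Buffer.alloc(4);
  question.writeUInt16BE(qtype, 0);
  question.writeUInt16BE(CLASS_IN, 2);
  const parts = [header, encodeName(name), question];
  if (dnssecOk) {
    // OPT: root name (1) + TYPE (2) + CLASS=UDP payload size (2) + TTL (4) + RDLEN (2)
    const opt = Buffer.alloc(11);
    opt.writeUInt16BE(TYPE_OPT, 1);
    opt.writeUInt16BE(1232, 3);       // advertised UDP payload size
    opt.writeUInt32BE(EDNS_DO, 5);    // ext-RCODE=0, version=0, DO=1
    parts.push(opt);
  }
  return Buffer.concat(parts);
}

// Decode the header flags of any DNS message (query or response).
function parseFlags(msg) {
  if (msg.length < 12) throw new Error('truncated DNS header');
  const f = msg.readUInt16BE(2);
  return {
    id: msg.readUInt16BE(0),
    isResponse: Boolean(f & FLAG_QR),
    rcode: f & 0x000f,
    recursionAvailable: Boolean(f & FLAG_RA),
    authenticData: Boolean(f & FLAG_AD),     // resolver claims DNSSEC validation
    checkingDisabled: Boolean(f & FLAG_CD),
  };
}

// Advance past a wire-format name, honoring compression pointers (RFC 1035 s4.1.4).
function skipName(msg, off) {
  for (;;) {
    if (off >= msg.length) throw new Error('truncated name');
    const len = msg[off];
    if (len === 0) return off + 1;
    if ((len & 0xc0) === 0xc0) return off + 2;   // pointer terminates the name
    off += 1 + len;
  }
}

// Walk all sections looking for the OPT record and return its DO bit.
// No OPT record means no EDNS, so DO cannot have been set.
function dnssecOkBit(msg) {
  const qd = msg.readUInt16BE(4), an = msg.readUInt16BE(6);
  const ns = msg.readUInt16BE(8), ar = msg.readUInt16BE(10);
  let off = 12;
  for (let i = 0; i < qd; i++) off = skipName(msg, off) + 4;   // QTYPE + QCLASS
  for (let i = 0; i < an + ns + ar; i++) {
    off = skipName(msg, off);
    if (off + 10 > msg.length) throw new Error('truncated RR');
    const type = msg.readUInt16BE(off);
    const ttl = msg.readUInt32BE(off + 4);
    const rdlen = msg.readUInt16BE(off + 8);
    if (type === TYPE_OPT) return Boolean(ttl & EDNS_DO);
    off += 10 + rdlen;
  }
  return false;
}

// Demo: the query shape the issue proposes (AD set, no DO), plus a constructed
// response in which the resolver echoed AD back. No packets are sent.
const query = buildQuery('_443._tcp.fedoraproject.org', TYPE_TLSA, { ad: true });
const fakeResponse = Buffer.from(query);
fakeResponse.writeUInt16BE(fakeResponse.readUInt16BE(2) | FLAG_QR | FLAG_RA, 2);
console.log('query flags   ', parseFlags(query), 'DO:', dnssecOkBit(query));
console.log('response flags', parseFlags(fakeResponse));
```

Note that an AD=1 reply only says that *the resolver* validated; the client has not verified anything itself, and the bit travels unprotected between resolver and client unless that path is trusted or protected (the point RFC 6840 §5.7 makes when it ties trusting AD to a secure channel). Any API surfacing this flag should document that distinction.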

@abwesend890 abwesend890 added the feature request Issues that request new features to be added to Node.js. label Feb 21, 2025
@github-project-automation github-project-automation bot moved this to Awaiting Triage in Node.js feature requests Feb 21, 2025