Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
@relaycorp/dnssec
Advanced tools
@relaycorp/dnssec
This is a resolver-agnostic DNSSEC verification library for Node.js that allows you to use any transport you want: UDP, DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), etc.
The latest version can be installed from NPM:
npm install @relaycorp/dnssec
You need to write a thin integration with your preferred resolver, keeping the following in mind:
RRSIG
records).Buffer
using DNS wire format (as defined in RFC 1035), or else you'll have to initialise a Message
that contains all the relevant parts of the response (see below).For example, this is how you could use dohdec's DNS-over-HTTPS resolver with Cloudflare to retrieve A
records for a particular domain name:
// main.js
import { dnssecLookUp, Question, SecurityStatus } from '@relaycorp/dnssec';
import { DNSoverHTTPS } from 'dohdec';
const doh = new DNSoverHTTPS({ url: 'https://cloudflare-dns.com/dns-query' });
async function getARecord(domain) {
return await dnssecLookUp(new Question(domain, 'A'), async (question) =>
doh.lookup(question.name, {
rrtype: question.getTypeName(),
json: false, // Request DNS message in wire format
decode: false, // Don't parse the DNS message
dnssec: true, // Retrieve RRSIG records
dnssecCheckingDisabled: true, // Disable server-side DNSSEC validation
}),
);
}
const [domainName] = process.argv.slice(2);
const result = await getARecord(domainName);
if (result.status === SecurityStatus.SECURE) {
console.log(`${domainName}/A =`, result.result);
} else {
const reason = result.reasonChain.join(', ');
console.error(`DNSSEC verification for ${domain}/A failed: ${reason}`);
}
And here's what requesting a valid A
record would look like with the script above:
$ node main.js example.com
example.com/A = RrSet {
name: 'example.com.',
classId: 1,
type: 1,
ttl: 83076,
records: [
DnsRecord {
ttl: 83076,
name: 'example.com.',
typeId: 1,
classId: 1,
dataSerialised: <Buffer 5d b8 d8 22>,
dataFields: '93.184.216.34'
}
]
}
When DNSSEC validation succeeds, you get a VerifiedRrSet
object with the following properties:
status
: Set to SecurityStatus.SECURE
.result
: An RRset containing one or more records (DnsRecord
instances). Each record exposes its data in both serialised and deserialised forms in the dataSerialised
and dataFields
properties, respectively. dataFields
is an object whose structure is determined by dns-packet
.As this is primarily a DNSSEC library, we treat DNS and DNSSEC errors differently:
However, errors are thrown upon attempting to parse malformed RDATA values for DNSSEC records -- we use a third-party library that parses the DNS message eagerly.
By default, DNSSEC signatures MUST be valid at the time the dnssecLookUp()
function is called, but this can be customised by passing a Date
or IDatePeriod
object.
An IDatePeriod
object is useful when you just want signatures to be valid at any point within a given time period. For example, if you want to tolerate clock drift, you could accept signatures valid in the past hour:
import { IDatePeriod, dnssecLookUp } from '@relaycorp/dnssec';
import { subHours } from 'date-fns';
const now = new Date();
const datePeriod: IDatePeriod = { start: subHours(now, 1), end: now };
dnssecLookUp(QUESTION, RESOLVER, { dateOrPeriod: datePeriod });
By default, the root DNSKEY
(s) are verified against a local copy of IANA's trust anchors. This can be customised with the trustAnchors
option; e.g.:
import {
dnssecLookUp,
DnssecAlgorithm,
DigestType,
TrustAnchor,
} from '@relaycorp/dnssec';
const customTrustAnchor: TrustAnchor = {
algorithm: DnssecAlgorithm.RSASHA256,
digest: Buffer.from('the digest'),
digestType: DigestType.SHA256,
keyTag: 42,
};
dnssecLookUp(QUESTION, RESOLVER, { trustAnchors: [customTrustAnchor] });
If your DNS lookup library parses responses eagerly and doesn't give you access to the original response in wire format, you will have to convert their messages to Message
instances. Refer to our API docs to learn how to initialise Message
s.
To facilitate the simulation of the various outcomes of DNSSEC validation, we provide the MockChain
utility so that you can pass a custom resolver and trust anchor to dnssecLookUp()
. This is particularly useful in unit tests where you aren't able to mock this module (e.g., Jest doesn't support mocking our ESM as of this writing).
The following example shows how to generate a verified RRset:
import {
dnssecLookUp,
DnsRecord,
MockChain,
RrSet,
SecurityStatus,
} from '@relaycorp/dnssec';
const RECORD = new DnsRecord(
`example.com.`,
'TXT',
DnsClass.IN,
42,
'The data',
);
const QUESTION = RECORD.makeQuestion();
const RRSET = RrSet.init(QUESTION, [RECORD]);
test('Generating a SECURE result', async () => {
const mockChain = await MockChain.generate(RECORD.name);
const { resolver, trustAnchors } = mockChain.generateFixture(
RRSET,
SecurityStatus.SECURE,
);
const result = await dnssecLookUp(QUESTION, resolver, { trustAnchors });
expect(result).toStrictEqual({
status: SecurityStatus.SECURE,
result: RRSET,
});
});
The API documentation is available on docs.relaycorp.tech.
This library implements all the relevant RFCs defining DNSSEC, except for the following functionality that we didn't need, but for which you're welcome to propose PRs:
NSEC
and NSEC3
records).3
) because it's too insecure and hardly used.The following DNSSEC algorithms are unsupported, and we probably won't accept PRs for them:
12
) due to lack of support in Node.js, and its lack of popularity and security doesn't seem to justify integrating a third party NPM package supporting it (assuming a suitable one exists).253
and 254
).As surprising as it may sound, there's no (reliable) way to do DNSSEC verification in Node.js in 2022, so when you see a JS app or library that claims DNSSEC support, chances are they're just blindly trusting a resolver like Cloudflare or Google -- which, admittedly, is sufficient in many cases and even desirable for performance reasons.
The Node.js team considered adding DNSSEC support but ruled it out due to lack of support in their upstream DNS library. As a consequence, two libraries have tried to fill the vacuum:
This library requires Node.js 16 or newer, but going forward we will follow the Node.js release schedule.
We love contributions! If you haven't contributed to a Relaycorp project before, please take a minute to read our guidelines first.
FAQs
Resolver-agnostic DNSSEC library
The npm package @relaycorp/dnssec receives a total of 64 weekly downloads. As such, @relaycorp/dnssec popularity was classified as not popular.
We found that @relaycorp/dnssec demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.