@relaycorp/dnssec
Resolver-agnostic DNSSEC library for Node.js.
As surprising as it may sound, there's no (reliable) way to do DNSSEC verification in Node.js in 2022, so when you see a JS app or library that claims DNSSEC support, chances are they're just blindly trusting a resolver like Cloudflare or Google -- which, admittedly, is sufficient in many cases and even desirable for performance reasons.
The Node.js team considered adding DNSSEC support but ruled it out due to lack of support in their upstream DNS library. As a consequence, two libraries have tried to fill the vacuum:
Although this is a general-purpose DNSSEC library, some key design decisions stem from our need to build the library for the sole purpose of using it in Vera.
DNS resolution is a problem solved in Node.js -- there's just no shortage of reliable UDP-, TLS- or HTTPS-based resolvers on NPM. So we didn't want to create a new resolver or tie our DNSSEC implementation to any particular resolver.
We decided to write a partial implementation of the DNS wire format (as specified in RFC 1035, Section 4) because the existing third-party implementations we found on NPM (dns-packet and dns2) parsed the entire message eagerly (all the way down to the RDATA fields) and didn't offer an option to keep the original byte stream.
This would've made it cumbersome to validate DNSSEC signatures, as we'd need to re-serialise the records that we just parsed. A re-serialisation would also introduce the possibility that the new byte stream would be functionally equivalent but not identical to the one that was originally signed (especially when re-serialising the RDATA field).
Fortunately, since we're only interested in the answers section of the message, our implementation is very straightforward.
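To make the design above concrete, here is an added example (my own code, not the library's) of an answer-section-only parser in the spirit described: it walks the RFC 1035, Section 4.1 wire format lazily, follows name compression pointers, and keeps each record's RDATA as a slice of the original message rather than decoding and re-serialising it. The sample message is constructed inline.

```javascript
// Added example (not @relaycorp/dnssec's code): lazy RFC 1035 §4.1 answer parser.
// Read a (possibly compressed) domain name at `offset`; return the dotted name and
// the offset just past it in the sequence that contained `offset`.
function readName(msg, offset) {
  const labels = [];
  let pos = offset, end = null, hops = 0; // `end` is set at the first pointer
  for (;;) {
    const len = msg[pos];
    if ((len & 0xc0) === 0xc0) { // compression pointer (RFC 1035 §4.1.4)
      if (++hops > 64) throw new Error('compression pointer loop');
      if (end === null) end = pos + 2;
      pos = ((len & 0x3f) << 8) | msg[pos + 1];
      continue;
    }
    pos += 1;
    if (len === 0) break;
    labels.push(msg.subarray(pos, pos + len).toString('latin1'));
    pos += len;
  }
  return { name: labels.join('.') + '.', next: end ?? pos };
}

// Return the answer RRs. `rdata` is a slice of `msg` (shared memory, no copy and
// no re-serialisation), so a verifier can hash exactly the bytes that were signed.
function parseAnswers(msg) {
  const qdcount = msg.readUInt16BE(4), ancount = msg.readUInt16BE(6);
  let pos = 12; // skip the fixed 12-byte header
  for (let i = 0; i < qdcount; i++) pos = readName(msg, pos).next + 4; // QTYPE+QCLASS
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const { name, next } = readName(msg, pos);
    const rdlength = msg.readUInt16BE(next + 8);
    answers.push({ name, type: msg.readUInt16BE(next), klass: msg.readUInt16BE(next + 2),
      ttl: msg.readUInt32BE(next + 4), rdata: msg.subarray(next + 10, next + 10 + rdlength) });
    pos = next + 10 + rdlength;
  }
  return answers;
}

// Constructed sample response: question "example.com. A" and one A record whose
// owner name is a pointer (0xc00c) back to the question name at offset 12.
const SAMPLE = Buffer.from([
  0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,               // header: QD=1, AN=1
  7, ...Buffer.from('example'), 3, ...Buffer.from('com'), 0, 0, 1, 0, 1, // question
  0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 93, 184, 216, 34, // A, TTL 3600
]);
```

Because `rdata` is never decoded, an RRSIG check can be run over the untouched bytes; only the owner name needs the canonical form RFC 4034 requires, which the parser already returns uncompressed.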
As this is primarily a DNSSEC library, we treat DNS and DNSSEC errors differently:
We don't need Denial of Existence (DoE) records in Vera, so we won't be implementing that functionality ourselves, but PRs are welcome.
This library supports producing RRSig records purely for testing purposes: it makes it very easy to test valid and invalid signatures, both internally and from any software using this library, without mocking anything.
We support all the Zone Signing DNSSEC algorithms as of 2022, except for:
- 3, because it's too insecure and hardly used.
- 6 and 7, because we don't currently support Denial of Existence records.
- 12, due to lack of support in Node.js; its lack of popularity and security doesn't seem to justify integrating a third-party NPM package supporting it (assuming a suitable one exists).
- 253 and 254, because we have no use for those, but we'd welcome PRs to implement them.
The npm package @relaycorp/dnssec receives a total of 64 weekly downloads. As such, @relaycorp/dnssec popularity was classified as not popular.
We found that @relaycorp/dnssec demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.