nodejs / node

Node.js JavaScript runtime ✨🐢🚀✨

Home Page:https://nodejs.org

[DNS] TLSA records [HTTPS] DANE request

Falci opened this issue · comments

Is your feature request related to a problem? Please describe.
I'd like to make an HTTPS request to a server that uses a self-signed certificate that follows the DANE protocol (Wikipedia)

Describe the solution you'd like
I believe the best option would be an extra option on HTTPS request:

https.get('https://example.com', {dane: true})

Describe alternatives you've considered
I tried to create a new https.Agent that forces rejectUnauthorized: false;
Then, I got the tlsSocket instance in the keylog event and added a listener for the secureConnect event;
At this point I realised that the DNS API doesn't have a resolveTLSA.
Not sure how to continue from here.

@nodejs/dns

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

This request is a bit old, but I'd like to +1, it would be really helpful.

Even if dane isn't added to https, at least resolveTLSA can be.

Looks like it's just adding a few lines next to node/lib/dns.js line 304 (at 1000eb1):

Resolver.prototype.resolveTxt = resolveMap.TXT = resolver('queryTxt');

and

static constexpr const char* name = "resolveTxt";

For reference, I'm looking at how resolveTxt was added: d9c67ae

The first step would be to add TLSA support to upstream c-ares, then add a binding to node.

In some time I also would be in need of this feature.

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.


👋 Hey - we made 🍊 Tangerine with support for TLSA records among others (such as CERT) that the DNS module does not provide. We used inspiration from dnspython for the format of objects returned.

🍊 Tangerine is a 1:1 drop-in replacement for the Node.js DNS module and it also supports resolver.resolve(host, 'TLSA') and resolver.resolveTlsa() – which would make it possible for TLSA/DANE lookup. See https://github.com/forwardemail/tangerine. It also uses DNS over HTTPS and is as fast as the Node.js DNS module (see our benchmarks in the README of this repo).

const Tangerine = require('tangerine');

const tangerine = new Tangerine();

// Top-level await is only valid in an ES module; in CommonJS wrap the call in an async function.
(async () => {
  console.log(await tangerine.resolveTlsa('_25._tcp.internet.nl'));
})();
[
  {
    cert: Buffer @Uint8Array [
      e1ae9c3d e848ece1 ba72e0d9 91ae4d0d 9ec547c6 bad1ddda b9d6beb0 a7e0e0d8
    ],
    mtype: 1,
    name: 'proloprod.mail._dane.internet.nl',
    selector: 1,
    ttl: 622,
    usage: 2,
  },
  {
    cert: Buffer @Uint8Array [
      d6fea64d 4e68caea b7cbb2e0 f905d7f3 ca3308b1 2fd88c5b 469f08ad 7e05c7c7
    ],
    mtype: 1,
    name: 'proloprod.mail._dane.internet.nl',
    selector: 1,
    ttl: 622,
    usage: 3,
  },
]

See https://github.com/forwardemail/tangerine#tangerineresolvetlsahostname--options-abortcontroller for more insight.