[DNS] TLSA records [HTTPS] DANE request
Falci opened this issue Β· comments
Is your feature request related to a problem? Please describe.
I'd like to make an HTTPS request to a server that uses a self-signed certificate that follows the DANE protocol (Wikipedia)
Describe the solution you'd like
I believe the best option would be an extra option on HTTPS request:
https.get('https://example.com', {dane: true})
Describe alternatives you've considered
I tried to create a new https.Agent
that forces rejectUnauthorized: false
;
Then, I got the tlsSocket
instance in the keylog
event and added a listener for the secureConnect
event;
This moment I realised that the DNS api don't have a resolveTLSA
.
Not sure how to continue from here.
@nodejs/dns
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.
For more information on how the project manages feature requests, please consult the feature request management document.
The first step would be to add TLSA support to upstream c-ares, then add a binding to node.
In some time I also would be in need of this feature.
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.
For more information on how the project manages feature requests, please consult the feature request management document.
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.
For more information on how the project manages feature requests, please consult the feature request management document.
π Hey - we made π Tangerine with support for TLSA records among others (such as CERT) that the DNS module does not provide. We used inspiration from dnspython for the format of objects returned.
resolver.resolve(host, 'TLSA')
and resolver.resolveTlsa
) β which would make it possible for TLSA/DANE lookup. See https://github.com/forwardemail/tangerine. It also uses DNS over HTTPS and is as fast as the Node.js DNS module (see our benchmarks in the README of this repo).
const Tangerine = require('tangerine');
const tangerine = new Tangerine();
console.log(await tangerine.resolveTlsa('_25._tcp.internet.nl'));
[
{
cert: Buffer @Uint8Array [
e1ae9c3d e848ece1 ba72e0d9 91ae4d0d 9ec547c6 bad1ddda b9d6beb0 a7e0e0d8
],
mtype: 1,
name: 'proloprod.mail._dane.internet.nl',
selector: 1,
ttl: 622,
usage: 2,
},
{
cert: Buffer @Uint8Array [
d6fea64d 4e68caea b7cbb2e0 f905d7f3 ca3308b1 2fd88c5b 469f08ad 7e05c7c7
],
mtype: 1,
name: 'proloprod.mail._dane.internet.nl',
selector: 1,
ttl: 622,
usage: 3,
},
]
See https://github.com/forwardemail/tangerine#tangerineresolvetlsahostname--options-abortcontroller for more insight.