[DNS] TLSA records [HTTPS] DANE request #39569
Comments
@nodejs/dns |
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
This request is a bit old, but I'd like to +1, it would be really helpful. Even if Looks like it's just adding a few lines next to Line 304 in 1000eb1
Line 457 in 3914354
For reference, I'm looking at how |
The first step would be to add TLSA support to upstream c-ares, then add a binding to node. |
In some time I also would be in need of this feature. |
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment. For more information on how the project manages feature requests, please consult the feature request management document. |
👋 Hey - we made 🍊 Tangerine with support for TLSA records among others (such as CERT) that the DNS module does not provide. We used inspiration from dnspython for the format of objects returned. 🍊 Tangerine is a 1:1 drop-in replacement for the Node.js DNS module and it also supports

```js
const Tangerine = require('tangerine');
const tangerine = new Tangerine();
console.log(await tangerine.resolveTlsa('_25._tcp.internet.nl'));
```

```text
[
  {
    cert: Buffer @Uint8Array [
      e1ae9c3d e848ece1 ba72e0d9 91ae4d0d 9ec547c6 bad1ddda b9d6beb0 a7e0e0d8
    ],
    mtype: 1,
    name: 'proloprod.mail._dane.internet.nl',
    selector: 1,
    ttl: 622,
    usage: 2,
  },
  {
    cert: Buffer @Uint8Array [
      d6fea64d 4e68caea b7cbb2e0 f905d7f3 ca3308b1 2fd88c5b 469f08ad 7e05c7c7
    ],
    mtype: 1,
    name: 'proloprod.mail._dane.internet.nl',
    selector: 1,
    ttl: 622,
    usage: 3,
  },
]
```

See https://github.com/forwardemail/tangerine#tangerineresolvetlsahostname--options-abortcontroller for more insight. |
c-ares will support this in v1.22 by year's end. c-ares/c-ares#600 |
Thanks for the update. I'll reopen the issue. |
c-ares 1.22.0 released with this capability |
Awesome, can't wait to get DANE support added to our project @forwardemail |
How is the process here? Am I too naive assuming this could be done by simply copying and renaming the binding of another DNS record? |
Unfortunately the implementation for TLSA uses the new DNS Record helpers in c-ares, and not the legacy parser style, so if you're looking to just copy paste and make slight modifications, that's not going to work, though I don't think you'll find it too difficult. The general logic is you'll pass Then to extract the results, you'd call:
There's also Docs here on the new functionality: |
There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the `never-stale` |
Commenting so that stalebot does not close the issue. There is a PR for this: #52983 |
There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the `never-stale` |
Not stale. |
Just landed ef91595 so, if all goes well, this feature should be in the Node.js 23.9.0 release. That's likely to be in about 1 week (February 25, 2025). (@targos Can you confirm? Or is that change far more likely to end up in the March 11 release instead?) If this is a feature that means a lot to you, please look at the doc changes in ef91595 and then download a nightly build (or build one yourself) to test it out. If downloading a nightly build, you'll need to wait until the February 19 nightly build (in less than 24 hours). If compiling yourself, you can do it right now using the main branch in the repository. |
(And if ef91595 is only a partial solution to the request here, please reopen or leave a comment if GitHub won't allow you to reopen the issue. Or open a new issue. Whatever seems best.) |
Hi! Thank you all for your contributions! I want to mention that I do not see this issue as being completed. As far as I see ef91595 only adds TLSA parsing. For working DANE we however also need DNSSEC, which does not seem to be supported by c-ares yet. That's why I am also confused to see DANE being within the list of supported features on https://github.com/nodejs/node/tree/main/deps/cares Thus, after all the DNSSEC RR-types ( Finally, if validation of DNS-RR signatures is ok, we can use the result of |
It's true c-ares doesn't support DNSSEC directly; typically it's something that the recursive resolvers do, then send back a result stating the response was validated by the upstream recursive resolver (OPT 'do' flag). Now if you don't trust that upstream resolver, that's an issue. It wouldn't be hard to add parsers for the DNSSEC records to c-ares and request the upstream server(s) return them; the harder part would be validation due to potentially needing to spawn additional queries and maintain a root certificate cache. Also, we've seen lots of issues with intermediate caching stub implementations which mangle result data (for instance see a really weird one in c-ares/c-ares#968); I wouldn't be surprised if these would cause significant DNSSEC validation failures. |
Well, as DNSSEC does not secure the path between resolver and client by design,
I get such a response
Unfortunately it does not seem like there being a flag indicating if the result was verified by the upstream resolver or not. Afterward, this flag could be used to perform the DANE check within the http requests. |
Would it make sense to open a new issue with this feature request? You can refer to this issue so we don't lose context/history, but I suspect a new issue will get more attention than re-opening this issue. |
PR-URL: nodejs#52983 Refs: nodejs#39569 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Hello together, any news somebody can provide regarding the follow up issue I posed? [DNS] add AD Flag support for DNSSEC to allow DANE usage #57159 Thank you! |
Is your feature request related to a problem? Please describe.
I'd like to make an HTTPS request to a server that uses a self-signed certificate that follows the DANE protocol (Wikipedia)
Describe the solution you'd like
I believe the best option would be an extra option on HTTPS request:
Describe alternatives you've considered
I tried to create a new `https.Agent` that forces `rejectUnauthorized: false`; then I got the `tlsSocket` instance in the `keylog` event and added a listener for the `secureConnect` event; at this moment I realised that the DNS API doesn't have a `resolveTLSA`. Not sure how to continue from here.