Support option to disable DNSSEC validation

[gnarea]

This enables the cd flag when DNSSEC records are requested, but we want to disable DNSSEC validation on the resolver.

I created this test file to test the changes against real resolvers (but didn't commit it):

// pkg/dohdec/test/real.ava.js

import {DNSoverHTTPS} from '../lib/doh.js'
import {DNSoverTLS} from '../lib/index.js'
// eslint-disable-next-line node/no-missing-import
import test from 'ava'

test('DoH - no dnssec', async t => {
  const doh = new DNSoverHTTPS()
  const r = await doh.lookup('ietf.org', {
    json: false,
    dnssec: false,
  })
  t.truthy(r)

  t.false(r.answers.some(a => a.type === 'RRSIG'))
  t.false(r.flag_cd)
})

test('DoH - dnssec', async t => {
  const doh = new DNSoverHTTPS()
  const r = await doh.lookup('ietf.org', {
    json: false,
    dnssec: true,
  })
  t.truthy(r)

  t.true(r.answers.some(a => a.type === 'RRSIG'))
  t.false(r.flag_cd)
})

test('DoH - dnssec failed', async t => {
  const doh = new DNSoverHTTPS()
  const r = await doh.lookup('dnssec-failed.org', {
    json: false,
    dnssec: true,
  })
  t.truthy(r)

  t.is(r.rcode, 'SERVFAIL')
  t.is(r.answers.length, 0)
  t.false(r.flag_cd)
})

test('DoH - dnssec failed with cd=1', async t => {
  const doh = new DNSoverHTTPS()
  const r = await doh.lookup('dnssec-failed.org', {
    json: false,
    dnssec: true,
    dnssecCd: true,
  })
  t.truthy(r)

  t.is(r.rcode, 'NOERROR')
  t.true(r.answers.some(a => a.type === 'RRSIG'))
  t.true(r.flag_cd)
})

test('DoT - no dnssec', async t => {
  const dot = new DNSoverTLS()
  const r = await dot.lookup('ietf.org', {
    json: false,
    dnssec: false,
  })
  t.truthy(r)

  t.false(r.answers.some(a => a.type === 'RRSIG'))
  t.false(r.flag_cd)
})

test('DoT - dnssec', async t => {
  const dot = new DNSoverTLS()
  const r = await dot.lookup('ietf.org', {
    json: false,
    dnssec: true,
  })
  t.truthy(r)

  t.true(r.answers.some(a => a.type === 'RRSIG'))
  t.false(r.flag_cd)
})

test('DoT - dnssec failed', async t => {
  const dot = new DNSoverTLS()
  const r = await dot.lookup('dnssec-failed.org', {
    json: false,
    dnssec: true,
  })
  t.truthy(r)

  t.is(r.rcode, 'SERVFAIL')
  t.is(r.answers.length, 0)
  t.false(r.flag_cd)
})

Fixes #37

[gnarea]

I spotted a couple of bugs whilst testing the PR but now everything looks good and I won't be making further changes until you provide some feedback.

[hildjj]

This looks pretty close. I had a few minor questions that aren't blockers.
I'd like two changes, please:

• Add yourself to a new contributors section in the package.json
• Add a corresponding CLI option

Only the first is mandatory, I can hack the CLI option in if you don't have time.

[hildjj]

OK, this looks ready to go to me. There's a solid 10% chance this is going to break GHA when it lands, because I hadn't updated the action definition to run on pull requests to main instead of master, but I'll deal with that in my update PR that will come after this. Anything else before I merge?

[gnarea]

Thank you! I think we're good to go! 🚀

[gnarea]

Hi @hildjj 👋🏾 Can you please release this change to NPM? I've been relying on the Git tag but that's now breaking CI for me. TIA! 🙇🏾

[hildjj]

I'll look at this first thing Tuesday. I think this is blocked on hildjj/mock-tls-server#2, so I either have to fix that or rewrite the tests.

[hildjj]

OK, I think I'm ready to cut a major release, but I'm too tired today to re-learn lerna. Release probably will happen tomorrow morning MDT.

[hildjj]

Version 6.0.0 just released. Please check to make sure I got it right... I had to do a bunch of manual hacking to get the release to publish from GHA with provenance information correct.

[gnarea]

Thanks @hildjj! I tried upgrading, but it looks like the changes I made to pkg/dohdec/types/doh.d.ts in this PR didn't make it to NPM:

src/integration_tests/retrieval.test.ts:38:9 - error TS2345: Argument of type '{ rrtype: "A" | "NS" | "MD" | "MF" | "CNAME" | "SOA" | "MB" | "MG" | "MR" | "NULL" | "WKS" | "PTR" | "HINFO" | "MINFO" | "MX" | "TXT" | "RP" | "AFSDB" | "X25" | "ISDN" | "RT" | "NSAP" | ... 66 more ... | "DLV"; json: false; decode: false; dnssec: true; dnssecCheckingDisabled: boolean; }' is not assignable to parameter of type 'string | DOH_LookupOptions | undefined'.
  Object literal may only specify known properties, and 'dnssecCheckingDisabled' does not exist in type 'DOH_LookupOptions'.

38         dnssecCheckingDisabled: true,
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Found 1 error in src/integration_tests/retrieval.test.ts:38

[hildjj]

The .d.ts files are generated, and aren't even checked into git anymore. I'll see if I can find the right place to change the source.

[hildjj]

It looks like you only added it on getJSON(), and didn't get it passed all the way through the types when you use lookup().

WillFix.