hildjj · hildjj · Nov 23, 2022 · Nov 23, 2022 · Nov 23, 2022 · Nov 23, 2022
diff --git a/pkg/dohdec/lib/dnsUtils.js b/pkg/dohdec/lib/dnsUtils.js
@@ -148,6 +148,7 @@ export class DNSutils extends EventEmitter {
    * @param {string} [opts.name] The name to look up.
    * @param {string} [opts.rrtype="A"] The record type to look up.
    * @param {boolean} [opts.dnssec=false] Request DNSSec information?
+   * @param {boolean} [opts.dnssecCd=false] Disable DNSSec validation?
    * @param {string} [opts.ecsSubnet] Subnet to use for ECS.
    * @param {number} [opts.ecs] Number of ECS bits.  Defaults to 24 or 56
    *   (IPv4/IPv6).
@@ -179,6 +180,9 @@ export class DNSutils extends EventEmitter {
       dns.flags |= packet.AUTHENTIC_DATA
       // @ts-ignore TS2339: types not up to date
       dns.additionals[0].flags |= packet.DNSSEC_OK
+      if (opts.dnssecCd) {
+        dns.flags |= packet.CHECKING_DISABLED
+      }
     }
     if (opts.ecs != null || net.isIP(opts.ecsSubnet) !== 0) {
       // https://tools.ietf.org/html/rfc7871#section-11.1

diff --git a/pkg/dohdec/lib/doh.js b/pkg/dohdec/lib/doh.js
@@ -147,6 +147,7 @@ export class DNSoverHTTPS extends DNSutils {
    * @param {string} [opts.rrtype="A"] The record type to look up.
    * @param {boolean} [opts.decode=true] Parse the returned JSON?
    * @param {boolean} [opts.dnssec=false] Request DNSSEC records.
+   * @param {boolean} [opts.dnssecCd=false] Disable DNSSEC validation.
    * @returns {Promise<string|object>} DNS result.
    */
   getJSON(opts) {
@@ -156,6 +157,9 @@ export class DNSoverHTTPS extends DNSutils {
     let req = `${this.opts.url}?name=${opts.name}&type=${rrtype}`
     if (opts.dnssec) {
       req += '&do=1'
+      if (opts.dnssecCd) {
+        req += '&cd=1'
+      }
     }
     req += '&random_padding='
     req += cryptoRandomString({
@@ -200,6 +204,7 @@ export class DNSoverHTTPS extends DNSutils {
       json: true,
       decode: true,
       dnssec: false,
+      dnssecCd: false,
     })
     this.verbose(1, 'DNSoverHTTPS.lookup options:', nopts)
 

diff --git a/pkg/dohdec/lib/dot.js b/pkg/dohdec/lib/dot.js
@@ -280,6 +280,7 @@ Received: "${hash}"`)
     const nopts = DNSutils.normalizeArgs(name, opts, {
       rrtype: 'A',
       dnsssec: false,
+      dnssecCd: false,
       decode: true,
       stream: true,
     })

diff --git a/pkg/dohdec/test/dnsUtils.ava.js b/pkg/dohdec/test/dnsUtils.ava.js
@@ -51,6 +51,27 @@ test('makePacket - subnet & ecs = 16', t => {
   t.is(options.sourcePrefixLength, ecs)
 })
 
+test('makePacket - dnssec disabled', t => {
+  const pkt = DNSutils.makePacket({name: 'foo'})
+  const dns = packet.decode(pkt)
+  t.false(dns.flag_ad)
+  t.false(dns.flag_cd)
+})
+
+test('makePacket - dnssec', t => {
+  const pkt = DNSutils.makePacket({name: 'foo', dnssec: true})
+  const dns = packet.decode(pkt)
+  t.true(dns.flag_ad)
+  t.false(dns.flag_cd)
+})
+
+test('makePacket - dnssec with cd=1', t => {
+  const pkt = DNSutils.makePacket({name: 'foo', dnssec: true, dnssecCd: true})
+  const dns = packet.decode(pkt)
+  t.true(dns.flag_ad)
+  t.true(dns.flag_cd)
+})
+
 test('normalizeArgs', t => {
   t.deepEqual(DNSutils.normalizeArgs('foo', 'mx'), {
     name: 'foo',

diff --git a/pkg/dohdec/test/doh.ava.js b/pkg/dohdec/test/doh.ava.js
@@ -83,3 +83,14 @@ test('getJSON', async t => {
   const r = await doh.getJSON({name: 'ietf.org'})
   t.is(typeof r, 'object')
 })
+
+test('DNSSEC with cd=1', async t => {
+  const doh = new DNSoverHTTPS({
+    preferPost: false,
+    verbose: 1,
+    http2: false,
+  })
+  const r = await doh.lookup('ietf.org', {rrtype: 'MX', dnssec: true, dnssecCd: true})
+  t.truthy(r)
+  t.truthy(r.CD)
+})
diff --git a/pkg/dohdec/test/fixtures/doh.ava.js.json b/pkg/dohdec/test/fixtures/doh.ava.js.json
@@ -320,5 +320,59 @@
             "chunked"
         ],
         "responseIsBinary": false
+    },
+    {
+        "scope": "https://cloudflare-dns.com:443",
+        "method": "GET",
+        "path": "/dns-query?name=ietf.org&type=MX&random_padding=0&do=1&cd=1",
+        "body": "",
+        "status": 200,
+        "response": {
+            "Status": 0,
+            "TC": false,
+            "RD": true,
+            "RA": true,
+            "AD": true,
+            "CD": true,
+            "Question": [
+                {
+                    "name": "ietf.org",
+                    "type": 15
+                }
+            ],
+            "Answer": [
+                {
+                    "name": "ietf.org",
+                    "type": 15,
+                    "TTL": 1800,
+                    "data": "0 mail.ietf.org."
+                }
+            ]
+        },
+        "rawHeaders": [
+            "Date",
+            "Sun, 03 Oct 2021 17:16:31 GMT",
+            "Content-Type",
+            "application/dns-json",
+            "Content-Length",
+            "185",
+            "Connection",
+            "close",
+            "Report-To",
+            "{\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v3?s=NVBzzN6QkCMb4qGcHtGElr0IkiJ8%2FH3P5KM9AqDAM2B5VkvtguEFEZGkn%2FnMIGFcp7fLZIODNmf2rZ993hv4T4rXIegiyfkgNVHnq64s593L6uczZPhEtSjDZ8polFZ1cOueCQ%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}",
+            "NEL",
+            "{\"report_to\":\"cf-nel\",\"max_age\":604800}",
+            "Access-Control-Allow-Origin",
+            "*",
+            "Expect-CT",
+            "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\"",
+            "Vary",
+            "Accept-Encoding",
+            "Server",
+            "cloudflare",
+            "CF-RAY",
+            "6987d1966bacc7b9-DEN"
+        ],
+        "responseIsBinary": false
     }
-]
+]
diff --git a/pkg/dohdec/types/dnsUtils.d.ts b/pkg/dohdec/types/dnsUtils.d.ts
@@ -8,6 +8,7 @@ export class DNSutils extends EventEmitter {
      * @param {string} [opts.name] The name to look up.
      * @param {string} [opts.rrtype="A"] The record type to look up.
      * @param {boolean} [opts.dnssec=false] Request DNSSec information?
+     * @param {boolean} [opts.dnssecCd=false] Disable DNSSec validation?
      * @param {string} [opts.ecsSubnet] Subnet to use for ECS.
      * @param {number} [opts.ecs] Number of ECS bits.  Defaults to 24 or 56
      *   (IPv4/IPv6).
@@ -21,6 +22,7 @@ export class DNSutils extends EventEmitter {
         name?: string;
         rrtype?: string;
         dnssec?: boolean;
+        dnssecCd?: boolean;
         ecsSubnet?: string;
         ecs?: number;
         stream?: boolean;

diff --git a/pkg/dohdec/types/doh.d.ts b/pkg/dohdec/types/doh.d.ts
@@ -77,13 +77,15 @@ export class DNSoverHTTPS extends DNSutils {
      * @param {string} [opts.rrtype="A"] The record type to look up.
      * @param {boolean} [opts.decode=true] Parse the returned JSON?
      * @param {boolean} [opts.dnssec=false] Request DNSSEC records.
+     * @param {boolean} [opts.dnssecCd=false] Disable DNSSEC validation.
      * @returns {Promise<string|object>} DNS result.
      */
     getJSON(opts: {
         name?: string;
         rrtype?: string;
         decode?: boolean;
         dnssec?: boolean;
+        dnssecCd?: boolean;
     }): Promise<string | object>;
     /**
      * Look up a DNS entry using DNS-over-HTTPS (DoH).

diff --git a/pkg/dohdec/types/dot.d.ts b/pkg/dohdec/types/dot.d.ts
@@ -160,10 +160,13 @@ export type DOT_LookupOptions = {
      */
     decode?: boolean;
     /**
-     * Request DNSSec records.  Currently
-     * requires `json: false`.
+     * Request DNSSec records.
      */
     dnssec?: boolean;
+    /**
+     * Disable DNSSec validation.
+     */
+    dnssecCd?: boolean;
 };
 export type pendingResolve = (results: Buffer | object) => any;
 export type pendingError = (error: Error) => any;