6.2.0

changelog.md

@@ -0,0 +1,110 @@
+# Changelog
+
+## 2024-09-19 - 6.2.0 - feat(dnssec)
+Introduced DNSSEC support with ECDSA algorithm
+
+- Added `DnsSec` class for handling DNSSEC operations.
+- Updated `DnsServer` to support DNSSEC with ECDSA.
+- Shifted DNS-related helper functions to `DnsServer` class.
+- Integrated parsing and handling of DNSKEY and RRSIG records in `DnsServer`.
+
+## 2024-09-19 - 6.1.1 - fix(ts_server)
+Update DnsSec class to fully implement key generation and DNSKEY record creation.
+
+- Added complete support for ECDSA and ED25519 algorithms in the DnsSec class.
+- Implemented DNSKEY generation and KeyTag computation methods.
+- Improved error handling and initialized the appropriate cryptographic instances based on the algorithm.
+
+## 2024-09-18 - 6.1.0 - feat(smartdns)
+Add DNS Server and DNSSEC tools with comprehensive unit tests
+
+- Updated package dependencies to the latest versions
+- Introduced DnsServer class for handling DNS requests over both HTTPS and UDP with support for custom handlers
+- Added DnsSec class for generating and managing DNSSEC keys and DS records
+- Implemented unit tests for DnsServer and Smartdns classes
+
+## 2024-06-02 - 6.0.0 - server/client
+Main description here
+
+- **Breaking Change:** Move from client only to server + client exports.
+
+## 2024-03-30 - 5.0.4 - maintenance
+Range contains relevant changes
+
+- Switch to new org scheme
+
+## 2023-04-08 - 5.0.4 - core
+Main description here
+
+- Core update
+- Fixes applied to the system
+
+## 2022-07-27 - 5.0.0 - core
+Update contains relevant changes
+
+- **Breaking Change:** Major update and core changes
+- Fixes and updates applied
+
+## 2022-07-27 - 4.0.11 - core
+Range contains relevant changes
+
+- **Breaking Change:** Core update and changes applied
+
+## 2021-08-24 - 4.0.10 - core
+Range contains relevant changes
+
+- Fixes applied to the core functionalities
+
+## 2021-01-23 - 4.0.8 - core
+Range contains relevant changes
+
+- Updates and fixes to the core components
+
+## 2020-08-05 - 4.0.4 - core
+Range contains relevant changes
+
+- Multiple core fixes applied
+
+## 2020-02-15 - 4.0.0 - core
+Main description here
+
+- Core updates
+- Fixes applied across the system
+
+## 2020-02-15 - 3.0.8 - core
+Core updates with major changes
+
+- **Breaking Change:** Now uses Google DNS HTTPS API and handles DNSSEC validation
+
+## 2019-01-07 - 3.0.6 - core
+Range contains relevant changes
+
+- Fixes and updates applied to the core
+
+## 2018-05-13 - 3.0.4 - core
+Range contains relevant changes
+
+- Fixes applied, including `fix .checkUntilAvailable` error
+
+## 2018-05-13 - 3.0.0 - ci
+Main description here
+
+- CI changes and updates to the access level and global packages
+
+## 2017-07-31 - 2.0.10 - package
+Update to new package name and improved record retrieval
+
+- **Breaking Change:** Package name update and record retrieval improvements
+
+## 2017-01-27 - 2.0.1 - maintenance
+Multiple fixes and merges
+
+## 2017-01-27 - 2.0.0 - core
+Fix typings and update to better API
+
+## 2016-11-15 - 1.0.7 - initial
+Initial setup and improvements
+
+- Initial deployment
+- README improvements
+

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartdns",
-  "version": "6.0.0",
+  "version": "6.2.0",
   "private": false,
   "description": "A TypeScript library for smart DNS methods, supporting various DNS records and providers.",
   "exports": {
@@ -36,18 +36,21 @@
   "dependencies": {
     "@push.rocks/smartdelay": "^3.0.1",
     "@push.rocks/smartenv": "^5.0.5",
-    "@push.rocks/smartpromise": "^4.0.2",
+    "@push.rocks/smartpromise": "^4.0.4",
     "@push.rocks/smartrequest": "^2.0.15",
-    "@tsclass/tsclass": "^4.0.54",
+    "@tsclass/tsclass": "^4.1.2",
     "@types/dns-packet": "^5.6.5",
-    "dns-packet": "^5.6.1"
+    "@types/elliptic": "^6.4.18",
+    "dns-packet": "^5.6.1",
+    "elliptic": "^6.5.7",
+    "minimatch": "^10.0.1"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.1.66",
-    "@git.zone/tsrun": "^1.2.44",
+    "@git.zone/tsbuild": "^2.1.84",
+    "@git.zone/tsrun": "^1.2.49",
     "@git.zone/tstest": "^1.0.77",
-    "@push.rocks/tapbundle": "^5.0.8",
-    "@types/node": "^20.13.0"
+    "@push.rocks/tapbundle": "^5.2.0",
+    "@types/node": "^22.5.5"
   },
   "files": [
     "ts/**/*",

test/test.server.ts

@@ -0,0 +1,163 @@
+import { expect, tap } from '@push.rocks/tapbundle';
+import { tapNodeTools } from '@push.rocks/tapbundle/node';
+
+import * as dnsPacket from 'dns-packet';
+import * as https from 'https';
+import * as dgram from 'dgram';
+
+import * as smartdns from '../ts_server/index.js';
+
+let dnsServer: smartdns.DnsServer;
+
+tap.test('should create an instance of DnsServer', async () => {
+  // Use valid options
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8080,
+    udpPort: 8081,
+  });
+  expect(dnsServer).toBeInstanceOf(smartdns.DnsServer);
+});
+
+tap.test('should start the server', async () => {
+  await dnsServer.start();
+  // @ts-ignore
+  expect(dnsServer.httpsServer).toBeDefined();
+});
+
+tap.test('lets add a handler', async () => {
+  dnsServer.registerHandler('*.bleu.de', ['A'], (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '127.0.0.1',
+    };
+  });
+
+  // @ts-ignore
+  const response = dnsServer.processDnsRequest({
+    type: 'query',
+    id: 1,
+    flags: 0,
+    questions: [
+      {
+        name: 'dnsly_a.bleu.de',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    answers: [],
+  });
+  expect(response.answers[0]).toEqual({
+    name: 'dnsly_a.bleu.de',
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    data: '127.0.0.1',
+  });
+});
+
+tap.test('lets query over https', async () => {
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'dnsly_a.bleu.de',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+
+  const response = await fetch('https://localhost:8080/dns-query', {
+    method: 'POST',
+    body: query,
+    headers: {
+      'Content-Type': 'application/dns-message',
+    }
+  });
+
+  expect(response.status).toEqual(200);
+
+  const responseData = await response.arrayBuffer();
+  const dnsResponse = dnsPacket.decode(Buffer.from(responseData));
+
+  console.log(dnsResponse.answers[0]);
+
+  expect(dnsResponse.answers[0]).toEqual({
+    name: 'dnsly_a.bleu.de',
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    flush: false,
+    data: '127.0.0.1',
+  });
+});
+
+tap.test('lets query over udp', async () => {
+  const client = dgram.createSocket('udp4');
+
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 3,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'dnsly_a.bleu.de',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+
+  const responsePromise = new Promise<dnsPacket.Packet>((resolve, reject) => {
+    client.on('message', (msg) => {
+      const dnsResponse = dnsPacket.decode(msg);
+      resolve(dnsResponse);
+      client.close();
+    });
+
+    client.on('error', (err) => {
+      reject(err);
+      client.close();
+    });
+
+    client.send(query, 8081, 'localhost', (err) => {
+      if (err) {
+        reject(err);
+        client.close();
+      }
+    });
+  });
+
+  const dnsResponse = await responsePromise;
+
+  console.log(dnsResponse.answers[0]);
+
+  expect(dnsResponse.answers[0]).toEqual({
+    name: 'dnsly_a.bleu.de',
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    flush: false,
+    data: '127.0.0.1',
+  });
+});
+
+tap.test('should run for a while', async (toolsArg) => {
+  await toolsArg.delayFor(1000);
+});
+
+tap.test('should stop the server', async () => {
+  await dnsServer.stop();
+  // @ts-ignore
+  expect(dnsServer.httpsServer).toBeFalsy();
+});
+
+await tap.start();

ts_client/classes.dnsclient.ts

@@ -24,7 +24,7 @@ export const makeNodeProcessUseDnsProvider = (providerArg: TDnsProvider) => {
 
 export interface ISmartDnsConstructorOptions {}
 
-export interface IGoogleDNSHTTPSResponse {
+export interface IDnsJsonResponse {
   Status: number;
   TC: boolean;
   RD: boolean;
@@ -135,14 +135,14 @@ export class Smartdns {
   ): Promise<plugins.tsclass.network.IDnsRecord[]> {
     const requestUrl = `https://cloudflare-dns.com/dns-query?name=${recordNameArg}&type=${recordTypeArg}&do=1`;
     const returnArray: plugins.tsclass.network.IDnsRecord[] = [];
-    const getResponseBody = async (counterArg = 0): Promise<IGoogleDNSHTTPSResponse> => {
+    const getResponseBody = async (counterArg = 0): Promise<IDnsJsonResponse> => {
       const response = await plugins.smartrequest.request(requestUrl, {
         method: 'GET',
         headers: {
           accept: 'application/dns-json',
         },
       });
-      const responseBody: IGoogleDNSHTTPSResponse = response.body;
+      const responseBody: IDnsJsonResponse = response.body;
       if (responseBody?.Status !== 0 && counterArg < retriesCounterArg) {
         await plugins.smartdelay.delayFor(500);
         return getResponseBody(counterArg++);

ts_client/dnsly.plugins.ts

@@ -16,7 +16,3 @@ export { smartdelay, smartenv, smartpromise, smartrequest };
 import * as tsclass from '@tsclass/tsclass';
 
 export { tsclass };
-
-// third party scope
-const dns2 = smartenvInstance.getSafeNodeModule('dns2');
-export { dns2 };

ts_server/classes.dnssec.ts

@@ -0,0 +1,172 @@
+// Import necessary plugins from plugins.ts
+import * as plugins from './plugins.js';
+
+interface DnssecZone {
+  zone: string;
+  algorithm: 'ECDSA' | 'ED25519' | 'RSA';
+  keySize: number;
+  days: number;
+}
+
+interface DnssecKeyPair {
+  privateKey: string;
+  publicKey: string;
+}
+
+export class DnsSec {
+  private zone: DnssecZone;
+  private keyPair: DnssecKeyPair;
+  private ec?: plugins.elliptic.ec; // For ECDSA algorithms
+  private eddsa?: plugins.elliptic.eddsa; // For EdDSA algorithms
+
+  constructor(zone: DnssecZone) {
+    this.zone = zone;
+
+    // Initialize the appropriate cryptographic instance based on the algorithm
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        this.ec = new plugins.elliptic.ec('p256'); // Use P-256 curve for ECDSA
+        break;
+      case 'ED25519':
+        this.eddsa = new plugins.elliptic.eddsa('ed25519');
+        break;
+      case 'RSA':
+        // RSA implementation would go here
+        throw new Error('RSA algorithm is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    // Generate the key pair
+    this.keyPair = this.generateKeyPair();
+  }
+
+  private generateKeyPair(): DnssecKeyPair {
+    let privateKey: string;
+    let publicKey: string;
+
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        if (!this.ec) throw new Error('EC instance is not initialized.');
+        const ecKeyPair = this.ec.genKeyPair();
+        privateKey = ecKeyPair.getPrivate('hex');
+        publicKey = ecKeyPair.getPublic(false, 'hex'); // Uncompressed format
+        break;
+      case 'ED25519':
+        if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
+        const secret = plugins.crypto.randomBytes(32);
+        const edKeyPair = this.eddsa.keyFromSecret(secret);
+        privateKey = edKeyPair.getSecret('hex');
+        publicKey = edKeyPair.getPublic('hex');
+        break;
+      case 'RSA':
+        // RSA key generation would be implemented here
+        throw new Error('RSA key generation is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    return { privateKey, publicKey };
+  }
+
+  public getAlgorithmNumber(): number {
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        return 13; // ECDSAP256SHA256
+      case 'ED25519':
+        return 15;
+      case 'RSA':
+        return 8; // RSASHA256
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+  }
+
+  public signData(data: Buffer): Buffer {
+    // Sign the data using the private key
+    const keyPair = this.ec!.keyFromPrivate(this.keyPair.privateKey, 'hex');
+    const signature = keyPair.sign(plugins.crypto.createHash('sha256').update(data).digest());
+    return Buffer.from(signature.toDER());
+  }
+
+  private generateDNSKEY(): Buffer {
+    const flags = 256; // 256 indicates a Zone Signing Key (ZSK)
+    const protocol = 3; // Must be 3 according to RFC
+    const algorithm = this.getAlgorithmNumber();
+
+    let publicKeyData: Buffer;
+
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        if (!this.ec) throw new Error('EC instance is not initialized.');
+        const ecPublicKey = this.ec.keyFromPublic(this.keyPair.publicKey, 'hex').getPublic();
+        const x = ecPublicKey.getX().toArrayLike(Buffer, 'be', 32);
+        const y = ecPublicKey.getY().toArrayLike(Buffer, 'be', 32);
+        publicKeyData = Buffer.concat([x, y]);
+        break;
+      case 'ED25519':
+        publicKeyData = Buffer.from(this.keyPair.publicKey, 'hex');
+        break;
+      case 'RSA':
+        // RSA public key extraction would go here
+        throw new Error('RSA public key extraction is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    // Construct the DNSKEY RDATA
+    const dnskeyRdata = Buffer.concat([
+      Buffer.from([flags >> 8, flags & 0xff]), // Flags (2 bytes)
+      Buffer.from([protocol]), // Protocol (1 byte)
+      Buffer.from([algorithm]), // Algorithm (1 byte)
+      publicKeyData, // Public Key
+    ]);
+
+    return dnskeyRdata;
+  }
+
+  private computeKeyTag(dnskeyRdata: Buffer): number {
+    // Key Tag calculation as per RFC 4034, Appendix B
+    let acc = 0;
+    for (let i = 0; i < dnskeyRdata.length; i++) {
+      acc += i & 1 ? dnskeyRdata[i] : dnskeyRdata[i] << 8;
+    }
+    acc += (acc >> 16) & 0xffff;
+    return acc & 0xffff;
+  }
+
+  private getDNSKEYRecord(): string {
+    const dnskeyRdata = this.generateDNSKEY();
+    const flags = 256;
+    const protocol = 3;
+    const algorithm = this.getAlgorithmNumber();
+    const publicKeyData = dnskeyRdata.slice(4); // Skip flags, protocol, algorithm bytes
+    const publicKeyBase64 = publicKeyData.toString('base64');
+
+    return `${this.zone.zone}. IN DNSKEY ${flags} ${protocol} ${algorithm} ${publicKeyBase64}`;
+  }
+
+  public getDSRecord(): string {
+    const dnskeyRdata = this.generateDNSKEY();
+    const keyTag = this.computeKeyTag(dnskeyRdata);
+    const algorithm = this.getAlgorithmNumber();
+    const digestType = 2; // SHA-256
+    const digest = plugins.crypto
+      .createHash('sha256')
+      .update(dnskeyRdata)
+      .digest('hex')
+      .toUpperCase();
+
+    return `${this.zone.zone}. IN DS ${keyTag} ${algorithm} ${digestType} ${digest}`;
+  }
+
+  public getKeyPair(): DnssecKeyPair {
+    return this.keyPair;
+  }
+
+  public getDsAndKeyPair(): { keyPair: DnssecKeyPair; dsRecord: string; dnskeyRecord: string } {
+    const dsRecord = this.getDSRecord();
+    const dnskeyRecord = this.getDNSKEYRecord();
+    return { keyPair: this.keyPair, dsRecord, dnskeyRecord };
+  }
+}

ts_server/classes.dnsserver.ts

@@ -1,98 +1,338 @@
 import * as plugins from './plugins.js';
+import { DnsSec } from './classes.dnssec.js';
+import * as dnsPacket from 'dns-packet';
 
 interface IDnsServerOptions {
   httpsKey: string;
   httpsCert: string;
   httpsPort: number;
   udpPort: number;
+  dnssecZone: string;
 }
 
-class DnsServer {
+interface DnsAnswer {
+  name: string;
+  type: string;
+  class: string | number;
+  ttl: number;
+  data: any;
+}
+
+interface IDnsHandler {
+  domainPattern: string;
+  recordTypes: string[];
+  handler: (question: dnsPacket.Question) => DnsAnswer | null;
+}
+
+// Define types for DNSSEC records if not provided
+interface DNSKEYData {
+  flags: number;
+  algorithm: number;
+  key: Buffer;
+}
+
+interface RRSIGData {
+  typeCovered: string; // Changed to string to match dns-packet expectations
+  algorithm: number;
+  labels: number;
+  originalTTL: number;
+  expiration: number;
+  inception: number;
+  keyTag: number;
+  signerName: string;
+  signature: Buffer;
+}
+
+export class DnsServer {
   private udpServer: plugins.dgram.Socket;
   private httpsServer: plugins.https.Server;
+  private handlers: IDnsHandler[] = [];
+
+  // DNSSEC related properties
+  private dnsSec: DnsSec;
+  private dnskeyRecord: DNSKEYData;
+  private keyTag: number;
 
   constructor(private options: IDnsServerOptions) {
-    this.udpServer = plugins.dgram.createSocket('udp4');
-    this.setupUdpServer();
+    // Initialize DNSSEC
+    this.dnsSec = new DnsSec({
+      zone: options.dnssecZone,
+      algorithm: 'ECDSA', // You can change this based on your needs
+      keySize: 256,
+      days: 365,
+    });
 
-    this.httpsServer = plugins.https.createServer(
-      {
-        key: plugins.fs.readFileSync(options.httpsKey),
-        cert: plugins.fs.readFileSync(options.httpsCert)
-      },
-      this.handleHttpsRequest.bind(this)
-    );
+    // Generate DNSKEY and DS records
+    const { dsRecord, dnskeyRecord } = this.dnsSec.getDsAndKeyPair();
+
+    // Parse DNSKEY record into dns-packet format
+    this.dnskeyRecord = this.parseDNSKEYRecord(dnskeyRecord);
+    this.keyTag = this.computeKeyTag(this.dnskeyRecord);
   }
 
-  private setupUdpServer(): void {
-    this.udpServer.on('message', (msg, rinfo) => {
-      const request = plugins.dnsPacket.decode(msg);
-      const response = {
-        type: 'response' as const,
+  public registerHandler(
+    domainPattern: string,
+    recordTypes: string[],
+    handler: (question: dnsPacket.Question) => DnsAnswer | null
+  ): void {
+    this.handlers.push({ domainPattern, recordTypes, handler });
+  }
+
+  private processDnsRequest(request: dnsPacket.Packet): dnsPacket.Packet {
+    const response: dnsPacket.Packet = {
+      type: 'response',
       id: request.id,
-        flags: plugins.dnsPacket.RECURSION_DESIRED | plugins.dnsPacket.RECURSION_AVAILABLE,
+      flags:
+        dnsPacket.AUTHORITATIVE_ANSWER |
+        dnsPacket.RECURSION_AVAILABLE |
+        (request.flags & dnsPacket.RECURSION_DESIRED ? dnsPacket.RECURSION_DESIRED : 0),
       questions: request.questions,
-        answers: [] as plugins.dnsPacket.Answer[]
+      answers: [],
+      additionals: [],
     };
 
-      const question = request.questions[0];
-      console.log(`UDP query for ${question.name} of type ${question.type}`);
+    const dnssecRequested = this.isDnssecRequested(request);
 
-      if (question.type === 'A') {
-        response.answers.push({
+    for (const question of request.questions) {
+      console.log(`Query for ${question.name} of type ${question.type}`);
+
+      let answered = false;
+
+      // Handle DNSKEY queries if DNSSEC is requested
+      if (dnssecRequested && question.type === 'DNSKEY' && question.name === this.options.dnssecZone) {
+        const dnskeyAnswer: DnsAnswer = {
           name: question.name,
-          type: 'A',
+          type: 'DNSKEY',
           class: 'IN',
-          ttl: 300,
-          data: '127.0.0.1'
-        });
+          ttl: 3600,
+          data: this.dnskeyRecord,
+        };
+        response.answers.push(dnskeyAnswer as plugins.dnsPacket.Answer);
+
+        // Sign the DNSKEY RRset
+        const rrsig = this.generateRRSIG('DNSKEY', [dnskeyAnswer], question.name);
+        response.answers.push(rrsig as plugins.dnsPacket.Answer);
+
+        answered = true;
+        continue;
       }
 
-      const responseData = plugins.dnsPacket.encode(response);
-      this.udpServer.send(responseData, rinfo.port, rinfo.address);
-    });
+      for (const handlerEntry of this.handlers) {
+        if (
+          plugins.minimatch.minimatch(question.name, handlerEntry.domainPattern) &&
+          handlerEntry.recordTypes.includes(question.type)
+        ) {
+          const answer = handlerEntry.handler(question);
+          if (answer) {
+            // Ensure the answer has ttl and class
+            const dnsAnswer: DnsAnswer = {
+              ...answer,
+              ttl: answer.ttl || 300,
+              class: answer.class || 'IN',
+            };
+            response.answers.push(dnsAnswer as plugins.dnsPacket.Answer);
 
-    this.udpServer.on('error', (err) => {
-      console.error(`UDP Server error:\n${err.stack}`);
-      this.udpServer.close();
-    });
+            if (dnssecRequested) {
+              // Sign the answer RRset
+              const rrsig = this.generateRRSIG(question.type, [dnsAnswer], question.name);
+              response.answers.push(rrsig as plugins.dnsPacket.Answer);
+            }
 
-    this.udpServer.bind(this.options.udpPort, '0.0.0.0', () => {
-      console.log(`UDP DNS server running on port ${this.options.udpPort}`);
-    });
+            answered = true;
+            break;
+          }
+        }
+      }
+
+      if (!answered) {
+        console.log(`No handler found for ${question.name} of type ${question.type}`);
+        response.flags |= dnsPacket.AUTHORITATIVE_ANSWER;
+        const soaAnswer: DnsAnswer = {
+          name: question.name,
+          type: 'SOA',
+          class: 'IN',
+          ttl: 3600,
+          data: {
+            mname: `ns1.${this.options.dnssecZone}`,
+            rname: `hostmaster.${this.options.dnssecZone}`,
+            serial: Math.floor(Date.now() / 1000),
+            refresh: 3600,
+            retry: 600,
+            expire: 604800,
+            minimum: 86400,
+          },
+        };
+        response.answers.push(soaAnswer as plugins.dnsPacket.Answer);
+      }
+    }
+
+    return response;
+  }
+
+  private isDnssecRequested(request: dnsPacket.Packet): boolean {
+    if (!request.additionals) return false;
+    for (const additional of request.additionals) {
+      if (additional.type === 'OPT' && typeof additional.flags === 'number') {
+        // The DO bit is the 15th bit (0x8000)
+        if (additional.flags & 0x8000) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  private generateRRSIG(
+    type: string,
+    rrset: DnsAnswer[],
+    name: string
+  ): DnsAnswer {
+    // Prepare RRSIG data
+    const algorithm = this.dnsSec.getAlgorithmNumber();
+    const keyTag = this.keyTag;
+    const signerName = this.options.dnssecZone.endsWith('.') ? this.options.dnssecZone : `${this.options.dnssecZone}.`;
+    const inception = Math.floor(Date.now() / 1000) - 3600; // 1 hour ago
+    const expiration = inception + 86400; // Valid for 1 day
+    const ttl = rrset[0].ttl || 300;
+
+    // Serialize the RRset in canonical form
+    const rrsetBuffer = this.serializeRRset(rrset);
+
+    // Sign the RRset
+    const signature = this.dnsSec.signData(rrsetBuffer);
+
+    // Construct the RRSIG record
+    const rrsig: DnsAnswer = {
+      name,
+      type: 'RRSIG',
+      class: 'IN',
+      ttl,
+      data: {
+        typeCovered: type, // Changed to type string
+        algorithm,
+        labels: name.split('.').length - 1,
+        originalTTL: ttl,
+        expiration,
+        inception,
+        keyTag,
+        signerName,
+        signature: signature,
+      },
+    };
+
+    return rrsig;
+  }
+
+  private serializeRRset(rrset: DnsAnswer[]): Buffer {
+    // Implement canonical DNS RRset serialization as per RFC 4034 Section 6
+    const buffers: Buffer[] = [];
+    for (const rr of rrset) {
+      if (rr.type === 'OPT') {
+        continue; // Skip OPT records
+      }
+
+      const name = rr.name.endsWith('.') ? rr.name : rr.name + '.';
+      const nameBuffer = this.nameToBuffer(name.toLowerCase());
+
+      const typeValue = this.qtypeToNumber(rr.type);
+      const typeBuffer = Buffer.alloc(2);
+      typeBuffer.writeUInt16BE(typeValue, 0);
+
+      const classValue = this.classToNumber(rr.class);
+      const classBuffer = Buffer.alloc(2);
+      classBuffer.writeUInt16BE(classValue, 0);
+
+      const ttlValue = rr.ttl || 300;
+      const ttlBuffer = Buffer.alloc(4);
+      ttlBuffer.writeUInt32BE(ttlValue, 0);
+
+      // Serialize the data based on the record type
+      const dataBuffer = this.serializeRData(rr.type, rr.data);
+
+      const rdLengthBuffer = Buffer.alloc(2);
+      rdLengthBuffer.writeUInt16BE(dataBuffer.length, 0);
+
+      buffers.push(Buffer.concat([nameBuffer, typeBuffer, classBuffer, ttlBuffer, rdLengthBuffer, dataBuffer]));
+    }
+    return Buffer.concat(buffers);
+  }
+
+  private serializeRData(type: string, data: any): Buffer {
+    // Implement serialization for each record type you support
+    switch (type) {
+      case 'A':
+        return Buffer.from(data.split('.').map((octet: string) => parseInt(octet, 10)));
+      case 'AAAA':
+        // Handle IPv6 addresses
+        return Buffer.from(data.split(':').flatMap((segment: string) => {
+          const num = parseInt(segment, 16);
+          return [num >> 8, num & 0xff];
+        }));
+      case 'DNSKEY':
+        const dnskeyData: DNSKEYData = data;
+        return Buffer.concat([
+          Buffer.from([dnskeyData.flags >> 8, dnskeyData.flags & 0xff]),
+          Buffer.from([3]), // Protocol field, always 3
+          Buffer.from([dnskeyData.algorithm]),
+          dnskeyData.key,
+        ]);
+      case 'SOA':
+        // Implement SOA record serialization if needed
+        // For now, return an empty buffer or handle as needed
+        return Buffer.alloc(0);
+      // Add cases for other record types as needed
+      default:
+        throw new Error(`Serialization for record type ${type} is not implemented.`);
+    }
+  }
+
+  private parseDNSKEYRecord(dnskeyRecord: string): DNSKEYData {
+    // Parse the DNSKEY record string into dns-packet format
+    const parts = dnskeyRecord.trim().split(/\s+/);
+    const flags = parseInt(parts[3], 10);
+    const algorithm = parseInt(parts[5], 10);
+    const publicKeyBase64 = parts.slice(6).join('');
+    const key = Buffer.from(publicKeyBase64, 'base64');
+
+    return {
+      flags,
+      algorithm,
+      key,
+    };
+  }
+
+  private computeKeyTag(dnskeyRecord: DNSKEYData): number {
+    // Compute key tag as per RFC 4034 Appendix B
+    const flags = dnskeyRecord.flags;
+    const algorithm = dnskeyRecord.algorithm;
+    const key = dnskeyRecord.key;
+
+    const dnskeyRdata = Buffer.concat([
+      Buffer.from([flags >> 8, flags & 0xff]),
+      Buffer.from([3]), // Protocol field, always 3
+      Buffer.from([algorithm]),
+      key,
+    ]);
+
+    let acc = 0;
+    for (let i = 0; i < dnskeyRdata.length; i++) {
+      acc += (i & 1) ? dnskeyRdata[i] : dnskeyRdata[i] << 8;
+    }
+    acc += (acc >> 16) & 0xffff;
+    return acc & 0xffff;
   }
 
   private handleHttpsRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
     if (req.method === 'POST' && req.url === '/dns-query') {
       let body: Buffer[] = [];
 
-      req.on('data', chunk => {
+      req.on('data', (chunk) => {
         body.push(chunk);
       }).on('end', () => {
         const msg = Buffer.concat(body);
-        const request = plugins.dnsPacket.decode(msg);
-        const response = {
-          type: 'response' as const,
-          id: request.id,
-          flags: plugins.dnsPacket.RECURSION_DESIRED | plugins.dnsPacket.RECURSION_AVAILABLE,
-          questions: request.questions,
-          answers: [] as plugins.dnsPacket.Answer[]
-        };
-
-        const question = request.questions[0];
-        console.log(`DoH query for ${question.name} of type ${question.type}`);
-
-        if (question.type === 'A') {
-          response.answers.push({
-            name: question.name,
-            type: 'A',
-            class: 'IN',
-            ttl: 300,
-            data: '127.0.0.1'
-          });
-        }
-
-        const responseData = plugins.dnsPacket.encode(response);
+        const request = dnsPacket.decode(msg);
+        const response = this.processDnsRequest(request);
+        const responseData = dnsPacket.encode(response);
         res.writeHead(200, { 'Content-Type': 'application/dns-message' });
         res.end(responseData);
       });
@@ -102,19 +342,110 @@ class DnsServer {
     }
   }
 
-  public start(): void {
-    this.httpsServer.listen(this.options.httpsPort, () => {
-      console.log(`DoH server running on port ${this.options.httpsPort}`);
+  public async start(): Promise<void> {
+    this.httpsServer = plugins.https.createServer(
+      {
+        key: this.options.httpsKey,
+        cert: this.options.httpsCert,
+      },
+      this.handleHttpsRequest.bind(this)
+    );
+
+    this.udpServer = plugins.dgram.createSocket('udp4');
+    this.udpServer.on('message', (msg, rinfo) => {
+      const request = dnsPacket.decode(msg);
+      const response = this.processDnsRequest(request);
+      const responseData = dnsPacket.encode(response);
+      this.udpServer.send(responseData, rinfo.port, rinfo.address);
     });
+
+    this.udpServer.on('error', (err) => {
+      console.error(`UDP Server error:\n${err.stack}`);
+      this.udpServer.close();
+    });
+
+    const udpListeningDeferred = plugins.smartpromise.defer<void>();
+    const httpsListeningDeferred = plugins.smartpromise.defer<void>();
+
+    try {
+      this.udpServer.bind(this.options.udpPort, '0.0.0.0', () => {
+        console.log(`UDP DNS server running on port ${this.options.udpPort}`);
+        udpListeningDeferred.resolve();
+      });
+
+      this.httpsServer.listen(this.options.httpsPort, () => {
+        console.log(`HTTPS DNS server running on port ${this.options.httpsPort}`);
+        httpsListeningDeferred.resolve();
+      });
+    } catch (err) {
+      console.error('Error starting DNS server:', err);
+      process.exit(1);
+    }
+    await Promise.all([udpListeningDeferred.promise, httpsListeningDeferred.promise]);
   }
 
-  public stop(): void {
+  public async stop(): Promise<void> {
+    const doneUdp = plugins.smartpromise.defer<void>();
+    const doneHttps = plugins.smartpromise.defer<void>();
     this.udpServer.close(() => {
       console.log('UDP DNS server stopped');
+      this.udpServer.unref();
+      this.udpServer = null;
+      doneUdp.resolve();
     });
 
     this.httpsServer.close(() => {
       console.log('HTTPS DNS server stopped');
+      this.httpsServer.unref();
+      this.httpsServer = null;
+      doneHttps.resolve();
     });
+
+    await Promise.all([doneUdp.promise, doneHttps.promise]);
+  }
+
+  // Helper methods
+
+  private qtypeToNumber(type: string): number {
+    const QTYPE_NUMBERS: { [key: string]: number } = {
+      'A': 1,
+      'NS': 2,
+      'CNAME': 5,
+      'SOA': 6,
+      'PTR': 12,
+      'MX': 15,
+      'TXT': 16,
+      'AAAA': 28,
+      'SRV': 33,
+      'DNSKEY': 48,
+      'RRSIG': 46,
+      // Add more as needed
+    };
+    return QTYPE_NUMBERS[type.toUpperCase()] || 0;
+  }
+
+  private classToNumber(cls: string | number): number {
+    const CLASS_NUMBERS: { [key: string]: number } = {
+      'IN': 1,
+      'CH': 3,
+      'HS': 4,
+      // Add more as needed
+    };
+    if (typeof cls === 'number') {
+      return cls;
+    }
+    return CLASS_NUMBERS[cls.toUpperCase()] || 1;
+  }
+
+  private nameToBuffer(name: string): Buffer {
+    const labels = name.split('.');
+    const buffers = labels.map(label => {
+      const len = Buffer.byteLength(label, 'utf8');
+      const buf = Buffer.alloc(1 + len);
+      buf.writeUInt8(len, 0);
+      buf.write(label, 1);
+      return buf;
+    });
+    return Buffer.concat([...buffers, Buffer.from([0])]); // Add root label
   }
 }

ts_server/index.ts

@@ -0,0 +1 @@
+export * from './classes.dnsserver.js';

ts_server/plugins.ts

@@ -1,17 +1,32 @@
+// node native
+import crypto from 'crypto';
 import fs from 'fs';
 import http from 'http';
 import https from 'https';
 import dgram from 'dgram';
 
 export {
+  crypto,
   fs,
   http,
   https,
   dgram,
 }
 
-import * as dnsPacket from 'dns-packet';
+// @push.rocks scope
+import * as smartpromise from '@push.rocks/smartpromise';
 
 export {
-  dnsPacket
+  smartpromise,
+}
+
+// third party
+import elliptic from 'elliptic';
+import * as dnsPacket from 'dns-packet';
+import * as minimatch from 'minimatch';
+
+export {
+  dnsPacket,
+  elliptic,
+  minimatch,
 }