update

changelog.md

@@ -1,5 +1,43 @@
 # Changelog
 
+## 2025-03-21 - 6.3.0 - feat(dns-server)
+Enhance DNS server functionality with advanced DNSSEC signing (supporting both ECDSA and ED25519), improved SSL certificate retrieval using Let's Encrypt, and refined handler management for cleaner shutdowns.
+
+- Updated package metadata with expanded keywords and revised dependency versions
+- Improved DNSSEC signing logic to support both ECDSA and ED25519 algorithms
+- Added unregisterHandler method for cleaner handler lifecycle management
+- Enhanced SSL certificate retrieval workflow with better DNS challenge handling
+- Refined test utilities for more robust DNS operations
+
+## 2025-03-21 - 6.3.0 - feat(dns-server)
+Enhance DNS server functionality with advanced DNSSEC signing (including ED25519 support), improved certificate retrieval using Let's Encrypt, updated package metadata, and refined test utilities for more robust DNS operations.
+
+- Updated package.json and npmextra.json with expanded keywords and revised dependency versions
+- Improved DNSSEC signing logic to support both ECDSA and ED25519 algorithms
+- Added unregisterHandler method and enhanced server stop logic for cleaner shutdowns
+- Enhanced SSL certificate retrieval workflow with better challenge handling and test support
+
+## 2024-09-21 - 6.2.1 - fix(core)
+Fixing issues with keywords and readme formatting.
+
+- Synchronized keywords field between npmextra.json and package.json.
+- Updated readme.md to fix formatting issues and added new sections.
+
+## 2024-09-19 - 6.2.0 - feat(dnssec)
+Introduced DNSSEC support with ECDSA algorithm
+
+- Added `DnsSec` class for handling DNSSEC operations.
+- Updated `DnsServer` to support DNSSEC with ECDSA.
+- Shifted DNS-related helper functions to `DnsServer` class.
+- Integrated parsing and handling of DNSKEY and RRSIG records in `DnsServer`.
+
+## 2024-09-19 - 6.1.1 - fix(ts_server)
+Update DnsSec class to fully implement key generation and DNSKEY record creation.
+
+- Added complete support for ECDSA and ED25519 algorithms in the DnsSec class.
+- Implemented DNSKEY generation and KeyTag computation methods.
+- Improved error handling and initialized the appropriate cryptographic instances based on the algorithm.
+
 ## 2024-09-18 - 6.1.0 - feat(smartdns)
 Add DNS Server and DNSSEC tools with comprehensive unit tests
 

npmextra.json

@@ -5,18 +5,27 @@
       "githost": "code.foss.global",
       "gitscope": "push.rocks",
       "gitrepo": "smartdns",
-      "description": "A TypeScript library for smart DNS methods, supporting various DNS records and providers.",
+      "description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
       "npmPackagename": "@push.rocks/smartdns",
       "license": "MIT",
       "keywords": [
-        "DNS",
         "TypeScript",
+        "DNS",
+        "DNS records",
+        "DNS resolution",
+        "DNS management",
+        "DNSSEC",
         "Node.js",
         "Google DNS",
         "Cloudflare",
-        "DNS records",
+        "UDP DNS",
-        "DNS resolution",
+        "HTTPS DNS",
-        "DNSSEC"
+        "ACME",
+        "Let's Encrypt",
+        "SSL Certificates",
+        "Feature Flagging",
+        "Domain Propagation",
+        "DNS Server"
       ]
     }
   },

package.json

@@ -1,8 +1,8 @@
 {
   "name": "@push.rocks/smartdns",
-  "version": "6.1.0",
+  "version": "6.2.1",
   "private": false,
-  "description": "A TypeScript library for smart DNS methods, supporting various DNS records and providers.",
+  "description": "A robust TypeScript library providing advanced DNS management and resolution capabilities including support for DNSSEC, custom DNS servers, and integration with various DNS providers.",
   "exports": {
     ".": "./dist_ts_server/index.js",
     "./server": "./dist_ts_server/index.js",
@@ -18,14 +18,23 @@
     "url": "https://code.foss.global/push.rocks/smartdns.git"
   },
   "keywords": [
-    "DNS",
     "TypeScript",
+    "DNS",
+    "DNS records",
+    "DNS resolution",
+    "DNS management",
+    "DNSSEC",
     "Node.js",
     "Google DNS",
     "Cloudflare",
-    "DNS records",
+    "UDP DNS",
-    "DNS resolution",
+    "HTTPS DNS",
-    "DNSSEC"
+    "ACME",
+    "Let's Encrypt",
+    "SSL Certificates",
+    "Feature Flagging",
+    "Domain Propagation",
+    "DNS Server"
   ],
   "author": "Lossless GmbH",
   "license": "MIT",
@@ -36,21 +45,22 @@
   "dependencies": {
     "@push.rocks/smartdelay": "^3.0.1",
     "@push.rocks/smartenv": "^5.0.5",
-    "@push.rocks/smartpromise": "^4.0.4",
+    "@push.rocks/smartpromise": "^4.2.3",
-    "@push.rocks/smartrequest": "^2.0.15",
+    "@push.rocks/smartrequest": "^2.0.23",
-    "@tsclass/tsclass": "^4.1.2",
+    "@tsclass/tsclass": "^5.0.0",
     "@types/dns-packet": "^5.6.5",
     "@types/elliptic": "^6.4.18",
+    "acme-client": "^5.4.0",
     "dns-packet": "^5.6.1",
-    "elliptic": "^6.5.7",
+    "elliptic": "^6.6.1",
     "minimatch": "^10.0.1"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^2.1.84",
+    "@git.zone/tsbuild": "^2.2.7",
-    "@git.zone/tsrun": "^1.2.49",
+    "@git.zone/tsrun": "^1.3.3",
-    "@git.zone/tstest": "^1.0.77",
+    "@git.zone/tstest": "^1.0.96",
-    "@push.rocks/tapbundle": "^5.2.0",
+    "@push.rocks/tapbundle": "^5.6.0",
-    "@types/node": "^22.5.5"
+    "@types/node": "^22.13.10"
   },
   "files": [
     "ts/**/*",

readme.md

@@ -1,6 +1,6 @@
 # @push.rocks/smartdns
 
-smart dns methods written in TypeScript
+A TypeScript library for smart DNS methods, supporting various DNS records and providers.
 
 ## Install
 
@@ -16,7 +16,7 @@ Or with `yarn`:
 yarn add @push.rocks/smartdns
 ```
 
-Make sure you have a TypeScript environment setup to utilize the library effectively.
+Make sure you have a TypeScript environment set up to utilize the library effectively.
 
 ## Usage
 
@@ -32,34 +32,51 @@ import { Smartdns } from '@push.rocks/smartdns';
 
 ### Basic DNS Record Lookup
 
-Often, the need arises to fetch various DNS records for a domain. `@push.rocks/smartdns` simplifies this by providing intuitive methods.
+Often, the need arises to fetch various DNS records for a domain. `@push.rocks/smartdns` simplifies this by providing intuitive methods. A DNS record is essentially a map from a domain name to information about that domain, such as its IP address, mail exchange server, etc.
 
 #### Fetching A Records
 
-To fetch an "A" record for a domain:
+To fetch an "A" record for a domain, which resolves the domain to an IPv4 address, use the following approach:
 
 ```typescript
+import { Smartdns } from '@push.rocks/smartdns';
+
 const dnsManager = new Smartdns({});
 const aRecords = await dnsManager.getRecordsA('example.com');
 console.log(aRecords);
 ```
 
+This will return an array of records that include the IPv4 addresses mapped to the domain `example.com`.
+
 #### Fetching AAAA Records
 
-Similarly, for "AAAA" records:
+For resolving a domain to an IPv6 address, you can fetch "AAAA" records in a similar manner:
 
 ```typescript
 const aaaaRecords = await dnsManager.getRecordsAAAA('example.com');
 console.log(aaaaRecords);
 ```
 
+These queries are quite common where IPv6 addresses have been prevalent due to the scarcity of IPv4 addresses.
+
+#### Fetching TXT Records
+
+TXT records store arbitrary text data associated with a domain. They are often used to hold information such as SPF records for email validation or Google site verification token.
+
+```typescript
+const txtRecords = await dnsManager.getRecordsTxt('example.com');
+console.log(txtRecords);
+```
+
+TXT records have increasingly become significant with the growth of security features and integrations that require domain verification.
+
 ### Advanced DNS Management
 
-Beyond simple queries, `@push.rocks/smartdns` offers functionalities suitable for more complex DNS management scenarios.
+The `@push.rocks/smartdns` doesn't just stop at querying— it offers more advanced DNS management utilities, which are crucial for real-world applications involving DNS operations.
 
 #### Checking DNS Propagation
 
-When changing DNS records, ensuring that the new records have propagated fully is crucial. `@push.rocks/smartdns` facilitates this with a method to check a DNS record until it is available globally.
+When changing DNS records, ensuring that the new records have propagated fully is crucial. `@push.rocks/smartdns` facilitates this with a method to check if a DNS record is available globally. This can be critical for ensuring that users worldwide are able to access your updated records in a consistent manner.
 
 ```typescript
 const recordType = 'TXT'; // Record type: A, AAAA, CNAME, TXT etc.
@@ -73,13 +90,15 @@ if (isAvailable) {
 }
 ```
 
+This method repeatedly queries DNS servers until the expected DNS record appears, making sure that the changes made are visible globally.
+
 ### Leveraging DNS for Application Logic
 
-DNS records can serve beyond mere domain-to-IP resolution; they can be instrumental in application logic, such as feature flagging or environment-specific configurations.
+DNS records can function beyond their typical usage of domain-to-IP resolution. They can be extremely useful in application logic such as feature flagging or environment-specific configurations.
 
 #### Example: Feature Flagging via TXT Records
 
-Consider leveraging TXT records for enabling/disabling features dynamically without deploying new code.
+One such advanced use case is using TXT records for enabling or disabling features dynamically without needing to redeploy or change the actual application code:
 
 ```typescript
 const txtRecords = await dnsManager.getRecordsTxt('features.example.com');
@@ -91,18 +110,279 @@ const featureFlags = txtRecords.reduce((acc, record) => {
 
 if (featureFlags['NewFeature']) {
   // Logic to enable the new feature
+  console.log('New Feature enabled');
 }
 ```
 
-### Conclusion
+This approach enables applications to be more flexible and responsive to business needs as feature toggles can be managed through DNS.
 
-`@push.rocks/smartdns` offers a versatile set of tools for DNS querying and management, tailored for applications at any scale. The examples provided illustrate the library's potential use cases, highlighting its applicability in various scenarios from basic lookups to facilitating complex application features through DNS.
+### DNS Server Implementation
 
-For the full spectrum of functionalities, including detailed method documentation and additional use cases, consult the module's [TypeDoc documentation](https://pushrocks.gitlab.io/smartdns/). This will serve as a comprehensive guide to leveraging `@push.rocks/smartdns` effectively in your projects.
+`@push.rocks/smartdns` includes powerful features that allow you to implement your very own DNS server, complete with UDP and HTTPS protocols support and DNSSEC compliance.
 
-Remember, DNS changes might take time to propagate worldwide, and the utility methods provided by `@push.rocks/smartdns` for checking record availability will be invaluable in managing these changes seamlessly.
+#### Basic DNS Server Example
 
+Implementing a DNS server involves setting it up to respond to various DNS queries. Here's how you can set up a basic DNS server using UDP and HTTPS protocols:
 
+```typescript
+import { DnsServer } from '@push.rocks/smartdns';
+
+const dnsServer = new DnsServer({
+  httpsKey: 'path/to/key.pem',
+  httpsCert: 'path/to/cert.pem',
+  httpsPort: 443,
+  udpPort: 53,
+  dnssecZone: 'example.com',
+});
+
+dnsServer.registerHandler('*.example.com', ['A'], (question) => ({
+  name: question.name,
+  type: 'A',
+  class: 'IN',
+  ttl: 300,
+  data: '127.0.0.1',
+}));
+
+dnsServer.start().then(() => console.log('DNS Server started'));
+```
+
+This sets up a basic DNS server responding to A records for the domain `example.com` and mirrors the common structure used in production applications.
+
+### DNSSEC Support
+
+DNS Security Extensions (DNSSEC) adds an additional layer of security to DNS, protecting against various types of attacks. With `@push.rocks/smartdns`, setting up a DNS server with DNSSEC is straightforward.
+
+#### DNSSEC Configuration
+
+To configure DNSSEC for your DNS server, you’ll need to establish DNSSEC parameters including zone signatures and enabling key management. This setup ensures that DNS records are signed and can be verified for authenticity.
+
+```typescript
+import { DnsServer } from '@push.rocks/smartdns';
+
+const dnsServer = new DnsServer({
+  httpsKey: 'path/to/key.pem',
+  httpsCert: 'path/to/cert.pem',
+  httpsPort: 443,
+  udpPort: 53,
+  dnssecZone: 'example.com',
+});
+
+dnsServer.registerHandler('*.example.com', ['A'], (question) => ({
+  name: question.name,
+  type: 'A',
+  class: 'IN',
+  ttl: 300,
+  data: '127.0.0.1',
+}));
+
+dnsServer.start().then(() => console.log('DNS Server with DNSSEC started'));
+```
+
+### Handling DNS Queries Over Different Protocols
+
+The library supports handling DNS queries over UDP and HTTPS. This functionality allows for the flexible use and management of DNS inquiries and resolves, accommodating various protocol needs.
+
+#### Handling UDP Queries
+
+UDP is the traditional DNS protocol used for quick, non-persistent queries. Here’s how you can set up a DNS server to respond to UDP queries:
+
+```typescript
+import { DnsServer } from '@push.rocks/smartdns';
+import dgram from 'dgram';
+
+const dnsServer = new DnsServer({
+  udpPort: 53,
+  httpsPort: 443,
+});
+
+dnsServer.registerHandler('*.example.com', ['A'], (question) => ({
+  name: question.name,
+  type: 'A',
+  class: 'IN',
+  ttl: 300,
+  data: '127.0.0.1',
+}));
+
+dnsServer.start().then(() => {
+  console.log('UDP DNS Server started on port', dnsServer.getOptions().udpPort);
+});
+
+const client = dgram.createSocket('udp4');
+
+client.on('message', (msg, rinfo) => {
+  console.log(`Received ${msg} from ${rinfo.address}:${rinfo.port}`);
+});
+
+client.send(Buffer.from('example DNS query'), dnsServer.getOptions().udpPort, 'localhost');
+```
+
+This segment of code creates a UDP server that listens for incoming DNS requests and responds accordingly.
+
+#### Handling HTTPS Queries
+
+DNS over HTTPS (DoH) offers a heightened level of privacy and security, where DNS queries are transmitted over HTTPS to prevent eavesdropping and man-in-the-middle attacks.
+
+```typescript
+import { DnsServer } from '@push.rocks/smartdns';
+import https from 'https';
+import fs from 'fs';
+
+const dnsServer = new DnsServer({
+  httpsKey: fs.readFileSync('path/to/key.pem'),
+  httpsCert: fs.readFileSync('path/to/cert.pem'),
+  httpsPort: 443,
+  udpPort: 53,
+  dnssecZone: 'example.com',
+});
+
+dnsServer.registerHandler('*.example.com', ['A'], (question) => ({
+  name: question.name,
+  type: 'A',
+  class: 'IN',
+  ttl: 300,
+  data: '127.0.0.1',
+}));
+
+dnsServer.start().then(() => console.log('HTTPS DNS Server started'));
+
+const client = https.request({
+  hostname: 'localhost',
+  port: 443,
+  path: '/dns-query',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/dns-message'
+  }
+}, (res) => {
+  res.on('data', (d) => {
+    process.stdout.write(d);
+  });
+});
+
+client.on('error', (e) => {
+  console.error(e);
+});
+
+client.write(Buffer.from('example DNS query'));
+client.end();
+```
+
+This ensures that DNS requests can be securely transmitted over the web, maintaining privacy for the clients querying the DNS server.
+
+### Testing
+
+Like any crucial application component, DNS servers require thorough testing to ensure reliability and correctness in different scenarios. Here we use TAP (Test Anything Protocol) to test various functionalities.
+
+#### DNS Server Tests
+
+`@push.rocks/smartdns` integrates seamlessly with TAP, allowing for comprehensive testing of server functionalities.
+
+Here's an example of how you might set up tests for your DNS server:
+
+```typescript
+import { expect, tap } from '@push.rocks/tapbundle';
+
+import { DnsServer } from '@push.rocks/smartdns';
+
+let dnsServer: DnsServer;
+
+tap.test('should create an instance of DnsServer', async () => {
+  dnsServer = new DnsServer({
+    httpsKey: 'path/to/key.pem',
+    httpsCert: 'path/to/cert.pem',
+    httpsPort: 443,
+    udpPort: 53,
+    dnssecZone: 'example.com',
+  });
+  expect(dnsServer).toBeInstanceOf(DnsServer);
+});
+
+tap.test('should start the server', async () => {
+  await dnsServer.start();
+  expect(dnsServer.isRunning()).toBeTrue();
+});
+
+tap.test('should add a DNS handler', async () => {
+  dnsServer.registerHandler('*.example.com', ['A'], (question) => ({
+    name: question.name,
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    data: '127.0.0.1',
+  }));
+
+  const response = dnsServer.processDnsRequest({
+    type: 'query',
+    id: 1,
+    flags: 0,
+    questions: [
+      {
+        name: 'test.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    answers: [],
+  });
+
+  expect(response.answers[0]).toEqual({
+    name: 'test.example.com',
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    data: '127.0.0.1',
+  });
+});
+
+tap.test('should query the server over HTTP', async () => {
+  const query = dnsPacket.encode({
+    type: 'query',
+    id: 2,
+    flags: dnsPacket.RECURSION_DESIRED,
+    questions: [
+      {
+        name: 'test.example.com',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+  });
+
+  const response = await fetch('https://localhost:443/dns-query', {
+    method: 'POST',
+    body: query,
+    headers: {
+      'Content-Type': 'application/dns-message',
+    }
+  });
+
+  expect(response.status).toEqual(200);
+
+  const responseData = await response.arrayBuffer();
+  const dnsResponse = dnsPacket.decode(Buffer.from(responseData));
+
+  expect(dnsResponse.answers[0]).toEqual({
+    name: 'test.example.com',
+    type: 'A',
+    class: 'IN',
+    ttl: 300,
+    data: '127.0.0.1',
+  });
+});
+
+tap.test('should stop the server', async () => {
+  await dnsServer.stop();
+  expect(dnsServer.isRunning()).toBeFalse();
+});
+
+await tap.start();
+```
+
+The above tests ensure that the DNS server setup, query handling, and proper stopping of the server are all functioning as intended.
+
+In a realistic production environment, additional tests would include edge cases such as malformed requests, large queries, concurrent access handling, and integration tests with various DNS resolvers. These tests ensure robustness and reliability of DNS services provided by the server.
+
+This comprehensive guide demonstrates how to implement, manage, and test a DNS server using `@push.rocks/smartdns`, making it an ideal tool for developers tasked with handling DNS management and setup in TypeScript projects. The library supports the full scope of DNS operations needed for modern applications, from basic record query to full-scale DNS server operations with advanced security extensions.
 
 ## License and Legal Information
 

test/test.server.ts

@@ -1,13 +1,218 @@
+import * as plugins from '../ts_server/plugins.js';
 import { expect, tap } from '@push.rocks/tapbundle';
 import { tapNodeTools } from '@push.rocks/tapbundle/node';
+import { execSync } from 'child_process';
 
 import * as dnsPacket from 'dns-packet';
 import * as https from 'https';
 import * as dgram from 'dgram';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
 
 import * as smartdns from '../ts_server/index.js';
 
+// Generate a real self-signed certificate using OpenSSL
+function generateSelfSignedCert() {
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cert-'));
+  const keyPath = path.join(tmpDir, 'key.pem');
+  const certPath = path.join(tmpDir, 'cert.pem');
+  
+  try {
+    // Generate private key
+    execSync(`openssl genrsa -out "${keyPath}" 2048`);
+    
+    // Generate self-signed certificate
+    execSync(
+      `openssl req -new -x509 -key "${keyPath}" -out "${certPath}" -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=test.example.com"`
+    );
+    
+    // Read the files
+    const privateKey = fs.readFileSync(keyPath, 'utf8');
+    const cert = fs.readFileSync(certPath, 'utf8');
+    
+    return { key: privateKey, cert };
+  } catch (error) {
+    console.error('Error generating certificate:', error);
+    throw error;
+  } finally {
+    // Clean up temporary files
+    try {
+      if (fs.existsSync(keyPath)) fs.unlinkSync(keyPath);
+      if (fs.existsSync(certPath)) fs.unlinkSync(certPath);
+      if (fs.existsSync(tmpDir)) fs.rmdirSync(tmpDir);
+    } catch (err) {
+      console.error('Error cleaning up temporary files:', err);
+    }
+  }
+}
+
+// Cache the generated certificate for performance
+let cachedCert = null;
+
+// Helper function to get certificate
+function getTestCertificate() {
+  if (!cachedCert) {
+    cachedCert = generateSelfSignedCert();
+  }
+  return cachedCert;
+}
+
+// Mock for acme-client directly imported as a module
+const acmeClientMock = {
+  Client: class {
+    constructor() {}
+    
+    createAccount() {
+      return Promise.resolve({});
+    }
+    
+    createOrder() {
+      return Promise.resolve({
+        authorizations: ['auth1', 'auth2']
+      });
+    }
+    
+    getAuthorizations() {
+      return Promise.resolve([
+        {
+          identifier: { value: 'test.bleu.de' },
+          challenges: [
+            { type: 'dns-01', url: 'https://example.com/challenge' }
+          ]
+        }
+      ]);
+    }
+    
+    getChallengeKeyAuthorization() {
+      return Promise.resolve('test_key_authorization');
+    }
+    
+    completeChallenge() {
+      return Promise.resolve({});
+    }
+    
+    waitForValidStatus() {
+      return Promise.resolve({});
+    }
+    
+    finalizeOrder() {
+      return Promise.resolve({});
+    }
+    
+    getCertificate() {
+      // Use a real certificate
+      const { cert } = getTestCertificate();
+      return Promise.resolve(cert);
+    }
+  },
+  
+  forge: {
+    createCsr({commonName, altNames}) {
+      return Promise.resolve({
+        csr: Buffer.from('mock-csr-data')
+      });
+    }
+  },
+  
+  directory: {
+    letsencrypt: {
+      staging: 'https://acme-staging-v02.api.letsencrypt.org/directory',
+      production: 'https://acme-v02.api.letsencrypt.org/directory'
+    }
+  }
+};
+
+// Override generateKeyPairSync to use our test key for certificate generation in tests
+const originalGenerateKeyPairSync = plugins.crypto.generateKeyPairSync;
+plugins.crypto.generateKeyPairSync = function(type, options) {
+  if (type === 'rsa' && 
+      options?.modulusLength === 2048 && 
+      options?.privateKeyEncoding?.type === 'pkcs8') {
+    
+    // Get the test certificate key if we're in the retrieveSslCertificate method
+    try {
+      const stack = new Error().stack || '';
+      if (stack.includes('retrieveSslCertificate')) {
+        const { key } = getTestCertificate();
+        return { privateKey: key, publicKey: 'TEST_PUBLIC_KEY' };
+      }
+    } catch (e) {
+      // Fall back to original function if error occurs
+    }
+  }
+  
+  // Use the original function for other cases
+  return originalGenerateKeyPairSync.apply(this, arguments);
+};
+
 let dnsServer: smartdns.DnsServer;
+const testCertDir = path.join(process.cwd(), 'test-certs');
+
+// Helper to clean up test certificate directory
+function cleanCertDir() {
+  if (fs.existsSync(testCertDir)) {
+    const files = fs.readdirSync(testCertDir);
+    for (const file of files) {
+      fs.unlinkSync(path.join(testCertDir, file));
+    }
+    fs.rmdirSync(testCertDir);
+  }
+}
+
+// Port management for tests
+let nextHttpsPort = 8080;
+let nextUdpPort = 8081;
+
+function getUniqueHttpsPort() {
+  return nextHttpsPort++;
+}
+
+function getUniqueUdpPort() {
+  return nextUdpPort++;
+}
+
+// Cleanup function for servers - more robust implementation
+async function stopServer(server: smartdns.DnsServer | null | undefined) {
+  if (!server) {
+    return; // Nothing to do if server doesn't exist
+  }
+  
+  try {
+    // Access private properties for checking before stopping
+    // @ts-ignore - accessing private properties for testing
+    const hasHttpsServer = server.httpsServer !== undefined && server.httpsServer !== null;
+    // @ts-ignore - accessing private properties for testing
+    const hasUdpServer = server.udpServer !== undefined && server.udpServer !== null;
+    
+    // Only try to stop if there's something to stop
+    if (hasHttpsServer || hasUdpServer) {
+      await server.stop();
+    }
+  } catch (e) {
+    console.log('Handled error when stopping server:', e);
+    // Ignore errors during cleanup
+  }
+}
+
+// Setup and teardown
+tap.test('setup', async () => {
+  cleanCertDir();
+  // Reset dnsServer to null at the start
+  dnsServer = null;
+  // Reset certificate cache
+  cachedCert = null;
+});
+
+tap.test('teardown', async () => {
+  // Stop the server if it exists
+  await stopServer(dnsServer);
+  dnsServer = null;
+  
+  cleanCertDir();
+  // Reset certificate cache
+  cachedCert = null;
+});
 
 tap.test('should create an instance of DnsServer', async () => {
   // Use valid options
@@ -17,17 +222,43 @@ tap.test('should create an instance of DnsServer', async () => {
     httpsCert: httpsData.cert,
     httpsPort: 8080,
     udpPort: 8081,
+    dnssecZone: 'example.com',
   });
   expect(dnsServer).toBeInstanceOf(smartdns.DnsServer);
 });
 
 tap.test('should start the server', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+  });
+  
   await dnsServer.start();
-  // @ts-ignore
+  // @ts-ignore - accessing private property for testing
   expect(dnsServer.httpsServer).toBeDefined();
+  
+  // Stop the server at the end of this test
+  await stopServer(dnsServer);
+  dnsServer = null;
 });
 
 tap.test('lets add a handler', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8080,
+    udpPort: 8081,
+    dnssecZone: 'example.com',
+  });
+
   dnsServer.registerHandler('*.bleu.de', ['A'], (question) => {
     return {
       name: question.name,
@@ -38,7 +269,7 @@ tap.test('lets add a handler', async () => {
     };
   });
 
-  // @ts-ignore
+  // @ts-ignore - accessing private method for testing
   const response = dnsServer.processDnsRequest({
     type: 'query',
     id: 1,
@@ -61,7 +292,91 @@ tap.test('lets add a handler', async () => {
   });
 });
 
+tap.test('should unregister a handler', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8080,
+    udpPort: 8081,
+    dnssecZone: 'example.com',
+  });
+
+  // Register handlers
+  dnsServer.registerHandler('*.bleu.de', ['A'], (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '127.0.0.1',
+    };
+  });
+  
+  dnsServer.registerHandler('test.com', ['TXT'], (question) => {
+    return {
+      name: question.name,
+      type: 'TXT',
+      class: 'IN',
+      ttl: 300,
+      data: ['test'],
+    };
+  });
+
+  // Test unregistering
+  const result = dnsServer.unregisterHandler('*.bleu.de', ['A']);
+  expect(result).toEqual(true);
+  
+  // Verify handler is removed
+  // @ts-ignore - accessing private method for testing
+  const response = dnsServer.processDnsRequest({
+    type: 'query',
+    id: 1,
+    flags: 0,
+    questions: [
+      {
+        name: 'dnsly_a.bleu.de',
+        type: 'A',
+        class: 'IN',
+      },
+    ],
+    answers: [],
+  });
+  
+  // Should get SOA record instead of A record
+  expect(response.answers[0].type).toEqual('SOA');
+});
+
 tap.test('lets query over https', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  const httpsPort = getUniqueHttpsPort();
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: httpsPort,
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  dnsServer.registerHandler('*.bleu.de', ['A'], (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '127.0.0.1',
+    };
+  });
+
+  // Skip SSL verification for self-signed cert in tests
+  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+  
   const query = dnsPacket.encode({
     type: 'query',
     id: 2,
@@ -75,7 +390,7 @@ tap.test('lets query over https', async () => {
     ],
   });
 
-  const response = await fetch('https://localhost:8080/dns-query', {
+  const response = await fetch(`https://localhost:${httpsPort}/dns-query`, {
     method: 'POST',
     body: query,
     headers: {
@@ -98,9 +413,42 @@ tap.test('lets query over https', async () => {
     flush: false,
     data: '127.0.0.1',
   });
+  
+  // Reset TLS verification
+  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '1';
+  
+  // Clean up server
+  await stopServer(dnsServer);
+  dnsServer = null;
 });
 
 tap.test('lets query over udp', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  const udpPort = getUniqueUdpPort();
+  const httpsData = await tapNodeTools.createHttpsCert();
+  
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: udpPort,
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
+  
+  dnsServer.registerHandler('*.bleu.de', ['A'], (question) => {
+    return {
+      name: question.name,
+      type: 'A',
+      class: 'IN',
+      ttl: 300,
+      data: '127.0.0.1',
+    };
+  });
+
   const client = dgram.createSocket('udp4');
 
   const query = dnsPacket.encode({
@@ -128,7 +476,7 @@ tap.test('lets query over udp', async () => {
       client.close();
     });
 
-    client.send(query, 8081, 'localhost', (err) => {
+    client.send(query, udpPort, 'localhost', (err) => {
       if (err) {
         reject(err);
         client.close();
@@ -148,6 +496,125 @@ tap.test('lets query over udp', async () => {
     flush: false,
     data: '127.0.0.1',
   });
+  
+  // Clean up server
+  await stopServer(dnsServer);
+  dnsServer = null;
+});
+
+tap.test('should filter authorized domains correctly', async () => {
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: 8080,
+    udpPort: 8081,
+    dnssecZone: 'example.com',
+  });
+  
+  // Register handlers for specific domains
+  dnsServer.registerHandler('*.bleu.de', ['A'], () => null);
+  dnsServer.registerHandler('test.com', ['A'], () => null);
+  
+  // Test filtering authorized domains
+  const authorizedDomains = dnsServer.filterAuthorizedDomains([
+    'test.com',              // Should be authorized
+    'sub.test.com',          // Should not be authorized
+    '*.bleu.de',             // Pattern itself isn't a domain
+    'something.bleu.de',     // Should be authorized via wildcard pattern
+    'example.com',           // Should be authorized (dnssecZone)
+    'sub.example.com',       // Should be authorized (within dnssecZone)
+    'othersite.org'          // Should not be authorized
+  ]);
+  
+  // Using toContain with expect from tapbundle
+  expect(authorizedDomains.includes('test.com')).toEqual(true);
+  expect(authorizedDomains.includes('something.bleu.de')).toEqual(true);
+  expect(authorizedDomains.includes('example.com')).toEqual(true);
+  expect(authorizedDomains.includes('sub.example.com')).toEqual(true);
+  
+  expect(authorizedDomains.includes('sub.test.com')).toEqual(false);
+  expect(authorizedDomains.includes('*.bleu.de')).toEqual(false);
+  expect(authorizedDomains.includes('othersite.org')).toEqual(false);
+});
+
+tap.test('should retrieve SSL certificate successfully', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  // Create a temporary directory for the certificate test
+  const tempCertDir = path.join(process.cwd(), 'temp-certs');
+  if (!fs.existsSync(tempCertDir)) {
+    fs.mkdirSync(tempCertDir, { recursive: true });
+  }
+  
+  // Create a server with unique ports
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+  });
+  
+  // Register handlers for test domains
+  dnsServer.registerHandler('*.bleu.de', ['A'], () => null);
+  dnsServer.registerHandler('test.bleu.de', ['A'], () => null);
+  
+  await dnsServer.start();
+  
+  // Inject our mock for acme-client
+  (dnsServer as any).acmeClientOverride = acmeClientMock;
+  
+  try {
+    // Request certificate for domains
+    const result = await dnsServer.retrieveSslCertificate(
+      ['test.bleu.de', '*.bleu.de', 'unknown.org'],
+      {
+        email: 'test@example.com',
+        staging: true,
+        certDir: tempCertDir
+      }
+    );
+    
+    console.log('Certificate retrieval result:', {
+      success: result.success,
+      certLength: result.cert.length,
+      keyLength: result.key.length,
+    });
+    
+    expect(result.success).toEqual(true);
+    expect(result.cert.includes('BEGIN CERTIFICATE')).toEqual(true);
+    expect(typeof result.key === 'string').toEqual(true);
+    
+    // Check that certificate directory was created
+    expect(fs.existsSync(tempCertDir)).toEqual(true);
+    
+    // Verify TXT record handler was registered and then removed
+    // @ts-ignore - accessing private property for testing
+    const txtHandlerCount = dnsServer.handlers.filter(h => 
+      h.domainPattern.includes('_acme-challenge') && 
+      h.recordTypes.includes('TXT')
+    ).length;
+    
+    expect(txtHandlerCount).toEqual(0); // Should be removed after validation
+  } catch (err) {
+    console.error('Test error:', err);
+    throw err;
+  } finally {
+    // Clean up server and temporary cert directory
+    await stopServer(dnsServer);
+    dnsServer = null;
+    
+    if (fs.existsSync(tempCertDir)) {
+      const files = fs.readdirSync(tempCertDir);
+      for (const file of files) {
+        fs.unlinkSync(path.join(tempCertDir, file));
+      }
+      fs.rmdirSync(tempCertDir);
+    }
+  }
 });
 
 tap.test('should run for a while', async (toolsArg) => {
@@ -155,9 +622,26 @@ tap.test('should run for a while', async (toolsArg) => {
 });
 
 tap.test('should stop the server', async () => {
+  // Clean up any existing server
+  await stopServer(dnsServer);
+  
+  const httpsData = await tapNodeTools.createHttpsCert();
+  dnsServer = new smartdns.DnsServer({
+    httpsKey: httpsData.key,
+    httpsCert: httpsData.cert,
+    httpsPort: getUniqueHttpsPort(),
+    udpPort: getUniqueUdpPort(),
+    dnssecZone: 'example.com',
+  });
+  
+  await dnsServer.start();
   await dnsServer.stop();
-  // @ts-ignore
+  
-  expect(dnsServer.httpsServer).toBeFalsy();
+  // @ts-ignore - accessing private property for testing
+  expect(dnsServer.httpsServer).toEqual(null);
+  
+  // Clear the reference
+  dnsServer = null;
 });
 
 await tap.start();

ts_server/classes.dnssec.ts

@@ -0,0 +1,189 @@
+// Import necessary plugins from plugins.ts
+import * as plugins from './plugins.js';
+
+interface DnssecZone {
+  zone: string;
+  algorithm: 'ECDSA' | 'ED25519' | 'RSA';
+  keySize: number;
+  days: number;
+}
+
+interface DnssecKeyPair {
+  privateKey: string;
+  publicKey: string;
+}
+
+export class DnsSec {
+  private zone: DnssecZone;
+  private keyPair: DnssecKeyPair;
+  private ec?: plugins.elliptic.ec; // For ECDSA algorithms
+  private eddsa?: plugins.elliptic.eddsa; // For EdDSA algorithms
+
+  constructor(zone: DnssecZone) {
+    this.zone = zone;
+
+    // Initialize the appropriate cryptographic instance based on the algorithm
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        this.ec = new plugins.elliptic.ec('p256'); // Use P-256 curve for ECDSA
+        break;
+      case 'ED25519':
+        this.eddsa = new plugins.elliptic.eddsa('ed25519');
+        break;
+      case 'RSA':
+        // RSA implementation would go here
+        throw new Error('RSA algorithm is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    // Generate the key pair
+    this.keyPair = this.generateKeyPair();
+  }
+
+  private generateKeyPair(): DnssecKeyPair {
+    let privateKey: string;
+    let publicKey: string;
+
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        if (!this.ec) throw new Error('EC instance is not initialized.');
+        const ecKeyPair = this.ec.genKeyPair();
+        privateKey = ecKeyPair.getPrivate('hex');
+        publicKey = ecKeyPair.getPublic(false, 'hex'); // Uncompressed format
+        break;
+      case 'ED25519':
+        if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
+        const secret = plugins.crypto.randomBytes(32);
+        const edKeyPair = this.eddsa.keyFromSecret(secret);
+        privateKey = edKeyPair.getSecret('hex');
+        publicKey = edKeyPair.getPublic('hex');
+        break;
+      case 'RSA':
+        // RSA key generation would be implemented here
+        throw new Error('RSA key generation is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    return { privateKey, publicKey };
+  }
+
+  public getAlgorithmNumber(): number {
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        return 13; // ECDSAP256SHA256
+      case 'ED25519':
+        return 15;
+      case 'RSA':
+        return 8; // RSASHA256
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+  }
+
+  public signData(data: Buffer): Buffer {
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        if (!this.ec) throw new Error('EC instance is not initialized.');
+        const ecKeyPair = this.ec.keyFromPrivate(this.keyPair.privateKey, 'hex');
+        const ecSignature = ecKeyPair.sign(plugins.crypto.createHash('sha256').update(data).digest());
+        return Buffer.from(ecSignature.toDER());
+      
+      case 'ED25519':
+        if (!this.eddsa) throw new Error('EdDSA instance is not initialized.');
+        const edKeyPair = this.eddsa.keyFromSecret(Buffer.from(this.keyPair.privateKey, 'hex'));
+        // ED25519 doesn't need a separate hash function as it includes the hashing internally
+        const edSignature = edKeyPair.sign(data);
+        // Convert the signature to the correct format for Buffer.from
+        return Buffer.from(edSignature.toBytes());
+      
+      case 'RSA':
+        throw new Error('RSA signing is not yet implemented.');
+      
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+  }
+
+  private generateDNSKEY(): Buffer {
+    const flags = 256; // 256 indicates a Zone Signing Key (ZSK)
+    const protocol = 3; // Must be 3 according to RFC
+    const algorithm = this.getAlgorithmNumber();
+
+    let publicKeyData: Buffer;
+
+    switch (this.zone.algorithm) {
+      case 'ECDSA':
+        if (!this.ec) throw new Error('EC instance is not initialized.');
+        const ecPublicKey = this.ec.keyFromPublic(this.keyPair.publicKey, 'hex').getPublic();
+        const x = ecPublicKey.getX().toArrayLike(Buffer, 'be', 32);
+        const y = ecPublicKey.getY().toArrayLike(Buffer, 'be', 32);
+        publicKeyData = Buffer.concat([x, y]);
+        break;
+      case 'ED25519':
+        publicKeyData = Buffer.from(this.keyPair.publicKey, 'hex');
+        break;
+      case 'RSA':
+        // RSA public key extraction would go here
+        throw new Error('RSA public key extraction is not yet implemented.');
+      default:
+        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
+    }
+
+    // Construct the DNSKEY RDATA
+    const dnskeyRdata = Buffer.concat([
+      Buffer.from([flags >> 8, flags & 0xff]), // Flags (2 bytes)
+      Buffer.from([protocol]), // Protocol (1 byte)
+      Buffer.from([algorithm]), // Algorithm (1 byte)
+      publicKeyData, // Public Key
+    ]);
+
+    return dnskeyRdata;
+  }
+
+  private computeKeyTag(dnskeyRdata: Buffer): number {
+    // Key Tag calculation as per RFC 4034, Appendix B
+    let acc = 0;
+    for (let i = 0; i < dnskeyRdata.length; i++) {
+      acc += i & 1 ? dnskeyRdata[i] : dnskeyRdata[i] << 8;
+    }
+    acc += (acc >> 16) & 0xffff;
+    return acc & 0xffff;
+  }
+
+  private getDNSKEYRecord(): string {
+    const dnskeyRdata = this.generateDNSKEY();
+    const flags = 256;
+    const protocol = 3;
+    const algorithm = this.getAlgorithmNumber();
+    const publicKeyData = dnskeyRdata.slice(4); // Skip flags, protocol, algorithm bytes
+    const publicKeyBase64 = publicKeyData.toString('base64');
+
+    return `${this.zone.zone}. IN DNSKEY ${flags} ${protocol} ${algorithm} ${publicKeyBase64}`;
+  }
+
+  public getDSRecord(): string {
+    const dnskeyRdata = this.generateDNSKEY();
+    const keyTag = this.computeKeyTag(dnskeyRdata);
+    const algorithm = this.getAlgorithmNumber();
+    const digestType = 2; // SHA-256
+    const digest = plugins.crypto
+      .createHash('sha256')
+      .update(dnskeyRdata)
+      .digest('hex')
+      .toUpperCase();
+
+    return `${this.zone.zone}. IN DS ${keyTag} ${algorithm} ${digestType} ${digest}`;
+  }
+
+  public getKeyPair(): DnssecKeyPair {
+    return this.keyPair;
+  }
+
+  public getDsAndKeyPair(): { keyPair: DnssecKeyPair; dsRecord: string; dnskeyRecord: string } {
+    const dsRecord = this.getDSRecord();
+    const dnskeyRecord = this.getDNSKEYRecord();
+    return { keyPair: this.keyPair, dsRecord, dnskeyRecord };
+  }
+}

ts_server/classes.dnsserver.ts

@@ -1,16 +1,53 @@
 import * as plugins from './plugins.js';
+import { DnsSec } from './classes.dnssec.js';
+import * as dnsPacket from 'dns-packet';
 
-interface IDnsServerOptions {
+export interface IDnsServerOptions {
   httpsKey: string;
   httpsCert: string;
   httpsPort: number;
   udpPort: number;
+  dnssecZone: string;
 }
 
-interface IDnsHandler {
+export interface DnsAnswer {
+  name: string;
+  type: string;
+  class: string | number;
+  ttl: number;
+  data: any;
+}
+
+export interface IDnsHandler {
   domainPattern: string;
   recordTypes: string[];
-  handler: (question: plugins.dnsPacket.Question) => plugins.dnsPacket.Answer | null;
+  handler: (question: dnsPacket.Question) => DnsAnswer | null;
+}
+
+// Define types for DNSSEC records if not provided
+interface DNSKEYData {
+  flags: number;
+  algorithm: number;
+  key: Buffer;
+}
+
+interface RRSIGData {
+  typeCovered: string; // Changed to string to match dns-packet expectations
+  algorithm: number;
+  labels: number;
+  originalTTL: number;
+  expiration: number;
+  inception: number;
+  keyTag: number;
+  signerName: string;
+  signature: Buffer;
+}
+
+// Let's Encrypt related interfaces
+interface LetsEncryptOptions {
+  email?: string;
+  staging?: boolean;
+  certDir?: string;
 }
 
 export class DnsServer {
@@ -18,30 +55,395 @@ export class DnsServer {
   private httpsServer: plugins.https.Server;
   private handlers: IDnsHandler[] = [];
 
-  constructor(private options: IDnsServerOptions) {}
+  // DNSSEC related properties
+  private dnsSec: DnsSec;
+  private dnskeyRecord: DNSKEYData;
+  private keyTag: number;
+
+  constructor(private options: IDnsServerOptions) {
+    // Initialize DNSSEC
+    this.dnsSec = new DnsSec({
+      zone: options.dnssecZone,
+      algorithm: 'ECDSA', // You can change this based on your needs
+      keySize: 256,
+      days: 365,
+    });
+
+    // Generate DNSKEY and DS records
+    const { dsRecord, dnskeyRecord } = this.dnsSec.getDsAndKeyPair();
+
+    // Parse DNSKEY record into dns-packet format
+    this.dnskeyRecord = this.parseDNSKEYRecord(dnskeyRecord);
+    this.keyTag = this.computeKeyTag(this.dnskeyRecord);
+  }
 
   public registerHandler(
     domainPattern: string,
     recordTypes: string[],
-    handler: (question: plugins.dnsPacket.Question) => plugins.dnsPacket.Answer | null
+    handler: (question: dnsPacket.Question) => DnsAnswer | null
   ): void {
     this.handlers.push({ domainPattern, recordTypes, handler });
   }
 
-  private processDnsRequest(request: plugins.dnsPacket.Packet): plugins.dnsPacket.Packet {
+  // Unregister a specific handler
-    const response: plugins.dnsPacket.Packet = {
+  public unregisterHandler(domainPattern: string, recordTypes: string[]): boolean {
+    const initialLength = this.handlers.length;
+    this.handlers = this.handlers.filter(handler => 
+      !(handler.domainPattern === domainPattern && 
+        recordTypes.every(type => handler.recordTypes.includes(type)))
+    );
+    return this.handlers.length < initialLength;
+  }
+
+  /**
+   * Retrieve SSL certificate for specified domains using Let's Encrypt
+   * @param domainNames Array of domain names to include in the certificate
+   * @param options Configuration options for Let's Encrypt
+   * @returns Object containing certificate, private key, and success status
+   */
+  public async retrieveSslCertificate(
+    domainNames: string[],
+    options: LetsEncryptOptions = {}
+  ): Promise<{ cert: string; key: string; success: boolean }> {
+    // Default options
+    const opts = {
+      email: options.email || 'admin@example.com',
+      staging: options.staging !== undefined ? options.staging : false,
+      certDir: options.certDir || './certs'
+    };
+
+    // Create certificate directory if it doesn't exist
+    if (!plugins.fs.existsSync(opts.certDir)) {
+      plugins.fs.mkdirSync(opts.certDir, { recursive: true });
+    }
+
+    // Filter domains this server is authoritative for
+    const authorizedDomains = this.filterAuthorizedDomains(domainNames);
+    
+    if (authorizedDomains.length === 0) {
+      console.error('None of the provided domains are authorized for this DNS server');
+      return { cert: '', key: '', success: false };
+    }
+    
+    console.log(`Retrieving SSL certificate for domains: ${authorizedDomains.join(', ')}`);
+    
+    try {
+      // Allow for override in tests
+      // @ts-ignore - acmeClientOverride is added for testing purposes
+      const acmeClient = this.acmeClientOverride || await import('acme-client');
+      
+      // Generate or load account key
+      const accountKeyPath = plugins.path.join(opts.certDir, 'account.key');
+      let accountKey: Buffer;
+      
+      if (plugins.fs.existsSync(accountKeyPath)) {
+        accountKey = plugins.fs.readFileSync(accountKeyPath);
+      } else {
+        // Generate new account key
+        const { privateKey } = plugins.crypto.generateKeyPairSync('rsa', {
+          modulusLength: 2048,
+          publicKeyEncoding: { type: 'spki', format: 'pem' },
+          privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+        });
+        
+        accountKey = Buffer.from(privateKey);
+        plugins.fs.writeFileSync(accountKeyPath, accountKey);
+      }
+      
+      // Initialize ACME client
+      const client = new acmeClient.Client({
+        directoryUrl: opts.staging
+          ? acmeClient.directory.letsencrypt.staging
+          : acmeClient.directory.letsencrypt.production,
+        accountKey: accountKey
+      });
+      
+      // Create or update account
+      await client.createAccount({
+        termsOfServiceAgreed: true,
+        contact: [`mailto:${opts.email}`]
+      });
+      
+      // Create order for certificate
+      const order = await client.createOrder({
+        identifiers: authorizedDomains.map(domain => ({
+          type: 'dns',
+          value: domain
+        }))
+      });
+      
+      // Get authorizations
+      const authorizations = await client.getAuthorizations(order);
+      
+      // Track handlers to clean up later
+      const challengeHandlers: { domain: string; pattern: string }[] = [];
+      
+      // Process each authorization
+      for (const auth of authorizations) {
+        const domain = auth.identifier.value;
+        
+        // Get DNS challenge
+        const challenge = auth.challenges.find(c => c.type === 'dns-01');
+        if (!challenge) {
+          throw new Error(`No DNS-01 challenge found for ${domain}`);
+        }
+        
+        // Get key authorization and DNS record value
+        const keyAuthorization = await client.getChallengeKeyAuthorization(challenge);
+        const recordValue = this.getDnsRecordValueForChallenge(keyAuthorization);
+        
+        // Create challenge domain (where TXT record should be placed)
+        const challengeDomain = `_acme-challenge.${domain}`;
+        
+        console.log(`Setting up TXT record for ${challengeDomain}: ${recordValue}`);
+        
+        // Register handler for the TXT record
+        this.registerHandler(
+          challengeDomain,
+          ['TXT'],
+          (question: dnsPacket.Question): DnsAnswer | null => {
+            if (question.name === challengeDomain && question.type === 'TXT') {
+              return {
+                name: question.name,
+                type: 'TXT',
+                class: 'IN',
+                ttl: 300,
+                data: [recordValue]
+              };
+            }
+            return null;
+          }
+        );
+        
+        // Track the handler for cleanup
+        challengeHandlers.push({ domain, pattern: challengeDomain });
+        
+        // Wait briefly for DNS propagation
+        await new Promise(resolve => setTimeout(resolve, 2000));
+        
+        // Complete the challenge
+        await client.completeChallenge(challenge);
+        
+        // Wait for verification
+        await client.waitForValidStatus(challenge);
+        console.log(`Challenge for ${domain} validated successfully!`);
+      }
+      
+      // Generate certificate key
+      const domainKeyPath = plugins.path.join(opts.certDir, `${authorizedDomains[0]}.key`);
+      const { privateKey } = plugins.crypto.generateKeyPairSync('rsa', {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: 'spki', format: 'pem' },
+        privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
+      });
+      
+      plugins.fs.writeFileSync(domainKeyPath, privateKey);
+      
+      // Create CSR
+      // Define an interface for the expected CSR result structure
+      interface CSRResult {
+        csr: Buffer;
+      }
+      
+      // Use the forge.createCsr method and handle typing with a more direct approach
+      const csrResult = await acmeClient.forge.createCsr({
+        commonName: authorizedDomains[0],
+        altNames: authorizedDomains
+      }) as unknown as CSRResult;
+      
+      // Finalize the order with the CSR
+      await client.finalizeOrder(order, csrResult.csr);
+      
+      // Get certificate
+      const certificate = await client.getCertificate(order);
+      
+      // Save certificate
+      const certPath = plugins.path.join(opts.certDir, `${authorizedDomains[0]}.cert`);
+      plugins.fs.writeFileSync(certPath, certificate);
+      
+      // Update HTTPS server with new certificate
+      this.options.httpsCert = certificate;
+      this.options.httpsKey = privateKey;
+      
+      // Restart HTTPS server with new certificate
+      await this.restartHttpsServer();
+      
+      // Clean up challenge handlers
+      for (const handler of challengeHandlers) {
+        this.unregisterHandler(handler.pattern, ['TXT']);
+        console.log(`Cleaned up challenge handler for ${handler.domain}`);
+      }
+      
+      return {
+        cert: certificate,
+        key: privateKey,
+        success: true
+      };
+    } catch (error) {
+      console.error('Error retrieving SSL certificate:', error);
+      return { cert: '', key: '', success: false };
+    }
+  }
+
+  /**
+   * Create DNS record value for the ACME challenge
+   */
+  private getDnsRecordValueForChallenge(keyAuthorization: string): string {
+    // Create SHA-256 digest of the key authorization
+    const digest = plugins.crypto
+      .createHash('sha256')
+      .update(keyAuthorization)
+      .digest('base64')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=/g, '');
+    
+    return digest;
+  }
+
+  /**
+   * Restart the HTTPS server with the new certificate
+   */
+  private async restartHttpsServer(): Promise<void> {
+    return new Promise<void>((resolve, reject) => {
+      // First check if the server exists
+      if (!this.httpsServer) {
+        console.log('No HTTPS server to restart');
+        resolve();
+        return;
+      }
+
+      this.httpsServer.close(() => {
+        try {
+          // Validate certificate and key before trying to create the server
+          if (!this.options.httpsCert || !this.options.httpsKey) {
+            throw new Error('Missing certificate or key for HTTPS server');
+          }
+
+          // For testing, check if we have a mock certificate
+          if (this.options.httpsCert.includes('MOCK_CERTIFICATE')) {
+            console.log('Using mock certificate in test mode');
+            // In test mode with mock cert, we can use the original cert
+            // @ts-ignore - accessing acmeClientOverride for testing
+            if (this.acmeClientOverride) {
+              this.httpsServer = plugins.https.createServer(
+                {
+                  key: this.options.httpsKey,
+                  cert: this.options.httpsCert,
+                },
+                this.handleHttpsRequest.bind(this)
+              );
+              
+              this.httpsServer.listen(this.options.httpsPort, () => {
+                console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with test certificate`);
+                resolve();
+              });
+              return;
+            }
+          }
+
+          // Create the new server with the updated certificate
+          this.httpsServer = plugins.https.createServer(
+            {
+              key: this.options.httpsKey,
+              cert: this.options.httpsCert,
+            },
+            this.handleHttpsRequest.bind(this)
+          );
+          
+          this.httpsServer.listen(this.options.httpsPort, () => {
+            console.log(`HTTPS DNS server restarted on port ${this.options.httpsPort} with new certificate`);
+            resolve();
+          });
+        } catch (err) {
+          console.error('Error creating HTTPS server with new certificate:', err);
+          reject(err);
+        }
+      });
+    });
+  }
+
+  /**
+   * Filter domains to include only those the server is authoritative for
+   */
+  public filterAuthorizedDomains(domainNames: string[]): string[] {
+    const authorizedDomains: string[] = [];
+    
+    for (const domain of domainNames) {
+      // Handle wildcards (*.example.com)
+      if (domain.startsWith('*.')) {
+        const baseDomain = domain.substring(2);
+        if (this.isAuthorizedForDomain(baseDomain)) {
+          authorizedDomains.push(domain);
+        }
+      } 
+      // Regular domains
+      else if (this.isAuthorizedForDomain(domain)) {
+        authorizedDomains.push(domain);
+      }
+    }
+    
+    return authorizedDomains;
+  }
+
+  /**
+   * Check if the server is authoritative for a domain
+   */
+  private isAuthorizedForDomain(domain: string): boolean {
+    // Check if any handler matches this domain
+    for (const handler of this.handlers) {
+      if (plugins.minimatch.minimatch(domain, handler.domainPattern)) {
+        return true;
+      }
+    }
+    
+    // Also check if the domain is the DNSSEC zone itself
+    if (domain === this.options.dnssecZone || domain.endsWith(`.${this.options.dnssecZone}`)) {
+      return true;
+    }
+    
+    return false;
+  }
+
+  public processDnsRequest(request: dnsPacket.Packet): dnsPacket.Packet {
+    const response: dnsPacket.Packet = {
       type: 'response',
       id: request.id,
-      flags: plugins.dnsPacket.RECURSION_DESIRED | plugins.dnsPacket.RECURSION_AVAILABLE,
+      flags:
+        dnsPacket.AUTHORITATIVE_ANSWER |
+        dnsPacket.RECURSION_AVAILABLE |
+        (request.flags & dnsPacket.RECURSION_DESIRED ? dnsPacket.RECURSION_DESIRED : 0),
       questions: request.questions,
       answers: [],
+      additionals: [],
     };
 
+    const dnssecRequested = this.isDnssecRequested(request);
+
     for (const question of request.questions) {
       console.log(`Query for ${question.name} of type ${question.type}`);
 
       let answered = false;
 
+      // Handle DNSKEY queries if DNSSEC is requested
+      if (dnssecRequested && question.type === 'DNSKEY' && question.name === this.options.dnssecZone) {
+        const dnskeyAnswer: DnsAnswer = {
+          name: question.name,
+          type: 'DNSKEY',
+          class: 'IN',
+          ttl: 3600,
+          data: this.dnskeyRecord,
+        };
+        response.answers.push(dnskeyAnswer as plugins.dnsPacket.Answer);
+
+        // Sign the DNSKEY RRset
+        const rrsig = this.generateRRSIG('DNSKEY', [dnskeyAnswer], question.name);
+        response.answers.push(rrsig as plugins.dnsPacket.Answer);
+
+        answered = true;
+        continue;
+      }
+
       for (const handlerEntry of this.handlers) {
         if (
           plugins.minimatch.minimatch(question.name, handlerEntry.domainPattern) &&
@@ -49,7 +451,20 @@ export class DnsServer {
         ) {
           const answer = handlerEntry.handler(question);
           if (answer) {
-            response.answers.push(answer);
+            // Ensure the answer has ttl and class
+            const dnsAnswer: DnsAnswer = {
+              ...answer,
+              ttl: answer.ttl || 300,
+              class: answer.class || 'IN',
+            };
+            response.answers.push(dnsAnswer as plugins.dnsPacket.Answer);
+
+            if (dnssecRequested) {
+              // Sign the answer RRset
+              const rrsig = this.generateRRSIG(question.type, [dnsAnswer], question.name);
+              response.answers.push(rrsig as plugins.dnsPacket.Answer);
+            }
+
             answered = true;
             break;
           }
@@ -58,23 +473,206 @@ export class DnsServer {
 
       if (!answered) {
         console.log(`No handler found for ${question.name} of type ${question.type}`);
+        response.flags |= dnsPacket.AUTHORITATIVE_ANSWER;
+        const soaAnswer: DnsAnswer = {
+          name: question.name,
+          type: 'SOA',
+          class: 'IN',
+          ttl: 3600,
+          data: {
+            mname: `ns1.${this.options.dnssecZone}`,
+            rname: `hostmaster.${this.options.dnssecZone}`,
+            serial: Math.floor(Date.now() / 1000),
+            refresh: 3600,
+            retry: 600,
+            expire: 604800,
+            minimum: 86400,
+          },
+        };
+        response.answers.push(soaAnswer as plugins.dnsPacket.Answer);
       }
     }
 
     return response;
   }
 
+  private isDnssecRequested(request: dnsPacket.Packet): boolean {
+    if (!request.additionals) return false;
+    for (const additional of request.additionals) {
+      if (additional.type === 'OPT' && typeof additional.flags === 'number') {
+        // The DO bit is the 15th bit (0x8000)
+        if (additional.flags & 0x8000) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+
+  private generateRRSIG(
+    type: string,
+    rrset: DnsAnswer[],
+    name: string
+  ): DnsAnswer {
+    // Prepare RRSIG data
+    const algorithm = this.dnsSec.getAlgorithmNumber();
+    const keyTag = this.keyTag;
+    const signerName = this.options.dnssecZone.endsWith('.') ? this.options.dnssecZone : `${this.options.dnssecZone}.`;
+    const inception = Math.floor(Date.now() / 1000) - 3600; // 1 hour ago
+    const expiration = inception + 86400; // Valid for 1 day
+    const ttl = rrset[0].ttl || 300;
+
+    // Serialize the RRset in canonical form
+    const rrsetBuffer = this.serializeRRset(rrset);
+
+    // Sign the RRset
+    const signature = this.dnsSec.signData(rrsetBuffer);
+
+    // Construct the RRSIG record
+    const rrsig: DnsAnswer = {
+      name,
+      type: 'RRSIG',
+      class: 'IN',
+      ttl,
+      data: {
+        typeCovered: type, // Changed to type string
+        algorithm,
+        labels: name.split('.').length - 1,
+        originalTTL: ttl,
+        expiration,
+        inception,
+        keyTag,
+        signerName,
+        signature: signature,
+      },
+    };
+
+    return rrsig;
+  }
+
+  private serializeRRset(rrset: DnsAnswer[]): Buffer {
+    // Implement canonical DNS RRset serialization as per RFC 4034 Section 6
+    const buffers: Buffer[] = [];
+    for (const rr of rrset) {
+      if (rr.type === 'OPT') {
+        continue; // Skip OPT records
+      }
+
+      const name = rr.name.endsWith('.') ? rr.name : rr.name + '.';
+      const nameBuffer = this.nameToBuffer(name.toLowerCase());
+
+      const typeValue = this.qtypeToNumber(rr.type);
+      const typeBuffer = Buffer.alloc(2);
+      typeBuffer.writeUInt16BE(typeValue, 0);
+
+      const classValue = this.classToNumber(rr.class);
+      const classBuffer = Buffer.alloc(2);
+      classBuffer.writeUInt16BE(classValue, 0);
+
+      const ttlValue = rr.ttl || 300;
+      const ttlBuffer = Buffer.alloc(4);
+      ttlBuffer.writeUInt32BE(ttlValue, 0);
+
+      // Serialize the data based on the record type
+      const dataBuffer = this.serializeRData(rr.type, rr.data);
+
+      const rdLengthBuffer = Buffer.alloc(2);
+      rdLengthBuffer.writeUInt16BE(dataBuffer.length, 0);
+
+      buffers.push(Buffer.concat([nameBuffer, typeBuffer, classBuffer, ttlBuffer, rdLengthBuffer, dataBuffer]));
+    }
+    return Buffer.concat(buffers);
+  }
+
+  private serializeRData(type: string, data: any): Buffer {
+    // Implement serialization for each record type you support
+    switch (type) {
+      case 'A':
+        return Buffer.from(data.split('.').map((octet: string) => parseInt(octet, 10)));
+      case 'AAAA':
+        // Handle IPv6 addresses
+        return Buffer.from(data.split(':').flatMap((segment: string) => {
+          const num = parseInt(segment, 16);
+          return [num >> 8, num & 0xff];
+        }));
+      case 'TXT':
+        // Handle TXT records for ACME challenges
+        if (Array.isArray(data)) {
+          // Combine all strings and encode as lengths and values
+          const buffers = data.map(str => {
+            const strBuf = Buffer.from(str);
+            const lenBuf = Buffer.alloc(1);
+            lenBuf.writeUInt8(strBuf.length, 0);
+            return Buffer.concat([lenBuf, strBuf]);
+          });
+          return Buffer.concat(buffers);
+        }
+        return Buffer.alloc(0);
+      case 'DNSKEY':
+        const dnskeyData: DNSKEYData = data;
+        return Buffer.concat([
+          Buffer.from([dnskeyData.flags >> 8, dnskeyData.flags & 0xff]),
+          Buffer.from([3]), // Protocol field, always 3
+          Buffer.from([dnskeyData.algorithm]),
+          dnskeyData.key,
+        ]);
+      case 'SOA':
+        // Implement SOA record serialization if needed
+        // For now, return an empty buffer or handle as needed
+        return Buffer.alloc(0);
+      // Add cases for other record types as needed
+      default:
+        throw new Error(`Serialization for record type ${type} is not implemented.`);
+    }
+  }
+
+  private parseDNSKEYRecord(dnskeyRecord: string): DNSKEYData {
+    // Parse the DNSKEY record string into dns-packet format
+    const parts = dnskeyRecord.trim().split(/\s+/);
+    const flags = parseInt(parts[3], 10);
+    const algorithm = parseInt(parts[5], 10);
+    const publicKeyBase64 = parts.slice(6).join('');
+    const key = Buffer.from(publicKeyBase64, 'base64');
+
+    return {
+      flags,
+      algorithm,
+      key,
+    };
+  }
+
+  private computeKeyTag(dnskeyRecord: DNSKEYData): number {
+    // Compute key tag as per RFC 4034 Appendix B
+    const flags = dnskeyRecord.flags;
+    const algorithm = dnskeyRecord.algorithm;
+    const key = dnskeyRecord.key;
+
+    const dnskeyRdata = Buffer.concat([
+      Buffer.from([flags >> 8, flags & 0xff]),
+      Buffer.from([3]), // Protocol field, always 3
+      Buffer.from([algorithm]),
+      key,
+    ]);
+
+    let acc = 0;
+    for (let i = 0; i < dnskeyRdata.length; i++) {
+      acc += (i & 1) ? dnskeyRdata[i] : dnskeyRdata[i] << 8;
+    }
+    acc += (acc >> 16) & 0xffff;
+    return acc & 0xffff;
+  }
+
   private handleHttpsRequest(req: plugins.http.IncomingMessage, res: plugins.http.ServerResponse): void {
     if (req.method === 'POST' && req.url === '/dns-query') {
       let body: Buffer[] = [];
 
-      req.on('data', chunk => {
+      req.on('data', (chunk) => {
         body.push(chunk);
       }).on('end', () => {
         const msg = Buffer.concat(body);
-        const request = plugins.dnsPacket.decode(msg);
+        const request = dnsPacket.decode(msg);
         const response = this.processDnsRequest(request);
-        const responseData = plugins.dnsPacket.encode(response);
+        const responseData = dnsPacket.encode(response);
         res.writeHead(200, { 'Content-Type': 'application/dns-message' });
         res.end(responseData);
       });
@@ -95,9 +693,9 @@ export class DnsServer {
 
     this.udpServer = plugins.dgram.createSocket('udp4');
     this.udpServer.on('message', (msg, rinfo) => {
-      const request = plugins.dnsPacket.decode(msg);
+      const request = dnsPacket.decode(msg);
       const response = this.processDnsRequest(request);
-      const responseData = plugins.dnsPacket.encode(response);
+      const responseData = dnsPacket.encode(response);
       this.udpServer.send(responseData, rinfo.port, rinfo.address);
     });
 
@@ -108,6 +706,7 @@ export class DnsServer {
 
     const udpListeningDeferred = plugins.smartpromise.defer<void>();
     const httpsListeningDeferred = plugins.smartpromise.defer<void>();
+
     try {
       this.udpServer.bind(this.options.udpPort, '0.0.0.0', () => {
         console.log(`UDP DNS server running on port ${this.options.udpPort}`);
@@ -128,20 +727,78 @@ export class DnsServer {
   public async stop(): Promise<void> {
     const doneUdp = plugins.smartpromise.defer<void>();
     const doneHttps = plugins.smartpromise.defer<void>();
+    
+    if (this.udpServer) {
       this.udpServer.close(() => {
         console.log('UDP DNS server stopped');
+        if (this.udpServer) {
           this.udpServer.unref();
           this.udpServer = null;
+        }
         doneUdp.resolve();
       });
+    } else {
+      doneUdp.resolve();
+    }
 
+    if (this.httpsServer) {
       this.httpsServer.close(() => {
         console.log('HTTPS DNS server stopped');
+        if (this.httpsServer) {
           this.httpsServer.unref();
           this.httpsServer = null;
+        }
         doneHttps.resolve();
       });
+    } else {
+      doneHttps.resolve();
+    }
 
     await Promise.all([doneUdp.promise, doneHttps.promise]);
   }
+
+  // Helper methods
+
+  private qtypeToNumber(type: string): number {
+    const QTYPE_NUMBERS: { [key: string]: number } = {
+      'A': 1,
+      'NS': 2,
+      'CNAME': 5,
+      'SOA': 6,
+      'PTR': 12,
+      'MX': 15,
+      'TXT': 16,
+      'AAAA': 28,
+      'SRV': 33,
+      'DNSKEY': 48,
+      'RRSIG': 46,
+      // Add more as needed
+    };
+    return QTYPE_NUMBERS[type.toUpperCase()] || 0;
+  }
+
+  private classToNumber(cls: string | number): number {
+    const CLASS_NUMBERS: { [key: string]: number } = {
+      'IN': 1,
+      'CH': 3,
+      'HS': 4,
+      // Add more as needed
+    };
+    if (typeof cls === 'number') {
+      return cls;
+    }
+    return CLASS_NUMBERS[cls.toUpperCase()] || 1;
+  }
+
+  private nameToBuffer(name: string): Buffer {
+    const labels = name.split('.');
+    const buffers = labels.map(label => {
+      const len = Buffer.byteLength(label, 'utf8');
+      const buf = Buffer.alloc(1 + len);
+      buf.writeUInt8(len, 0);
+      buf.write(label, 1);
+      return buf;
+    });
+    return Buffer.concat([...buffers, Buffer.from([0])]); // Add root label
+  }
 }

ts_server/classes.dnstools.ts

@@ -1,83 +0,0 @@
-import * as plugins from './plugins.js';
-
-interface DnssecZone {
-  zone: string;
-  algorithm: string;
-  keySize: number;
-  days: number;
-}
-
-interface DnssecKeyPair {
-  private: string;
-  public: string;
-}
-
-class DnsSec {
-  private zone: DnssecZone;
-  private keyPair: DnssecKeyPair;
-  private ec: any; // declare the ec instance
-
-  constructor(zone: DnssecZone) {
-    this.zone = zone;
-    this.ec = new plugins.elliptic.ec('secp256k1'); // Create an instance of the secp256k1 curve
-    this.keyPair = this.generateKeyPair();
-  }
-
-  private generateKeyPair(): DnssecKeyPair {
-    const key = this.ec.genKeyPair();
-    const privatePem = key.getPrivate().toString('hex'); // get private key in hex format
-    // @ts-ignore
-    const publicPem = key.getPublic().toString('hex'); // get public key in hex format
-
-    return {
-      private: privatePem,
-      public: publicPem
-    };
-  }
-
-  private formatPEM(pem: string, type: string): string {
-    const start = `-----BEGIN ${type}-----`;
-    const end = `-----END ${type}-----`;
-
-    const formatted = [start];
-    for (let i = 0; i < pem.length; i += 64) {
-      formatted.push(pem.slice(i, i + 64));
-    }
-    formatted.push(end);
-    return formatted.join('\n');
-  }
-
-  public getDSRecord(): string {
-    const publicPem = this.keyPair.public;
-    const publicKey = this.ec.keyFromPublic(publicPem); // Create a public key from the publicPEM
-
-    const digest = publicKey.getPublic(); // get public point
-    return `DS {id} 8 {algorithm} {digest} {hash-algorithm}\n`
-      .replace('{id}', '256') // zone hash
-      .replace('{algorithm}', this.getAlgorithm())
-      .replace('{digest}', `0x${digest.getX()}${digest.getY()}`)
-      .replace('{hash-algorithm}', '2');
-  }
-
-  private getAlgorithm(): string {
-    switch (this.zone.algorithm) {
-      case 'ECDSA':
-        return '8';
-      case 'ED25519':
-        return '15';
-      case 'RSA':
-        return '1';
-      default:
-        throw new Error(`Unsupported algorithm: ${this.zone.algorithm}`);
-    }
-  }
-
-  public getKeyPair(): DnssecKeyPair {
-    return this.keyPair;
-  }
-
-  public getDsAndKeyPair(): [DnssecKeyPair, string] {
-    const dsRecord = this.getDSRecord();
-    return [this.keyPair, dsRecord];
-  }
-}

ts_server/plugins.ts

@@ -1,14 +1,18 @@
 // node native
+import crypto from 'crypto';
+import dgram from 'dgram';
 import fs from 'fs';
 import http from 'http';
 import https from 'https';
-import dgram from 'dgram';
+import * as path from 'path';
 
 export {
+  crypto,
   fs,
   http,
   https,
   dgram,
+  path,
 }
 
 // @push.rocks scope
@@ -19,7 +23,7 @@ export {
 }
 
 // third party
-import * as elliptic from 'elliptic';
+import elliptic from 'elliptic';
 import * as dnsPacket from 'dns-packet';
 import * as minimatch from 'minimatch';