[DNS] add AD Flag support for DNSSEC to allow DANE usage

### What is the problem this feature will solve?

With ef91595e2fc1f96b7c8eb51bfcc1408a5adaa4a9 in PR https://github.com/nodejs/node/pull/52983 related to issue https://github.com/nodejs/node/issues/39569 you added support for TLSA resource records via `dns.resolve` .
This was done with the intention to support DANE.
However, to correctly make use of DANE, the records need to be DNSSEC validated.

Currently there is no possibility to validate DNSSEC via the given API.

As example, the following code (currently a [nightly](https://nodejs.org/download/nightly/v24.0.0-nightly20250220f6ce48636b/) build)
```
dns.resolveTlsa("_443._tcp.fedoraproject.org", (error, result) => {
	console.log(result)
})
```
 generates the following response
```
[
  {
    certUsage: 3,
    selector: 1,
    match: 1,
    data: ArrayBuffer {
      [Uint8Contents]: <09 ca 10 dd 09 f1 24 a2 26 3a a8 cc 49 12 fd a8 59 2f 40 cc ab 90 b6 10 ae 84 01 01 a9 1a eb c0>,
      byteLength: 32
    }
  }
]
```


Thus, as next step for the DANE implementation, this feature request aims to add information to above response of `dns.resolve`, about if the records have been validated by the resolver.
This allows to use technology relying on DNSSEC, such as TLSA records for DANE.

### What is the feature you are proposing to solve the problem?

As DNSSEC does not protect the path between client and resolver by design, we can make use of the AD bit: [RFC 6840 Section 5.7](https://datatracker.ietf.org/doc/html/rfc6840#section-5.7)  and [RFC 6840 Section 5.8](https://datatracker.ietf.org/doc/html/rfc6840#section-5.8) 

According to above mentioned RFC6840, the AD bit should be set in the query to indicate that node is going to honor the AD bit in the response. Then, the AD bit in the reply should be propagated to the returned contents of `dns.resolve`

If this request is included we can get to the next step of checking TLSA records within TLS certificate verification.


### What alternatives have you considered?

In https://github.com/nodejs/node/issues/39569 @bradh352 mentioned the [DO bit (RFC 6840 Section 5.6)](https://datatracker.ietf.org/doc/html/rfc6840#section-5.6) and [RFC 3225 Section 3](https://datatracker.ietf.org/doc/html/rfc3225#section-3), however as I read it, the setting the DO bit indicates that the client can understand DNSSEC related records. Thus, the resolver is going to attach RRSIG, etc. for validation on the client side.
In contrast, the DO bit should be set to 0 to indicate that node is unprepared to handle DNSSEC RR.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DNS] add AD Flag support for DNSSEC to allow DANE usage #57159

What is the problem this feature will solve?

What is the feature you are proposing to solve the problem?

What alternatives have you considered?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development