I'm building some web analytics tools, but I'm having some difficulty checking DNSSEC compliance in a NodeJS application. None of the DNSSEC record types seem to be accepted by the dns module in the standard library. I'm attempting to look up rrsig, ds, nsec, nsec3 but the docs do not list them as valid rrtypes to resolve. Is it possible to do this with NodeJS?
Unless you're planning on implementing DNSSEC validation in Javascript (good luck with that!) you're going to be dependent on some external validator to indicate valid, invalid, or insecure (DNSSEC not configured). The largest DNSSEC validator in the world in Google Public DNS (better known as 8.8.8.8), and they conveniently have added an HTTPS-based API that should be pretty easy to use from your Node.js code (the API responses are JSON).
You can check for successful resolution with and without &cd=1 parameter to disable DNSSEC validation:
The only downside for this is that these are remote web API calls, but even with a local validating resolver you are depending on remote DNS queries, so there's not so much difference (except for caching).
If you want to generate diagnostics about specific problems with invalid DNSSEC configurations, you'll need to query for the DNSSEC-specific record types directly (this works for DS, DNSKEY, NSEC, NSEC3, NSEC3PARAM, and RRSIG - but you will have to generate the NSEC3 hash name using NSEC3PARAM data yourself, which will be painful)