Nmap Development mailing list archives
Re: NSEC Enumeration script
From: John Bond <john.r.bond () gmail com>
Date: Fri, 25 Mar 2011 10:22:36 +0100
On 25 March 2011 05:49, David Fifield <david () bamsoftware com> wrote:
Thanks, I added your latest changes. In the development branch I'm trying to understand the rest of the new code in dns.lua. I've deleted decoders and answerFetchers that we don't use yet. I have a few remaining specific questions: What is going on here? What do the numbers 255, 46, 47, 48, and 50 mean? Can you provide references to specifications that define them? This piece of code could use a comment to say what it's doing.
Yes, this was something I put in to deal with ANY queries, which is what the 255 represents. The other list of numbers are DNSSEC records which the user would not be interested in receiving; you should be able to work out what they are by looking at the types array. Off the top of my head I think it's 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3. Following on from that, the code builds an array of unique types we are interested in and calls the answer fetcher for each. The reason it follows this logic is because if there are two A records in the answer section we don't want to call answerFetcher['A'](dec, retAll) twice, because calling it once will return both packets. So if we have an ANY query: ignore any DNSSEC info (43 (DS) should probably be added here, although if you have removed all the answer-fetchers that are not needed this check can probably be removed); build an array of unique types; call the answer fetcher for each type in the array. The way I do my sorting is a bit sloppy. I will take a look at how you have cleaned up previous code and try and clean this up.
To me it looks like this was a typo in the first place. I think it should have been 'type(dtype) == "nil"', not 'type(dtype) or "nil"'. Why did you need to add the extra "or dtype"?
The 'or nil' was already there so that the function doesn't bail if dtype is junk. I added the extra dtype because if the dtype was not a string then the function would print out the type (i.e. int) of dtype, but I actually wanted to know the number. TBH, if I had written this from scratch I would have probably just done stdnse.print_debug(1, "dns.findNiceAnswer() does not have an answerFetcher for dtype %s", dtype)
How is this being used? Where does it make sense to have findNiceAnswer return false but also do the extra work to fetch an NSEC record? What makes NSEC special in this block of code?
NSEC and NSEC3 are proof of non-existence, i.e. by their nature they are saying this query failed. If there is an NSEC record in the *additional* section there will be no records in the answer section and the code should return false.
Why did you have to define any ANY (type 255) decoder? Is this compatible with other potential uses of ANY outside of DNSSEC?
TBH I don't think I use it anywhere anymore, do I? I played around with using different types in the enumerate script to see if it made any difference. I didn't notice anything. Although it is nice to have and could probably be put to better use in scripts like dns-cache-snoop, i.e. if you are trying to get as much information as possible from a DNS server then ANY is the best way to do it. However, I think it can be removed as I don't think I'm using it.

Well, I am away on a training course next week so I'm not sure if I will have a chance to look at this until the week after, but let me know if you have any further questions.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
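A stand-alone model of the two behaviours discussed in this message: the ANY-query path that drops DNSSEC types, reduces the answer section to its remaining unique types and calls each answer fetcher exactly once even when a type appears several times, and the NSEC/NSEC3 negative-answer path that returns false. This is an added example in Python, not the nmap dns.lua code the thread is about; the sample responses, the fetcher layout and the names (find_nice_answer, is_signed_denial, unique_types, fetch_calls) are constructed for illustration. One caveat: RFC 4035 section 3.1.3 places the NSEC or NSEC3 records that prove a name or type does not exist in the authority section of the response, so that is the section the example checks.

```python
from collections import namedtuple

# One resource record: owner name, numeric type, rdata as a display string.
RR = namedtuple("RR", "name rtype rdata")

# Resource record type codes from the IANA DNS parameters registry.
A, NS, CNAME, SOA, MX, TXT, AAAA = 1, 2, 5, 6, 15, 16, 28
DS, RRSIG, NSEC, DNSKEY, NSEC3, ANY = 43, 46, 47, 48, 50, 255

# DNSSEC types an enumeration script does not want surfaced from an ANY
# response (DS included, as the message suggests).
DNSSEC_TYPES = frozenset({DS, RRSIG, NSEC, DNSKEY, NSEC3})
# Types whose presence in the authority section is a signed denial.
DENIAL_TYPES = frozenset({NSEC, NSEC3})

# Log of fetcher calls, so the "called once per type" rule can be checked
# (constructed for this example, not part of any real fetcher API).
fetch_calls = []


def make_fetcher(rtype):
    """Build an answer fetcher: one call returns every RR of that type."""
    def fetcher(answers, ret_all):
        fetch_calls.append(rtype)
        data = [rr.rdata for rr in answers if rr.rtype == rtype]
        return data if ret_all else data[:1]
    return fetcher


ANSWER_FETCHERS = {t: make_fetcher(t) for t in (A, NS, CNAME, SOA, MX, TXT, AAAA)}


def unique_types(answers, drop=DNSSEC_TYPES):
    """Unique record types in first-seen order, with DNSSEC types dropped."""
    seen, out = set(), []
    for rr in answers:
        if rr.rtype in drop or rr.rtype in seen:
            continue
        seen.add(rr.rtype)
        out.append(rr.rtype)
    return out


def is_signed_denial(response):
    """Empty answer section plus NSEC/NSEC3 in authority: proof of non-existence."""
    if response.get("answer"):
        return False
    return any(rr.rtype in DENIAL_TYPES for rr in response.get("authority", []))


def find_nice_answer(response, qtype, ret_all=False):
    """
    Return {rtype: [rdata, ...]} for the useful records in the answer
    section, or False when there is nothing to return. An ANY query fans
    out to one fetcher call per remaining unique type; any other query
    uses the fetcher for that type only.
    """
    if is_signed_denial(response):
        return False
    answers = response.get("answer", [])
    if not answers:
        return False
    types = unique_types(answers) if qtype == ANY else [qtype]
    result = {}
    for dtype in types:
        fetcher = ANSWER_FETCHERS.get(dtype)
        if fetcher is None:
            # Report the type number itself, which is what the message wanted to see.
            print("dns.findNiceAnswer() does not have an answerFetcher for dtype %s" % dtype)
            continue
        data = fetcher(answers, ret_all)
        if data:
            result[dtype] = data
    return result or False


# Constructed ANY response for a signed zone (not a real capture): two A
# records and one MX, with DNSSEC material mixed in between them.
SAMPLE_ANY = {
    "answer": [
        RR("example.com", A, "192.0.2.1"),
        RR("example.com", RRSIG, "A 8 2 3600 <signature>"),
        RR("example.com", A, "192.0.2.2"),
        RR("example.com", MX, "10 mail.example.com"),
        RR("example.com", NSEC, "www.example.com A MX RRSIG NSEC DNSKEY"),
        RR("example.com", DNSKEY, "257 3 8 <public key>"),
    ],
    "authority": [],
    "additional": [],
}

# Constructed negative response: empty answer section, NSEC proof in authority.
SAMPLE_DENIAL = {
    "answer": [],
    "authority": [
        RR("example.com", SOA, "ns1.example.com hostmaster.example.com 2011032501 7200 3600 1209600 3600"),
        RR("example.com", NSEC, "www.example.com A MX RRSIG NSEC DNSKEY"),
        RR("example.com", RRSIG, "NSEC 8 2 3600 <signature>"),
    ],
    "additional": [],
}

if __name__ == "__main__":
    print(find_nice_answer(SAMPLE_ANY, ANY, ret_all=True))  # {1: ['192.0.2.1', '192.0.2.2'], 15: ['10 mail.example.com']}
    print(find_nice_answer(SAMPLE_DENIAL, A))                # False
```

The fetcher is handed the whole answer section and returns every record of its type in one call, which is why the dispatch loop runs over the deduplicated type list rather than over the records themselves: two A records produce one fetcher call, not two.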