Re: NSEC Enumeration script

[John Bond <john.r.bond () gmail com>]

On 25 March 2011 05:49, David Fifield <david () bamsoftware com> wrote:
> Thanks, I added your latest changes. In the development branch I'm
> trying to understand the rest of the new code in dns.lua. I've deleted
> decoders and answerFetchers that we don't use yet. I have a few
> remaining specific questions:
>
> What is going on here? What do the numbers 255, 46, 47, 48, and 50 mean?
> Can you provide references to specifications that define them? This
> piece of code could use a comment to say what it's doing.
Yes this was something i put in to deal with ANY queries which is what
the 255 represents.  the other list of numbers are DNSSEC records
which the use would not be interested in receiving you should be able
to work out what they are by looking at the types array of the top of
my head i think its
46 = RRSIG
47 = NSEC
48 = DNSKEY
50 = NSEC3


following on from that the code builds an array of unique array of
types we are intrested in and calls the answer fetcher for each.  the
reason it follows this logic is because if there are two A records in
the answer section we dont want to call answerFetcher['A'](dec,
retAll) twice because calling it onse will return both packets.

So if we have an ANY query;
  ignore any DNSSEC info (43 (DS) should probably be added here
although if you have remove al the answer-fetchers that are not needed
this check can probably be removed )
 build an array of unique types;
 call answer fetcher for each type in the array

the way i do my sorting is a bit sloppy.  i will take a look at how
your have cleaned up previous code and try and clean up this

> To me it looks like this was a typo in the first place. I think it
> should have been 'type(dtype) == "nil"', not 'type(dtype) or "nil"'. Why
> did you need to add the extra "or dtype"?
The or nil was already there so it that the function doesn't bail if
dtype is junk.  i added the extra dytpe because if the dytpe was not a
string then the function would print out the type i.e. int of dtype
but i actually wanted to know the number.  TBH if i had writtent this
from scratch i would have probably just done
stdnse.print_debug(1, "dns.findNiceAnswer() does not have an
answerFetcher for dtype %s",dtype)

> How is this being used? Where does it make sense to have findNiceAnswer
> return false but also do the extra work to fetch an NSEC record? What
> makes NSEC special in this block of code?
NSEC and NSEC3 are proof of none existence i.e. by there nature they
are saying this query failed. if there is an NSEC record in the
*additional* section there will be no records in the answer section
and the code should return false


> Why did you have to define any ANY (type 255) decoder? Is this
> compatible with other potential uses of ANY outside of DNSSEC?
TBH i dont think i use it anywhere anymore do i.  i played around with
using different types in the enumerate script to see if it made any
difference.  I didn't notice anything.  Although it is nice to have
and could probably be put to better use in scripts like
dns-cache-snoop.  i.e. if you are trying to get as much information as
possible from a dns server then any is the best way to do it.  However
i think it can be removed as i dont think im using it

Well i am away on training course next week so not sure if i will have
a chance to look at this until the week after but let me know if you
have any further questions
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/