Re: DNSSEC NSEC howto

[David Fifield <david () bamsoftware com>]

On Fri, Feb 25, 2011 at 10:31:34PM +0100, John Bond wrote:
> On 25 February 2011 09:50, John Bond <john.r.bond () gmail com> wrote:
> > On 25 February 2011 05:31, David Fifield <david () bamsoftware com> wrote:
> > I would be interested to see What peoples experiences are with this
> > When testing on a complex zone my script seems to find more entries.
> > i.e. on the zone im testing my script gets 2612 results ldns-walk gets
> > 1725.  I think i know why this is but will have to check the ldns
> > source tonight
>
> Yes this is because they walk the zone differently i assume that
> the next zone to check should be 1.$lasthostname ldns-walk has \001$lasthostname
> i.e. no dot.  basically i do something similar to ldns if my thing
> dosn't work and i think
> ldns does the opposite.  The method i use means i get a lot more sub
> domain information.

I think you're right about this. (Except that ldns-walk is using
$lasthostname0, not \001$lasthostname.) Section 6.1 of RFC 4034 says
that 0.example.com precedes example0.com. And you're right that your
method is finding the subdomains. This is clever and useful behavior.

As I learned while studying your script, we need the "append 0" behavior
sometimes too, namely when a complete subzone has been enumerated,
because the final NSEC record will point back to the first name in the
subzone. Then we append a zero to continue on in the parent zone. In my
changes to your script I took advantage of this and displayed subzones
with greater indentation.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/