Nmap Development mailing list archives
Re: DNSSEC NSEC howto
From: David Fifield <david () bamsoftware com>
Date: Sat, 26 Feb 2011 01:49:02 -0800
On Fri, Feb 25, 2011 at 10:31:34PM +0100, John Bond wrote:
> On 25 February 2011 09:50, John Bond <john.r.bond () gmail com> wrote:
>> On 25 February 2011 05:31, David Fifield <david () bamsoftware com> wrote:
>>> I would be interested to see what people's experiences are with this
>>
>> When testing on a complex zone my script seems to find more entries,
>> i.e. on the zone I'm testing my script gets 2612 results, ldns-walk gets
>> 1725. I think I know why this is but will have to check the ldns source
>> tonight
>
> Yes, this is because they walk the zone differently. I assume that the
> next zone to check should be 1.$lasthostname; ldns-walk has
> \001$lasthostname, i.e. no dot. Basically I do something similar to ldns
> if my thing doesn't work and I think ldns does the opposite. The method I
> use means I get a lot more subdomain information.
I think you're right about this. (Except that ldns-walk is using $lasthostname0, not \001$lasthostname.) Section 6.1 of RFC 4034 says that 0.example.com precedes example0.com. And you're right that your method is finding the subdomains. This is clever and useful behavior.

As I learned while studying your script, we need the "append 0" behavior sometimes too, namely when a complete subzone has been enumerated, because the final NSEC record will point back to the first name in the subzone. Then we append a zero to continue on in the parent zone. In my changes to your script I took advantage of this and displayed subzones with greater indentation.

David Fifield
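The ordering rule cited in the message above (RFC 4034, section 6.1), as an added example that is not part of the original post or of the Nmap script. It models which NSEC record covers each kind of probe name on two constructed zones. The zone contents, the function names, and the reading of "append 0" as appending to the leftmost label are assumptions.

```python
# Added example: RFC 4034 section 6.1 canonical ordering on constructed zones.
# Assumes plain ASCII labels with no escaped characters.

def canonical_key(name):
    """Labels lowercased and compared right to left as byte strings."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def covering_nsec(zone, probe):
    """Return (owner, next) for the NSEC record whose span contains probe.

    Each name links to its canonical successor; the last name in the zone
    links back to the first (the zone apex).
    """
    names = sorted(zone, key=canonical_key)
    key = canonical_key(probe)
    # Index of the last name sorting at or before the probe; -1 selects the
    # wrap-around record when the probe sorts before every name.
    idx = max((i for i, n in enumerate(names) if canonical_key(n) <= key),
              default=-1)
    return names[idx], names[(idx + 1) % len(names)]

def prepend_label(name):
    """Probe of the form 1.$lasthostname (a name below the last one)."""
    return "1." + name

def append_zero(name):
    """Probe with 0 appended to the leftmost label (assumed reading)."""
    first, _, rest = name.partition(".")
    return first + "0." + rest

# Constructed zones: mail.example.com is a separately signed subzone.
PARENT = ["example.com", "a.example.com", "mail.example.com", "www.example.com"]
CHILD = ["mail.example.com", "x.mail.example.com"]

if __name__ == "__main__":
    for zone, probe in [
        (CHILD, prepend_label("mail.example.com")),    # lands inside the subzone
        (CHILD, prepend_label("x.mail.example.com")),  # last record wraps to apex
        (PARENT, append_zero("mail.example.com")),     # continues in the parent
    ]:
        print(probe, "->", covering_nsec(zone, probe))
```

Zone operators who do not want this ordering to expose names typically sign with NSEC3, which chains hashed owner names instead of the names themselves.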