Nmap Development mailing list archives
Re: NSEC Enumeration script
From: David Fifield <david () bamsoftware com>
Date: Mon, 14 Mar 2011 23:27:13 -0700
On Wed, Mar 09, 2011 at 10:59:03PM +0100, John Bond wrote:
> On 1 March 2011 01:15, David Fifield <david () bamsoftware com> wrote:
>> Thanks, I tried the domain you gave me and got an infinite loop on a wildcard too. I edited the script to check for an NSEC record before checking whether the query succeeded, and also made it use the lower-level retPkt structures to get at the extra information we need. It stopped the loop in this case, at least. Please give r22408 in /nmap-exp/david/nmap-nsec.
>
> OK, finally got round to looking at this, and it definitely looks better using raw packets; however, I came across a few issues in the latest version.
>
> The first issue was if the NSEC records come in an order that is unexpected, i.e. the first record in the response is z.example.com and the second is a.example.com. The way the script was written meant it always used the last NSEC record. I don't think NSEC records necessarily need to be served in lexicographic order, and I have come across situations where they don't.
>
> The second was if the script came across a sub domain that wasn't signed. This caused the script to exit at that point instead of bumping the domain.
>
> I think the attached patch should resolve these.

Thanks for testing it and for this new patch. I tried it, but I hit an infinite loop on the very last name. I think it's because the last NSEC record points backwards to the first name in the subzone. In r22589 I changed get_next_nsec to look for an NSEC record that brackets a given domain name, with the dname on the left and name on the right. It works for me, but please give it a try.

This is looking really good! I think it's almost ready to merge. The last thing is I'd like the library interface to be cleaned up. In particular, I want dnssec_query to be removed or made a wrapper around a more fundamental function. Could some NSE library experts maybe make comments on how best to do this? The changes so far to the library are

    svn diff -r 22369:22589 svn://svn.insecure.org/nmap-exp/david/nmap-nsec/nselib | less

Also, this is minor, but please fix the errors from a search and replace of "ds". The word "records" got turned into e.g. "recornsec3" and "recordnskey".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
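
The record selection discussed in this message, as an added example that is not part of the original post and is not the code from r22589: it picks the bracketing NSEC record by canonical DNS name order regardless of response order, and flags the last record that points back to the first name. The field names `owner` and `next`, the function names and the sample records are assumptions constructed for illustration.

```lua
-- Added example; field names, function names and sample records are constructed.

-- Split a name into lowercase labels, most significant (rightmost) first.
local function labels(name)
  local t = {}
  for label in name:lower():gmatch("[^.]+") do
    table.insert(t, 1, label)
  end
  return t
end

-- RFC 4034 canonical order: compare labels right to left; a name that runs
-- out of labels first (a parent) sorts before its children. Returns -1, 0, 1.
-- Labels use Lua's string order, which is byte-wise in the C locale.
local function canonical_cmp(a, b)
  local la, lb = labels(a), labels(b)
  for i = 1, math.max(#la, #lb) do
    if la[i] == nil then return -1 end
    if lb[i] == nil then return 1 end
    if la[i] ~= lb[i] then return la[i] < lb[i] and -1 or 1 end
  end
  return 0
end

-- Return the NSEC record that brackets `name` (owner <= name < next),
-- whatever order the records arrived in. The last record of a zone points
-- back to the first name (owner >= next); it is returned with wraps = true.
local function bracketing_nsec(records, name)
  for _, r in ipairs(records) do
    local wraps = canonical_cmp(r.owner, r.next) >= 0
    local after_owner = canonical_cmp(r.owner, name) <= 0
    local before_next = canonical_cmp(name, r.next) < 0
    if (wraps and (after_owner or before_next))
        or (not wraps and after_owner and before_next) then
      return r, wraps
    end
  end
  return nil, false
end

-- Constructed response: the wrap-around record happens to come first.
local response = {
  { owner = "z.example.com", next = "example.com" },
  { owner = "a.example.com", next = "mail.example.com" },
}
for _, q in ipairs({ "b.example.com", "zz.example.com" }) do
  local r, wraps = bracketing_nsec(response, q)
  print(q, r.owner, r.next, wraps)
end
```

A loop that follows `next` without checking `wraps` returns to the first name and never terminates, which is the behaviour reported above for the very last name.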