Nmap Development mailing list archives
Re: DNSSEC NSEC howto
From: John Bond <john.r.bond () gmail com>
Date: Sat, 26 Feb 2011 13:34:58 +0100
On 26 February 2011 10:49, David Fifield <david () bamsoftware com> wrote:
I think you're right about this. (Except that ldns-walk is using $lasthostname0, not \001$lasthostname.) Section 6.1 of RFC 4034 says that 0.example.com precedes example0.com. And you're right that your method is finding the subdomains. This is clever and useful behavior. As I learned while studying your script, we need the "append 0" behavior sometimes too, namely when a complete subzone has been enumerated, because the final NSEC record will point back to the first name in the subzone. Then we append a zero to continue on in the parent zone. In my changes to your script I took advantage of this and displayed subzones with greater indentation.
This is actually something slightly different. this occurs when we have a delegated zone hosted on the same server. i.e. we have example.com which has a delegation for test.example.com however both zones are on the dns same server. when you step into test.example.com you actually start enumerating a new zone so you need to know when you have finished that zone and when to step back out. We use the fact that an A request for a delegated domain returns a no error state instead of nxdomain. We also do the same thing if we step into a delegated zone that isn't signed. _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSEC Enumeration script, (continued)
- Re: NSEC Enumeration script John Bond (Mar 15)
- Re: NSEC Enumeration script John Bond (Mar 17)
- Re: NSEC Enumeration script David Fifield (Mar 17)
- Re: NSEC Enumeration script John Bond (Mar 17)
- Re: NSEC Enumeration script John Bond (Mar 17)
- Re: NSEC Enumeration script John Bond (Mar 17)
- DNSSEC NSEC howto David Fifield (Feb 24)
- Re: DNSSEC NSEC howto John Bond (Feb 25)
- Re: DNSSEC NSEC howto John Bond (Feb 25)
- Re: DNSSEC NSEC howto David Fifield (Feb 26)
- Re: DNSSEC NSEC howto John Bond (Feb 26)
- Re: DNSSEC NSEC howto John Bond (Feb 25)