Nmap Development mailing list archives
Re: NSEC Enumeration script
From: David Fifield <david () bamsoftware com>
Date: Sat, 26 Feb 2011 08:40:46 -0800
On Sat, Feb 26, 2011 at 08:27:20AM -0800, David Fifield wrote:
On Sat, Feb 26, 2011 at 01:11:34PM +0100, John Bond wrote:On 26 February 2011 10:27, David Fifield <david () bamsoftware com> wrote:The script and the library hanges are getting closer to being accepted. I still have doubts about the interface of dns.dnssec_query. In the first place, it would be better if the DNSSEC queries could be made using the same top-level function as other DNS queries--is DNSSEC really so different that it needs a different interface? > I don't mind having a convenience wrapper for DNSSEC, but it should call the same underlying function as other queries.not at all, i originally added all of this functionality to the normal query fuction but i started to worry it might make other scripts incompatible. the main difference is dnssec_query has an extra return 'rPkt.dnssec' which indicates if the server responded with dnssec. I also use the host.ip instead of trying to use the system however this is probably because of what im trying to do and could be set else where. edns is on by default but i think this should also be an option for the query function. Finnaly you would need another option in query to request dnssec and that might be it.It's possible that dns.query isn't general enough or doesn't return enough information. If so, the way I'd like it to be handled is to write a new, more generic query function, then have dns.query call it (throwing away information to keep a compatible interface). The DNSSEC code will call this more generic function directly or through another wrapper. I don't think that the DNSSEC support flag is important enough to justify being a return value. It would be better for the caller to check the AD flag (which means the generic function will have to provide access to it).
Or maybe better, the caller can do the same check that dns.lua is doing now: if auth.NSEC or auth.RRSIG or auth.DNSKEY or auth.DS or auth.NSEC3 then pkt.dnssec = true end Dealing with retPkt-level objects is also reasonable for a low-level script like this. David Fifield _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Re: NSEC Enumeration script, (continued)
- Re: NSEC Enumeration script Patrik Karlsson (Feb 09)
- Re: NSEC Enumeration script John Bond (Feb 09)
- Re: NSEC Enumeration script John Bond (Feb 10)
- Re: NSEC Enumeration script Patrik Karlsson (Feb 10)
- Re: NSEC Enumeration script John Bond (Feb 15)
- Re: NSEC Enumeration script John Bond (Feb 24)
- Re: NSEC Enumeration script David Fifield (Feb 26)
- Re: NSEC Enumeration script John Bond (Feb 26)
- Re: NSEC Enumeration script John Bond (Feb 26)
- Re: NSEC Enumeration script David Fifield (Feb 26)
- Re: NSEC Enumeration script David Fifield (Feb 26)
- Re: NSEC Enumeration script John Bond (Feb 26)
- Re: NSEC Enumeration script John Bond (Feb 26)
- Re: NSEC Enumeration script David Fifield (Feb 26)
- Re: NSEC Enumeration script David Fifield (Feb 28)
- Re: NSEC Enumeration script John Bond (Mar 09)
- Re: NSEC Enumeration script David Fifield (Mar 14)
- Re: NSEC Enumeration script Patrik Karlsson (Mar 15)
- Re: NSEC Enumeration script John Bond (Mar 15)
- Re: NSEC Enumeration script David Fifield (Mar 15)
- Re: NSEC Enumeration script John Bond (Mar 15)