Nmap Development mailing list archives

Re: NSEC Enumeration script
From: David Fifield <david () bamsoftware com>
Date: Sat, 26 Feb 2011 08:40:46 -0800

On Sat, Feb 26, 2011 at 08:27:20AM -0800, David Fifield wrote:
On Sat, Feb 26, 2011 at 01:11:34PM +0100, John Bond wrote:
On 26 February 2011 10:27, David Fifield <david () bamsoftware com> wrote:
The script and the library changes are getting closer to being accepted.
I still have doubts about the interface of dns.dnssec_query. In the
first place, it would be better if the DNSSEC queries could be made
using the same top-level function as other DNS queries--is DNSSEC really
so different that it needs a different interface? I don't mind having a
convenience wrapper for DNSSEC, but it should call the same underlying
function as other queries.

Not at all, I originally added all of this functionality to the normal
query function but I started to worry it might make other scripts
incompatible.  The main difference is dnssec_query has an extra return
'rPkt.dnssec' which indicates if the server responded with DNSSEC.  I
also use the host.ip instead of trying to use the system; however, this
is probably because of what I'm trying to do and could be set
elsewhere.  EDNS is on by default but I think this should also be an
option for the query function.  Finally, you would need another option
in query to request DNSSEC and that might be it.

It's possible that dns.query isn't general enough or doesn't return
enough information. If so, the way I'd like it to be handled is to write
a new, more generic query function, then have dns.query call it
(throwing away information to keep a compatible interface). The DNSSEC
code will call this more generic function directly or through another

I don't think that the DNSSEC support flag is important enough to
justify being a return value. It would be better for the caller to check
the AD flag (which means the generic function will have to provide
access to it).

Or maybe better, the caller can do the same check that dns.lua is doing:
      if auth.NSEC or auth.RRSIG or auth.DNSKEY or auth.DS or auth.NSEC3 then
         pkt.dnssec = true
      end
Dealing with retPkt-level objects is also reasonable for a low-level
script like this.

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
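
The two checks discussed in this message (the AD header flag versus DNSSEC record types in the authority section), run side by side over raw DNS responses. This is an added Python example, not code from dns.lua or from anyone in the thread; the function names and the sample packets are constructed for illustration.

```python
import struct

# RR type codes for the DNSSEC record types named in the dns.lua check.
DNSSEC_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}
AD_FLAG = 0x0020  # "authentic data" bit in the 16-bit header flags word

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def dnssec_indicators(msg):
    """Return (ad_flag_set, sorted DNSSEC type names seen in the authority section)."""
    _id, flags, qd, an, ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):  # question entry: name, type, class
        off = skip_name(msg, off) + 4
    found = set()
    for i in range(an + ns):  # answer RRs first, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        if i >= an and rtype in DNSSEC_TYPES:
            found.add(DNSSEC_TYPES[rtype])
    return bool(flags & AD_FLAG), sorted(found)

def build_response(flags, authority):
    """Constructed sample: NXDOMAIN reply for a.example. with the given authority RRs."""
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority), 0)
    msg += b"\x01a\x07example\x00" + struct.pack("!HH", 1, 1)
    for rtype, rdata in authority:
        # Owner name is a compression pointer to "example" at offset 14.
        msg += b"\xc0\x0e" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

# Constructed packets; the rdata is zero-filled placeholder bytes, not real records.
SIGNED = [(6, b"\x00" * 22), (47, b"\x00" * 8), (46, b"\x00" * 24)]  # SOA, NSEC, RRSIG
AUTH_REPLY = build_response(0x8403, SIGNED)      # QR|AA, NXDOMAIN, AD clear
RESOLVER_REPLY = build_response(0x81A3, SIGNED)  # QR|RD|RA|AD, NXDOMAIN
PLAIN_REPLY = build_response(0x8403, [(6, b"\x00" * 22)])  # SOA only, no DNSSEC

if __name__ == "__main__":
    for name in ("AUTH_REPLY", "RESOLVER_REPLY", "PLAIN_REPLY"):
        print(name, dnssec_indicators(globals()[name]))
```

In the constructed AUTH_REPLY the authority section carries NSEC and RRSIG records while the AD bit is clear, so the two checks give different answers for the same packet.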
