TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate it’s regular DNS records.
I like to go through slides of cons I can’t make it out to, and Hack-in-the-Box (HITB) Kul (Malaysia), was one such as they were very quick to release sides:
http://conference.hitb.org/hitbsecconf2011kul/materials/
One that I came across is Marc “van Hauser” Heuse’s talk on IPv6 titled “IPv6 Insecurity Revolutions” (Link directly to PDF on aforementioned materials link). I definitely recommend checking it out as well as the IPv6 tools THC / Marc released (v2) here:
http://www.thc.org/thc-ipv6/
Amazing tools, but one I could not locate in their batch was dnssecwalk (slide 41 for those following along)
I found something that looks very similar here: http://josefsson.org/walker/
Released originally in 2001 by Simon Josefsson. If you read the TL;DR at the top, you pretty much know what to tool does, so I’ll take you through an example:
To get this bad boy working (since it’s Perl) you need to use CPAN to install Net::DNS and Net::DNS::SEC
cpan Net::DNS (hit enter for defaults)
cpan Net::DNS::SEC (same deal)
Using the slide’s example of ripe.net (ARIN’s Euro brother) You simply point it at a domain:
1
2
3
4
5
|
./walker ripe.net
;; Walker by Simon Josefsson
;; $Id: walker,v 1.31 2005/09/20 10:16:30 jas Exp $
;; Net::DNS 0.68
;; Net::DNS::SEC 0.16
|
Then it just starts going. Unlike the tool in the slides it’s a very verbose tool and doesn’t have any “write output to file” option so piping to a file is recommended.
1
2
|
$ ./walker ripe.net > output.txt &
[1] 32623
|
Then just run greps on it removing all of the DNS commenting with anything having a semicolon in it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
$ cat output.txt | grep -v ';' | grep IN
ripe.net. 273 IN SOA pri.authdns.ripe.net. dns.ripe.net. (
ripe.net. 17146 IN A 193.0.6.139
ripe.net. 300 IN AAAA 2001:67c:2e8:22:0:0:c100:68b
ripe.net. 2814 IN DNSKEY 256 3 5 (
ripe.net. 2814 IN DNSKEY 257 3 5 (
ripe.net. 2814 IN DNSKEY 257 3 5 (
ripe.net. 2814 IN DNSKEY 256 3 5 (
ripe.net. 183 IN MX 200 postgirl.ripe.net.
ripe.net. 183 IN MX 250 postlady.ripe.net.
ripe.net. 2017 IN NS tinnie.arin.net.
ripe.net. 2017 IN NS ns3.nic.fr.
ripe.net. 2017 IN NS sns-pb.isc.org.
ripe.net. 2017 IN NS pri.authdns.ripe.net.
ripe.net. 2017 IN NS sec3.apnic.net.
ripe.net. 2017 IN NS sec1.apnic.net.
ripe.net. 2723 IN NSEC 256cns.ripe.net. A AAAA DNSKEY MX NS NSEC RRSIG SOA
ripe.net. 21510 IN RRSIG A 5 2 21600 20121120100104 (
ripe.net. 210 IN RRSIG AAAA 5 2 300 20121120100104 (
ripe.net. 3510 IN RRSIG NS 5 2 3600 20121120100104 (
ripe.net. 210 IN RRSIG MX 5 2 300 20121120100104 (
7Te5Hfqh79JcJO4m94PLZ/GXnm3OVuKW1GINiNToNnTbz
ripe.net. 3510 IN RRSIG NSEC 5 2 3600 20121120100104 (
ripe.net. 3510 IN RRSIG SOA 5 2 3600 20121120100104 (
bfTSOsob1qYKrv3MrTrxDcr0dQJMjEUuKvWJINbFsCDDp
ripe.net. 3510 IN RRSIG DNSKEY 5 2 3600 20121120100104 (
ILjTJkBEsfhSs/7RKpoS+rLVOINoQXOtGgBhl5Ex5aAip
256cns.ripe.net. 20814 IN CNAME pip.ripe.net.
256cns.ripe.net. 2793 IN NSEC _jabber._tcp.ripe.net. CNAME NSEC RRSIG
_jabber._tcp.ripe.net. 2804 IN NSEC _xmpp-client._tcp.ripe.net. NSEC RRSIG SRV
_jabber._tcp.ripe.net. 2814 IN RRSIG NSEC 5 4 3600 20121120100104 (
_jabber._tcp.ripe.net. 114 IN RRSIG SRV 5 4 900 20121120100104 (
_jabber._tcp.ripe.net. 114 IN SRV 30 30 5269 chat.ripe.net.
_xmpp-client._tcp.ripe.net. 2804 IN NSEC _xmpp-server._tcp.ripe.net. NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net. 115 IN RRSIG SRV 5 4 900 20121120100104 (
_xmpp-client._tcp.ripe.net. 2815 IN RRSIG NSEC 5 4 3600 20121120100104 (
_xmpp-client._tcp.ripe.net. 115 IN SRV 30 30 5222 chat.ripe.net.
_xmpp-server._tcp.ripe.net. 2805 IN NSEC access.ripe.net. NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net. 115 IN RRSIG SRV 5 4 900 20121120100104 (
NJpdcDaytdKNINLVCFYUJWRnXiTRFrXSi2cL4nJLGLQlt
_xmpp-server._tcp.ripe.net. 2815 IN RRSIG NSEC 5
(snipped)
|
But of course in side 40 it shows that you can simply zone transfer ripe.net anyways. But for those that aren’t so forthcoming with their zones this can be a nice thing to try.