TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate it’s regular DNS records.
I like to go through slides of cons I can’t make it out to, and Hack-in-the-Box (HITB) Kul (Malaysia), was one such as they were very quick to release sides:
One that I came across is Marc “van Hauser” Heuse’s talk on IPv6 titled “IPv6 Insecurity Revolutions” (Link directly to PDF on aforementioned materials link). I definitely recommend checking it out as well as the IPv6 tools THC / Marc released (v2) here:
Released originally in 2001 by Simon Josefsson. If you read the TL;DR at the top, you pretty much know what to tool does, so I’ll take you through an example:
To get this bad boy working (since it’s Perl) you need to use CPAN to install Net::DNS and Net::DNS::SEC
cpan Net::DNS (hit enter for defaults) cpan Net::DNS::SEC (same deal)
Using the slide’s example of ripe.net (ARIN’s Euro brother) You simply point it at a domain:
12345
./walker ripe.net
;; Walker by Simon Josefsson
;; $Id: walker,v 1.31 2005/09/20 10:16:30 jas Exp $
;; Net::DNS 0.68
;; Net::DNS::SEC 0.16
Then it just starts going. Unlike the tool in the slides it’s a very verbose tool and doesn’t have any “write output to file” option so piping to a file is recommended.
12
$ ./walker ripe.net > output.txt &
[1] 32623
Then just run greps on it removing all of the DNS commenting with anything having a semicolon in it:
$ cat output.txt | grep -v ';' | grep IN
ripe.net. 273 IN SOA pri.authdns.ripe.net. dns.ripe.net. (
ripe.net. 17146 IN A 193.0.6.139
ripe.net. 300 IN AAAA 2001:67c:2e8:22:0:0:c100:68b
ripe.net. 2814 IN DNSKEY 256 3 5 (
ripe.net. 2814 IN DNSKEY 257 3 5 (
ripe.net. 2814 IN DNSKEY 257 3 5 (
ripe.net. 2814 IN DNSKEY 256 3 5 (
ripe.net. 183 IN MX 200 postgirl.ripe.net.
ripe.net. 183 IN MX 250 postlady.ripe.net.
ripe.net. 2017 IN NS tinnie.arin.net.
ripe.net. 2017 IN NS ns3.nic.fr.
ripe.net. 2017 IN NS sns-pb.isc.org.
ripe.net. 2017 IN NS pri.authdns.ripe.net.
ripe.net. 2017 IN NS sec3.apnic.net.
ripe.net. 2017 IN NS sec1.apnic.net.
ripe.net. 2723 IN NSEC 256cns.ripe.net. A AAAA DNSKEY MX NS NSEC RRSIG SOA
ripe.net. 21510 IN RRSIG A 5 2 21600 20121120100104 (
ripe.net. 210 IN RRSIG AAAA 5 2 300 20121120100104 (
ripe.net. 3510 IN RRSIG NS 5 2 3600 20121120100104 (
ripe.net. 210 IN RRSIG MX 5 2 300 20121120100104 (
7Te5Hfqh79JcJO4m94PLZ/GXnm3OVuKW1GINiNToNnTbz
ripe.net. 3510 IN RRSIG NSEC 5 2 3600 20121120100104 (
ripe.net. 3510 IN RRSIG SOA 5 2 3600 20121120100104 (
bfTSOsob1qYKrv3MrTrxDcr0dQJMjEUuKvWJINbFsCDDp
ripe.net. 3510 IN RRSIG DNSKEY 5 2 3600 20121120100104 (
ILjTJkBEsfhSs/7RKpoS+rLVOINoQXOtGgBhl5Ex5aAip
256cns.ripe.net. 20814 IN CNAME pip.ripe.net.
256cns.ripe.net. 2793 IN NSEC _jabber._tcp.ripe.net. CNAME NSEC RRSIG
_jabber._tcp.ripe.net. 2804 IN NSEC _xmpp-client._tcp.ripe.net. NSEC RRSIG SRV
_jabber._tcp.ripe.net. 2814 IN RRSIG NSEC 5 4 3600 20121120100104 (
_jabber._tcp.ripe.net. 114 IN RRSIG SRV 5 4 900 20121120100104 (
_jabber._tcp.ripe.net. 114 IN SRV 30 30 5269 chat.ripe.net.
_xmpp-client._tcp.ripe.net. 2804 IN NSEC _xmpp-server._tcp.ripe.net. NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net. 115 IN RRSIG SRV 5 4 900 20121120100104 (
_xmpp-client._tcp.ripe.net. 2815 IN RRSIG NSEC 5 4 3600 20121120100104 (
_xmpp-client._tcp.ripe.net. 115 IN SRV 30 30 5222 chat.ripe.net.
_xmpp-server._tcp.ripe.net. 2805 IN NSEC access.ripe.net. NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net. 115 IN RRSIG SRV 5 4 900 20121120100104 (
NJpdcDaytdKNINLVCFYUJWRnXiTRFrXSi2cL4nJLGLQlt
_xmpp-server._tcp.ripe.net. 2815 IN RRSIG NSEC 5
(snipped)
But of course in side 40 it shows that you can simply zone transfer ripe.net anyways. But for those that aren’t so forthcoming with their zones this can be a nice thing to try.