anonion0 / nsec3map

a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain
GNU General Public License v3.0

NSEC enumeration fails for ax. #23

Closed BenBE closed 1 year ago

BenBE commented 1 year ago

Enumeration of the TLD ax. fails after a few records are found.

To reproduce:

$ n3map -v -v -n --ldh -p -f4 --ignore-overlapping -A -a ax.
n3map 0.7.0: starting mapping of ax.
looking up nameservers for zone ax.
using nameserver: 194.112.0.5 (ns2.aland.net.)
using nameserver: 2a00:5500:1:6::130 (ns3.alcom.fi.)
using nameserver: 194.112.0.1 (ns1.aland.net.)
using nameserver: 2a00:5500:1:7::194 (ns4.alcom.fi.)
checking SOA...
checking DNSKEY...
detecting zone type...
zone uses NSEC records
starting enumeration in A query mode...
discovered owner: ax.   NS SOA RRSIG NSEC DNSKEY TYPE65534
discovered owner: 00.ax.        NS RRSIG NSEC
discovered owner: 007.ax.       NS RRSIG NSEC
discovered owner: 0244a.ax.     NS RRSIG NSEC
discovered owner: 04.ax.        NS RRSIG NSEC
discovered owner: 07.ax.        NS RRSIG NSEC
discovered owner: 08.ax.        NS RRSIG NSEC
discovered owner: 089.ax.       NS RRSIG NSEC
discovered owner: 09.ax.        NS RRSIG NSEC
discovered owner: 0a.ax.        NS RRSIG NSEC
discovered owner: 0h.ax.        NS RRSIG NSEC
discovered owner: 0m.ax.        NS RRSIG NSEC
discovered owner: 0x.ax.        NS RRSIG NSEC
discovered owner: 10.ax.        NS RRSIG NSEC
discovered owner: 100.ax.       NS RRSIG NSEC
discovered owner: 1001.ax.      NS RRSIG NSEC
discovered owner: 100kvinnor.ax.        NS RRSIG NSEC
discovered owner: 1040t.ax.     NS RRSIG NSEC
discovered owner: 10mm.ax.      NS RRSIG NSEC
discovered owner: 11.ax.        NS RRSIG NSEC
discovered owner: 111.ax.       NS RRSIG NSEC
discovered owner: 112.ax.       NS RRSIG NSEC
discovered owner: 12.ax.        NS RRSIG NSEC
discovered owner: 123.ax.       NS RRSIG NSEC
discovered owner: 123domain.ax. NS RRSIG NSEC
discovered owner: 13.ax.        NS RRSIG NSEC
discovered owner: 1337.ax.      NS RRSIG NSEC
discovered owner: 1337h.ax.     NS RRSIG NSEC
discovered owner: 138.ax.       NS RRSIG NSEC
discovered owner: 15.ax.        NS RRSIG NSEC
discovered owner: 16.ax.        NS RRSIG NSEC
discovered owner: 17.ax.        NS RRSIG NSEC
discovered owner: 18.ax.        NS RRSIG NSEC
discovered owner: 19.ax.        NS RRSIG NSEC
discovered owner: 1963.ax.      NS RRSIG NSEC
discovered owner: 1fairf.ax.    NS RRSIG NSEC
discovered owner: 1h.ax.        NS RRSIG NSEC
discovered owner: 1n.ax.        NS RRSIG NSEC
discovered owner: 20.ax.        NS RRSIG NSEC
discovered owner: 2022.ax.      NS RRSIG NSEC
discovered owner: 21.ax.        NS RRSIG NSEC
discovered owner: 2138.ax.      NS RRSIG NSEC
discovered owner: 22.ax.        NS RRSIG NSEC
discovered owner: 23.ax.        NS RRSIG NSEC
discovered owner: 24.ax.        NS RRSIG NSEC
discovered owner: 240.ax.       NS RRSIG NSEC
discovered owner: 25.ax.        NS RRSIG NSEC
discovered owner: 26.ax.        NS RRSIG NSEC
discovered owner: 27.ax.        NS RRSIG NSEC
discovered owner: 28.ax.        NS RRSIG NSEC
discovered owner: 29.ax.        NS RRSIG NSEC
discovered owner: 297.ax.       NS RRSIG NSEC
discovered owner: 2d.ax.        NS RRSIG NSEC
discovered owner: 2m.ax.        NS RRSIG NSEC
discovered owner: 2ndtrip.ax.   NS RRSIG NSEC
discovered owner: 2x.ax.        NS RRSIG NSEC
discovered owner: 301.ax.       NS RRSIG NSEC
discovered owner: 31.ax.        NS RRSIG NSEC
discovered owner: 3152.ax.      NS RRSIG NSEC
discovered owner: 317.ax.       NS RRSIG NSEC
discovered owner: 32.ax.        NS RRSIG NSEC
discovered owner: 33.ax.        NS RRSIG NSEC
discovered owner: 35.ax.        NS RRSIG NSEC
discovered owner: 36.ax.        NS RRSIG NSEC
discovered owner: 365.ax.       NS RRSIG NSEC
discovered owner: 37.ax.        NS RRSIG NSEC
discovered owner: 38.ax.        NS RRSIG NSEC
discovered owner: 39.ax.        NS RRSIG NSEC
discovered owner: 3d.ax.        NS RRSIG NSEC
discovered owner: 3partners.ax. NS RRSIG NSEC
discovered owner: 42.ax.        NS RRSIG NSEC
discovered owner: 43.ax.        NS RRSIG NSEC
discovered owner: 44.ax.        NS RRSIG NSEC
discovered owner: 45.ax.        NS RRSIG NSEC
discovered owner: 46.ax.        NS RRSIG NSEC
discovered owner: 47.ax.        NS RRSIG NSEC
discovered owner: 48.ax.        NS RRSIG NSEC
error: no NSEC RR received
Maybe the zone doesn't support DNSSEC or uses NSEC3 RRs

warning: 0 errors left for 194.112.0.5 (ns2.aland.net.)
warning: removed misbehaving/unresponsive nameserver 194.112.0.5 (ns2.aland.net.)
error: no NSEC RR received
Maybe the zone doesn't support DNSSEC or uses NSEC3 RRs

warning: 0 errors left for 2a00:5500:1:6::130 (ns3.alcom.fi.)
warning: removed misbehaving/unresponsive nameserver 2a00:5500:1:6::130 (ns3.alcom.fi.)
error: no NSEC RR received
Maybe the zone doesn't support DNSSEC or uses NSEC3 RRs

warning: 0 errors left for 194.112.0.1 (ns1.aland.net.)
warning: removed misbehaving/unresponsive nameserver 194.112.0.1 (ns1.aland.net.)
error: no NSEC RR received
Maybe the zone doesn't support DNSSEC or uses NSEC3 RRs

warning: 0 errors left for 2a00:5500:1:7::194 (ns4.alcom.fi.)
warning: removed misbehaving/unresponsive nameserver 2a00:5500:1:7::194 (ns4.alcom.fi.)
;; walking ax.: records =  77; queries =  84; ................................................................................................................................... q/s = 16 ;;
n3map: fatal: ran out of working nameservers!

Given that 4h.ax. seems to be served also by the same nameservers as ax. itself, querying for the A DNS RR does not produce a NSEC record:

$ dig +dnssec @194.112.0.1 A 4h.ax.

; <<>> DiG 9.18 <<>> +dnssec @194.112.0.1 A 4h.ax.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29925
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;4h.ax.                         IN      A

;; ANSWER SECTION:
4h.ax.                  86400   IN      A       194.136.187.240

;; AUTHORITY SECTION:
4h.ax.                  86400   IN      NS      ns1.aland.net.
4h.ax.                  86400   IN      NS      ns2.aland.net.
4h.ax.                  86400   IN      NS      ns3.alcom.fi.

;; ADDITIONAL SECTION:
ns2.aland.net.          86400   IN      A       194.112.0.5
ns3.alcom.fi.           86400   IN      A       82.199.186.130
ns3.alcom.fi.           86400   IN      AAAA    2a00:5500:1:6::130
ns1.aland.net.          86400   IN      A       194.112.0.1
ns3.alcom.fi.           86400   IN      RRSIG   A 8 3 86400 20230317104514 20230215103424 18504 alcom.fi. Nf3S3eNg/kylFkuDNvjydN3H5NWQfvX2Olrdqn58Z3jffQISM5ZJXfKa g2JSh/wcckUF9c9+qlfscSWIiGBPULvaX8BanEDuTu/2wEFgFP/jfaUA G4DOPiwuxi4paoVCW9Y+Y9EhbG1rmLiIadMkWsZMJoe5IRibS/PnZ1Uy l54=
ns3.alcom.fi.           86400   IN      RRSIG   AAAA 8 3 86400 20230317104514 20230215103424 18504 alcom.fi. j52jup0dwEXH2wiyVkgadogO4v7gnL7QOnShCrEkL3klEXHvaxCMeeGK Huvr5Yd6UBUZEKqRnIqjkq+8NRsx7U4u2UNsQdxzm7y0NZzEB9L03V6M ZgoUXK0U4Stc1gNXmosJk31KPP4671cHRr4i3Z1BSZw1G07NzPmFy5HQ UOU=

;; Query time: 44 msec
;; SERVER: 194.112.0.1#53(194.112.0.1) (UDP)
;; WHEN: Thu Feb 16 19:46:27 CET 2023
;; MSG SIZE  rcvd: 533

Instead, to produce the next NSEC record, we need to manually increment the left-most label from our previous response, similar to what NSEC White Lies does, e.g. 4h0.ax.. This gives the following (proper) reply:

$ dig +dnssec @194.112.0.1 a 4h0.ax.

; <<>> DiG 9.18 <<>> +dnssec @194.112.0.1 a 4h0.ax.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16223
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;4h0.ax.                                IN      A

;; AUTHORITY SECTION:
ax.                     7200    IN      SOA     ns1.aland.net. hostmaster.alcom.ax. 2023021889 1800 900 2419200 7200
ax.                     7200    IN      RRSIG   SOA 8 1 86400 20230318183823 20230216173823 10086 ax. ZC2L/HLYLy/fZUutB1vpUVYydv+hVAfZg613ECpLv5H85NXF8KqOK15F Sbx3w7FlDr5hUTPNZgGw9ScpnuhijA7z1FBM+yf72f7NOU31TgRT9OwQ slojorEfFJZIm6zjlgwGxtUtqJdCs6UcTMl8EF3ss2gLuATdHrk+rKTR 8ns=
ax.                     7200    IN      NSEC    00.ax. NS SOA RRSIG NSEC DNSKEY TYPE65534
ax.                     7200    IN      RRSIG   NSEC 8 1 7200 20230318134808 20230216131933 10086 ax. WjrgPOB2zYq0gXenPePcisdvxIOPItacWvr4wgtTUQYcSnQ8/wpJDnHR UCk769zsuluh8SaR/jYULTlRcdv97U8FIjm/z6bKktmwH/wwWtQrlnm9 HI7WcV+oLoPuvE8gozKpoXDGerabAMZWNbmsoRp/ilVyn1t7lxpJZjrt dfY=
4h.ax.                  7200    IN      NSEC    4m.ax. NS RRSIG NSEC
4h.ax.                  7200    IN      RRSIG   NSEC 8 2 7200 20230318143653 20230216134236 10086 ax. BZmis5n/0JUUtE+qf/a7jFTXELf/1kMMFAPcmts+wZsZBqBMejSXJKYY 5A/FNOSmpbKbwgpy+Yy9hVVAI9MN9jx0Gh8M6u4vg27Plpaj0mVEFhfC 6fG+3owlQOnHLSv3N1qICZe2euqP57C5STqZ7uyHlRBX0IZzXH1uGPFU oKM=

;; Query time: 48 msec
;; SERVER: 194.112.0.1#53(194.112.0.1) (UDP)
;; WHEN: Thu Feb 16 19:46:44 CET 2023
;; MSG SIZE  rcvd: 679

It would be nice if this approach were tried before declaring a nameserver to be misbehaving.

NB: I'm not yet sure why this kills all four nameservers for this domain, but likely because the zone is authoritative there too, but not published in the NS RRset in the parent zone we are iterating.

FWIW: Using --query-mode=NSEC produces the same problem.

anonion0 commented 1 year ago

Yeah, this seems to be an unsigned sub-zone served by the same nameserver. n3map relied on the RRSet type bits in the NSEC record to detect when it is descending into a sub-zone, which doesn't work of course if it is not signed (it also would have failed if the sub-zone used NSEC3 though...).

I've made this more robust now (by also looking for a SOA RR in the reply), but there are undoubtedly still things that can go wrong.
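
Added example (not n3map's code and not part of either comment): the canonical-ordering check a validator applies to the two NSEC records in the NXDOMAIN reply for 4h0.ax., plus the type-bitmap test that marks 4h.ax. as an unsigned delegation. When the same server also hosts such a child zone, names at or below the cut are answered from the child without any NSEC, as the first dig output shows. Function names are hypothetical; the records are copied from the dig output above.

```python
# Added example. Names and type lists are copied from the dig output in this
# issue; only plain LDH names are handled (no \DDD escapes).

def canonical_key(name):
    """RFC 4034 section 6.1: compare labels right to left as lowercase bytes."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if the NSEC owner -> next_name proves that qname does not exist."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:                  # ordinary link in the chain
        return o < q < n
    return q > o or q < n      # last link wraps around to the zone apex

def is_unsigned_cut(zone, owner, types):
    """NS without SOA at a non-apex owner is a delegation; no DS: unsigned child."""
    at_apex = canonical_key(owner) == canonical_key(zone)
    return not at_apex and "NS" in types and not {"SOA", "DS"} & set(types)

def under_unsigned_cut(zone, qname, owner, types):
    """True if qname is at or below an unsigned delegation owned by `owner`."""
    o, q = canonical_key(owner), canonical_key(qname)
    return is_unsigned_cut(zone, owner, types) and q[:len(o)] == o

# NSEC records from the AUTHORITY section of the NXDOMAIN reply for 4h0.ax.
NSECS = [
    ("ax.", "00.ax.", ["NS", "SOA", "RRSIG", "NSEC", "DNSKEY", "TYPE65534"]),
    ("4h.ax.", "4m.ax.", ["NS", "RRSIG", "NSEC"]),
]

def explain(zone, qname):
    """Owner of the NSEC covering qname, and of the one covering *.<zone>."""
    def cover(q):
        return next((o for o, n, _ in NSECS if nsec_covers(o, n, q)), None)
    return cover(qname), cover("*." + zone)

if __name__ == "__main__":
    # 4h0.ax. falls between 4h.ax. and 4m.ax.; *.ax. falls between ax. and 00.ax.
    print(explain("ax.", "4h0.ax."))
    owner, _, types = NSECS[1]
    # 4h.ax. itself sits on the unsigned cut, 4h0.ax. does not
    print(under_unsigned_cut("ax.", "4h.ax.", owner, types))
    print(under_unsigned_cut("ax.", "4h0.ax.", owner, types))
```
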