DNSSEC Walker

Simon Josefsson

What is this?

This is a proof-of-concept utility that downloads the contents of a DNS zone even when AXFR (zone transfer) is disabled on the server, provided the zone is signed with DNSSEC: instead of transferring the zone, it walks the NXT/NSEC chain, in which every record names the next owner name in the zone and lists the RR types present at its own owner. Optionally it can also verify every signature RR in the zone against the zone key. If you do not know what DNSSEC is, please refer to:

The tool supports both the old DNSSEC according to RFC 2535 (i.e., KEY/SIG/NXT) and the current DNSSEC according to RFC 4033 (i.e., DNSKEY/RRSIG/NSEC). Zones signed with NSEC3 (RFC 5155), which replaces the plain next-owner chain with hashed owner names, cannot be enumerated this way; the tool handles NXT and NSEC only.

The DNSSEC Walker is licensed under the GNU General Public License.


Download

This program requires the Net::DNS and Net::DNS::SEC packages.

The software packages are signed using my PGP key.

walker-3.7.tar.gz [PGP signature]
2005-09-19 Version 3.7. Support for an optional "startname" parameter, to specify which owner name to start walking on (useful when interrupted half way through a big zone).
walker-3.6.tar.gz [PGP signature]
2005-09-14 Version 3.6. Verification of data in zones with multiple keys (e.g., "se") now works.
walker-3.5.tar.gz [PGP signature]
2004-06-03 Version 3.5. Slight bug fix. Improved output.
walker-3.4.tar.gz [PGP signature]
2004-06-02 Version 3.4. Support RRSIG/DNSKEY (as well as old-style SIG/KEY). The -n parameter now enables non-recursive queries for everything. Improved output.
walker-3.3.tar.gz
2004-02-27 Version 3.3. Minor feature enhancement: Support NSEC as well as NXT, see draft-ietf-dnssec-nsec-rdata.
walker-3.2.tar.gz
2003-02-18 Version 3.2. Minor feature enhancement: New -n parameter to optimize big zone traversals. Bugfix: Prints SIG RRs even when -y isn't used. Other: Now tries to verify CERT/SRV/CNAME even though Net::DNS(::SEC) may print warnings.
walker-3.1.tar.gz
2002-11-13 Version 3.1, bugfix: disable defnames to make TLD recursion work.
walker-3.0.tar.gz
2002-11-13 Version 3.0, added SIG verification.
walker-2.0.tar.gz
2001-11-28 Version 2.0, rewritten using Net::DNS.
walker-1.0.tar.gz
2001-01-03 Version 1.0, initial release.

Earlier distribution archives do not mention what license they are distributed under, but to make it clear: all versions are released under the GPL. Recent releases include copying conditions.


Development

Source code is available via CVS (just press enter at the password prompt):

	$ cvs -d :pserver:anoncvs@yxa.extundo.com:/home/cvs/public-cvs login
	Logging in to :pserver:anoncvs@yxa.extundo.com:2401/home/cvs/public-cvs
	CVS password:
	$ cvs -d :pserver:anoncvs@yxa.extundo.com:/home/cvs/public-cvs co walker
      

The CVS repository can also be accessed through the HTML interface.


Known problems

Please report any other problems to me.


Documentation

WALKER(1)             User Contributed Perl Documentation            WALKER(1)

NAME
       walker - Retrieve a DNS zone using NXT/NSEC traversal

SYNOPSIS
       walker [-y] [-n] [-d] [ @nameserver ] zone [ startname ]

DESCRIPTION
       walker retrieves a DNS zone from the default or supplied name server
       and prints each record to the standard output.  AXFR is not used,
       instead the DNSSEC NXT/NSEC record chain is traversed.  The zone must
       use DNSSEC.  The output should conform to the standard DNS master file
       format (but see BUGS).  Optionally, walker can also verify DNSSEC sig‐
       natures on the RRsets within the zone.

OPTIONS
       -y  Additionally perform verification on each RRset within the zone and
           print result of verification (in a zone file comment).

       -n  When querying for records, ask the nameserver non-recursively,
           instead of going through the full resolver logic.  This parameter
           is useful when you know that the default name server (or the sup‐
           plied specific nameserver) can respond correctly, which it typi‐
           cally only would if it is responsible for the zone.

           The original motivation for the -n parameter was to improve speed
           when asking parents for NS records on delegated zones, which would
           make the server recursively ask the child servers.

       -d  Enable debugging in the resolver (this will print all DNS packets,
           just like dig).

       @nameserver
           Query nameserver instead of the default nameserver.

       zone
           Name of the zone to retrieve master file for.  For example, "com".

       startname
           Optional name to start the zone walk at.  The default is to start
           walking from the zone apex.  This option is useful if the tool
           failed or was interrupted in the middle of a large zone: give the
           last owner name that was printed and the walk resumes from there.

AUTHOR
       Simon Josefsson 

BUGS
       CNAME, CERT and/or SRV RRs are known to cause perl warnings during
       verification with some versions of Net::DNS and Net::DNS::SEC.  The
       cause is believed to be in Perl, Net::DNS or Net::DNS::SEC.  The reader
       is encouraged to track down and fix these bugs.

SEE ALSO
       perl(1), axfr, perldig, Net::DNS, Net::DNS::SEC, resolv.conf

perl v5.8.7                       2005-09-14                         WALKER(1)
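The traversal the DESCRIPTION section describes, and the startname resume described under OPTIONS, as an added Python example (this is not walker's own code, which is Perl on top of Net::DNS). The query function here is a lookup in a constructed, in-memory NSEC chain modelled on the first records of the "se" walk shown further down; the closing record that wraps 01an.se back to the apex is constructed for the example, as is the SE_SAMPLE table itself. Besides following the chain, the example performs the two checks a walker should make on a chain it did not build: that each next name is canonically after its owner (RFC 4034 section 6.1 ordering, so a forged or corrupted record cannot send the walk backwards or into a loop), and which RRsets can legitimately be unsigned, which explains the ";; no signature found" lines in the "se" output.

```python
#!/usr/bin/env python3
"""Offline model of an NXT/NSEC chain walk.

Added example, not code from walker.  The query function is a dict lookup
over a constructed zone; a real walker swaps in a DNS query for
"<name> IN NSEC" (and then for each type the bitmap announces), which is
what walker does with Net::DNS.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class NSEC:
    owner: str             # owner name, absolute
    next_name: str         # "next domain name" field of the NSEC RDATA
    types: FrozenSet[str]  # type bitmap, as mnemonics


def canonical(name: str) -> str:
    """Absolute, lower-case form of a name (RFC 4034 canonical form)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are
    compared right to left as octet strings, a proper prefix sorting first.
    A tuple of reversed, lower-cased label byte strings does exactly that."""
    labels = [lab for lab in canonical(name).split(".") if lab]
    return tuple(lab.encode("utf-8") for lab in reversed(labels))


# Constructed sample: the first NSEC records of "se" as printed on this page,
# with the chain closed back to the apex after 01an.se (the real chain goes on).
SE_SAMPLE: Dict[str, NSEC] = {}
for _owner, _next, _types in [
    ("se.", "00385kroatien.se.", "DNSKEY NS NSEC RRSIG SOA TXT"),
    ("00385kroatien.se.", "0046sport.se.", "NS NSEC RRSIG"),
    ("0046sport.se.", "007ta2.se.", "NS NSEC RRSIG"),
    ("007ta2.se.", "00800inkjet.se.", "NS NSEC RRSIG"),
    ("00800inkjet.se.", "00800inkjets.se.", "NS NSEC RRSIG"),
    ("00800inkjets.se.", "011web.se.", "NS NSEC RRSIG"),
    ("011web.se.", "01an.se.", "NS NSEC RRSIG"),
    ("01an.se.", "se.", "NS NSEC RRSIG"),  # constructed: wraps to the apex
]:
    SE_SAMPLE[_owner] = NSEC(_owner, _next, frozenset(_types.split()))

QueryFn = Callable[[str], Optional[NSEC]]


def is_delegation(rr: NSEC) -> bool:
    """NS but no SOA in the bitmap: a delegation point (zone cut)."""
    return "NS" in rr.types and "SOA" not in rr.types


def is_secure_delegation(rr: NSEC) -> bool:
    """A delegation with a DS record means the child zone is signed too."""
    return is_delegation(rr) and "DS" in rr.types


def expects_rrsig(rr: NSEC, rtype: str) -> bool:
    """Should an RRset of <rtype> at this owner carry this zone's RRSIG?
    RFC 4035 section 2.2: the parent does not sign the NS RRset at a
    delegation (nor glue), and RRSIG RRsets are never signed.  This is why
    the walk on this page prints ';; no signature found' under each
    delegation's NS records."""
    if rtype == "RRSIG":
        return False
    return not (is_delegation(rr) and rtype == "NS")


def walk(apex: str, query: QueryFn, start: Optional[str] = None,
         max_names: int = 1_000_000) -> List[NSEC]:
    """Follow the NSEC chain from <start> (default: the apex) until the next
    name points back at the apex.  Refuses loops and backwards pointers,
    which a correctly built chain never contains."""
    apex = canonical(apex)
    name = canonical(start) if start else apex
    seen = set()
    chain: List[NSEC] = []
    while len(chain) < max_names:
        if name in seen:
            raise ValueError(f"NSEC chain loops at {name}")
        seen.add(name)
        rr = query(name)
        if rr is None:
            raise ValueError(f"no NSEC at {name}: chain broken or zone not NSEC-signed")
        chain.append(rr)
        nxt = canonical(rr.next_name)
        if nxt == apex:
            return chain  # the last NSEC in a zone wraps around to the apex
        if canonical_key(nxt) <= canonical_key(name):
            raise ValueError(f"NSEC at {name} points backwards to {nxt}")
        name = nxt
    raise ValueError(f"stopped after {max_names} names without reaching the apex")


def format_nsec(rr: NSEC) -> str:
    """One NSEC record in master file syntax."""
    return f"{rr.owner}\tIN\tNSEC\t{rr.next_name} {' '.join(sorted(rr.types))}"


if __name__ == "__main__":
    for rec in walk("se", SE_SAMPLE.get):
        print(format_nsec(rec))
        if is_delegation(rec):
            kind = "secure" if is_secure_delegation(rec) else "insecure"
            print(f"\t;; {kind} delegation; parent-side NS RRset is unsigned")
```

To run this against a live zone, replace SE_SAMPLE.get with a function that sends the NSEC query for the given name and builds an NSEC object from the answer; walk() then behaves like "walker zone [startname]", and the ordering check makes a server that answers with bogus NSEC records fail the walk instead of sending it into an endless loop.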

Example usage

Here is how you would recover the zone file for "se". Zone transfer (AXFR) of the zone is disabled, but it is signed with DNSSEC. The -y parameter is given as well, so walker also prints the result of verifying each RRset as a zone file comment. For brevity, only the first 150 lines are shown. The ";; no signature found" lines under the delegated names are expected rather than an error: the NS RRset at a delegation point belongs to the child zone and is not signed by the parent, so only RRsets the "se" zone is authoritative for (here the apex DNSKEY, NS and TXT) carry RRSIGs. The type bitmap "NS NSEC RRSIG" without DS at those names also shows that these delegations are insecure, i.e., the child zones are not signed.

jas@latte:~/src/walker$ walker -y @a.ns.se se|head -150
;; Walker by Simon Josefsson
;; $Id: index.html,v 1.37 2005/09/19 19:15:24 jas Exp $
;; Net::DNS 0.53
;; Net::DNS::SEC 0.12_02

	;; Using key RR type: DNSKEY
	;; Key(s) used to verify signatures:
	;; se.	3600	IN	DNSKEY	257  3  5 ( 
	;; 			AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65K
	;; 			bhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/zGZUd
	;; 			EGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
	;; 			OTcM8pwXlj0EiX3oDFVmjHO444gLkBOUKUf/
	;; 			mC7HvfwYH/Be22GnClrinKJp1Og4ywzO9Wgl
	;; 			Mk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt8
	;; 			lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTix
	;; 			in/1LcrgX/KMEGd/buvF4qJCyduieHukuY3H
	;; 			4XMAcR+xia2nIUPvm/oyWR8BW/hWdzOvnSCT
	;; 			hlHf3xiYleDbt/o1OTQ09A0= 
	;; 			) ; Key ID = 17686

	;; se.	3600	IN	DNSKEY	256  3  5 ( 
	;; 			AQP1sR0hcUUBo9VZqxPVdaEsqXcpHqgyOC0K
	;; 			tcxzm3isIDB4337lIJKdrmob2xZrcYRF+H8x
	;; 			NiR2fv436K9ayg7/D0gIRjFrMGmvD/FWP621
	;; 			yAtFHYZ6536T3V+8pSCFwwiC4ZXhHEzaGj3Q
	;; 			TpLY2yhThJWiqyGHbbXhi0FCLnnkWw== 
	;; 			) ; Key ID = 10217

	;; Using next RR type: NSEC
	;; Using signature RR type: RRSIG
	;; First SOA:
se.	172800	IN	SOA	catcher-in-the-rye.nic-se.se. registry.nic.se. (
					2005091406	; Serial
					1800	; Refresh
					1800	; Retry
					2419200	; Expire
					7200 )	; Minimum TTL

	;; Getting NXT/NSEC for se.
	;; Wed Sep 14 12:48:23 2005
se.	7200	IN	NSEC	00385kroatien.se  DNSKEY NS NSEC RRSIG SOA TXT
	;; Looking at type DNSKEY for domain se.
se.	3600	IN	DNSKEY	256  3  5 ( 
			AQP1sR0hcUUBo9VZqxPVdaEsqXcpHqgyOC0K
			tcxzm3isIDB4337lIJKdrmob2xZrcYRF+H8x
			NiR2fv436K9ayg7/D0gIRjFrMGmvD/FWP621
			yAtFHYZ6536T3V+8pSCFwwiC4ZXhHEzaGj3Q
			TpLY2yhThJWiqyGHbbXhi0FCLnnkWw== 
			) ; Key ID = 10217
se.	3600	IN	DNSKEY	257  3  5 ( 
			AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65K
			bhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/zGZUd
			EGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
			OTcM8pwXlj0EiX3oDFVmjHO444gLkBOUKUf/
			mC7HvfwYH/Be22GnClrinKJp1Og4ywzO9Wgl
			Mk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt8
			lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTix
			in/1LcrgX/KMEGd/buvF4qJCyduieHukuY3H
			4XMAcR+xia2nIUPvm/oyWR8BW/hWdzOvnSCT
			hlHf3xiYleDbt/o1OTQ09A0= 
			) ; Key ID = 17686
se.	3600	IN	RRSIG	DNSKEY  5  1  3600  20050918211507 (
			20050911230542 10217  se.
			7bnGB7SKPmcA17eCLKfzXVcU4XOzQ/K2G8bClWlBqfsK+
			7qlokfEa9zljwHr6gNlZxwuz1bMmJMqKzXQggc1iMhESX
			BRRo164y71yEVkJ6ic5cVyTXbR5f+WSA1/mRjsH4PxybQ
			7bF3IYTYYrv7U4g5SZuIy2gf+AvTO9tOJv9w= )
se.	3600	IN	RRSIG	DNSKEY  5  1  3600  20051114000000 (
			20050907135428 17686  se.
			e+43DQPoHr5TBuFqSltdTBITQzauHqV5luogJ7d/mwFWA
			+MnMdnr8XJbjvNCSH3VhJ0fEXJk0Ix4PuFtrxjOC4ExCe
			NuIOx6g39DL61DdLYjMpgVhOMV7DHf9gDrRQp/5YJo/QA
			9YgsmMa+yRQxzgS7D38iPdXmx7LiXpM7dKnHBVCWC5OPj
			MHtsHxRsuCtOU9m1v4VeA94c2Omxus23j2eUz+KGVa7C/
			vIieh1idKVH+wtQLSUTB+4csmfRtgesoU8jU5HQpisYzr
			h6QyUqW8V0t8oNY3dmXBlWT/OkeovdHF+zuqohMy3Fv+h
			Jr3927p/vEIY+J1rt7yYIDThySQ== )
	;; verify ok
	;; Looking at type NS for domain se.
se.	172800	IN	NS	e.ns.se.
se.	172800	IN	NS	f.ns.se.
se.	172800	IN	NS	g.ns.se.
se.	172800	IN	NS	a.ns.se.
se.	172800	IN	NS	b.ns.se.
se.	172800	IN	NS	c.ns.se.
se.	172800	IN	NS	d.ns.se.
se.	172800	IN	RRSIG	NS  5  1  172800  20050920125143 (
			20050914090541 10217  se.
			0Y1cALJwxyddnghVoqZN/aARrEALk2GxZpZudMQ6ohnSI
			UlmjN52ejEFjtJXVrclJtQjs1O0zfZJexFPKJdYHzVIeX
			edo+tZ8ULGpouUVbEz8fP+8F3uv2RInITyIjrtj9wrz1C
			NSjnFpSY+ZiV7u622tWN0h6KKgHdSSLcpg1s= )
	;; verify ok
	;; Looking at type TXT for domain se.
se.	86400	IN	TXT	"Read instructions before sending requests of update"
se.	86400	IN	TXT	"SE zone update: 2005-09-14 12:01:30 +0200 (EPOCH 1126692090)"
se.	86400	IN	TXT	"http://www.nic.se/english/domaner/autoompekning.shtml?lang=en"
se.	86400	IN	RRSIG	TXT  5  1  86400  20050921072734 (
			20050914090541 10217  se.
			Mid8pfMXZdnK6jJ+/247OZOg+m6mCfVKxRtwkO3wktgg3
			0aZ0ksLmPabWpxQ0V/VmZWNet47XL32nWNMoaRf/Pc4/m
			QkAbPzdI8QBd2PhslUdeBb4O4I7WI2UxCSwVfQB6G8WGe
			65pHMXlvNqxfHR/XpFuHC2FhAhkbYyHgW6jk= )
	;; verify ok

	;; Getting NXT/NSEC for 00385kroatien.se.
	;; Wed Sep 14 12:48:23 2005
00385kroatien.se.	7200	IN	NSEC	0046sport.se  NS NSEC RRSIG
	;; Looking at type NS for domain 00385kroatien.se.
00385kroatien.se.	86400	IN	NS	ns1.surf-town.net.
00385kroatien.se.	86400	IN	NS	ns2.surf-town.net.
00385kroatien.se.	86400	IN	NS	ns3.surf-town.net.
	;; no signature found

	;; Getting NXT/NSEC for 0046sport.se.
	;; Wed Sep 14 12:48:23 2005
0046sport.se.	7200	IN	NSEC	007ta2.se  NS NSEC RRSIG
	;; Looking at type NS for domain 0046sport.se.
0046sport.se.	86400	IN	NS	ns3.loopia.se.
0046sport.se.	86400	IN	NS	ns4.loopia.se.
	;; no signature found

	;; Getting NXT/NSEC for 007ta2.se.
	;; Wed Sep 14 12:48:23 2005
007ta2.se.	7200	IN	NSEC	00800inkjet.se  NS NSEC RRSIG
	;; Looking at type NS for domain 007ta2.se.
007ta2.se.	86400	IN	NS	ns1.b-one.nu.
007ta2.se.	86400	IN	NS	ns2.b-one.nu.
	;; no signature found

	;; Getting NXT/NSEC for 00800inkjet.se.
	;; Wed Sep 14 12:48:23 2005
00800inkjet.se.	7200	IN	NSEC	00800inkjets.se  NS NSEC RRSIG
	;; Looking at type NS for domain 00800inkjet.se.
00800inkjet.se.	86400	IN	NS	ns1.eurodns.com.
00800inkjet.se.	86400	IN	NS	ns2.eurodns.com.
	;; no signature found

	;; Getting NXT/NSEC for 00800inkjets.se.
	;; Wed Sep 14 12:48:23 2005
00800inkjets.se.	7200	IN	NSEC	011web.se  NS NSEC RRSIG
	;; Looking at type NS for domain 00800inkjets.se.
00800inkjets.se.	86400	IN	NS	ns1.eurodns.com.
00800inkjets.se.	86400	IN	NS	ns2.eurodns.com.
	;; no signature found

	;; Getting NXT/NSEC for 011web.se.
	;; Wed Sep 14 12:48:23 2005
011web.se.	7200	IN	NSEC	01an.se  NS NSEC RRSIG
	;; Looking at type NS for domain 011web.se.
jas@latte:~/src/walker$

$Id: index.html,v 1.37 2005/09/19 19:15:24 jas Exp $