This is a proof-of-concept utility that downloads the contents of a DNS zone even when AXFR (zone transfer) is disabled on the server, provided the zone is signed with DNSSEC. It works because the NXT/NSEC records DNSSEC uses for authenticated denial of existence form a chain in which every record names the next owner name in the zone; following that chain from the apex until it wraps around enumerates every name and every RR type in the zone, so a signed zone can be read out one record at a time regardless of any AXFR restriction. Optionally it can also verify all signature RRs within the zone against the zone key. If you do not know what DNSSEC is, please refer to:
The tool supports both the old DNSSEC according to RFC 2535 (KEY/SIG/NXT) and the current DNSSEC according to RFC 4033 and its companion documents (DNSKEY/RRSIG/NSEC). It cannot walk zones signed with NSEC3 (RFC 5155), whose chain links hashed names instead of owner names.
The DNSSEC Walker is licensed under the GNU General Public License.
I am a consultant in the network security area and am available on a commercial basis. If you find this tool useful and would like to extend it, or want me to do similar work, please contact me. Donations are also greatly appreciated; no amount is too small!
This program requires the Net::DNS and Net::DNS::SEC packages.
The software packages are signed using my PGP key.
Earlier distribution archives don't mention which license they are distributed under, but to make it clear: all versions are released under the GPL. Recent releases include the copying conditions.
Source code is available via CVS (just press enter at the password prompt):
$ cvs -d :pserver:[email protected]:/home/cvs/public-cvs login
Logging in to :pserver:[email protected]:2401/home/cvs/public-cvs
CVS password:
$ cvs -d :pserver:[email protected]:/home/cvs/public-cvs co walker
The CVS repository can also be accessed through the HTML interface.
Please report any other problems to me.
WALKER(1)             User Contributed Perl Documentation            WALKER(1)

NAME
       walker - Retrieve a DNS zone using NXT/NSEC traversal

SYNOPSIS
       walker [-y] [-n] [-d] [-x] [ @nameserver ] zone [ startname ]

DESCRIPTION
       walker retrieves a DNS zone from the default or supplied name server
       and prints each record to the standard output. AXFR is not used;
       instead the DNSSEC NXT/NSEC record chain is traversed. The zone must
       use DNSSEC. The output should conform to the standard DNS master file
       format (but see BUGS). Optionally, walker can also verify DNSSEC
       signatures on the RRsets within the zone.

OPTIONS
       -y     Additionally perform verification on each RRset within the
              zone and print the result of the verification (in a zone file
              comment).

       -n     When querying for records, ask the name server
              non-recursively instead of going through the full resolver
              logic. This parameter is useful when you know that the default
              name server (or the supplied specific name server) can respond
              correctly, which it typically only would if it is responsible
              for the zone. The original motivation for the -n parameter was
              to improve speed when asking parents for NS records on
              delegated zones, which would make the server recursively ask
              the child servers.

       -d     Enable debugging in the resolver (this will print all DNS
              packets, just like dig).

       -x     Enable the EDNS.0 DNSSEC flag (the DO bit) for SIG/RRSIG
              queries. Not effective if -y is used. This is needed for some
              servers to return SIG/RRSIG at all.

       @nameserver
              Query nameserver instead of the default name server.

       zone   Name of the zone to retrieve the master file for. For example,
              "com".

       startname
              Optional name to start the zone walk at. The default is to
              start walking from the zone apex. This option is useful if the
              tool failed or was interrupted in the middle of a large zone.

AUTHOR
       Simon Josefsson

BUGS
       CNAME, CERT and/or SRV RRs are known to cause Perl warnings during
       verification with some versions of Net::DNS and Net::DNS::SEC. The
       cause is believed to be in Perl, Net::DNS or Net::DNS::SEC. The reader
       is encouraged to track down and fix these bugs.

SEE ALSO
       perl(1), axfr, perldig, Net::DNS, Net::DNS::SEC, resolv.conf

perl v5.8.7                       2005-09-14                         WALKER(1)
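The traversal the man page describes, as an added illustration (this is not walker's own Perl code): follow each NXT/NSEC record's next-owner field from the apex until a record points back to the apex, check that the chain only moves forward in canonical order, and collect the RRsets the type bitmap says exist so they can be queried one by one. The resolver is abstracted as a `lookup` callable (an assumption of this example, so that it runs offline); the chain it is fed is the one walker printed for dnssec.se in the session further down this page. With a live resolver, `lookup` would send an NSEC query with the DO bit set, e.g. through dnspython, and return the next name and type list from the answer.

```python
"""NSEC chain walk in the style of walker(1), written as an illustration.

Added example, not walker's code. `lookup(name)` returns
(next_owner, [types]) for the NSEC record at `name`, or None when there is
no such record (unsigned zone, or NSEC3 hashed names, which cannot be
walked this way). The constructed chain below is the one walker printed
for dnssec.se on this page; nothing is fetched from the network.
"""
from typing import Callable, List, Optional, Tuple

NsecRR = Tuple[str, List[str]]             # (next owner name, type bitmap)
Lookup = Callable[[str], Optional[NsecRR]]


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name for comparisons."""
    return name.rstrip(".").lower() + "."


def canonical_key(name: str) -> List[bytes]:
    """Sort key for RFC 4034 section 6.1 canonical name order: labels are
    compared right to left, case-insensitively, as octet strings, and a
    name sorts before every name that has it as a suffix."""
    stripped = fqdn(name).rstrip(".")
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]


def walk_nsec(zone: str, lookup: Lookup,
              start: Optional[str] = None) -> List[Tuple[str, List[str]]]:
    """Follow the NSEC chain from `start` (default: the apex) until an NSEC
    points back to the apex. Returns (owner, sorted types) in chain order.
    Raises RuntimeError if the chain is missing or malformed."""
    apex = fqdn(zone)
    name = fqdn(start) if start else apex
    seen = set()
    chain: List[Tuple[str, List[str]]] = []
    while True:
        if name in seen:
            raise RuntimeError("NSEC chain loops at %s without reaching the apex" % name)
        seen.add(name)
        rr = lookup(name)
        if rr is None:
            raise RuntimeError("no NSEC record for %s (unsigned zone, or NSEC3)" % name)
        next_name, types = rr
        next_name = fqdn(next_name)
        chain.append((name, sorted(types)))
        if next_name == apex:
            return chain          # the last NSEC wraps to the apex: chain complete
        if canonical_key(next_name) <= canonical_key(name):
            raise RuntimeError("NSEC at %s points backwards to %s" % (name, next_name))
        name = next_name


def walk_status(zone: str, lookup: Lookup, start: Optional[str] = None) -> str:
    """'ok', or the error text, so a caller can probe walkability cheaply."""
    try:
        walk_nsec(zone, lookup, start)
        return "ok"
    except RuntimeError as err:
        return str(err)


def rrsets_to_fetch(chain: List[Tuple[str, List[str]]]) -> List[Tuple[str, str]]:
    """The (owner, type) pairs a walker queries next: every type the NSEC
    bitmap announces except RRSIG, which arrives with each signed RRset."""
    return [(owner, t) for owner, types in chain for t in types if t != "RRSIG"]


# Constructed test data: the NSEC chain walker printed for dnssec.se (2005).
DNSSEC_SE_CHAIN = {
    "dnssec.se.":         ("bind.dnssec.se.",    ["DNSKEY", "NS", "NSEC", "RRSIG", "SOA"]),
    "bind.dnssec.se.":    ("cns.dnssec.se.",     ["A", "NSEC", "RRSIG"]),
    "cns.dnssec.se.":     ("ns1.dnssec.se.",     ["A", "NSEC", "RRSIG"]),
    "ns1.dnssec.se.":     ("ns2.dnssec.se.",     ["A", "NSEC", "RRSIG"]),
    "ns2.dnssec.se.":     ("version.dnssec.se.", ["A", "NSEC", "RRSIG"]),
    "version.dnssec.se.": ("dnssec.se.",         ["NSEC", "RRSIG", "TXT"]),
}


def dnssec_se_lookup(name: str) -> Optional[NsecRR]:
    """Offline stand-in for an NSEC query against ns1.dnssec.se."""
    return DNSSEC_SE_CHAIN.get(fqdn(name))


if __name__ == "__main__":
    chain = walk_nsec("dnssec.se", dnssec_se_lookup)
    for owner, types in chain:
        print(";; %s NSEC -> %s" % (owner, " ".join(types)))
    print(";; %d RRsets to fetch" % len(rrsets_to_fetch(chain)))
```

The `start` argument mirrors walker's `startname`: a walk resumed mid-zone still terminates when the chain wraps to the apex, which is why the earlier part of the zone is not re-fetched. The forward-order check matters because a server (or an on-path attacker) that hands back an NSEC pointing at an earlier name would otherwise loop the walker forever.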
Here is how you would recover the zone file for "dnssec.se", a zone that uses DNSSEC. The -y parameter is given as well, so walker also prints verification results as comments. Lines beginning with ";;" are walker's own comments; the other lines are the zone's records in master file format.
jas@latte:~$ walker -y @ns1.dnssec.se dnssec.se
;; Walker by Simon Josefsson
;; $Id: index.html,v 1.46 2005/11/21 21:31:45 jas Exp $
;; Net::DNS 0.53
;; Net::DNS::SEC 0.12_02
;; Using key RR type: DNSKEY
;; Key(s) used to verify signatures:
;; dnssec.se. 300 IN DNSKEY 256 3 5 (
;;     AQPMj1b/Qn/0YAsqlsU6Ei69Sq0zjmSCKnOj
;;     6fx3iMYaXUwBbq+L+iO16FOIkEBm86lL6UWT
;;     2aHNQuR4Xn2nI+TmFphcI+WctHXaG7AmozxM
;;     4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp
;;     QSV6iYzaTBGrh/eFACnIws1N+9L4kQ==
;;     ) ; Key ID = 32672
;; dnssec.se. 300 IN DNSKEY 257 3 1 (
;;     AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL/hLs
;;     /GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8
;;     F4If71PU4oNPlpq/
;;     ) ; Key ID = 38554
;; dnssec.se. 300 IN DNSKEY 257 3 5 (
;;     AQPAt5E2t/Pf3Yz8/4fRp6r1eN4vIUIpvcrE
;;     23B9ldrsWYcyD4s6EXoErqTqdf4XVwMhGfLu
;;     ZjPpmfaTzGE9vC4v0OR9rS9QfY/l6FpXksFS
;;     97n7ypGF7JFG2xViQwXpxflVV32+W0Qy+Fn+
;;     y84VzUrASm5t0IKn2lAeFCkMNFtZUQ==
;;     ) ; Key ID = 47940
;; dnssec.se. 300 IN DNSKEY 257 3 5 (
;;     AQPQDE29ghF/wcdlfbKLGLvsRUHMdMVcL6XN
;;     2X263BehAzcJIj+fe46eI3rWJcHP9I5l0YoF
;;     LnXjPqmNsUEnwlIr4W8B9gFQeNnmiVEoq2o2
;;     fp/WjPvl19grODvmMH9xTO9s7NVn9NTUEacV
;;     octWwApZLTHWGmdXGApybJF8McJOgQ==
;;     ) ; Key ID = 38577
;; dnssec.se. 300 IN DNSKEY 256 3 5 (
;;     AQPcYh4LTPd7VBzZYz+Z0GoIdqcklqUP6aSm
;;     IxXVQfuzp/x8PQWRIU3as/V56JusLvcpFHdC
;;     7uY/kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8
;;     OKMo0xxpIXoS+Aeajl7WUBQZ9baEH+0A1EtQ
;;     BgEjIV1NcOIDpEUD9l0yHrzIv+1utw==
;;     ) ; Key ID = 18476
;; dnssec.se. 300 IN DNSKEY 257 3 3 (
;;     AKUJoB5D0ucsobRDSc1H2Ga4I+QPo6CcOhba
;;     xW0VqM4GOIL2+M9YAI+NmiZNpF5/fECOqbXi
;;     cq11I3INOUJvm2Hwo//sGs0I/eX7sWgLzPhN
;;     Nk4qI1NpbX2AFUeRn1XvgeGFHP/B61IU+jvi
;;     bNbPue8yt4va+j+QPtD4espCNwRbx43onodW
;;     gsewvCWhUWPChmgkWq1pmNAmRcOuNZqCc7tj
;;     uhw923vzOR4dBHtKxOwDDAoH0FAMugXP+K6/
;;     Ee1dcOkt6jR1f3eod0aHKaVMy1RnSGPi
;;     ) ; Key ID = 57551
;; Using next RR type: NSEC
;; Using signature RR type: RRSIG
;; First SOA: dnssec.se. 300 IN SOA ns1.dnssec.se. jakob.nic.se. (
;;     2005091200 ; Serial
;;     3600       ; Refresh
;;     600        ; Retry
;;     3600       ; Expire
;;     300 )      ; Minimum TTL
;; Getting NXT/NSEC for dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; dnssec.se. 300 IN NSEC bind.dnssec.se DNSKEY NS NSEC RRSIG SOA
;; Looking at type DNSKEY for domain dnssec.se.
dnssec.se. 300 IN DNSKEY 256 3 5 (
    AQPcYh4LTPd7VBzZYz+Z0GoIdqcklqUP6aSm
    IxXVQfuzp/x8PQWRIU3as/V56JusLvcpFHdC
    7uY/kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8
    OKMo0xxpIXoS+Aeajl7WUBQZ9baEH+0A1EtQ
    BgEjIV1NcOIDpEUD9l0yHrzIv+1utw==
    ) ; Key ID = 18476
dnssec.se. 300 IN DNSKEY 257 3 1 (
    AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL/hLs
    /GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8
    F4If71PU4oNPlpq/
    ) ; Key ID = 38554
dnssec.se. 300 IN DNSKEY 257 3 3 (
    AKUJoB5D0ucsobRDSc1H2Ga4I+QPo6CcOhba
    xW0VqM4GOIL2+M9YAI+NmiZNpF5/fECOqbXi
    cq11I3INOUJvm2Hwo//sGs0I/eX7sWgLzPhN
    Nk4qI1NpbX2AFUeRn1XvgeGFHP/B61IU+jvi
    bNbPue8yt4va+j+QPtD4espCNwRbx43onodW
    gsewvCWhUWPChmgkWq1pmNAmRcOuNZqCc7tj
    uhw923vzOR4dBHtKxOwDDAoH0FAMugXP+K6/
    Ee1dcOkt6jR1f3eod0aHKaVMy1RnSGPi
    ) ; Key ID = 57551
dnssec.se. 300 IN DNSKEY 257 3 5 (
    AQPAt5E2t/Pf3Yz8/4fRp6r1eN4vIUIpvcrE
    23B9ldrsWYcyD4s6EXoErqTqdf4XVwMhGfLu
    ZjPpmfaTzGE9vC4v0OR9rS9QfY/l6FpXksFS
    97n7ypGF7JFG2xViQwXpxflVV32+W0Qy+Fn+
    y84VzUrASm5t0IKn2lAeFCkMNFtZUQ==
    ) ; Key ID = 47940
dnssec.se. 300 IN DNSKEY 257 3 5 (
    AQPQDE29ghF/wcdlfbKLGLvsRUHMdMVcL6XN
    2X263BehAzcJIj+fe46eI3rWJcHP9I5l0YoF
    LnXjPqmNsUEnwlIr4W8B9gFQeNnmiVEoq2o2
    fp/WjPvl19grODvmMH9xTO9s7NVn9NTUEacV
    octWwApZLTHWGmdXGApybJF8McJOgQ==
    ) ; Key ID = 38577
dnssec.se. 300 IN DNSKEY 256 3 5 (
    AQPMj1b/Qn/0YAsqlsU6Ei69Sq0zjmSCKnOj
    6fx3iMYaXUwBbq+L+iO16FOIkEBm86lL6UWT
    2aHNQuR4Xn2nI+TmFphcI+WctHXaG7AmozxM
    4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp
    QSV6iYzaTBGrh/eFACnIws1N+9L4kQ==
    ) ; Key ID = 32672
dnssec.se. 300 IN RRSIG DNSKEY 5 2 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    sQ0TmA4c+IVpnKOcfyZb0UCnoaOjBgK7cJTfjt/apjazM
    DLRJ+gKvmD5VbgqCefAn4poAZC1GAoZUJvW9WF2ucSUhG
    A3JzxzuO9amszC518eJWB1OpxyWLPz2kQbZBMomb9Gy0z
    3hrtBsqbLD7G9vSAeHDhGYszR8vQ3GTVNEWs= )
dnssec.se. 300 IN RRSIG DNSKEY 5 2 300 20051111130901 (
    20050912130901 38577 dnssec.se.
    A9DGMW/BgxjX1kgRY89t7bZSLuyenQZ/XkV1FqNOONqXg
    8SL3IYzqBw2fSKxe/vT03JhV+awA9Now33rPvjS11UW24
    Q9M0qzJ7A5mD3XItzzuPerKKqGv5EMrBTWMw1DRoaXU58
    ao1zeQQNTAfSI8Il0rNUBG2Md/ce+QsjHufE= )
dnssec.se. 300 IN RRSIG DNSKEY 5 2 300 20051111130901 (
    20050912130901 47940 dnssec.se.
    ZleFtA+3+pVroQ4h35n8ezEsWgjjgB6elVAK0zQmVwDmv
    XNZfh/SLB6EWGROIsYEOAN4ZIN436Z1GdsMv3+KvWsSrx
    J3pGd4cLMRYdgYQTRVyg9kqdDTefWrJPenjd3Lw6k+UZV
    qZs6qwuhVmrgNWd2diSdIuNeSaWl4yBAYMyE= )
;; verify ok (key 32672)
;; verify ok (key 47940)
;; verify ok (key 38577)
;; Looking at type NS for domain dnssec.se.
dnssec.se. 300 IN NS ns1.dnssec.se.
dnssec.se. 300 IN NS ns2.dnssec.se.
dnssec.se. 300 IN RRSIG NS 5 2 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    kc/ywUShTYoFEsZBGwtLLd0He0D6V41egCWiKuoiZF3+K
    U8QkMJH6ZptqCnf4B/V4r82EUJK20m074GeI5YPxrIqOI
    IB++ueJB48Fje4Oa6N7u3FdvgJQInjvEYGkmxSqPA48DI
    TSvuBPPcN5SLuD8c4HMJgtQyNPCUEcsuxEG8= )
;; verify ok (key 32672)
;; Looking at type NSEC for domain dnssec.se.
dnssec.se. 300 IN NSEC bind.dnssec.se DNSKEY NS NSEC RRSIG SOA
dnssec.se. 300 IN RRSIG NSEC 5 2 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    K349ZYno74X2LNemskeeN+0K5UUvprEbxtoOnP8sSMbFH
    d9teEcT/r+uRC79nt06S13ftbJxhaIVm7Ewoa9mmAwZU1
    T0+TVeaAA+yBV/uvvDho5XVHYkPsOHZ6buFQZR7vvh7rY
    FR/G3AuAjKOMn/9Q8Z7qnyLV773VuilnUGHs= )
;; verify ok (key 32672)
;; Getting NXT/NSEC for bind.dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; bind.dnssec.se. 300 IN NSEC cns.dnssec.se A NSEC RRSIG
;; Looking at type A for domain bind.dnssec.se.
bind.dnssec.se. 300 IN A 212.247.204.243
bind.dnssec.se. 300 IN RRSIG A 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    OOT3LNPz79btkmMb90xNNE3tXmvmXc3BuRzVBXlexmj69
    OUMJbWSuHSrQVki6AnrggoEKcySQs6sjpqX3wbWrrtp0t
    WRC7UtklOP9U+MoTrjp6cGMMcCGtyfrrypAjC1dbpzIwA
    Vvk79zyF+BKjNJm0ij5JNVnHlsNmCRN6ntWM= )
;; verify ok (key 32672)
;; Looking at type NSEC for domain bind.dnssec.se.
bind.dnssec.se. 300 IN NSEC cns.dnssec.se A NSEC RRSIG
bind.dnssec.se. 300 IN RRSIG NSEC 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    T9n4suTCcbMz/3CdgkAFtg2o5kUR+9UvJYDp8CFogOk4g
    CxdeYQoQjX7n8bon4IgPzFpdF3l61TGkWAaxVi9BbJX9v
    9MQsHCmxivf8hPkSBMy/JKqMpUKkjts9sKz3XBq3myr87
    7HNVZEPWWhZsCOh6ggw5pKT90gjG/sn2H1Pw= )
;; verify ok (key 32672)
;; Getting NXT/NSEC for cns.dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; cns.dnssec.se. 300 IN NSEC ns1.dnssec.se A NSEC RRSIG
;; Looking at type A for domain cns.dnssec.se.
cns.dnssec.se. 300 IN A 212.247.204.244
cns.dnssec.se. 300 IN RRSIG A 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    ss/iqq8Wq4H8pa6BZ6k+WT2pk6WCuWsnoUxZJkYX7/D4/
    Ebi886NbjtbQ0TipC8luTMbIqUymEo0/aRRwkYJ7Baj/g
    zIJ+9JaltIfLZTeLMeka6WxDTp1mqiZSNcMNzO6xCTrNT
    mb34qcp9Syrt7pNOMKILkdNqMt6UjXwqe2eY= )
;; verify ok (key 32672)
;; Looking at type NSEC for domain cns.dnssec.se.
cns.dnssec.se. 300 IN NSEC ns1.dnssec.se A NSEC RRSIG
cns.dnssec.se. 300 IN RRSIG NSEC 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    QoL7uVU7NaD9VmIWMAKBP6szvewXKZaxWaDmCE+BnLPE1
    CLRLDTjw6qzu4MsL46Kg1UDy8oLrkYEPL2awzqYZZ4SIJ
    c6wzsVAirJ7WGUW3Xj4JKlpNI9UC+TDBZdnOCUJFZ2XWV
    qSnKOt6313iUe5h9Q9RdfFXF/E0aPmhsTbz4= )
;; verify ok (key 32672)
;; Getting NXT/NSEC for ns1.dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; ns1.dnssec.se. 300 IN NSEC ns2.dnssec.se A NSEC RRSIG
;; Looking at type A for domain ns1.dnssec.se.
ns1.dnssec.se. 300 IN A 212.247.204.242
ns1.dnssec.se. 300 IN RRSIG A 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    JCDwdXO98jnMwwtLE+77iHJL4o865mS7yv5LxFyuRS7Tx
    5IriBoYV0SW5ZdCja/j1FthrMGrcs9RkBG0FFtzZI8hfL
    sNJ2Cfcruk+Vg9nSDWDTfQEu2qUOOyHZQMsyvZfMY7Nyu
    75JYNKzLh/dg9vz+bXgWAxtOFOAbTN05tV5A= )
;; verify ok (key 32672)
;; Looking at type NSEC for domain ns1.dnssec.se.
ns1.dnssec.se. 300 IN NSEC ns2.dnssec.se A NSEC RRSIG
ns1.dnssec.se. 300 IN RRSIG NSEC 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    fxJB60R1c7byFSLqIyhZDUqGlC74/w4rDvzaSxN3YOVKt
    M/lIu+wsnB/nqkhYb3Wz4EkdaRh/Y81VO9Vf+Gv0f9mEH
    V284nF8mBk32uwWgiVAeKrBXFKOleBb/Zgva5e5kpRAZt
    yTs/lFfX5AYt5RahFNMh58vi7yKoYGrEeY/w= )
;; verify ok (key 32672)
;; Getting NXT/NSEC for ns2.dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; ns2.dnssec.se. 300 IN NSEC version.dnssec.se A NSEC RRSIG
;; Looking at type A for domain ns2.dnssec.se.
ns2.dnssec.se. 300 IN A 195.47.254.20
ns2.dnssec.se. 300 IN RRSIG A 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    fduUKZMvKvxECqImtbif8sSpEWUYZ4bvi8usdoqth0siY
    I2/Ff6jL9W3E1/RTIAwk17yHbDcW8SzIIlYoBfNSCeGv1
    uttEpx9ts1SILZuGy+0vIXAiIOC9H0B+PXb19VORQzrOy
    aM95cxbUWCtsOmMbh1/30R14RHDbrPO2wnfM= )
;; verify ok (key 32672)
;; Looking at type NSEC for domain ns2.dnssec.se.
ns2.dnssec.se. 300 IN NSEC version.dnssec.se A NSEC RRSIG
ns2.dnssec.se. 300 IN RRSIG NSEC 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    aRiFCaCVIQ/PGRpjpxdxTk1HqOSY29MIA0UxLCVcvL/TV
    7wEhiqaxZWUith7/xOrPK08tIwXBIV3JvF/VkRdeg80QG
    ANiRS6Jfai8265uTh4ebqjkM6leBrxhUg+CCQGtICFM9h
    Ap0ea+HAxQdLBO4NNVavncmc5KUd2yomiheI= )
;; verify ok (key 32672)
;; Getting NXT/NSEC for version.dnssec.se.
;; Thu Sep 22 10:03:46 2005
;; version.dnssec.se. 300 IN NSEC dnssec.se NSEC RRSIG TXT
;; Looking at type NSEC for domain version.dnssec.se.
version.dnssec.se. 300 IN NSEC dnssec.se NSEC RRSIG TXT
version.dnssec.se. 300 IN RRSIG NSEC 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    Aa9bnii2fkUOkA7NSLv/RBG0bqr5SAdz1qtFPY/gh/ntJ
    kxIqWiQjF8zDw68uXfLNLLTaDccdJVNLHc7PJonucJw61
    IihhHXYZqv2MibQR6S0oyxtiuDj1pg4KiBwfxIDd/pwuN
    /8g4XN57GZ4Uq9izlMXtWP5H7XdDinJv91rE= )
;; verify ok (key 32672)
;; Looking at type TXT for domain version.dnssec.se.
version.dnssec.se. 300 IN TXT "$Revision: 1.46 $"
version.dnssec.se. 300 IN RRSIG TXT 5 3 300 20051111130901 (
    20050912130901 32672 dnssec.se.
    u3Lje403MHDwGWj4BTgTvBUmrXQqzKX2QuDdz/E2Fb3d8
    3yMLFzCG9F6cXhvYlQjYQIoGyoO1sG2g7rZd+V7Q12v4r
    QtMcdTu1UG58TQfRZqYd14pdQR9WucCiE907t0j3Wv3dV
    /WUvctr+Kq56hpeSjZZabC5ULfeYSwcwO+lE= )
;; verify ok (key 32672)
;; Last SOA: dnssec.se. 300 IN SOA ns1.dnssec.se. jakob.nic.se. (
;;     2005091200 ; Serial
;;     3600       ; Refresh
;;     600        ; Retry
;;     3600       ; Expire
;;     300 )      ; Minimum TTL
jas@latte:~$
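How the "; Key ID = N" comments and the "verify ok (key N)" lines above fit together, as an added illustration (this is not walker's or Net::DNS::SEC's code): an RRSIG identifies its signing key only by signer name, algorithm and a 16-bit key tag, so a verifier computes the key tag of every DNSKEY in the zone (RFC 4034 Appendix B) and tries the signature against each key whose tag and algorithm match. Every RRSIG in the session above names tag 32672 with algorithm 5, and the three RRSIGs over the DNSKEY RRset name 32672, 38577 and 47940, which is why those three "verify ok" lines appear. The DNSKEY records fed to the example are copied from the output above; key tags are not unique, which is why the example returns every candidate rather than a single key.

```python
"""DNSKEY key tags (RFC 4034 Appendix B), written as an added illustration
of the "; Key ID = N" comments in walker's output. Not walker's code.

The sample records are copied from the walker session on this page; nothing
is fetched from the network.
"""
import base64
from typing import List, Optional, Tuple

DnsKey = Tuple[int, int, int, bytes]   # (flags, protocol, algorithm, public key)


def parse_dnskey(rr: str) -> DnsKey:
    """Parse a DNSKEY RR in master file format, tolerating the multi-line
    parenthesised form and a trailing ';' comment."""
    body = rr.split(";", 1)[0].replace("(", " ").replace(")", " ")
    tokens = body.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))
    return flags, proto, alg, key


def claimed_key_id(rr: str) -> Optional[int]:
    """The key ID a tool wrote in a '; Key ID = N' comment, if present."""
    marker = "Key ID ="
    return int(rr.split(marker, 1)[1].split()[0]) if marker in rr else None


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    if alg == 1:
        # Historical RSA/MD5 rule (Appendix B.1): the most significant 16 bits
        # of the low 24 bits of the modulus, i.e. the two bytes before the last.
        return (key[-3] << 8) | key[-2]
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet   # sum of big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF                        # fold the carry once
    return ac & 0xFFFF


def signing_key_candidates(tag: int, alg: int, dnskeys: List[DnsKey]) -> List[DnsKey]:
    """Keys an RRSIG with this (key tag, algorithm) may have been made with.
    A verifier must try all of them: tags can collide."""
    return [k for k in dnskeys if k[2] == alg and key_tag(*k) == tag]


# Sample records copied from the walker output above (dnssec.se, 2005).
DNSKEY_RRS = [
    "dnssec.se. 300 IN DNSKEY 256 3 5 ( AQPcYh4LTPd7VBzZYz+Z0GoIdqcklqUP6aSm "
    "IxXVQfuzp/x8PQWRIU3as/V56JusLvcpFHdC 7uY/kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8 "
    "OKMo0xxpIXoS+Aeajl7WUBQZ9baEH+0A1EtQ BgEjIV1NcOIDpEUD9l0yHrzIv+1utw== ) ; Key ID = 18476",
    "dnssec.se. 300 IN DNSKEY 257 3 1 ( AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL/hLs "
    "/GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8 F4If71PU4oNPlpq/ ) ; Key ID = 38554",
    "dnssec.se. 300 IN DNSKEY 256 3 5 ( AQPMj1b/Qn/0YAsqlsU6Ei69Sq0zjmSCKnOj "
    "6fx3iMYaXUwBbq+L+iO16FOIkEBm86lL6UWT 2aHNQuR4Xn2nI+TmFphcI+WctHXaG7AmozxM "
    "4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp QSV6iYzaTBGrh/eFACnIws1N+9L4kQ== ) ; Key ID = 32672",
]

if __name__ == "__main__":
    keys = [parse_dnskey(rr) for rr in DNSKEY_RRS]
    for rr, k in zip(DNSKEY_RRS, keys):
        print("alg %d flags %d: computed tag %d, tool printed %s"
              % (k[2], k[0], key_tag(*k), claimed_key_id(rr)))
    # The RRSIGs in the walker session name key 32672, algorithm 5:
    print("candidate keys for RRSIG 5/32672:", len(signing_key_candidates(32672, 5, keys)))
```

The algorithm 1 special case is worth keeping in any verifier that still meets old RSA/MD5 keys such as the "257 3 1" key in this zone: applying the general formula to it yields a different tag, and the RRSIG lookup silently finds no candidate key.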