adulau/pdns-qof
1
0
Fork 0
mirror of https://github.com/adulau/pdns-qof.git synced 2024-11-22 10:07:09 +00:00
Code Issues Projects Releases Packages Wiki Activity

Cross-references added, updated and fixed.

Browse source
This commit is contained in:
Alexandre Dulaunoy 2013-12-25 10:44:27 +01:00
parent 8d5a88b084
commit 05566c0a71
2 changed files with 164 additions and 197 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

328
i-d/pdns-qof.txt
View file

@ -1,15 +1,16 @@
Internet Engineering Task Force Dulaunoy Internet Engineering Task Force Dulaunoy
Internet-Draft CIRCL Internet-Draft CIRCL
Intended status: Informational Kaplan Intended status: Informational Kaplan
Expires: June 20, 2014 CERT.at Expires: June 28, 2014 CERT.at
Vixie Vixie
Farsight Security, Inc. Farsight Security, Inc.
hs. Stern hs. Stern
Cisco Cisco
December 17, 2013 December 25, 2013
Passive DNS - Common Output Format Passive DNS - Common Output Format
@ -21,12 +22,10 @@ Abstract
query interface. The output format description includes also a query interface. The output format description includes also a
common meaning per Passive DNS system. common meaning per Passive DNS system.
Status of this Memo Status of This Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79.
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
@ -38,80 +37,61 @@ Status of this Memo
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 20, 2014. This Internet-Draft will expire on June 28, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Dulaunoy, et al. Expires June 28, 2014 [Page 1]
Dulaunoy, et al. Expires June 20, 2014 [Page 1]
Internet-Draft Abbreviated Title December 2013 Internet-Draft Abbreviated Title December 2013
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 4 3. Common Output Format . . . . . . . . . . . . . . . . . . . . 3
3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 4 3.1. Overview and Example . . . . . . . . . . . . . . . . . . 3
3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4 3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . 4
3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5 3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . 4
3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5 3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . 5
3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5 3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . 5
3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . 5
3.3.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5 3.3.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . . 5 3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . 5
3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6 3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . 5
3.4.2. zone_time_first . . . . . . . . . . . . . . . . . . . . 6 3.4.2. zone_time_first . . . . . . . . . . . . . . . . . . . 5
3.4.3. zone_time_last . . . . . . . . . . . . . . . . . . . . 6 3.4.3. zone_time_last . . . . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . . 7 7.2. References . . . . . . . . . . . . . . . . . . . . . . . 7
Appendix A. Appendix . . . . . . . . . . . . . . . . . . . . . . . 7 7.3. References . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7 7.4. Informative References . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . . 9 Appendix A. Appendix . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
Dulaunoy, et al. Expires June 20, 2014 [Page 2]
Internet-Draft Abbreviated Title December 2013
1. Introduction 1. Introduction
@ -119,13 +99,21 @@ Internet-Draft Abbreviated Title December 2013
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
Computer Security. Since then multiple Passive DNS implementations Computer Security. Since then multiple Passive DNS implementations
evolved over time. Users of these Passive DNS servers query a server evolved over time. Users of these Passive DNS servers query a server
(often via Whois [Ref: WHOIS] or HTTP and ReST), parse the results (often via WHOIS [RFC3912] or HTTP and ReST), parse the results and
and process them in other applications. process them in other applications.
There are multiple implementation of Passive DNS software. Users of There are multiple implementation of Passive DNS software. Users of
passive DNS query each implementation and aggregate the results for passive DNS query each implementation and aggregate the results for
their search. This document describes the output format of three their search. This document describes the output format of three
Passive DNS Systems which are in use today and which already share a Passive DNS Systems which are in use today and which already share a
Dulaunoy, et al. Expires June 28, 2014 [Page 2]
Internet-Draft Abbreviated Title December 2013
nearly identical output format. As the format and the meaning of nearly identical output format. As the format and the meaning of
output fields from each Passive DNS need to be consistent, we propose output fields from each Passive DNS need to be consistent, we propose
in this document a solution to commonly name each field along with in this document a solution to commonly name each field along with
@ -133,12 +121,12 @@ Internet-Draft Abbreviated Title December 2013
simple key-value structure in JSON [RFC4627] format. The benefit of simple key-value structure in JSON [RFC4627] format. The benefit of
having a consistent Passive DNS output format is that multiple client having a consistent Passive DNS output format is that multiple client
implementations can query different servers without having to have a implementations can query different servers without having to have a
separate parser for each individual server. separate parser for each individual server. [https://github.com/
[https://github.com/chrislee35/passivedns-client] currently chrislee35/passivedns-client] currently implements multiple parsers
implements multiple parsers due to a lack of standardization. The due to a lack of standardization. The document does not describe the
document does not describe the protocol (e.g. whois, HTTP REST or protocol (e.g. WHOIS [RFC3912], HTTP REST or XMPP) nor the query
XMPP) nor the query format used to query the Passive DNS. Neither format used to query the Passive DNS. Neither does this document
does this document describe "pre-recursor" Passive DNS Systems. describe "pre-recursor" Passive DNS Systems.
1.1. Requirements Language 1.1. Requirements Language
@ -146,28 +134,16 @@ Internet-Draft Abbreviated Title December 2013
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Limitation 2. Limitation
As a Passive DNS can include protection mechanisms for their As a Passive DNS can include protection mechanisms for their
operation, results might be different due to those protection operation, results might be different due to those protection
measures. These mechanisms filter out DNS answers if they fail some measures. These mechanisms filter out DNS answers if they fail some
criteria. The bailiwick algorithm (c.f. criteria. The bailiwick algorithm [BAILIWICK] protects the Passive
http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects DNS Database from cache poisoning attacks [CACHEPOISONING]. Another
the Passive DNS Database from cache poisoning attacks [ref: Dan limitiation that clients querying the database need to be aware of is
Kaminsky]. Another limitiation that clients querying the database that each query simply gets an snapshot-answer of the time of
need to be aware of is that each query simply gets an snapshot-answer querying. Clients MUST NOT rely on consistent answers.
of the time of querying. Clients MUST NOT rely on consistent
answers.
Dulaunoy, et al. Expires June 20, 2014 [Page 3]
Internet-Draft Abbreviated Title December 2013
3. Common Output Format 3. Common Output Format
@ -183,6 +159,17 @@ Internet-Draft Abbreviated Title December 2013
A sample output using the JSON format: A sample output using the JSON format:
Dulaunoy, et al. Expires June 28, 2014 [Page 3]
Internet-Draft Abbreviated Title December 2013
... (list of )... ... (list of )...
{ "count": 97167, { "count": 97167,
"time_first": "1277353744", "time_first": "1277353744",
@ -217,14 +204,6 @@ Internet-Draft Abbreviated Title December 2013
addition, a client MUST be able to handle a decimal value (as addition, a client MUST be able to handle a decimal value (as
mentioned above) as answer. mentioned above) as answer.
Dulaunoy, et al. Expires June 20, 2014 [Page 4]
Internet-Draft Abbreviated Title December 2013
3.2.3. rdata 3.2.3. rdata
This field returns the data of the queried resource. In general, This field returns the data of the queried resource. In general,
@ -238,6 +217,15 @@ Internet-Draft Abbreviated Title December 2013
3.2.4. time_first 3.2.4. time_first
Dulaunoy, et al. Expires June 28, 2014 [Page 4]
Internet-Draft Abbreviated Title December 2013
This field returns the first time that the record / unique tuple This field returns the first time that the record / unique tuple
(rrname, rrtype, rdata) has been seen by the passive DNS. The date (rrname, rrtype, rdata) has been seen by the passive DNS. The date
is expressed in seconds (decimal ascii) since 1st of January 1970 is expressed in seconds (decimal ascii) since 1st of January 1970
@ -273,14 +261,6 @@ Internet-Draft Abbreviated Title December 2013
Implementations MAY support the following fields: Implementations MAY support the following fields:
Dulaunoy, et al. Expires June 20, 2014 [Page 5]
Internet-Draft Abbreviated Title December 2013
3.4.1. sensor_id 3.4.1. sensor_id
This field returns the sensor information where the record was seen. This field returns the sensor information where the record was seen.
@ -294,6 +274,14 @@ Internet-Draft Abbreviated Title December 2013
is expressed in seconds (decimal ascii) since 1st of January 1970 is expressed in seconds (decimal ascii) since 1st of January 1970
(unix timestamp). The time zone MUST be UTC. (unix timestamp). The time zone MUST be UTC.
Dulaunoy, et al. Expires June 28, 2014 [Page 5]
Internet-Draft Abbreviated Title December 2013
3.4.3. zone_time_last 3.4.3. zone_time_last
This field returns the last time that the unique tuple (rrname, This field returns the last time that the unique tuple (rrname,
@ -301,17 +289,14 @@ Internet-Draft Abbreviated Title December 2013
is expressed in seconds (decimal ascii) since 1st of January 1970 is expressed in seconds (decimal ascii) since 1st of January 1970
(unix timestamp). The time zone MUST be UTC. (unix timestamp). The time zone MUST be UTC.
4. Acknowledgements 4. Acknowledgements
Thanks to the Passive DNS developers who contributed to the document. Thanks to the Passive DNS developers who contributed to the document.
5. IANA Considerations 5. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
6. Security Considerations 6. Security Considerations
In some cases, Passive DNS output might contain confidential In some cases, Passive DNS output might contain confidential
@ -319,7 +304,6 @@ Internet-Draft Abbreviated Title December 2013
querying multiple Passive DNS and aggregating the data, the querying multiple Passive DNS and aggregating the data, the
sensitivity of the data must be considered. sensitivity of the data must be considered.
7. References 7. References
7.1. Normative References 7.1. Normative References
@ -330,19 +314,15 @@ Internet-Draft Abbreviated Title December 2013
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
Dulaunoy, et al. Expires June 20, 2014 [Page 6]
Internet-Draft Abbreviated Title December 2013
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003. (RR) Types", RFC 3597, September 2003.
[RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
September 2004.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
@ -351,33 +331,54 @@ Internet-Draft Abbreviated Title December 2013
[min_ref] authSurName, authInitials., "Minimal Reference", 2006. [min_ref] authSurName, authInitials., "Minimal Reference", 2006.
7.2. Informative References
Dulaunoy, et al. Expires June 28, 2014 [Page 6]
Internet-Draft Abbreviated Title December 2013
7.2. References
[CACHEPOISONING]
"Black ops 2008: It's the end of the cache as we know
it.", 2008, <http://kurser.lobner.dk/dDist/DMK_BO2K8.pdf>.
7.3. References
[BAILIWICK]
"Passive DNS Hardening", 2010, <https://
archive.farsightsecurity.com/Passive_DNS/
passive_dns_hardening_handout.pdf>.
7.4. Informative References
[I-D.narten-iana-considerations-rfc2434bis] [I-D.narten-iana-considerations-rfc2434bis]
Narten, T. and H. Alvestrand, "Guidelines for Writing an Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", IANA Considerations Section in RFCs", draft-narten-iana-
draft-narten-iana-considerations-rfc2434bis-09 (work in considerations-rfc2434bis-09 (work in progress), March
progress), March 2008. 2008.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999. June 1999.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, Text on Security Considerations", BCP 72, RFC 3552, July
July 2003. 2003.
[RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
September 2004.
Appendix A. Appendix Appendix A. Appendix
This becomes an Appendix. This becomes an Appendix.
Authors' Addresses Authors' Addresses
Alexandre Dulaunoy Alexandre Dulaunoy
CIRCL CIRCL
41, avenue de la gare 41, avenue de la gare
Luxembourg, L-1611 Luxembourg L-1611
LU LU
Phone: (+352) 247 88444 Phone: (+352) 247 88444
@ -388,7 +389,7 @@ Authors' Addresses
Dulaunoy, et al. Expires June 20, 2014 [Page 7] Dulaunoy, et al. Expires June 28, 2014 [Page 7]
Internet-Draft Abbreviated Title December 2013 Internet-Draft Abbreviated Title December 2013
@ -396,7 +397,7 @@ Internet-Draft Abbreviated Title December 2013
Leon Aaron Kaplan Leon Aaron Kaplan
CERT.at CERT.at
Karlsplatz 1/2/9 Karlsplatz 1/2/9
Vienna, A-1010 Vienna A-1010
AT AT
Phone: +43 1 5056416 78 Phone: +43 1 5056416 78
@ -407,8 +408,6 @@ Internet-Draft Abbreviated Title December 2013
Paul Vixie Paul Vixie
Farsight Security, Inc. Farsight Security, Inc.
Phone:
Email: paul@redbarn.org Email: paul@redbarn.org
URI: / URI: /
@ -444,61 +443,6 @@ Internet-Draft Abbreviated Title December 2013
Dulaunoy, et al. Expires June 20, 2014 [Page 8]
Internet-Draft Abbreviated Title December 2013
Full Copyright Statement Dulaunoy, et al. Expires June 28, 2014 [Page 8]
Copyright (C) The IETF Trust (2013).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Dulaunoy, et al. Expires June 20, 2014 [Page 9]

33
i-d/pdns-qof.xml
View file

@ -14,6 +14,7 @@
<!ENTITY RFC4627 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4627.xml"> <!ENTITY RFC4627 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4627.xml">
<!ENTITY RFC5001 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5001.xml"> <!ENTITY RFC5001 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5001.xml">
<!ENTITY RFC3597 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3597.xml"> <!ENTITY RFC3597 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3597.xml">
<!ENTITY RFC3912 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3912.xml">
<!ENTITY I-D.narten-iana-considerations-rfc2434bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.narten-iana-considerations-rfc2434bis.xml"> <!ENTITY I-D.narten-iana-considerations-rfc2434bis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.narten-iana-considerations-rfc2434bis.xml">
]> ]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
@ -41,7 +42,7 @@
<?rfc subcompact="no" ?> <?rfc subcompact="no" ?>
<!-- keep one blank line between list items --> <!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions --> <!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-ietf-dulaunoy-kaplan-pdns-cof-01" ipr="full3978"> <rfc category="info" docName="draft-ietf-dulaunoy-kaplan-pdns-cof-01" ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic <!-- category values: std, bcp, info, exp, and historic
ipr values: full3667, noModification3667, noDerivatives3667 ipr values: full3667, noModification3667, noDerivatives3667
you can add the attributes updates="NNNN" and obsoletes="NNNN" you can add the attributes updates="NNNN" and obsoletes="NNNN"
@ -135,7 +136,7 @@
<middle> <middle>
<section title="Introduction"> <section title="Introduction">
<t>Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations evolved over time. Users of these Passive DNS servers query a server (often via Whois [Ref: WHOIS] or HTTP and ReST), parse the results and process them in other applications.</t> <t>Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations evolved over time. Users of these Passive DNS servers query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP and ReST), parse the results and process them in other applications.</t>
<t> <t>
There are multiple implementation of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of three Passive DNS Systems which are in use today and which already share a nearly identical output format. There are multiple implementation of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of three Passive DNS Systems which are in use today and which already share a nearly identical output format.
@ -143,7 +144,7 @@
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
individual server. [https://github.com/chrislee35/passivedns-client] currently implements multiple parsers due to a lack of standardization. individual server. [https://github.com/chrislee35/passivedns-client] currently implements multiple parsers due to a lack of standardization.
The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP REST or XMPP) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems.
</t> </t>
<section title="Requirements Language"> <section title="Requirements Language">
@ -155,7 +156,7 @@ The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor
</section> </section>
<section title="Limitation"> <section title="Limitation">
<t> As a Passive DNS can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects the Passive DNS Database from cache poisoning attacks [ref: Dan Kaminsky]. <t> As a Passive DNS can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
Another limitiation that clients querying the database need to be aware of is that each query simply gets an snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. Another limitiation that clients querying the database need to be aware of is that each query simply gets an snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers.
</t> </t>
@ -268,7 +269,8 @@ The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor
&RFC2119; &RFC2119;
&RFC1035; &RFC1035;
&RFC1034; &RFC1034;
&RFC4627; &RFC3912;
&RFC4627;
&RFC5001; &RFC5001;
&RFC3597; &RFC3597;
@ -286,6 +288,25 @@ The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor
</front> </front>
</reference> </reference>
</references> </references>
<references>
<reference anchor="CACHEPOISONING" target="http://kurser.lobner.dk/dDist/DMK_BO2K8.pdf">
<front>
<title>Black ops 2008: It&#8217;s the end of the cache as we know it.</title>
<author fullname="Dan Kaminsky"/>
<date year="2008"/>
</front>
</reference>
</references>
<references>
<reference anchor="BAILIWICK" target="https://archive.farsightsecurity.com/Passive_DNS/passive_dns_hardening_handout.pdf">
<front>
<title>Passive DNS Hardening</title>
<author fullname="Robert Edmonds"/>
<date year="2010"/>
</front>
</reference>
</references>
<references title="Informative References"> <references title="Informative References">
<!-- Here we use entities that we defined at the beginning. --> <!-- Here we use entities that we defined at the beginning. -->
@ -294,6 +315,8 @@ The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor
&RFC3552; &RFC3552;
&RFC3912;
&I-D.narten-iana-considerations-rfc2434bis; &I-D.narten-iana-considerations-rfc2434bis;
</references> </references>