mirror of
https://github.com/adulau/pdns-qof.git
synced 2024-11-22 01:57:07 +00:00
Initial WK edits
Mostly grammar and some typos. Also includes 2 questions (in square brackets)
This commit is contained in:
parent
6f06da5bfb
commit
83a2c5eb23
2 changed files with 43 additions and 43 deletions
|
@ -20,11 +20,11 @@ Expires: 29 October 2024
|
||||||
Abstract
|
Abstract
|
||||||
|
|
||||||
This document describes a common output format of Passive DNS Servers
|
This document describes a common output format of Passive DNS Servers
|
||||||
which clients can query. The output format description includes also
|
that clients can query. The output format description also includes
|
||||||
in addition a common semantic for each Passive DNS system. By having
|
a common semantic for each Passive DNS system. By having multiple
|
||||||
multiple Passive DNS Systems adhere to the same output format for
|
Passive DNS Systems adhere to the same output format for queries,
|
||||||
queries, users of multiple Passive DNS servers will be able to
|
users of multiple Passive DNS servers will be able to combine result
|
||||||
combine result sets easily.
|
sets easily.
|
||||||
|
|
||||||
Status of This Memo
|
Status of This Memo
|
||||||
|
|
||||||
|
@ -118,20 +118,20 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
Passive DNS is a technique described by Florian Weimer in 2005 in
|
Passive DNS is a technique described by Florian Weimer in 2005 in
|
||||||
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
|
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
|
||||||
Computer Security [WEIMERPDNS]. Since then multiple Passive DNS
|
Computer Security [WEIMERPDNS]. Since then, multiple Passive DNS
|
||||||
implementations were created and evolved over time. Users of these
|
implementations were created and have evolved over time. Users of
|
||||||
Passive DNS servers may query a server (often via WHOIS [RFC3912] or
|
these Passive DNS servers may query a server (often via WHOIS
|
||||||
HTTP REST [REST]), parse the results and process them in other
|
[RFC3912] or HTTP REST [REST]), parse the results, and process them
|
||||||
applications.
|
in other applications.
|
||||||
|
|
||||||
There are multiple implementations of Passive DNS software. Users of
|
There are multiple implementations of Passive DNS software. Users of
|
||||||
passive DNS query each implementation and aggregate the results for
|
Passive DNS query each implementation and aggregate the results for
|
||||||
their search. This document describes the output format of four
|
their search. This document describes the output format of four
|
||||||
Passive DNS Systems ([DNSDB], [DNSDBQ], [PDNSCERTAT], [PDNSCIRCL] and
|
Passive DNS Systems ([DNSDB], [DNSDBQ], [PDNSCERTAT], [PDNSCIRCL] and
|
||||||
[PDNSCOF]) which are in use today and which already share a nearly
|
[PDNSCOF]) that are in use today and that already share a nearly
|
||||||
identical output format. As the format and the meaning of output
|
identical output format. As the format and the meaning of output
|
||||||
fields from each Passive DNS need to be consistent, we propose in
|
fields from each Passive DNS need to be consistent, this document
|
||||||
this document a solution to commonly name each field along with their
|
proposes a solution to commonly name each field along with its
|
||||||
corresponding interpretation. The format follows a simple key-value
|
corresponding interpretation. The format follows a simple key-value
|
||||||
structure in JSON [RFC4627] format. The benefit of having a
|
structure in JSON [RFC4627] format. The benefit of having a
|
||||||
consistent Passive DNS output format is that multiple client
|
consistent Passive DNS output format is that multiple client
|
||||||
|
@ -141,8 +141,8 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
standardization. The document does not describe the protocol (e.g.
|
standardization. The document does not describe the protocol (e.g.
|
||||||
WHOIS [RFC3912], HTTP REST [REST]) nor the query format used to query
|
WHOIS [RFC3912], HTTP REST [REST]) nor the query format used to query
|
||||||
the Passive DNS. Neither does this document describe "pre-recursor"
|
the Passive DNS. Neither does this document describe "pre-recursor"
|
||||||
Passive DNS Systems. Both of these are separate topics and deserve
|
Passive DNS Systems. Each of these are separate topics and deserve
|
||||||
their own RFC document. The document describes the current best
|
their own RFC documents. This document describes the current best
|
||||||
practices implemented in various Passive DNS server implementations.
|
practices implemented in various Passive DNS server implementations.
|
||||||
|
|
||||||
1.1. Requirements Language
|
1.1. Requirements Language
|
||||||
|
@ -153,15 +153,15 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
2. Limitation
|
2. Limitation
|
||||||
|
|
||||||
As a Passive DNS servers can include protection mechanisms for their
|
As Passive DNS servers can include protection mechanisms for their
|
||||||
operation, results might be different due to those protection
|
operation, results might be different due to those protection
|
||||||
measures. These mechanisms filter out DNS answers if they fail some
|
measures. These mechanisms filter out DNS answers if they fail some
|
||||||
criteria. The bailiwick algorithm [BAILIWICK] protects the Passive
|
criteria. The bailiwick algorithm [BAILIWICK] protects the Passive
|
||||||
DNS Database from cache poisoning attacks [CACHEPOISONING]. Another
|
DNS Database from cache poisoning attacks [CACHEPOISONING]. Another
|
||||||
limitation that clients querying the database need to be aware of is
|
limitation that clients querying the database need to be aware of is
|
||||||
that each query simply gets a snapshot-answer of the time of
|
that each query simply gets a snapshot-in-time answer at the time of
|
||||||
querying. Clients MUST NOT rely on consistent answers. Nor must
|
querying. Clients MUST NOT rely on consistent [what does
|
||||||
they assume that answers must be identical across multiple Passive
|
"consistent" mean in this context? Coherent?] answers. Nor should
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -170,6 +170,7 @@ Dulaunoy, et al. Expires 29 October 2024 [Page 3]
|
||||||
Internet-Draft Passive DNS - Common Output Format April 2024
|
Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
|
|
||||||
|
they assume that answers will be identical across multiple Passive
|
||||||
DNS Servers.
|
DNS Servers.
|
||||||
|
|
||||||
3. Common Output Format
|
3. Common Output Format
|
||||||
|
@ -220,15 +221,14 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy, et al. Expires 29 October 2024 [Page 4]
|
Dulaunoy, et al. Expires 29 October 2024 [Page 4]
|
||||||
|
|
||||||
Internet-Draft Passive DNS - Common Output Format April 2024
|
Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
|
|
||||||
Note that value is defined in JSON [RFC4627] and has the exact same
|
Note that value is defined in JSON [RFC4627] and has the same
|
||||||
specification as there. The same goes for the definition of string.
|
specification as there. The same goes for the definition of string.
|
||||||
Note the changed definition of ws dows not include CR or LF as those
|
Note the changed definition of ws does not include CR or LF as those
|
||||||
are NOT allowed in NDJSON, and thus the definition here MUST be used
|
are NOT allowed in NDJSON, and thus the definition here MUST be used
|
||||||
for other ABNF defitions in JSON [RFC4627].
|
for other ABNF defitions in JSON [RFC4627].
|
||||||
|
|
||||||
|
@ -433,7 +433,7 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
6. Privacy Considerations
|
6. Privacy Considerations
|
||||||
|
|
||||||
Passive DNS Servers capture DNS answers from multiple collecting
|
Passive DNS Servers capture DNS answers from multiple collection
|
||||||
points ("sensors") which are located on the Internet-facing side of
|
points ("sensors") which are located on the Internet-facing side of
|
||||||
DNS recursors ("post-recursor passive DNS"). In this process, they
|
DNS recursors ("post-recursor passive DNS"). In this process, they
|
||||||
intentionally omit the source IP, source port, destination IP and
|
intentionally omit the source IP, source port, destination IP and
|
||||||
|
@ -451,15 +451,16 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
|
|
||||||
Servers are able to find out much about the actual person querying
|
Servers are able to find out much about the actual person querying
|
||||||
the DNS records nor who actually sent the query. In this sense,
|
the DNS records nor who actually sent the query [is the "person"
|
||||||
passive DNS Servers are similar to keeping an archive of all previous
|
querying the DNS records not the same as the "who" actually sent the
|
||||||
phone books - if public DNS records can be compared to phone numbers
|
query?]. In this sense, passive DNS Servers are similar to keeping
|
||||||
- as they often are. Nevertheless, the authors strongly encourage
|
an archive of all previous phone books - if public DNS records can be
|
||||||
Passive DNS implementors to take special care of privacy issues.
|
compared to phone numbers - as they often are. Nevertheless, the
|
||||||
bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
|
authors strongly encourage Passive DNS implementors to take special
|
||||||
Finally, the overall recommendations in RFC6973 [RFC6973] should be
|
care of privacy issues. bortzmeyer-dnsop-dns-privacy is an excellent
|
||||||
taken into consideration when designing any application which uses
|
starting point for this. Finally, the overall recommendations in
|
||||||
Passive DNS data.
|
RFC6973 [RFC6973] should be taken into consideration when designing
|
||||||
|
any application which uses Passive DNS data.
|
||||||
|
|
||||||
In the scope of the General Data Protection Regulation (GDPR -
|
In the scope of the General Data Protection Regulation (GDPR -
|
||||||
Directive 95/46/EC), operators of Passive DNS Server needs to ensure
|
Directive 95/46/EC), operators of Passive DNS Server needs to ensure
|
||||||
|
@ -500,7 +501,6 @@ Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy, et al. Expires 29 October 2024 [Page 9]
|
Dulaunoy, et al. Expires 29 October 2024 [Page 9]
|
||||||
|
|
||||||
Internet-Draft Passive DNS - Common Output Format April 2024
|
Internet-Draft Passive DNS - Common Output Format April 2024
|
||||||
|
|
|
@ -144,21 +144,21 @@
|
||||||
|
|
||||||
|
|
||||||
<abstract>
|
<abstract>
|
||||||
<t>This document describes a common output format of Passive DNS Servers which clients can query. The output format description includes also in addition a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
|
<t>This document describes a common output format of Passive DNS Servers that clients can query. The output format description also includes a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
|
||||||
</abstract>
|
</abstract>
|
||||||
</front>
|
</front>
|
||||||
|
|
||||||
<middle>
|
<middle>
|
||||||
<section title="Introduction">
|
<section title="Introduction">
|
||||||
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then multiple Passive DNS implementations were created and evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results and process them in other applications.</t>
|
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then, multiple Passive DNS implementations were created and have evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results, and process them in other applications.</t>
|
||||||
<t>
|
<t>
|
||||||
There are multiple implementations of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) which are in use today and which already share a nearly identical output format.
|
There are multiple implementations of Passive DNS software. Users of Passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) that are in use today and that already share a nearly identical output format.
|
||||||
|
|
||||||
As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
|
As the format and the meaning of output fields from each Passive DNS need to be consistent, this document proposes a solution to commonly name each field along with its corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
|
||||||
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
|
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
|
||||||
individual server. <xref target="PDNSCLIENT">passivedns-client</xref> currently implements multiple parsers due to a lack of standardization.
|
individual server. <xref target="PDNSCLIENT">passivedns-client</xref> currently implements multiple parsers due to a lack of standardization.
|
||||||
|
|
||||||
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Both of these are separate topics and deserve their own RFC document. The document describes the current best practices implemented in various Passive DNS server implementations.
|
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Each of these are separate topics and deserve their own RFC documents. This document describes the current best practices implemented in various Passive DNS server implementations.
|
||||||
</t>
|
</t>
|
||||||
|
|
||||||
<section title="Requirements Language">
|
<section title="Requirements Language">
|
||||||
|
@ -170,9 +170,9 @@ The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section title="Limitation">
|
<section title="Limitation">
|
||||||
<t> As a Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
|
<t> As Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
|
||||||
|
|
||||||
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. Nor must they assume that answers must be identical across multiple Passive DNS Servers.
|
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-in-time answer at the time of querying. Clients MUST NOT rely on consistent [what does "consistent" mean in this context? Coherent?] answers. Nor should they assume that answers will be identical across multiple Passive DNS Servers.
|
||||||
</t>
|
</t>
|
||||||
</section>
|
</section>
|
||||||
<section title="Common Output Format">
|
<section title="Common Output Format">
|
||||||
|
@ -206,7 +206,7 @@ ws = *(
|
||||||
)
|
)
|
||||||
|
|
||||||
]]></artwork></figure>
|
]]></artwork></figure>
|
||||||
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the exact same specification as there. The same goes for the definition of string. Note the changed definition of ws dows not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
|
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the same specification as there. The same goes for the definition of string. Note the changed definition of ws does not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
|
||||||
</section>
|
</section>
|
||||||
<section title="Mandatory Fields">
|
<section title="Mandatory Fields">
|
||||||
<t>Implementation MUST support all the mandatory fields.</t>
|
<t>Implementation MUST support all the mandatory fields.</t>
|
||||||
|
@ -297,7 +297,7 @@ ws = *(
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section anchor="Privacy" title="Privacy Considerations">
|
<section anchor="Privacy" title="Privacy Considerations">
|
||||||
<t>Passive DNS Servers capture DNS answers from multiple collecting points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
|
<t>Passive DNS Servers capture DNS answers from multiple collection points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query [is the "person" querying the DNS records not the same as the "who" actually sent the query?]. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
|
||||||
|
|
||||||
Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
|
Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
|
||||||
Finally, the overall recommendations in <xref target="RFC6973">RFC6973</xref> should be taken into consideration when designing any application which uses Passive DNS data.</t>
|
Finally, the overall recommendations in <xref target="RFC6973">RFC6973</xref> should be taken into consideration when designing any application which uses Passive DNS data.</t>
|
||||||
|
|
Loading…
Reference in a new issue