diff --git a/i-d/pdns-qof.txt b/i-d/pdns-qof.txt index 2ea30e0..47bd411 100644 --- a/i-d/pdns-qof.txt +++ b/i-d/pdns-qof.txt 
@@ -70,21 +70,22 @@ Table of Contents 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 4 - 3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 4 - 3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4 - 3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5 - 3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5 - 3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.3.2. Bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5 - 3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . . 5 - 3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6 - 3.4.2. zone_time_first . . . . . . . . . . . . . . . . . . . . 6 - 3.4.3. zone_time_last . . . . . . . . . . . . . . . . . . . . 6 - 3.5. Additional Fields Registry . . . . . . . . . . . . . . . . 6 + 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.2. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.3. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4 + 3.3.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.3.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.3.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.3.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5 + 3.3.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.4. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5 + 3.4.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.4.2. Bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5 + 3.5. 
Additional Fields . . . . . . . . . . . . . . . . . . . . . 6 + 3.5.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.5.2. zone_time_first . . . . . . . . . . . . . . . . . . . . 6 + 3.5.3. zone_time_last . . . . . . . . . . . . . . . . . . . . 6 + 3.6. Additional Fields Registry . . . . . . . . . . . . . . . . 6 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 @@ -107,7 +108,6 @@ Table of Contents - Dulaunoy, et al. Expires June 28, 2014 [Page 2] Internet-Draft Passive DNS - Common Output Format December 2013 @@ -171,16 +171,18 @@ Internet-Draft Passive DNS - Common Output Format December 2013 3. Common Output Format +3.1. Overview + The formatting of the answer follows the JSON [RFC4627] format. The order of the fields is not significant for the same resource type. That means, the same name tuple plus timing information identifies a unique answer per server. -3.1. Overview and Example - The intent of this output format is to be easily parsable by scripts. Every implementation MUST support the JSON output format. +3.2. Example + A sample output using the JSON format: ... (list of )... @@ -191,18 +193,18 @@ Internet-Draft Passive DNS - Common Output Format December 2013 "time_last": "1386405372" } ... (separated by newline)... -3.2. Mandatory Fields +3.3. Mandatory Fields Implementation MUST support all the mandatory fields. The tuple (rrname,rrtype,rdata) will always be unique within one answer per server. -3.2.1. rrname +3.3.1. rrname This field returns the name of the queried resource. -3.2.2. rrtype +3.3.2. rrtype This field returns the resource record type as seen by the passive DNS. The key is rrtype and the value is in the interpreted record 
@@ -215,8 +217,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013 AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6. A client MUST be able to understand these textual rtype values. In addition, a client MUST be able to handle a decimal value (as - mentioned above) as answer. - @@ -225,7 +225,9 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 4] Internet-Draft Passive DNS - Common Output Format December 2013 -3.2.3. rdata + mentioned above) as answer. + +3.3.3. rdata This field returns the data of the queried resource. In general, this is to be interpreted as string. Depending on the rtype, this @@ -236,25 +238,25 @@ Internet-Draft Passive DNS - Common Output Format December 2013 unknown DNS resource records, the server must follow the transparency principle as described in RFC 3597 [RFC3597]. -3.2.4. time_first +3.3.4. time_first This field returns the first time that the record / unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS. The date is expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. -3.2.5. time_last +3.3.5. time_last This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS. The date is expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. -3.3. Optional Fields +3.4. Optional Fields Implementations SHOULD support one or more field. -3.3.1. count +3.4.1. count Specifies how many authoritative DNS answers were received at the Passive DNS Server's collectors with the set of answers (i.e. same 
@@ -264,14 +266,12 @@ Internet-Draft Passive DNS - Common Output Format December 2013 other type fields has been seen in the given time interval (between time_last and time_first). Decimal number. -3.3.2. Bailiwick +3.4.2. Bailiwick The bailiwick is the best estimate of the apex of the zone where this data is authoritative. String. -3.4. Additional Fields - Implementations MAY support the following fields: @@ -281,27 +281,31 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 5] Internet-Draft Passive DNS - Common Output Format December 2013 -3.4.1. sensor_id +3.5. Additional Fields + + Implementations MAY support the following fields: + +3.5.1. sensor_id This field returns the sensor information where the record was seen. The sensor_id is an opaque byte string as defined by RFC 5001 in section 2.3 [RFC5001]. -3.4.2. zone_time_first +3.5.2. zone_time_first This field returns the first time that the unique tuple (rrname, rrtype, rdata) record has been seen via zone file import. The date is expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. -3.4.3. zone_time_last +3.5.3. zone_time_last This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen via zone file import. The date is expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC. -3.5. Additional Fields Registry +3.6. Additional Fields Registry In accordance with [RFC6648], designers of new passive DNS applications that would need additional fields can request and @@ -327,16 +331,14 @@ Internet-Draft Passive DNS - Common Output Format December 2013 sensitivity of the data must be considered. -7. References - - - Dulaunoy, et al. Expires June 28, 2014 [Page 6] Internet-Draft Passive DNS - Common Output Format December 2013 +7. References + 7.1. Normative References [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 
@@ -383,8 +385,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013 agenda/attachment/rd4-papst-passive_dns.pdf>. [PDNSCIRCL] - "CIRCL Passive DNS", 2012, . - @@ -393,6 +393,8 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 7] Internet-Draft Passive DNS - Common Output Format December 2013 + "CIRCL Passive DNS", 2012, . + [PDNSCLIENT] "Queries 5 major Passive DNS databases: BFK, CERTEE, DNSParse, ISC, and VirusTotal.", 2013, @@ -442,8 +444,6 @@ Authors' Addresses - - Dulaunoy, et al. Expires June 28, 2014 [Page 8] Internet-Draft Passive DNS - Common Output Format December 2013 @@ -462,7 +462,9 @@ Internet-Draft Passive DNS - Common Output Format December 2013 Paul Vixie Farsight Security, Inc. - + 11400 La Honda Road + Woodside, California 94062 + U.S.A. Phone: Email: paul@redbarn.org @@ -496,8 +498,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013 - - Dulaunoy, et al. Expires June 28, 2014 [Page 9] diff --git a/i-d/pdns-qof.xml b/i-d/pdns-qof.xml index 22e3a0b..4fa3eb8 100644 --- a/i-d/pdns-qof.xml +++ b/i-d/pdns-qof.xml @@ -164,9 +164,11 @@ The document does not describe the protocol (e.g. WHOIS
+
The formatting of the answer follows the JSON format. The order of the fields is not significant for the same resource type. That means, the same name tuple plus timing information identifies a unique answer per server. -
The intent of this output format is to be easily parsable by scripts. Every implementation MUST support the JSON output format. +
+
A sample output using the JSON format:
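Review bot: the two sentences now placed under the new "3.1. Overview" heading do not follow from each other and the second one contradicts 3.3. "The order of the fields is not significant for the same resource type" is about JSON key ordering, yet the next sentence opens with "That means, the same name tuple plus timing information identifies a unique answer per server", which is a statement about the uniqueness key, not about field order. Section 3.3 then says "The tuple (rrname,rrtype,rdata) will always be unique within one answer per server", i.e. without the timing fields. Pick one key (the bare tuple, or the tuple plus time_first/time_last), state it once in 3.3 next to the MUST, and reduce the Overview sentence to the field-order point.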
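Review bot: the renumbered 3.3.x text mixes "rtype" and "rrtype" for the same field: 3.3.2 says "A client MUST be able to understand these textual rtype values" and 3.3.3 says "Depending on the rtype, this", while the field itself and the uniqueness tuple are spelled rrtype. Since this is the JSON key name that scripts will match on, use rrtype throughout. While touching 3.3, "Implementation MUST support all the mandatory fields." should read "Implementations MUST support all the mandatory fields." to match the plural used in 3.4 and 3.5.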
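Review bot: in the time_first and time_last subsections (3.3.4, 3.3.5) the JSON type of the value is left implicit. The prose says "expressed in seconds (decimal ASCII)" and the example in 3.2 carries "time_last": "1386405372", a quoted JSON string, whereas count in 3.4.1 is described as "Decimal number". A script that parses the example as a string and a server that emits a bare number are both defensible readings of the current text, so state explicitly whether timestamps are JSON strings or JSON numbers. The identical "seconds (decimal ASCII) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC." sentence is repeated four times (time_first, time_last, zone_time_first, zone_time_last); define the timestamp encoding once and reference it. Also in 3.4.1 the interval is written "(between time_last and time_first)"; reverse it to "between time_first and time_last" to match the field order everywhere else.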
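Review bot: the move of the "Additional Fields" heading across the page 5/6 boundary may leave the sentence "Implementations MAY support the following fields:" in the output twice. In the -264 hunk it survives as unchanged context after the removed "-3.4. Additional Fields" line, and the +281 hunk adds "+ Implementations MAY support the following fields:" again under "+3.5. Additional Fields". Check the regenerated txt and make sure it appears exactly once, under the 3.5 heading. Separately, 3.5.1 defines sensor_id as "an opaque byte string as defined by RFC 5001 in section 2.3" but JSON has no byte-string type; say how the bytes are encoded in the JSON value so that two implementations produce the same sensor_id for the same sensor.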
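Review bot: the [PDNSCIRCL] reference, moved across the page 7/8 boundary in the -383/-393 hunks, renders as "CIRCL Passive DNS", 2012, . with nothing between the comma and the full stop. Confirm the xml reference element carries the target URI and that it survives regeneration; the neighbouring [PDNSCLIENT] entry shows the same trailing ", " pattern and should get the same check.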
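Review bot: the -462 hunk adds a full postal address for Paul Vixie but leaves the line "Phone:" with an empty value above "Email: paul@redbarn.org". An empty label in the rendered Authors' Addresses is noise; either fill in the number or drop the phone element from the xml so the line is not emitted.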
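Review bot: the pdns-qof.xml hunk at -164 is shown here without its element markup (the added and removed lines appear as bare "+" and "-"), so the nesting of the new Overview and Example sections cannot be verified from this rendering. Confirm that the section closer originally belonging to "Overview and Example" is now paired with the new Overview opener and that the Example section opened before "A sample output using the JSON format:" is closed after the JSON sample. Also note the xml line reads "follows the JSON format." while the regenerated txt reads "follows the JSON [RFC4627] format."; confirm the RFC 4627 xref is present in the xml rather than only in the txt.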