follow up on TODO from meeting -> put Examples into its own section

Aaron Kaplan 2013-12-25 17:13:20 +01:00
parent 5a6fa89768
commit 8a24d5f0cd
2 changed files with 49 additions and 47 deletions

View file

@ -70,21 +70,22 @@ Table of Contents
1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3
2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 4 3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 4
3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 4 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4 3.2. Example . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4
3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5 3.3.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5 3.3.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5
3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5 3.3.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5
3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.4. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5
3.3.2. Bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . . 5 3.4.2. Bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5
3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6 3.5. Additional Fields . . . . . . . . . . . . . . . . . . . . . 6
3.4.2. zone_time_first . . . . . . . . . . . . . . . . . . . . 6 3.5.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6
3.4.3. zone_time_last . . . . . . . . . . . . . . . . . . . . 6 3.5.2. zone_time_first . . . . . . . . . . . . . . . . . . . . 6
3.5. Additional Fields Registry . . . . . . . . . . . . . . . . 6 3.5.3. zone_time_last . . . . . . . . . . . . . . . . . . . . 6
3.6. Additional Fields Registry . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
@ -107,7 +108,6 @@ Table of Contents
Dulaunoy, et al. Expires June 28, 2014 [Page 2] Dulaunoy, et al. Expires June 28, 2014 [Page 2]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
@ -171,16 +171,18 @@ Internet-Draft Passive DNS - Common Output Format December 2013
3. Common Output Format 3. Common Output Format
3.1. Overview
The formatting of the answer follows the JSON [RFC4627] format. The The formatting of the answer follows the JSON [RFC4627] format. The
order of the fields is not significant for the same resource type. order of the fields is not significant for the same resource type.
That means, the same name tuple plus timing information identifies a That means, the same name tuple plus timing information identifies a
unique answer per server. unique answer per server.
3.1. Overview and Example
The intent of this output format is to be easily parsable by scripts. The intent of this output format is to be easily parsable by scripts.
Every implementation MUST support the JSON output format. Every implementation MUST support the JSON output format.
3.2. Example
A sample output using the JSON format: A sample output using the JSON format:
... (list of )... ... (list of )...
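Review bot: The placeholder "... (list of )..." that opens the sample under the new "3.2. Example" heading is missing its noun, so a reader cannot tell what the list contains. Now that the example is a section of its own, complete the phrase and add a sentence to 3.2 saying that the output is a sequence of JSON objects separated by newlines, which the closing "(separated by newline)" placeholder only hints at.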
@ -191,18 +193,18 @@ Internet-Draft Passive DNS - Common Output Format December 2013
"time_last": "1386405372" } "time_last": "1386405372" }
... (separated by newline)... ... (separated by newline)...
3.2. Mandatory Fields 3.3. Mandatory Fields
Implementation MUST support all the mandatory fields. Implementation MUST support all the mandatory fields.
The tuple (rrname,rrtype,rdata) will always be unique within one The tuple (rrname,rrtype,rdata) will always be unique within one
answer per server. answer per server.
3.2.1. rrname 3.3.1. rrname
This field returns the name of the queried resource. This field returns the name of the queried resource.
3.2.2. rrtype 3.3.2. rrtype
This field returns the resource record type as seen by the passive This field returns the resource record type as seen by the passive
DNS. The key is rrtype and the value is in the interpreted record DNS. The key is rrtype and the value is in the interpreted record
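Review bot: In the example's closing line at the top of this hunk, "time_last": "1386405372" is encoded as a JSON string, while the "count": 97167 line of the same sample (visible in the XML hunk) is a bare number. The time_first and time_last definitions only say "decimal ASCII", so the field descriptions should state explicitly whether timestamps are JSON strings or JSON numbers; otherwise strict parsers written against the text and against the example will disagree.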
@ -215,8 +217,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013
AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6. A AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6. A
client MUST be able to understand these textual rtype values. In client MUST be able to understand these textual rtype values. In
addition, a client MUST be able to handle a decimal value (as addition, a client MUST be able to handle a decimal value (as
mentioned above) as answer.
@ -225,7 +225,9 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 4]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
3.2.3. rdata mentioned above) as answer.
3.3.3. rdata
This field returns the data of the queried resource. In general, This field returns the data of the queried resource. In general,
this is to be interpreted as string. Depending on the rtype, this this is to be interpreted as string. Depending on the rtype, this
@ -236,25 +238,25 @@ Internet-Draft Passive DNS - Common Output Format December 2013
unknown DNS resource records, the server must follow the transparency unknown DNS resource records, the server must follow the transparency
principle as described in RFC 3597 [RFC3597]. principle as described in RFC 3597 [RFC3597].
3.2.4. time_first 3.3.4. time_first
This field returns the first time that the record / unique tuple This field returns the first time that the record / unique tuple
(rrname, rrtype, rdata) has been seen by the passive DNS. The date (rrname, rrtype, rdata) has been seen by the passive DNS. The date
is expressed in seconds (decimal ASCII) since 1st of January 1970 is expressed in seconds (decimal ASCII) since 1st of January 1970
(Unix timestamp). The time zone MUST be UTC. (Unix timestamp). The time zone MUST be UTC.
3.2.5. time_last 3.3.5. time_last
This field returns the last time that the unique tuple (rrname, This field returns the last time that the unique tuple (rrname,
rrtype, rdata) record has been seen by the passive DNS. The date is rrtype, rdata) record has been seen by the passive DNS. The date is
expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix expressed in seconds (decimal ASCII) since 1st of January 1970 (Unix
timestamp). The time zone MUST be UTC. timestamp). The time zone MUST be UTC.
3.3. Optional Fields 3.4. Optional Fields
Implementations SHOULD support one or more field. Implementations SHOULD support one or more field.
3.3.1. count 3.4.1. count
Specifies how many authoritative DNS answers were received at the Specifies how many authoritative DNS answers were received at the
Passive DNS Server's collectors with the set of answers (i.e. same Passive DNS Server's collectors with the set of answers (i.e. same
@ -264,14 +266,12 @@ Internet-Draft Passive DNS - Common Output Format December 2013
other type fields has been seen in the given time interval (between other type fields has been seen in the given time interval (between
time_last and time_first). Decimal number. time_last and time_first). Decimal number.
3.3.2. Bailiwick 3.4.2. Bailiwick
The bailiwick is the best estimate of the apex of the zone where this The bailiwick is the best estimate of the apex of the zone where this
data is authoritative. String. data is authoritative. String.
3.4. Additional Fields
Implementations MAY support the following fields:
@ -281,27 +281,31 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 5]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
3.4.1. sensor_id 3.5. Additional Fields
Implementations MAY support the following fields:
3.5.1. sensor_id
This field returns the sensor information where the record was seen. This field returns the sensor information where the record was seen.
The sensor_id is an opaque byte string as defined by RFC 5001 in The sensor_id is an opaque byte string as defined by RFC 5001 in
section 2.3 [RFC5001]. section 2.3 [RFC5001].
3.4.2. zone_time_first 3.5.2. zone_time_first
This field returns the first time that the unique tuple (rrname, This field returns the first time that the unique tuple (rrname,
rrtype, rdata) record has been seen via zone file import. The date rrtype, rdata) record has been seen via zone file import. The date
is expressed in seconds (decimal ASCII) since 1st of January 1970 is expressed in seconds (decimal ASCII) since 1st of January 1970
(Unix timestamp). The time zone MUST be UTC. (Unix timestamp). The time zone MUST be UTC.
3.4.3. zone_time_last 3.5.3. zone_time_last
This field returns the last time that the unique tuple (rrname, This field returns the last time that the unique tuple (rrname,
rrtype, rdata) record has been seen via zone file import. The date rrtype, rdata) record has been seen via zone file import. The date
is expressed in seconds (decimal ASCII) since 1st of January 1970 is expressed in seconds (decimal ASCII) since 1st of January 1970
(Unix timestamp). The time zone MUST be UTC. (Unix timestamp). The time zone MUST be UTC.
3.5. Additional Fields Registry 3.6. Additional Fields Registry
In accordance with [RFC6648], designers of new passive DNS In accordance with [RFC6648], designers of new passive DNS
applications that would need additional fields can request and applications that would need additional fields can request and
@ -327,16 +331,14 @@ Internet-Draft Passive DNS - Common Output Format December 2013
sensitivity of the data must be considered. sensitivity of the data must be considered.
7. References
Dulaunoy, et al. Expires June 28, 2014 [Page 6] Dulaunoy, et al. Expires June 28, 2014 [Page 6]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
7. References
7.1. Normative References 7.1. Normative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
@ -383,8 +385,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013
agenda/attachment/rd4-papst-passive_dns.pdf>. agenda/attachment/rd4-papst-passive_dns.pdf>.
[PDNSCIRCL] [PDNSCIRCL]
"CIRCL Passive DNS", 2012, <http://pdns.circl.lu/>.
@ -393,6 +393,8 @@ Dulaunoy, et al. Expires June 28, 2014 [Page 7]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
"CIRCL Passive DNS", 2012, <http://pdns.circl.lu/>.
[PDNSCLIENT] [PDNSCLIENT]
"Queries 5 major Passive DNS databases: BFK, CERTEE, "Queries 5 major Passive DNS databases: BFK, CERTEE,
DNSParse, ISC, and VirusTotal.", 2013, DNSParse, ISC, and VirusTotal.", 2013,
@ -442,8 +444,6 @@ Authors' Addresses
Dulaunoy, et al. Expires June 28, 2014 [Page 8] Dulaunoy, et al. Expires June 28, 2014 [Page 8]
Internet-Draft Passive DNS - Common Output Format December 2013 Internet-Draft Passive DNS - Common Output Format December 2013
@ -462,7 +462,9 @@ Internet-Draft Passive DNS - Common Output Format December 2013
Paul Vixie Paul Vixie
Farsight Security, Inc. Farsight Security, Inc.
11400 La Honda Road
Woodside, California 94062
U.S.A.
Phone: Phone:
Email: paul@redbarn.org Email: paul@redbarn.org
@ -496,8 +498,6 @@ Internet-Draft Passive DNS - Common Output Format December 2013
Dulaunoy, et al. Expires June 28, 2014 [Page 9] Dulaunoy, et al. Expires June 28, 2014 [Page 9]

View file

@ -164,9 +164,11 @@ The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</
</t> </t>
</section> </section>
<section title="Common Output Format"> <section title="Common Output Format">
<section title="Overview">
<t>The formatting of the answer follows the <xref target="RFC4627">JSON</xref> format. The order of the fields is not significant for the same resource type. That means, the same name tuple plus timing information identifies a unique answer per server.</t> <t>The formatting of the answer follows the <xref target="RFC4627">JSON</xref> format. The order of the fields is not significant for the same resource type. That means, the same name tuple plus timing information identifies a unique answer per server.</t>
<section title="Overview and Example">
<t>The intent of this output format is to be easily parsable by scripts. Every implementation MUST support the JSON output format.</t> <!-- note: it is "parsable" if you want to be really nit-picking. See: https://en.wiktionary.org/wiki/parsable --> <t>The intent of this output format is to be easily parsable by scripts. Every implementation MUST support the JSON output format.</t> <!-- note: it is "parsable" if you want to be really nit-picking. See: https://en.wiktionary.org/wiki/parsable -->
</section>
<section title="Example">
<figure><preamble>A sample output using the JSON format:</preamble><artwork><![CDATA[ <figure><preamble>A sample output using the JSON format:</preamble><artwork><![CDATA[
... (list of )... ... (list of )...
{ "count": 97167, { "count": 97167,
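Review bot: The new <section title="Overview"> and <section title="Example"> elements carry only a title and no anchor attribute. This change shifts every following subsection number by one (3.2 becomes 3.3 and so on), so adding anchors here and on the renumbered sections would let references use <xref> and survive the next reorganisation. The trailing XML comment about "parsable" also now sits at the end of the Overview section and can be dropped once the spelling question is settled.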