adulau/pdns-qof
1
0
Fork 0
mirror of https://github.com/adulau/pdns-qof.git synced 2024-11-22 10:07:09 +00:00
Code Issues Projects Releases Packages Wiki Activity

Processed output generated

Browse source
This commit is contained in:
Alexandre Dulaunoy 2013-04-10 22:55:24 +02:00
parent 9b3e0f2d1e
commit a44b0594bd
1 changed files with 362 additions and 362 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

724
i-d/pdns-qof.txt
View file

@ -1,362 +1,362 @@
Internet Engineering Task Force Dulaunoy Internet Engineering Task Force Dulaunoy
Internet-Draft CIRCL Internet-Draft CIRCL
Intended status: Informational Kaplan Intended status: Informational Kaplan
Expires: July 15, 2013 CERT.at Expires: October 13, 2013 CERT.at
Vixie Vixie
ISC ISC
January 2013 hs Stern
Cisco
Passive DNS - Common Output Format April 2013
draft-ietf-dulaunoy-kaplan-pdns-cof-01
Passive DNS - Common Output Format
Abstract draft-ietf-dulaunoy-kaplan-pdns-cof-01
This document describes the output format used between Passive DNS Abstract
query interface. The output format description includes also a
common meaning per Passive DNS system. This document describes the output format used between Passive DNS
query interface. The output format description includes also a
Status of this Memo common meaning per Passive DNS system.
This Internet-Draft will expire on July 15, 2013. Status of this Memo
Copyright Notice This Internet-Draft will expire on October 13, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright Notice
document authors. All rights reserved.
Copyright (c) 2013 IETF Trust and the persons identified as the
This document is subject to BCP 78 and the IETF Trust's Legal document authors. All rights reserved.
Provisions Relating to IETF Documents (http://trustee.ietf.org/
license-info) in effect on the date of publication of this document. This document is subject to BCP 78 and the IETF Trust's Legal
Please review these documents carefully, as they describe your rights Provisions Relating to IETF Documents (http://trustee.ietf.org/
and restrictions with respect to this document. Code Components license-info) in effect on the date of publication of this document.
extracted from this document must include Simplified BSD License text Please review these documents carefully, as they describe your rights
as described in Section 4.e of the Trust Legal Provisions and are and restrictions with respect to this document. Code Components
provided without warranty as described in the Simplified BSD License. extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
Table of Contents provided without warranty as described in the Simplified BSD License.
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 Table of Contents
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
3.1. Output Format . . . . . . . . . . . . . . . . . . . . . . 3 2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.1.1. JSON . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 3
4. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 3
4.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 3
4.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 3
4.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 3
4.4. time_first . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . 3
4.5. time_last . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 4
5. Optional Fields . . . . . . . . . . . . . . . . . . . . . . . 4 3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . 4
5.1. count . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . 4
5.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . 4
Dulaunoy, Kaplan & Vixie info [Page 1] Dulaunoy, Kaplan, Vixie & Stern info [Page 1]
Internet-Draft Abbreviated Title January 2013 Internet-Draft Abbreviated Title April 2013
6. Additional Fields . . . . . . . . . . . . . . . . . . . . . . 5 3.3.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . 4
6.1. x-sensor_id . . . . . . . . . . . . . . . . . . . . . . . 5 3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . 4
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5 3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . 4
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4
9. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
10.1. Normative References . . . . . . . . . . . . . . . . . . 5 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
10.2. Informative References . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . . 5
Appendix A. Additional Stuff . . . . . . . . . . . . . . . . . . . 6 7.2. Informative References . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Appendix A. Appendix . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
1. Introduction
Passive DNS is a technique described by Florian Weimer in 2005 in
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Passive DNS is a technique described by Florian Weimer in 2005 in
Computer Security. Since then multiple Passive DNS implementations Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
evolved over time. Users of these Passive DNS servers query a server Computer Security. Since then multiple Passive DNS implementations
(often via Whois [Ref: WHOIS]), parse the results and process them in evolved over time. Users of these Passive DNS servers query a server
other applications. (often via Whois [Ref: WHOIS] or HTTP and ReST), parse the results
and process them in other applications.
There are multiple implementation of Passive DNS software. Users of
passive DNS query each implementation and aggregate the results for There are multiple implementation of Passive DNS software. Users of
their search. This document describes the output format of three passive DNS query each implementation and aggregate the results for
Passive DNS Systems which are in use today and which already share a their search. This document describes the output format of three
nearly identical output format. As the format and the meaning of Passive DNS Systems which are in use today and which already share a
output fields from each Passive DNS need to be consistent, we propose nearly identical output format. As the format and the meaning of
in this document a solution to commonly name each field along with output fields from each Passive DNS need to be consistent, we propose
their corresponding interpretation. The format format is following a in this document a solution to commonly name each field along with
simple key-value structure. The benefit of having a consistent their corresponding interpretation. The format format is following a
Passive DNS output format is that multiple client implementations can simple key-value structure in JSON [RFC4627] format. The benefit of
query different servers without having to have a separate parser for having a consistent Passive DNS output format is that multiple client
each individual server. [http://code.google.com/p/passive-dns-query- implementations can query different servers without having to have a
tool/] currently implements multiple parsers due to a lack of separate parser for each individual server. [http://code.google.com/
standardization. The document does not describe the protocol (e.g. p/passive-dns-query-tool/] currently implements multiple parsers due
whois, HTTP REST or XMPP) used to query the Passive DNS. to a lack of standardization. The document does not describe the
protocol (e.g. whois, HTTP REST or XMPP) nor the query format used
1.1. Requirements Language to query the Passive DNS. Neither does this document describe "pre-
recursor" Passive DNS Systems.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 1.1. Requirements Language
document are to be interpreted as described in RFC 2119 [RFC2119].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
2. Limitation "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
As a Passive DNS can include protection mechanisms for their
operation, results might be different due to those protection 2. Limitation
measures. These mechanisms filter out DNS answers if they fail some
As a Passive DNS can include protection mechanisms for their
operation, results might be different due to those protection
measures. These mechanisms filter out DNS answers if they fail some
criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/
passive_dns_hardening_handout.pdf) protects the Passive DNS Database
from cache poisoning attacks [ref: Dan Kaminsky]. Another
limitiation that clients querying the database need to be aware of is
Dulaunoy, Kaplan & Vixie info [Page 2] Dulaunoy, Kaplan, Vixie & Stern info [Page 2]
Internet-Draft Abbreviated Title January 2013 Internet-Draft Abbreviated Title April 2013
criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/ that each query simply gets an snapshot-answer of the time of
passive_dns_hardening_handout.pdf) protects the Passive DNS Database querying. Clients MUST NOT rely on consistent answers.
from cache poisoning attacks [ref: Dan Kaminsky]. Another
limitiation that clients querying the database need to be aware of is 3. Common Output Format
that each query simply gets an snapshot-answer of the time of
querying. Clients MUST NOT rely on consistent answers. The formatting of the answer follows the JSON [RFC4627] format. The
order of the fields is not significant for the same resource type.
3. Format That means, the same name tuple plus timing information identifies a
unique answer per server.
A field is composed a key followed by a value separated by the single
':' character and a space before the value. The format is based on 3.1. Overview and Example
the initial work done by Florian Weimer and the RIPE whois format
(ref:http://www.enyo.de/fw/software/dnslogger/whois.html). The order The intent of this output format is to be easily parseable by
of the fields is not significant for the same resource type. That scripts. Every implementation MUST support the JSON output format.
measn, the same name tuple plus timing information identifies a
unique answer per server. A sample output using the JSON format:
A sample output using the common format: ... (list of )...
{ "count": 97167,
rrname: www.foo.be "time_first": "2010-06-25 17:07:02",
rrtype: AAAA "rrtype": "A", "rrname": "google-public-dns-a.google.com.",
rdata: 2001:6f8:202:2df::2 "rdata": "8.8.8.8",
time_first: 2010-07-26 13:04:01 "time_last": "2013-02-05 17:34:03" }
time_last: 2012-02-06 09:59:00 ... (separated by newline)...
count: 87
3.2. Mandatory Fields
3.1. Output Format
Implementation MUST support all the mandatory fields.
Depending on the clients request, there might be one of three
different answers from the server: Whois (human readable) output The tuple (rrtype,rrname,rdata) will always be unique within one
format (key-value), JSON [RFC4627] output and optionally Bind zone answer per server.
file output format. XXX FIXME: how does the client select which
answer format he wants? XXX 3.2.1. rrname
3.1.1. JSON This field returns the name of the queried resource.
The intent of this output format is to be easily parseable by 3.2.2. rrtype
scripts. Every implementation SHOULD support the JSON output format.
This field returns the resource record type as seen by the passive
A sample output using the JSON format: DNS. The key is rrtype and the value is in the interpreted record
type. If the value cannot be interpreted the decimal value is
... (list of )... returned following the principle of transparency as described in RFC
{ "count": 97167, 3597 [RFC3597]. The resource record type can be any values as
"time_first": "2010-06-25 17:07:02", described by IANA in the DNS parameters document in the section 'DNS
"rrtype": "A", "rrname": "google-public-dns-a.google.com.", Label types' (http://www.iana.org/assignments/dns-parameters).
"rdata": "8.8.8.8", Currently known and supported textual descritptions of rrtypes are:
"time_last": "2013-02-05 17:34:03" } A, AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6 A
... (separated by newline)... client MUST be able to understand these textual rtype values. In
addition, a client MUST be able to handle a decimal value (as
4. Mandatory Fields mentioned above) as answer.
Implementation MUST support all the mandatory fields. 3.2.3. rdata
The tuple (rrtype,rrname,rdata) will always be unique within one
answer per server.
Dulaunoy, Kaplan & Vixie info [Page 3] Dulaunoy, Kaplan, Vixie & Stern info [Page 3]
Internet-Draft Abbreviated Title January 2013 Internet-Draft Abbreviated Title April 2013
4.1. rrname This field returns the data of the queried resource. In general,
this is to be interpreted as string. Depending on the rtype, this
This field returns the name of the queried resource. can be an IPv4 or IPv6 address, a domain name (as in the case of
CNAMEs), an SPF record, etc. A client MUST be able to interpret any
4.2. rrtype value which is legal as the right hand side in a DNS zone file RFC
1035 [RFC1035] and RFC 1034 [RFC1034]. If the rdata came from an
This field returns the resource record type as seen by the passive unknown DNS resource records, the server must follow the transparency
DNS. The key is rrtype and the value is in the interpreted record principle as described in RFC 3597 [RFC3597]. (binary stream if any?
type. If the value cannot be interpreted the decimal value is base64?)
returned following the principle of transparency as described in RFC
3597 [RFC3597]. The resource record type can be any values as 3.2.4. time_first
described by IANA in the DNS parameters document in the section 'DNS
Label types' (http://www.iana.org/assignments/dns-parameters). This field returns the first time that the record / unique tuple
Currently known and supported textual descritptions of rrtypes are: (rrname, rrtype, rdata) has been seen by the passive DNS. The date is
A, AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6 A expressed in seconds (decimal ascii) since 1st of January 1970 (unix
client MUST be able to understand these textual rtype values. In timestamp). The time zone MUST be UTC.
addition, a client MUST be able to handle a decimal value (as
mentioned above) as answer. 3.2.5. time_last
4.3. rdata This field returns the last time that the unique tuple (rrname,
rrtype, rdata) record has been seen by the passive DNS. The date is
This field returns the data of the queried resource. In general, expressed in seconds (decimal ascii) since 1st of January 1970 (unix
this is to be interpreted as string. Depending on the rtype, this timestamp). The time zone MUST be UTC..
can be an IPv4 or IPv6 address, a domain name (as in the case of
CNAMEs), an SPF record, etc. A client MUST be able to interpret any 3.3. Optional Fields
value which is legal as the right hand side in a DNS zone file RFC
1035 [RFC1035] and RFC 1034 [RFC1034]. If the rdata came from an Implementation SHOULD support one or more field.
unknown DNS resource records, the server must follow the transparency
principle as described in RFC 3597 [RFC3597]. (binary stream if any? 3.3.1. count
base64?)
Specifies how many answers were received with the set of answers
4.4. time_first (i.e. same data). The number of requests is expressed as a decimal
value.
This field returns the first time that the record / unique tuple
(rrname, rrtype, rdata) has been seen by the passive DNS. The date is Specifies the number of times this particular event denoted by the
expressed in seconds (decimal ascii) since 1st of January 1970 (unix other type fields has been seen in the given time interval (between
timestamp). The time zone MUST be UTC. time_last and time_first). Decimal number.
4.5. time_last 3.3.2. bailiwick
This field returns the last time that the unique tuple (rrname, The bailiwick is the best estimate of the apex of the zone where this
rrtype, rdata) record has been seen by the passive DNS. The date is data is authoritative. String.
expressed in seconds (decimal ascii) since 1st of January 1970 (unix
timestamp). The time zone MUST be UTC.. 3.4. Additional Fields
5. Optional Fields Implementations MAY support the following fields:
Implementation SHOULD support one or more field. 3.4.1. sensor_id
5.1. count This field returns the sensor information where the record was seen.
The sensor_id is an opaque byte string as defined by RFC 5001 in
Specifies how many answers were received with the set of answers section 2.3 [RFC5001].
(i.e. same data). The number of requests is expressed as a decimal
value. 4. Acknowledgements
Dulaunoy, Kaplan & Vixie info [Page 4] Dulaunoy, Kaplan, Vixie & Stern info [Page 4]
Internet-Draft Abbreviated Title January 2013 Internet-Draft Abbreviated Title April 2013
Specifies the number of times this particular event denoted by the Thanks to the Passive DNS developers who contributed to the document.
other type fields has been seen in the given time interval (between
time_last and time_first). Decimal number. 5. IANA Considerations
5.2. bailiwick This memo includes no request to IANA.
The bailiwick is the best estimate of the apex of the zone where this 6. Security Considerations
data is authoritative. String.
In some cases, Passive DNS output might contain confidential
6. Additional Fields information and its access might be restricted. When an user is
querying multiple Passive DNS and aggregating the data, the
Implementations MAY support the following fields: sensitivity of the data must be considered.
6.1. x-sensor_id 7. References
This field returns the sensor information where the record was seen. 7.1. Normative References
The sensor_id is an opaque byte string as defined by RFC 5001 in
section 2.3 [RFC5001]. [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
7. Acknowledgements
[RFC1035] Mockapetris, P., "Domain names - implementation and
Thanks to the Passive DNS developers who contributed to the document. specification", STD 13, RFC 1035, November 1987.
8. IANA Considerations [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
This memo includes no request to IANA.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
9. Security Considerations (RR) Types", RFC 3597, September 2003.
In some cases, Passive DNS output might contain confidential [RFC4627] Crockford, D., "The application/json Media Type for
information and its access might be restricted. When an user is JavaScript Object Notation (JSON)", RFC 4627, July 2006.
querying multiple Passive DNS and aggregating the data, the
sensitivity of the data must be considered. [RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option",
RFC 5001, August 2007.
10. References
[min_ref] authSurName, authInitials, "Minimal Reference", 2006.
10.1. Normative References
7.2. Informative References
[RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987. [I-D.narten-iana-considerations-rfc2434bis]
Narten, T and H Alvestrand, "Guidelines for Writing an
[RFC1035] Mockapetris, P., "Domain names - implementation and IANA Considerations Section in RFCs", Internet-Draft
specification", STD 13, RFC 1035, November 1987. draft-narten-iana-considerations-rfc2434bis-09, March
2008.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2629] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
[RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
(RR) Types", RFC 3597, September 2003. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, July
[RFC4627] Crockford, D., "The application/json Media Type for 2003.
JavaScript Object Notation (JSON)", RFC 4627, July 2006.
Appendix A. Appendix
[RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option",
RFC 5001, August 2007. This becomes an Appendix.
Dulaunoy, Kaplan & Vixie info [Page 5] Dulaunoy, Kaplan, Vixie & Stern info [Page 5]
Internet-Draft Abbreviated Title January 2013 Internet-Draft Abbreviated Title April 2013
[min_ref] authSurName, authInitials, "Minimal Reference", 2006. Authors' Addresses
10.2. Informative References Alexandre Dulaunoy
CIRCL
[I-D.narten-iana-considerations-rfc2434bis] 41, avenue de la gare
Narten, T and H Alvestrand, "Guidelines for Writing an Luxembourg, L-1611
IANA Considerations Section in RFCs", Internet-Draft LU
draft-narten-iana-considerations-rfc2434bis-09, March
2008. Phone: (+352) 247 88444
Email: alexandre.dulaunoy@circl.lu
[RFC2629] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, URI: http://www.circl.lu/
June 1999.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Leon Aaron Kaplan
Text on Security Considerations", BCP 72, RFC 3552, July CERT.at
2003. Karlsplatz 1/2/9
Vienna, A-1010
Appendix A. Additional Stuff AT
This becomes an Appendix. Phone: +43 1 5056416 78
Email: kaplan@cert.at
Authors' Addresses URI: http://www.cert.at/
Alexandre Dulaunoy
CIRCL Paul Vixie
41, avenue de la gare ISC
Luxembourg, L-1611
LU Email: vixie@isc.org
URI: /
Phone: (+352) 247 88444
Email: alexandre.dulaunoy@circl.lu
URI: http://www.circl.lu/ Henry Stern
Cisco
1741 Brunswick Street, Suite 500
Leon Aaron Kaplan Halifax, Nova Scotia B3J 3X8
CERT.at Canada
Karlsplatz 1/2/9
Vienna, A-1010 Phone: +1 408 922 4555
AT Email: hestern@cisco.com
URI: http://www.cisco.com/security
Phone: +43 1 5056416 78
Email: kaplan@cert.at
URI: http://www.cert.at/
Paul Vixie
ISC
Email: vixie@isc.org
URI: /
Dulaunoy, Kaplan & Vixie info [Page 6] Dulaunoy, Kaplan, Vixie & Stern info [Page 6]