From eb8acba3dd2fb0e25301f39f6f3c723e51ae4885 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 2 Apr 2013 17:39:32 +0200 Subject: [PATCH] Fix XML for compilation --- i-d/pdns-qof.xml | 665 ++++++++++++++++++++++++----------------------- 1 file changed, 334 insertions(+), 331 deletions(-) diff --git a/i-d/pdns-qof.xml b/i-d/pdns-qof.xml index 2473591..bca6d7f 100644 --- a/i-d/pdns-qof.xml +++ b/i-d/pdns-qof.xml @@ -1,331 +1,334 @@ - - - - - - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Passive DNS - Common Output Format - - CIRCL -
- - 41, avenue de la gare - Luxembourg - - L-1611 - LU - - (+352) 247 88444 - alexandre.dulaunoy@circl.lu - http://www.circl.lu/ - -
- - - - - CERT.at -
- - Karlsplatz 1/2/9 - Vienna - - A-1010 - AT - - +43 1 5056416 78 - kaplan@cert.at - http://www.cert.at/ -
- - - - ISC -
- - - - - - - - - vixie@isc.org - / - - - General - - Internet Engineering Task Force - - dns - - - - This document describes the output format used between Passive DNS query interface. The output format description includes also a common meaning per Passive DNS system. - - - - -
- Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations evolved over time. Users of these Passive DNS servers query a server (often via Whois [Ref: WHOIS]), parse the results and process them in other applications. - - There are multiple implementation of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of three Passive DNS Systems which are in use today and which already share a nearly identical output format. - -As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format format is following a simple key-value structure. -The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each -individual server. [http://code.google.com/p/passive-dns-query-tool/] currently implements multiple parsers due to a lack of standardization. - -The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) used to query the Passive DNS. - - -
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC 2119. -
-
- -
- As a Passive DNS can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects the Passive DNS Database from cache poisoning attacks [ref: Dan Kaminsky]. - - Another limitiation that clients querying the database need to be aware of is that each query simply gets an snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. - -
-
- A field is composed a key followed by a value separated by the single ':' character and a space before the value. The format is based on the initial work done by Florian Weimer and the RIPE whois format (ref:http://www.enyo.de/fw/software/dnslogger/whois.html). The order of the fields is not significant for the same resource type. That measn, the same name tuple plus timing information identifies a unique answer per server. -
A sample output using the common format:
-
- - Depending on the clients request, there might be one of three different answers from the server: Whois (human readable) output format (key-value), JSON output and optionally Bind zone file output format. XXX FIXME: how does the client select which answer format he wants? XXX - -
- The intent of this output format is to be easily parseable by scripts. Every implementation SHOULD support the JSON output format. -
A sample output using the JSON format:
-
-
-
-
- Implementation MUST support all the mandatory fields. - The tuple (rrtype,rrname,rdata) will always be unique within one answer per server. -
- This field returns the name of the queried resource. -
-
- This field returns the resource record type as seen by the passive DNS. The key is rrtype and the value is in the interpreted record type. If the value cannot be interpreted the - decimal value is returned. - - The resource record type can be any values as described by IANA in the DNS parameters document in the section 'DNS Label types' (http://www.iana.org/assignments/dns-parameters). - Currently known and supported textual descritptions of rrtypes are: A, AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6 - A client MUST be able to understand these textual rtype values. In addition, a client MUST be able to handle a decimal value (as mentioned above) as answer. - - XXX reference to RFC 3597.XXX - -
-
- This field returns the data of the queried resource. In general, this is to be interpreted as string. Depending on the rtype, this can be an IPv4 or IPv6 address, a domain name (as in the case of CNAMEs), an SPF record, etc. A client MUST be able to interpret any value which is legal as the right hand side in a DNS zone file RFC 1035 and RFC 1034. - XXX reference to RFC 3597.XXX -
-
- This field returns the first time that the record / unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS. The date is expressed in seconds (decimal ascii) since 1st of January 1970 (unix timestamp). The time zone MUST be UTC. -
-
- This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS. The date is XXXX. -
-
-
- Implementation SHOULD support one or more field. -
- #Specifies how many answers were received with the set of answers (i.e. same data). The number of requests is expressed as a decimal value. - Specifies the number of times this particular event denoted by the other type fields has been seen in the given time interval (between time_last and time_first). Decimal number. -
-
- The bailiwick is the best estimate of the apex of the zone where this data is authoritative. String. -
-
-
- Implementations MAY support the following fields: -
- This field returns the sensor information where the record was seen. The sensor_id is an opaque byte string as defined by RFC5001 (XXX ref)) -
-
- - -
- An x- prefixed key means that is an extension and a non-standard field defined by the implementation of the passive DNS. -
- - - - - - - - -
- Thanks to the Passive DNS developers who contributed to the document. - -
- - - -
- This memo includes no request to IANA. -
- -
- In some cases, Passive DNS output might contain confidential information and its access might be restricted. When an user is querying multiple Passive DNS and aggregating the data, the sensitivity of the data must be considered. - Authentication and signing of the output MAY be implemented on the server via an extended field, namely x-signature-sha265 which contains a SHA256 signature of the output text, signed with the ssh-key of the server sending the answer. - All drafts are required to have a security considerations section. - See RFC 3552 for a guide. -
- - - - - - - - - - - - &RFC2119; - &RFC1035; - &RFC1034; - &RFC4627; - - - - - - Minimal Reference - - - - - - - - - - - - - - &RFC2629; - - &RFC3552; - - &I-D.narten-iana-considerations-rfc2434bis; - - - - - - Ultimate Plan for Taking Over the World - - - Mad Dominators, Inc. - - - - - - - -
- This becomes an Appendix. -
- - - - + + + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Passive DNS - Common Output Format + + CIRCL +
+ + 41, avenue de la gare + Luxembourg + + L-1611 + LU + + (+352) 247 88444 + alexandre.dulaunoy@circl.lu + http://www.circl.lu/ + +
+ + + + + CERT.at +
+ + Karlsplatz 1/2/9 + Vienna + + A-1010 + AT + + +43 1 5056416 78 + kaplan@cert.at + http://www.cert.at/ +
+ + + + ISC +
+ + + + + + + + + vixie@isc.org + http://www.isc.org/ +
+ + + + + General + + Internet Engineering Task Force + + dns + + + + This document describes the output format used between Passive DNS query interface. The output format description includes also a common meaning per Passive DNS system. + + + + +
+ Passive DNS is a technique described by Florian Weimer in 2005 in Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security. Since then multiple Passive DNS implementations evolved over time. Users of these Passive DNS servers query a server (often via Whois [Ref: WHOIS]), parse the results and process them in other applications. + + There are multiple implementation of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of three Passive DNS Systems which are in use today and which already share a nearly identical output format. + +As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format format is following a simple key-value structure. +The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each +individual server. [http://code.google.com/p/passive-dns-query-tool/] currently implements multiple parsers due to a lack of standardization. + +The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) used to query the Passive DNS. + + +
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119. +
+
+ +
+ As a Passive DNS can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects the Passive DNS Database from cache poisoning attacks [ref: Dan Kaminsky]. + + Another limitiation that clients querying the database need to be aware of is that each query simply gets an snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. + +
+
+ A field is composed a key followed by a value separated by the single ':' character and a space before the value. The format is based on the initial work done by Florian Weimer and the RIPE whois format (ref:http://www.enyo.de/fw/software/dnslogger/whois.html). The order of the fields is not significant for the same resource type. That measn, the same name tuple plus timing information identifies a unique answer per server. +
A sample output using the common format:
+
+ + Depending on the clients request, there might be one of three different answers from the server: Whois (human readable) output format (key-value), JSON output and optionally Bind zone file output format. XXX FIXME: how does the client select which answer format he wants? XXX + +
+ The intent of this output format is to be easily parseable by scripts. Every implementation SHOULD support the JSON output format. +
A sample output using the JSON format:
+
+
+
+
+ Implementation MUST support all the mandatory fields. + The tuple (rrtype,rrname,rdata) will always be unique within one answer per server. +
+ This field returns the name of the queried resource. +
+
+ This field returns the resource record type as seen by the passive DNS. The key is rrtype and the value is in the interpreted record type. If the value cannot be interpreted the + decimal value is returned. + + The resource record type can be any values as described by IANA in the DNS parameters document in the section 'DNS Label types' (http://www.iana.org/assignments/dns-parameters). + Currently known and supported textual descritptions of rrtypes are: A, AAAA, CNAME, PTR, SOA, TXT, DNAME, NS, SRV, RP, NAPTR, HINFO, A6 + A client MUST be able to understand these textual rtype values. In addition, a client MUST be able to handle a decimal value (as mentioned above) as answer. + + XXX reference to RFC 3597.XXX + +
+
+ This field returns the data of the queried resource. In general, this is to be interpreted as string. Depending on the rtype, this can be an IPv4 or IPv6 address, a domain name (as in the case of CNAMEs), an SPF record, etc. A client MUST be able to interpret any value which is legal as the right hand side in a DNS zone file RFC 1035 and RFC 1034. + XXX reference to RFC 3597.XXX +
+
+ This field returns the first time that the record / unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS. The date is expressed in seconds (decimal ascii) since 1st of January 1970 (unix timestamp). The time zone MUST be UTC. +
+
+ This field returns the last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS. The date is XXXX. +
+
+
+ Implementation SHOULD support one or more field. +
+ Specifies how many answers were received with the set of answers (i.e. same data). The number of requests is expressed as a decimal value. + Specifies the number of times this particular event denoted by the other type fields has been seen in the given time interval (between time_last and time_first). Decimal number. +
+
+ The bailiwick is the best estimate of the apex of the zone where this data is authoritative. String. +
+
+
+ Implementations MAY support the following fields: +
+ This field returns the sensor information where the record was seen. The sensor_id is an opaque byte string as defined by RFC5001 (XXX ref)) +
+
+ + +
+ An x- prefixed key means that is an extension and a non-standard field defined by the implementation of the passive DNS. +
+ + + + + + + + +
+ Thanks to the Passive DNS developers who contributed to the document. + +
+ + + +
+ This memo includes no request to IANA. +
+ +
+ In some cases, Passive DNS output might contain confidential information and its access might be restricted. When an user is querying multiple Passive DNS and aggregating the data, the sensitivity of the data must be considered. + Authentication and signing of the output MAY be implemented on the server via an extended field, namely x-signature-sha265 which contains a SHA256 signature of the output text, signed with the ssh-key of the server sending the answer. + All drafts are required to have a security considerations section. + See RFC 3552 for a guide. +
+ + + + + + + + + + + + &RFC2119; + &RFC1035; + &RFC1034; + &RFC4627; + + + + + + Minimal Reference + + + + + + + + + + + + + + &RFC2629; + + &RFC3552; + + &I-D.narten-iana-considerations-rfc2434bis; + + + + + + Ultimate Plan for Taking Over the World + + + Mad Dominators, Inc. + + + + + + + +
+ This becomes an Appendix. +
+ + + +