adulau/pdns-qof
1
0
Fork 0
mirror of https://github.com/adulau/pdns-qof.git synced 2024-11-22 18:17:04 +00:00
Code Issues Projects Releases Packages Wiki Activity

the link is outdated

Browse source
This commit is contained in:
Fyodor Y 2013-11-21 13:34:47 +08:00
parent 74ee14ba96
commit f46b6a543d
2 changed files with 241 additions and 99 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

338
i-d/pdns-qof.txt
View file

@ -4,13 +4,14 @@
Internet Engineering Task Force Dulaunoy Internet Engineering Task Force Dulaunoy
Internet-Draft CIRCL Internet-Draft CIRCL
Intended status: Informational Kaplan Intended status: Informational Kaplan
Expires: October 13, 2013 CERT.at Expires: October 3, 2013 CERT.at
Vixie Vixie
ISC Farsight Security, Inc.
hs Stern hs. Stern
Cisco Cisco
April 2013 April 2013
Passive DNS - Common Output Format Passive DNS - Common Output Format
draft-ietf-dulaunoy-kaplan-pdns-cof-01 draft-ietf-dulaunoy-kaplan-pdns-cof-01
@ -22,53 +23,95 @@ Abstract
Status of this Memo Status of this Memo
This Internet-Draft will expire on October 13, 2013. By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Copyright Notice Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Copyright (c) 2013 IETF Trust and the persons identified as the Internet-Drafts are draft documents valid for a maximum of six months
document authors. All rights reserved. and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 3, 2013.
Dulaunoy, et al. Expires October 3, 2013 [Page 1]
Internet-Draft Abbreviated Title April 2013
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (http://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . . 3
2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 3 3. Common Output Format . . . . . . . . . . . . . . . . . . . . . 4
3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 3 3.1. Overview and Example . . . . . . . . . . . . . . . . . . . 4
3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 3 3.2. Mandatory Fields . . . . . . . . . . . . . . . . . . . . . 4
3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2.1. rrname . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2.2. rrtype . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . 3 3.2.3. rdata . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 4 3.2.4. time_first . . . . . . . . . . . . . . . . . . . . . . 5
3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . 4 3.2.5. time_last . . . . . . . . . . . . . . . . . . . . . . . 5
3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . 4 3.3. Optional Fields . . . . . . . . . . . . . . . . . . . . . . 5
3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . 4 3.3.1. count . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.3.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . . 5
3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . . 6
3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . . 7
Appendix A. Appendix . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . . . 9
Dulaunoy, Kaplan, Vixie & Stern info [Page 1]
Dulaunoy, et al. Expires October 3, 2013 [Page 2]
Internet-Draft Abbreviated Title April 2013 Internet-Draft Abbreviated Title April 2013
3.3.2. bailiwick . . . . . . . . . . . . . . . . . . . . . . 4
3.4. Additional Fields . . . . . . . . . . . . . . . . . . . . 4
3.4.1. sensor_id . . . . . . . . . . . . . . . . . . . . . . 4
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . . 5
Appendix A. Appendix . . . . . . . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
@ -90,12 +133,12 @@ Internet-Draft Abbreviated Title April 2013
simple key-value structure in JSON [RFC4627] format. The benefit of simple key-value structure in JSON [RFC4627] format. The benefit of
having a consistent Passive DNS output format is that multiple client having a consistent Passive DNS output format is that multiple client
implementations can query different servers without having to have a implementations can query different servers without having to have a
separate parser for each individual server. [http://code.google.com/ separate parser for each individual server.
p/passive-dns-query-tool/] currently implements multiple parsers due [https://github.com/chrislee35/passivedns-client] currently
to a lack of standardization. The document does not describe the implements multiple parsers due to a lack of standardization. The
protocol (e.g. whois, HTTP REST or XMPP) nor the query format used document does not describe the protocol (e.g. whois, HTTP REST or
to query the Passive DNS. Neither does this document describe "pre- XMPP) nor the query format used to query the Passive DNS. Neither
recursor" Passive DNS Systems. does this document describe "pre-recursor" Passive DNS Systems.
1.1. Requirements Language 1.1. Requirements Language
@ -103,24 +146,28 @@ Internet-Draft Abbreviated Title April 2013
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119]. document are to be interpreted as described in RFC 2119 [RFC2119].
2. Limitation 2. Limitation
As a Passive DNS can include protection mechanisms for their As a Passive DNS can include protection mechanisms for their
operation, results might be different due to those protection operation, results might be different due to those protection
measures. These mechanisms filter out DNS answers if they fail some measures. These mechanisms filter out DNS answers if they fail some
criteria. The bailiwick algorithm (c.f. http://www.isc.org/files/ criteria. The bailiwick algorithm (c.f.
passive_dns_hardening_handout.pdf) protects the Passive DNS Database http://www.isc.org/files/passive_dns_hardening_handout.pdf) protects
from cache poisoning attacks [ref: Dan Kaminsky]. Another the Passive DNS Database from cache poisoning attacks [ref: Dan
limitiation that clients querying the database need to be aware of is Kaminsky]. Another limitiation that clients querying the database
need to be aware of is that each query simply gets an snapshot-answer
of the time of querying. Clients MUST NOT rely on consistent
answers.
Dulaunoy, Kaplan, Vixie & Stern info [Page 2]
Dulaunoy, et al. Expires October 3, 2013 [Page 3]
Internet-Draft Abbreviated Title April 2013 Internet-Draft Abbreviated Title April 2013
that each query simply gets an snapshot-answer of the time of
querying. Clients MUST NOT rely on consistent answers.
3. Common Output Format 3. Common Output Format
@ -158,7 +205,7 @@ Internet-Draft Abbreviated Title April 2013
3.2.2. rrtype 3.2.2. rrtype
This field returns the resource record type as seen by the passive This field returns the resource record type as seen by the passive
DNS. The key is rrtype and the value is in the interpreted record DNS. The key is rrtype and the value is in the interpreted record
type. If the value cannot be interpreted the decimal value is type. If the value cannot be interpreted the decimal value is
returned following the principle of transparency as described in RFC returned following the principle of transparency as described in RFC
3597 [RFC3597]. The resource record type can be any values as 3597 [RFC3597]. The resource record type can be any values as
@ -170,40 +217,39 @@ Internet-Draft Abbreviated Title April 2013
addition, a client MUST be able to handle a decimal value (as addition, a client MUST be able to handle a decimal value (as
mentioned above) as answer. mentioned above) as answer.
3.2.3. rdata
Dulaunoy, et al. Expires October 3, 2013 [Page 4]
Dulaunoy, Kaplan, Vixie & Stern info [Page 3]
Internet-Draft Abbreviated Title April 2013 Internet-Draft Abbreviated Title April 2013
3.2.3. rdata
This field returns the data of the queried resource. In general, This field returns the data of the queried resource. In general,
this is to be interpreted as string. Depending on the rtype, this this is to be interpreted as string. Depending on the rtype, this
can be an IPv4 or IPv6 address, a domain name (as in the case of can be an IPv4 or IPv6 address, a domain name (as in the case of
CNAMEs), an SPF record, etc. A client MUST be able to interpret any CNAMEs), an SPF record, etc. A client MUST be able to interpret any
value which is legal as the right hand side in a DNS zone file RFC value which is legal as the right hand side in a DNS zone file RFC
1035 [RFC1035] and RFC 1034 [RFC1034]. If the rdata came from an 1035 [RFC1035] and RFC 1034 [RFC1034]. If the rdata came from an
unknown DNS resource records, the server must follow the transparency unknown DNS resource records, the server must follow the transparency
principle as described in RFC 3597 [RFC3597]. (binary stream if any? principle as described in RFC 3597 [RFC3597]. (binary stream if any?
base64?) base64?)
3.2.4. time_first 3.2.4. time_first
This field returns the first time that the record / unique tuple This field returns the first time that the record / unique tuple
(rrname, rrtype, rdata) has been seen by the passive DNS. The date is (rrname, rrtype, rdata) has been seen by the passive DNS. The date
expressed in seconds (decimal ascii) since 1st of January 1970 (unix is expressed in seconds (decimal ascii) since 1st of January 1970
timestamp). The time zone MUST be UTC. (unix timestamp). The time zone MUST be UTC.
3.2.5. time_last 3.2.5. time_last
This field returns the last time that the unique tuple (rrname, This field returns the last time that the unique tuple (rrname,
rrtype, rdata) record has been seen by the passive DNS. The date is rrtype, rdata) record has been seen by the passive DNS. The date is
expressed in seconds (decimal ascii) since 1st of January 1970 (unix expressed in seconds (decimal ascii) since 1st of January 1970 (unix
timestamp). The time zone MUST be UTC.. timestamp). The time zone MUST be UTC..
3.3. Optional Fields 3.3. Optional Fields
@ -212,18 +258,29 @@ Internet-Draft Abbreviated Title April 2013
3.3.1. count 3.3.1. count
Specifies how many answers were received with the set of answers Specifies how many answers were received with the set of answers
(i.e. same data). The number of requests is expressed as a decimal (i.e. same data). The number of requests is expressed as a decimal
value. value.
Specifies the number of times this particular event denoted by the Specifies the number of times this particular event denoted by the
other type fields has been seen in the given time interval (between other type fields has been seen in the given time interval (between
time_last and time_first). Decimal number. time_last and time_first). Decimal number.
3.3.2. bailiwick 3.3.2. bailiwick
The bailiwick is the best estimate of the apex of the zone where this The bailiwick is the best estimate of the apex of the zone where this
data is authoritative. String. data is authoritative. String.
Dulaunoy, et al. Expires October 3, 2013 [Page 5]
Internet-Draft Abbreviated Title April 2013
3.4. Additional Fields 3.4. Additional Fields
Implementations MAY support the following fields: Implementations MAY support the following fields:
@ -234,20 +291,17 @@ Internet-Draft Abbreviated Title April 2013
The sensor_id is an opaque byte string as defined by RFC 5001 in The sensor_id is an opaque byte string as defined by RFC 5001 in
section 2.3 [RFC5001]. section 2.3 [RFC5001].
4. Acknowledgements 4. Acknowledgements
Dulaunoy, Kaplan, Vixie & Stern info [Page 4]
Internet-Draft Abbreviated Title April 2013
Thanks to the Passive DNS developers who contributed to the document. Thanks to the Passive DNS developers who contributed to the document.
5. IANA Considerations 5. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
6. Security Considerations 6. Security Considerations
In some cases, Passive DNS output might contain confidential In some cases, Passive DNS output might contain confidential
@ -255,6 +309,7 @@ Internet-Draft Abbreviated Title April 2013
querying multiple Passive DNS and aggregating the data, the querying multiple Passive DNS and aggregating the data, the
sensitivity of the data must be considered. sensitivity of the data must be considered.
7. References 7. References
7.1. Normative References 7.1. Normative References
@ -274,72 +329,96 @@ Internet-Draft Abbreviated Title April 2013
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006. JavaScript Object Notation (JSON)", RFC 4627, July 2006.
Dulaunoy, et al. Expires October 3, 2013 [Page 6]
Internet-Draft Abbreviated Title April 2013
[RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option", [RFC5001] Austein, R., "DNS Name Server Identifier (NSID) Option",
RFC 5001, August 2007. RFC 5001, August 2007.
[min_ref] authSurName, authInitials, "Minimal Reference", 2006. [min_ref] authSurName, authInitials., "Minimal Reference", 2006.
7.2. Informative References 7.2. Informative References
[I-D.narten-iana-considerations-rfc2434bis] [I-D.narten-iana-considerations-rfc2434bis]
Narten, T and H Alvestrand, "Guidelines for Writing an Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", Internet-Draft IANA Considerations Section in RFCs",
draft-narten-iana-considerations-rfc2434bis-09, March draft-narten-iana-considerations-rfc2434bis-09 (work in
2008. progress), March 2008.
[RFC2629] Rose, M.T., "Writing I-Ds and RFCs using XML", RFC 2629, [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999. June 1999.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, July Text on Security Considerations", BCP 72, RFC 3552,
2003. July 2003.
Appendix A. Appendix Appendix A. Appendix
This becomes an Appendix. This becomes an Appendix.
Dulaunoy, Kaplan, Vixie & Stern info [Page 5]
Internet-Draft Abbreviated Title April 2013
Authors' Addresses Authors' Addresses
Alexandre Dulaunoy Alexandre Dulaunoy
CIRCL CIRCL
41, avenue de la gare 41, avenue de la gare
Luxembourg, L-1611 Luxembourg, L-1611
LU LU
Phone: (+352) 247 88444 Phone: (+352) 247 88444
Email: alexandre.dulaunoy@circl.lu Email: alexandre.dulaunoy@circl.lu
URI: http://www.circl.lu/ URI: http://www.circl.lu/
Dulaunoy, et al. Expires October 3, 2013 [Page 7]
Internet-Draft Abbreviated Title April 2013
Leon Aaron Kaplan Leon Aaron Kaplan
CERT.at CERT.at
Karlsplatz 1/2/9 Karlsplatz 1/2/9
Vienna, A-1010 Vienna, A-1010
AT AT
Phone: +43 1 5056416 78 Phone: +43 1 5056416 78
Email: kaplan@cert.at Email: kaplan@cert.at
URI: http://www.cert.at/ URI: http://www.cert.at/
Paul Vixie Paul Vixie
ISC Farsight Security, Inc.
Email: vixie@isc.org
Phone:
Email: paul@redbarn.org
URI: / URI: /
Henry Stern Henry Stern
Cisco Cisco
1741 Brunswick Street, Suite 500 1741 Brunswick Street, Suite 500
Halifax, Nova Scotia B3J 3X8 Halifax, Nova Scotia B3J 3X8
Canada Canada
Phone: +1 408 922 4555 Phone: +1 408 922 4555
Email: hestern@cisco.com Email: hestern@cisco.com
URI: http://www.cisco.com/security URI: http://www.cisco.com/security
@ -359,4 +438,67 @@ Authors' Addresses
Dulaunoy, Kaplan, Vixie & Stern info [Page 6]
Dulaunoy, et al. Expires October 3, 2013 [Page 8]
Internet-Draft Abbreviated Title April 2013
Full Copyright Statement
Copyright (C) The IETF Trust (2013).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Dulaunoy, et al. Expires October 3, 2013 [Page 9]

2
i-d/pdns-qof.xml
View file

@ -141,7 +141,7 @@
As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format format is following a simple key-value structure in <xref target="RFC4627">JSON</xref> format. As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format format is following a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
individual server. [http://code.google.com/p/passive-dns-query-tool/] currently implements multiple parsers due to a lack of standardization. individual server. [https://github.com/chrislee35/passivedns-client] currently implements multiple parsers due to a lack of standardization.
The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. The document does not describe the protocol (e.g. whois, HTTP REST or XMPP) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems.
</t> </t>