Compare commits

..

No commits in common. "7863b019e8ede42640226eca83bb1af0f64e7988" and "6f06da5bfbff2e5b73b05597a625f28d48799fa7" have entirely different histories.

3 changed files with 42 additions and 42 deletions

Binary file not shown.

View file

@ -20,11 +20,11 @@ Expires: 29 October 2024
Abstract
This document describes a common output format of Passive DNS Servers
that clients can query. The output format description also includes
a common semantic for each Passive DNS system. By having multiple
Passive DNS Systems adhere to the same output format for queries,
users of multiple Passive DNS servers will be able to combine result
sets easily.
which clients can query. The output format description includes also
in addition a common semantic for each Passive DNS system. By having
multiple Passive DNS Systems adhere to the same output format for
queries, users of multiple Passive DNS servers will be able to
combine result sets easily.
Status of This Memo
@ -118,20 +118,20 @@ Internet-Draft Passive DNS - Common Output Format April 2024
Passive DNS is a technique described by Florian Weimer in 2005 in
Passive DNS replication, F Weimer - 17th Annual FIRST Conference on
Computer Security [WEIMERPDNS]. Since then, multiple Passive DNS
implementations were created and have evolved over time. Users of
these Passive DNS servers may query a server (often via WHOIS
[RFC3912] or HTTP REST [REST]), parse the results, and process them
in other applications.
Computer Security [WEIMERPDNS]. Since then multiple Passive DNS
implementations were created and evolved over time. Users of these
Passive DNS servers may query a server (often via WHOIS [RFC3912] or
HTTP REST [REST]), parse the results and process them in other
applications.
There are multiple implementations of Passive DNS software. Users of
Passive DNS query each implementation and aggregate the results for
passive DNS query each implementation and aggregate the results for
their search. This document describes the output format of four
Passive DNS Systems ([DNSDB], [DNSDBQ], [PDNSCERTAT], [PDNSCIRCL] and
[PDNSCOF]) that are in use today and that already share a nearly
[PDNSCOF]) which are in use today and which already share a nearly
identical output format. As the format and the meaning of output
fields from each Passive DNS need to be consistent, this document
proposes a solution to commonly name each field along with its
fields from each Passive DNS need to be consistent, we propose in
this document a solution to commonly name each field along with their
corresponding interpretation. The format follows a simple key-value
structure in JSON [RFC4627] format. The benefit of having a
consistent Passive DNS output format is that multiple client
@ -141,8 +141,8 @@ Internet-Draft Passive DNS - Common Output Format April 2024
standardization. The document does not describe the protocol (e.g.
WHOIS [RFC3912], HTTP REST [REST]) nor the query format used to query
the Passive DNS. Neither does this document describe "pre-recursor"
Passive DNS Systems. Each of these are separate topics and deserve
their own RFC documents. This document describes the current best
Passive DNS Systems. Both of these are separate topics and deserve
their own RFC document. The document describes the current best
practices implemented in various Passive DNS server implementations.
1.1. Requirements Language
@ -153,15 +153,15 @@ Internet-Draft Passive DNS - Common Output Format April 2024
2. Limitation
As Passive DNS servers can include protection mechanisms for their
As a Passive DNS servers can include protection mechanisms for their
operation, results might be different due to those protection
measures. These mechanisms filter out DNS answers if they fail some
criteria. The bailiwick algorithm [BAILIWICK] protects the Passive
DNS Database from cache poisoning attacks [CACHEPOISONING]. Another
limitation that clients querying the database need to be aware of is
that each query simply gets a snapshot-in-time answer at the time of
querying. Clients MUST NOT rely on existing answers from different
Passive DNS database. Nor should they assume that answers will be
that each query simply gets a snapshot-answer of the time of
querying. Clients MUST NOT rely on consistent answers. Nor must
they assume that answers must be identical across multiple Passive
@ -170,7 +170,7 @@ Dulaunoy, et al. Expires 29 October 2024 [Page 3]
Internet-Draft Passive DNS - Common Output Format April 2024
identical across multiple Passive DNS Servers.
DNS Servers.
3. Common Output Format
@ -226,9 +226,9 @@ Dulaunoy, et al. Expires 29 October 2024 [Page 4]
Internet-Draft Passive DNS - Common Output Format April 2024
Note that value is defined in JSON [RFC4627] and has the same
Note that value is defined in JSON [RFC4627] and has the exact same
specification as there. The same goes for the definition of string.
Note the changed definition of ws does not include CR or LF as those
Note the changed definition of ws dows not include CR or LF as those
are NOT allowed in NDJSON, and thus the definition here MUST be used
for other ABNF defitions in JSON [RFC4627].
@ -433,7 +433,7 @@ Internet-Draft Passive DNS - Common Output Format April 2024
6. Privacy Considerations
Passive DNS Servers capture DNS answers from multiple collection
Passive DNS Servers capture DNS answers from multiple collecting
points ("sensors") which are located on the Internet-facing side of
DNS recursors ("post-recursor passive DNS"). In this process, they
intentionally omit the source IP, source port, destination IP and
@ -451,15 +451,15 @@ Internet-Draft Passive DNS - Common Output Format April 2024
Servers are able to find out much about the actual person querying
the DNS records. In this sense, passive DNS Servers are similar to
keeping an archive of all previous phone books - if public DNS
records can be compared to phone numbers - as they often are.
Nevertheless, the authors strongly encourage Passive DNS implementors
to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy
is an excellent starting point for this. Finally, the overall
recommendations in RFC6973 [RFC6973] should be taken into
consideration when designing any application which uses Passive DNS
data.
the DNS records nor who actually sent the query. In this sense,
passive DNS Servers are similar to keeping an archive of all previous
phone books - if public DNS records can be compared to phone numbers
- as they often are. Nevertheless, the authors strongly encourage
Passive DNS implementors to take special care of privacy issues.
bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
Finally, the overall recommendations in RFC6973 [RFC6973] should be
taken into consideration when designing any application which uses
Passive DNS data.
In the scope of the General Data Protection Regulation (GDPR -
Directive 95/46/EC), operators of Passive DNS Server needs to ensure

View file

@ -144,21 +144,21 @@
<abstract>
<t>This document describes a common output format of Passive DNS Servers that clients can query. The output format description also includes a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
<t>This document describes a common output format of Passive DNS Servers which clients can query. The output format description includes also in addition a common semantic for each Passive DNS system. By having multiple Passive DNS Systems adhere to the same output format for queries, users of multiple Passive DNS servers will be able to combine result sets easily.</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then, multiple Passive DNS implementations were created and have evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results, and process them in other applications.</t>
<t>Passive DNS is a technique described by Florian Weimer in 2005 in <xref target="WEIMERPDNS">Passive DNS replication, F Weimer - 17th Annual FIRST Conference on Computer Security</xref>. Since then multiple Passive DNS implementations were created and evolved over time. Users of these Passive DNS servers may query a server (often via <xref target="RFC3912">WHOIS</xref> or HTTP <xref target="REST">REST</xref>), parse the results and process them in other applications.</t>
<t>
There are multiple implementations of Passive DNS software. Users of Passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) that are in use today and that already share a nearly identical output format.
There are multiple implementations of Passive DNS software. Users of passive DNS query each implementation and aggregate the results for their search. This document describes the output format of four Passive DNS Systems (<xref target="DNSDB"/>, <xref target="DNSDBQ"/>, <xref target="PDNSCERTAT"/>, <xref target="PDNSCIRCL"/> and <xref target="PDNSCOF"/>) which are in use today and which already share a nearly identical output format.
As the format and the meaning of output fields from each Passive DNS need to be consistent, this document proposes a solution to commonly name each field along with its corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
As the format and the meaning of output fields from each Passive DNS need to be consistent, we propose in this document a solution to commonly name each field along with their corresponding interpretation. The format follows a simple key-value structure in <xref target="RFC4627">JSON</xref> format.
The benefit of having a consistent Passive DNS output format is that multiple client implementations can query different servers without having to have a separate parser for each
individual server. <xref target="PDNSCLIENT">passivedns-client</xref> currently implements multiple parsers due to a lack of standardization.
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Each of these are separate topics and deserve their own RFC documents. This document describes the current best practices implemented in various Passive DNS server implementations.
The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</xref>, HTTP <xref target="REST">REST</xref>) nor the query format used to query the Passive DNS. Neither does this document describe "pre-recursor" Passive DNS Systems. Both of these are separate topics and deserve their own RFC document. The document describes the current best practices implemented in various Passive DNS server implementations.
</t>
<section title="Requirements Language">
@ -170,9 +170,9 @@ The document does not describe the protocol (e.g. <xref target="RFC3912">WHOIS</
</section>
<section title="Limitation">
<t> As Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
<t> As a Passive DNS servers can include protection mechanisms for their operation, results might be different due to those protection measures. These mechanisms filter out DNS answers if they fail some criteria. The <xref target="BAILIWICK">bailiwick algorithm</xref> protects the Passive DNS Database from <xref target="CACHEPOISONING">cache poisoning attacks</xref>.
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-in-time answer at the time of querying. Clients MUST NOT rely on existing answers from different Passive DNS database. Nor should they assume that answers will be identical across multiple Passive DNS Servers.
Another limitation that clients querying the database need to be aware of is that each query simply gets a snapshot-answer of the time of querying. Clients MUST NOT rely on consistent answers. Nor must they assume that answers must be identical across multiple Passive DNS Servers.
</t>
</section>
<section title="Common Output Format">
@ -206,7 +206,7 @@ ws = *(
)
]]></artwork></figure>
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the same specification as there. The same goes for the definition of string. Note the changed definition of ws does not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
<t>Note that value is defined in <xref target="RFC4627">JSON</xref> and has the exact same specification as there. The same goes for the definition of string. Note the changed definition of ws dows not include CR or LF as those are NOT allowed in NDJSON, and thus the definition here MUST be used for other ABNF defitions in <xref target="RFC4627">JSON</xref>.</t>
</section>
<section title="Mandatory Fields">
<t>Implementation MUST support all the mandatory fields.</t>
@ -297,7 +297,7 @@ ws = *(
</section>
<section anchor="Privacy" title="Privacy Considerations">
<t>Passive DNS Servers capture DNS answers from multiple collection points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
<t>Passive DNS Servers capture DNS answers from multiple collecting points ("sensors") which are located on the Internet-facing side of DNS recursors ("post-recursor passive DNS"). In this process, they intentionally omit the source IP, source port, destination IP and destination port from the captured packets. Since the data is captured "post-recursor", the timing information (who queries what) is lost, since the recursor will cache the results. Furthermore, since multiple sensors feed into a passive DNS server, the resulting data gets mixed together, reducing the likelihood that Passive DNS Servers are able to find out much about the actual person querying the DNS records nor who actually sent the query. In this sense, passive DNS Servers are similar to keeping an archive of all previous phone books - if public DNS records can be compared to phone numbers - as they often are.
Nevertheless, the authors strongly encourage Passive DNS implementors to take special care of privacy issues. bortzmeyer-dnsop-dns-privacy is an excellent starting point for this.
Finally, the overall recommendations in <xref target="RFC6973">RFC6973</xref> should be taken into consideration when designing any application which uses Passive DNS data.</t>