draft-ietf-dnsop-dns-capture-format-05.txt   draft-ietf-dnsop-dns-capture-format-06.txt 
dnsop J. Dickinson dnsop J. Dickinson
Internet-Draft J. Hague Internet-Draft J. Hague
Intended status: Standards Track S. Dickinson Intended status: Standards Track S. Dickinson
Expires: August 26, 2018 Sinodun IT Expires: September 6, 2018 Sinodun IT
T. Manderson T. Manderson
J. Bond J. Bond
ICANN ICANN
February 22, 2018 March 5, 2018
C-DNS: A DNS Packet Capture Format C-DNS: A DNS Packet Capture Format
draft-ietf-dnsop-dns-capture-format-05 draft-ietf-dnsop-dns-capture-format-06
Abstract Abstract
This document describes a data representation for collections of DNS This document describes a data representation for collections of DNS
messages. The format is designed for efficient storage and messages. The format is designed for efficient storage and
transmission of large packet captures of DNS traffic; it attempts to transmission of large packet captures of DNS traffic; it attempts to
minimize the size of such packet capture files but retain the full minimize the size of such packet capture files but retain the full
DNS message contents along with the most useful transport metadata. DNS message contents along with the most useful transport metadata.
It is intended to assist with the development of DNS traffic It is intended to assist with the development of DNS traffic
monitoring applications. monitoring applications.
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 26, 2018. This Internet-Draft will expire on September 6, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 23 skipping to change at page 2, line 23
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Data collection use cases . . . . . . . . . . . . . . . . . . 5 3. Data collection use cases . . . . . . . . . . . . . . . . . . 5
4. Design considerations . . . . . . . . . . . . . . . . . . . . 7 4. Design considerations . . . . . . . . . . . . . . . . . . . . 7
5. Choice of CBOR . . . . . . . . . . . . . . . . . . . . . . . 8 5. Choice of CBOR . . . . . . . . . . . . . . . . . . . . . . . 8
6. C-DNS format conceptual overview . . . . . . . . . . . . . . 9 6. C-DNS format conceptual overview . . . . . . . . . . . . . . 9
6.1. Block Parameters . . . . . . . . . . . . . . . . . . . . 10 6.1. Block Parameters . . . . . . . . . . . . . . . . . . . . 10
6.2. Storage Parameters . . . . . . . . . . . . . . . . . . . 10 6.2. Storage Parameters . . . . . . . . . . . . . . . . . . . 10
6.2.1. Optional data items . . . . . . . . . . . . . . . . . 10 6.2.1. Optional data items . . . . . . . . . . . . . . . . . 10
6.2.2. Optional RRs and OPCODES . . . . . . . . . . . . . . 11 6.2.2. Optional RRs and OPCODES . . . . . . . . . . . . . . 11
6.2.3. Sampling and anonymisation . . . . . . . . . . . . . 12 6.2.3. Storage flags . . . . . . . . . . . . . . . . . . . . 12
6.2.4. IP Address storage . . . . . . . . . . . . . . . . . 12 6.2.4. IP Address storage . . . . . . . . . . . . . . . . . 12
7. C-DNS format detailed description . . . . . . . . . . . . . . 12 7. C-DNS format detailed description . . . . . . . . . . . . . . 12
7.1. Map quantities and indexes . . . . . . . . . . . . . . . 12 7.1. Map quantities and indexes . . . . . . . . . . . . . . . 12
7.2. Tabular representation . . . . . . . . . . . . . . . . . 12 7.2. Tabular representation . . . . . . . . . . . . . . . . . 13
7.3. "File" . . . . . . . . . . . . . . . . . . . . . . . . . 13 7.3. "File" . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.4. "FilePreamble" . . . . . . . . . . . . . . . . . . . . . 14 7.4. "FilePreamble" . . . . . . . . . . . . . . . . . . . . . 14
7.4.1. "BlockParameters" . . . . . . . . . . . . . . . . . . 14 7.4.1. "BlockParameters" . . . . . . . . . . . . . . . . . . 15
7.4.2. "CollectionParameters" . . . . . . . . . . . . . . . 18 7.4.2. "CollectionParameters" . . . . . . . . . . . . . . . 18
7.5. "Block" . . . . . . . . . . . . . . . . . . . . . . . . . 19 7.5. "Block" . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.5.1. "BlockPreamble" . . . . . . . . . . . . . . . . . . . 20 7.5.1. "BlockPreamble" . . . . . . . . . . . . . . . . . . . 20
7.5.2. "BlockStatistics" . . . . . . . . . . . . . . . . . . 21 7.5.2. "BlockStatistics" . . . . . . . . . . . . . . . . . . 21
7.5.3. "BlockTables" . . . . . . . . . . . . . . . . . . . . 22 7.5.3. "BlockTables" . . . . . . . . . . . . . . . . . . . . 22
7.6. "QueryResponse" . . . . . . . . . . . . . . . . . . . . . 27 7.6. "QueryResponse" . . . . . . . . . . . . . . . . . . . . . 27
7.6.1. "ResponseProcessingData" . . . . . . . . . . . . . . 29 7.6.1. "ResponseProcessingData" . . . . . . . . . . . . . . 29
7.6.2. "QueryResponseExtended" . . . . . . . . . . . . . . . 29 7.6.2. "QueryResponseExtended" . . . . . . . . . . . . . . . 29
7.7. "AddressEventCount" . . . . . . . . . . . . . . . . . . . 30 7.7. "AddressEventCount" . . . . . . . . . . . . . . . . . . . 30
7.8. "MalformedMessage" . . . . . . . . . . . . . . . . . . . 31 7.8. "MalformedMessage" . . . . . . . . . . . . . . . . . . . 31
skipping to change at page 3, line 21 skipping to change at page 3, line 21
12. Implementation status . . . . . . . . . . . . . . . . . . . . 38 12. Implementation status . . . . . . . . . . . . . . . . . . . . 38
12.1. DNS-STATS Compactor . . . . . . . . . . . . . . . . . . 39 12.1. DNS-STATS Compactor . . . . . . . . . . . . . . . . . . 39
13. IANA considerations . . . . . . . . . . . . . . . . . . . . . 39 13. IANA considerations . . . . . . . . . . . . . . . . . . . . . 39
14. Security considerations . . . . . . . . . . . . . . . . . . . 39 14. Security considerations . . . . . . . . . . . . . . . . . . . 39
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39
16. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 40 16. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 40
17. References . . . . . . . . . . . . . . . . . . . . . . . . . 42 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 42
17.1. Normative References . . . . . . . . . . . . . . . . . . 42 17.1. Normative References . . . . . . . . . . . . . . . . . . 42
17.2. Informative References . . . . . . . . . . . . . . . . . 42 17.2. Informative References . . . . . . . . . . . . . . . . . 42
17.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 43 17.3. URIs . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Appendix A. CDDL . . . . . . . . . . . . . . . . . . . . . . . . 44 Appendix A. CDDL . . . . . . . . . . . . . . . . . . . . . . . . 45
Appendix B. DNS Name compression example . . . . . . . . . . . . 54 Appendix B. DNS Name compression example . . . . . . . . . . . . 54
B.1. NSD compression algorithm . . . . . . . . . . . . . . . . 55 B.1. NSD compression algorithm . . . . . . . . . . . . . . . . 55
B.2. Knot Authoritative compression algorithm . . . . . . . . 55 B.2. Knot Authoritative compression algorithm . . . . . . . . 56
B.3. Observed differences . . . . . . . . . . . . . . . . . . 56 B.3. Observed differences . . . . . . . . . . . . . . . . . . 56
Appendix C. Comparison of Binary Formats . . . . . . . . . . . . 56 Appendix C. Comparison of Binary Formats . . . . . . . . . . . . 56
C.1. Comparison with full PCAP files . . . . . . . . . . . . . 59 C.1. Comparison with full PCAP files . . . . . . . . . . . . . 59
C.2. Simple versus block coding . . . . . . . . . . . . . . . 59 C.2. Simple versus block coding . . . . . . . . . . . . . . . 60
C.3. Binary versus text formats . . . . . . . . . . . . . . . 59 C.3. Binary versus text formats . . . . . . . . . . . . . . . 60
C.4. Performance . . . . . . . . . . . . . . . . . . . . . . . 60 C.4. Performance . . . . . . . . . . . . . . . . . . . . . . . 60
C.5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . 60 C.5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . 61
C.6. Block size choice . . . . . . . . . . . . . . . . . . . . 60 C.6. Block size choice . . . . . . . . . . . . . . . . . . . . 61
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 61 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 62
1. Introduction 1. Introduction
There has long been a need to collect DNS queries and responses on There has long been a need to collect DNS queries and responses on
authoritative and recursive name servers for monitoring and analysis. authoritative and recursive name servers for monitoring and analysis.
This data is used in a number of ways including traffic monitoring, This data is used in a number of ways including traffic monitoring,
analyzing network attacks and "day in the life" (DITL) [ditl] analyzing network attacks and "day in the life" (DITL) [ditl]
analysis. analysis.
A wide variety of tools already exist that facilitate the collection A wide variety of tools already exist that facilitate the collection
skipping to change at page 10, line 35 skipping to change at page 10, line 35
These parameters include: These parameters include:
o The sub-second timing resolution used by the data. o The sub-second timing resolution used by the data.
o Information (hints) on which optional data items can be expected o Information (hints) on which optional data items can be expected
to appear in the data. See Section 6.2.1. to appear in the data. See Section 6.2.1.
o Recorded OPCODES and RR types. See Section 6.2.2. o Recorded OPCODES and RR types. See Section 6.2.2.
o Flags indicating whether the data is sampled or anonymised. See o Flags indicating, for example, whether the data is sampled or
Section 6.2.3. anonymised. See Section 6.2.3.
o Client and server IPv4 and IPv6 address prefixes. See o Client and server IPv4 and IPv6 address prefixes. See
Section 6.2.4 Section 6.2.4
6.2.1. Optional data items 6.2.1. Optional data items
To enable applications to store data to their precise requirements in To enable applications to store data to their precise requirements in
as space-efficient manner as possible, all fields in the following as space-efficient manner as possible, all fields in the following
arrays are optional: arrays are optional:
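Review bot: the fourth bullet of the 6.2 list ("Flags indicating, for example, whether the data is sampled or anonymised") now hedges with "for example" while Section 6.2.3 enumerates exactly three flags; either list all three here (anonymised, sampled, names normalised) or drop the examples and say "Flags indicating attributes of the stored data. See Section 6.2.3."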
skipping to change at page 11, line 48 skipping to change at page 11, line 48
RDATA be optional? RDATA be optional?
6.2.2. Optional RRs and OPCODES 6.2.2. Optional RRs and OPCODES
Also included in the Storage Parameters is an explicit array of the Also included in the Storage Parameters is an explicit array of the
RR types and OPCODES that were recorded. Using an explicit array RR types and OPCODES that were recorded. Using an explicit array
removes any ambiguity about whether the OPCODE/RR type was not removes any ambiguity about whether the OPCODE/RR type was not
recognised by the collecting implementation or whether it was recognised by the collecting implementation or whether it was
specifically configured not to record it. specifically configured not to record it.
In the case of RR records, each record must be parsable, including
parsing the record RDATA, to determine whether it is correctly
formed. Otherwise it has to be regarded as at least potentially
partially malformed. See Section 8 for further discussion of storing
partially parsed messages.
For the case of unrecognised OPCODES the message may be parsable (for For the case of unrecognised OPCODES the message may be parsable (for
example, if it has a format similar enough to the one described in example, if it has a format similar enough to the one described in
[RFC1035]) or it may not. See Section 8 for further discussion of [RFC1035]) or it may not. See Section 8 for further discussion of
storing partially parsed messages. storing partially parsed messages.
6.2.3. Sampling and anonymisation 6.2.3. Storage flags
The format contains flags that can be used to indicate if the data is The Storage Parameters contains flags that can be used to indicate
either anonymised or produced from sample data. if:
QUESTION: Should fields be added to indicate the sampling/ o the data is anonymised,
anonymisation method used? If so, it is proposed to use a text
string and RECOMMEND it contain a URI pointing to a resource
describing the method used.
QUESTION: Should there be another flag to indicate that names have o the data is produced from sample data, or
been normalised (e.g. converted to uniform case)?
o names in the data have been normalised (converted to uniform
case).
The Storage Parameters also contains optional fields holding details
of the sampling method used and the anonymisation method used. It is
RECOMMENDED these fields contain URIs pointing to resources
describing the methods used.
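Review bot: the rewritten 6.2.3 does not say what a consumer may assume when the flags or the new sampling-method and anonymisation-method fields are absent. Section 7.4.2 states this explicitly for CollectionParameters ("If they do not appear, nothing can be inferred about their value"); a matching sentence here would stop a consumer reading a missing anonymised flag as "not anonymised", or a missing sampled flag as "complete capture", when deciding how the data may be retained or analysed. Two wording points in the same region: "The Storage Parameters contains flags" should be "contain", and "In the case of RR records" expands to "resource record records"; "In the case of RRs" suffices.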
6.2.4. IP Address storage 6.2.4. IP Address storage
The format contains fields to indicate if only IP prefixes were The format contains fields to indicate if only IP prefixes were
stored. If IP address prefixes are given, only the prefix bits of stored. If IP address prefixes are given, only the prefix bits of
addresses are stored. For example, if a client IPv4 prefix of 16 is addresses are stored. For example, if a client IPv4 prefix of 16 is
specified, a client address of 192.0.2.1 will be stored as 0xc000 specified, a client address of 192.0.2.1 will be stored as 0xc000
(192.0), reducing address storage space requirements. (192.0), reducing address storage space requirements.
7. C-DNS format detailed description 7. C-DNS format detailed description
The CDDL definition for the C-DNS format is given in Appendix A. The CDDL definition for the C-DNS format is given in Appendix A.
7.1. Map quantities and indexes 7.1. Map quantities and indexes
All map keys are integers with values specified in the CDDL. String All map keys are integers with values specified in the CDDL. String
keys would significantly bloat the file size. keys would significantly bloat the file size.
All key values specified are positive integers under 24, so their All key values specified are positive integers under 24, so their
CBOR representation is a single byte. CBOR representation is a single byte. Positive integer values not
currently used as keys in a map are reserved for use in future
standard extensions.
Implementations may choose to add additional implementation-specific Implementations may choose to add additional implementation-specific
entries to any map. Negative integer map keys are reserved for these entries to any map. Negative integer map keys are reserved for these
values. Key values from -1 to -24 also have a single byte CBOR values. Key values from -1 to -24 also have a single byte CBOR
representation, so such implementation-specific extensions are not at representation, so such implementation-specific extensions are not at
any space efficiency disadvantage. any space efficiency disadvantage.
An item described as an index is the index of the data item in the An item described as an index is the index of the data item in the
referenced array. Indexes are 0-based. referenced array. Indexes are 0-based.
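Review bot: the 6.2.4 example covers only a byte-aligned prefix (16 bits of 192.0.2.1 stored as 0xc000); the text should say how an address is stored when the prefix length is not a multiple of 8, that is, how many bytes are emitted and whether the unused bits of the last byte are zeroed. Without that, two encoders can produce different byte strings for the same address and prefix length, and a decoder cannot compare addresses across files. In 7.1, the new sentence reserving unused positive keys for standard extensions is welcome; consider pairing it with a statement that decoders ignore map keys they do not recognise (positive or negative), so that a file carrying a future extension or an implementation-specific key still loads in older readers.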
skipping to change at page 14, line 48 skipping to change at page 15, line 8
| | | | least one entry. (The "block- | | | | | least one entry. (The "block- |
| | | | parameters-index" item in each | | | | | parameters-index" item in each |
| | | | "BlockPreamble" indicates which | | | | | "BlockPreamble" indicates which |
| | | | array entry applies to that | | | | | array entry applies to that |
| | | | "Block".) | | | | | "Block".) |
+----------------------+---+---+------------------------------------+ +----------------------+---+---+------------------------------------+
7.4.1. "BlockParameters" 7.4.1. "BlockParameters"
Parameters relating to data storage and collection which apply to one Parameters relating to data storage and collection which apply to one
or more items of type "Block". An array containing the following: or more items of type "Block". A map containing the following:
+-----------------------+---+---+-----------------------------------+ +-----------------------+---+---+-----------------------------------+
| Field | O | T | Description | | Field | O | T | Description |
+-----------------------+---+---+-----------------------------------+ +-----------------------+---+---+-----------------------------------+
| storage-parameters | M | M | Parameters relating to data | | storage-parameters | M | M | Parameters relating to data |
| | | | storage in a "Block" item. Map | | | | | storage in a "Block" item. Map |
| | | | of type "StorageParameters", see | | | | | of type "StorageParameters", see |
| | | | Section 7.4.1.1. | | | | | Section 7.4.1.1. |
| | | | | | | | | |
| collection-parameters | O | M | Parameters relating to collection | | collection-parameters | O | M | Parameters relating to collection |
skipping to change at page 16, line 24 skipping to change at page 15, line 49
| | | | (Q/R items, address event counts or | | | | | (Q/R items, address event counts or |
| | | | malformed messages). An indication to | | | | | malformed messages). An indication to |
| | | | a decoder of the resources needed to | | | | | a decoder of the resources needed to |
| | | | process the file. | | | | | process the file. |
| | | | | | | | | |
| storage-hints | M | M | Collection of hints as to which fields | | storage-hints | M | M | Collection of hints as to which fields |
| | | | are present in the arrays that have | | | | | are present in the arrays that have |
| | | | optional fields. Map of type | | | | | optional fields. Map of type |
| | | | "StorageHints", see Section 7.4.1.1.1. | | | | | "StorageHints", see Section 7.4.1.1.1. |
| | | | | | | | | |
| opcodes | M | A | Array of OPCODES [opcodes] (unsigned | | opcodes | M | A | Array of OPCODES (unsigned integers) |
| | | | integers) recorded by the collection | | | | | recorded by the collection |
| | | | application. | | | | | application. See Section 6.2.2. |
| | | | | | | | | |
| rr-types | M | A | Array of RR types [rrtypes] (unsigned | | rr-types | M | A | Array of RR types (unsigned integers) |
| | | | integers) recorded by the collection | | | | | recorded by the collection |
| | | | application. | | | | | application. See Section 6.2.2. |
| | | | | | | | | |
| storage-flags | O | U | Bit flags indicating attributes of | | storage-flags | O | U | Bit flags indicating attributes of |
| | | | stored data. | | | | | stored data. |
| | | | Bit 0. The data has been anonymised. | | | | | Bit 0. The data has been anonymised. |
| | | | Bit 1. The data is sampled data. | | | | | Bit 1. The data is sampled data. |
| | | | Bit 2. Names have been normalised |
| | | | (converted to uniform case). |
| | | | | | | | | |
| client-address | O | U | IPv4 client address prefix length. If | | client-address | O | U | IPv4 client address prefix length. If |
| -prefix-ipv4 | | | specified, only the address prefix | | -prefix-ipv4 | | | specified, only the address prefix |
| | | | bits are stored. | | | | | bits are stored. |
| | | | | | | | | |
| client-address | O | U | IPv6 client address prefix length. If | | client-address | O | U | IPv6 client address prefix length. If |
| -prefix-ipv6 | | | specified, only the address prefix | | -prefix-ipv6 | | | specified, only the address prefix |
| | | | bits are stored. | | | | | bits are stored. |
| | | | | | | | | |
| server-address | O | U | IPv4 server address prefix length. If | | server-address | O | U | IPv4 server address prefix length. If |
| -prefix-ipv4 | | | specified, only the address prefix | | -prefix-ipv4 | | | specified, only the address prefix |
| | | | bits are stored. | | | | | bits are stored. |
| | | | | | | | | |
| server-address | O | U | IPv6 server address prefix length. If | | server-address | O | U | IPv6 server address prefix length. If |
| -prefix-ipv6 | | | specified, only the address prefix | | -prefix-ipv6 | | | specified, only the address prefix |
| | | | bits are stored. | | | | | bits are stored. |
| | | | |
| sampling-method | O | T | Information on the sampling method |
| | | | used. See Section 6.2.3. |
| | | | |
| anonymisation | O | T | Information on the anonymisation |
| -method | | | method used. See Section 6.2.3. |
+------------------+---+---+----------------------------------------+ +------------------+---+---+----------------------------------------+
7.4.1.1.1. "StorageHints" 7.4.1.1.1. "StorageHints"
An indicator of which fields the collecting application stores in the An indicator of which fields the collecting application stores in the
arrays with optional fields. A map containing the following: arrays with optional fields. A map containing the following:
+------------------+---+---+----------------------------------------+ +------------------+---+---+----------------------------------------+
| Field | O | T | Description | | Field | O | T | Description |
+------------------+---+---+----------------------------------------+ +------------------+---+---+----------------------------------------+
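Review bot: the opcodes and rr-types rows drop the [opcodes] and [rrtypes] citations in favour of "See Section 6.2.2", but 6.2.2 as shown does not name the IANA registries either, so the reader loses the only pointer to where valid OPCODE and RR type values are defined; keep the citations in one of the two places and check that the reference entries are still cited somewhere (or remove them from Section 17). The new sampling-method and anonymisation-method rows are typed T, while the 6.2.3 text says they hold "details of the ... method used" and RECOMMENDS a URI; say in the table whether the text is a free-form description, a URI, or either, so that consumers know what to parse.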
skipping to change at page 18, line 9 skipping to change at page 17, line 43
| | | | Bit 8. query-class-type | | | | | Bit 8. query-class-type |
| | | | Bit 9. query-qdcount | | | | | Bit 9. query-qdcount |
| | | | Bit 10. query-ancount | | | | | Bit 10. query-ancount |
| | | | Bit 11. query-nscount | | | | | Bit 11. query-nscount |
| | | | Bit 12. query-arcount | | | | | Bit 12. query-arcount |
| | | | Bit 13. query-edns-version | | | | | Bit 13. query-edns-version |
| | | | Bit 14. query-udp-size | | | | | Bit 14. query-udp-size |
| | | | Bit 15. query-opt-rdata | | | | | Bit 15. query-opt-rdata |
| | | | Bit 16. response-rcode | | | | | Bit 16. response-rcode |
| | | | | | | | | |
| rr-hints | M | U | Hints indicating which optional "RR" |
| | | | fields are stored, see Section |
| | | | 7.5.3.4. If the data type is stored |
| | | | the bit is set. |
| | | | Bit 0. ttl |
| other-data-hints | M | U | Hints indicating which other data | | other-data-hints | M | U | Hints indicating which other data |
| | | | types are stored. If the data type is | | | | | types are stored. If the data type is |
| | | | stored the bit is set. | | | | | stored the bit is set. |
| | | | Bit 0. malformed-messages | | | | | Bit 0. malformed-messages |
| | | | Bit 1. address-event-counts | | | | | Bit 1. address-event-counts |
+------------------+---+---+----------------------------------------+ +------------------+---+---+----------------------------------------+
TODO: For completeness the other-data-hints need to cover optional TODO: Revise non-QueryResponse hints to cover optional fields in
fields in malformed message data maps. malformed message data maps.
7.4.2. "CollectionParameters" 7.4.2. "CollectionParameters"
Parameters relating to how data in the file was collected. Parameters relating to how data in the file was collected.
These parameters have no default. If they do not appear, nothing can These parameters have no default. If they do not appear, nothing can
be inferred about their value. be inferred about their value.
A map containing the following items: A map containing the following items:
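Review bot: the new rr-hints row is missing the blank separator row that every other entry in the StorageHints table has, so "Bit 0. ttl" runs straight into "other-data-hints"; add the "| | | | |" spacer line. The row also reuses the other-data-hints wording "If the data type is stored the bit is set"; for rr-hints the subject is a field, so "If the field is stored the bit is set" would match the query-response hints row above it.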
skipping to change at page 26, line 14 skipping to change at page 26, line 14
| | | | incorporates any | | | | | incorporates any |
| | | | EXTENDED_RCODE_VALUE. | | | | | EXTENDED_RCODE_VALUE. |
+--------------------+---+---+--------------------------------------+ +--------------------+---+---+--------------------------------------+
QUESTION: Currently we collect OPT RDATA as a blob as this is QUESTION: Currently we collect OPT RDATA as a blob as this is
consistent with and re-uses the generic mechanism for RDATA storage. consistent with and re-uses the generic mechanism for RDATA storage.
Should we break individual EDNS(0) options into Option code and data Should we break individual EDNS(0) options into Option code and data
and store the data separately in a new array within the Block type? and store the data separately in a new array within the Block type?
This would potentially allow exploitation of option data commonality. This would potentially allow exploitation of option data commonality.
QUESTION: No EDNS(0) option currently includes a name, however if one
were to include a name and permit name compression then both these
mechanisms would fail.
7.5.3.3. "Question" 7.5.3.3. "Question"
Details on individual Questions in a Question section. A map Details on individual Questions in a Question section. A map
containing the following: containing the following:
+-----------------+---+---+-----------------------------------------+ +-----------------+---+---+-----------------------------------------+
| Field | O | T | Description | | Field | O | T | Description |
+-----------------+---+---+-----------------------------------------+ +-----------------+---+---+-----------------------------------------+
| name-index | M | U | The index in the "name-rdata" array of | | name-index | M | U | The index in the "name-rdata" array of |
| | | | the QNAME. See Section 7.5.3. | | | | | the QNAME. See Section 7.5.3. |
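Review bot: in the new QUESTION paragraph, "both these mechanisms would fail" has no explicit antecedent; presumably it refers to the two approaches in the preceding QUESTION (storing OPT RDATA as an opaque blob, or splitting each EDNS(0) option into option code and data). Name them, and state why permitting name compression inside an option would defeat each one; as written the open question cannot be answered by a reader who was not in the discussion.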
skipping to change at page 27, line 15 skipping to change at page 26, line 45
+-----------------+---+---+-----------------------------------------+ +-----------------+---+---+-----------------------------------------+
| Field | O | T | Description | | Field | O | T | Description |
+-----------------+---+---+-----------------------------------------+ +-----------------+---+---+-----------------------------------------+
| name-index | M | U | The index in the "name-rdata" array of | | name-index | M | U | The index in the "name-rdata" array of |
| | | | the NAME. See Section 7.5.3. | | | | | the NAME. See Section 7.5.3. |
| | | | | | | | | |
| classtype-index | M | U | The index in the "classtype" array of | | classtype-index | M | U | The index in the "classtype" array of |
| | | | the CLASS and TYPE of the RR. See | | | | | the CLASS and TYPE of the RR. See |
| | | | Section 7.5.3. | | | | | Section 7.5.3. |
| | | | | | | | | |
| ttl | M | U | The RR Time to Live. | | ttl | O | U | The RR Time to Live. |
| | | | | | | | | |
| rdata-index | M | U | The index in the "name-rdata" array of | | rdata-index | M | U | The index in the "name-rdata" array of |
| | | | the RR RDATA. See Section 7.5.3. | | | | | the RR RDATA. See Section 7.5.3. |
+-----------------+---+---+-----------------------------------------+ +-----------------+---+---+-----------------------------------------+
7.5.3.5. "MalformedMessageData" 7.5.3.5. "MalformedMessageData"
Details on malformed message items in this "Block" item. A map Details on malformed message items in this "Block" item. A map
containing the following: containing the following:
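Review bot: the ttl row in the RR table changes from M to O, matching the new rr-hints "Bit 0. ttl" entry and the changelog item "Make RR ttl optional", but nothing in the row tells a reader where presence is signalled; add "see rr-hints, Section 7.4.1.1.1" to the description, as the other rows do for Section 7.5.3, and say what a decoder should do when ttl is absent (the configurable-default guidance of Section 11.1 applies here too).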
skipping to change at page 37, line 49 skipping to change at page 37, line 49
11. Implementation guidance 11. Implementation guidance
Whilst this document makes no specific recommendations with respect Whilst this document makes no specific recommendations with respect
to Canonical CBOR (see Section 3.9 of [RFC7049]) the following to Canonical CBOR (see Section 3.9 of [RFC7049]) the following
guidance may be of use to implementors. guidance may be of use to implementors.
Adherence to the first two rules given in Section 3.9 of [RFC7049] Adherence to the first two rules given in Section 3.9 of [RFC7049]
will minimise file sizes. will minimise file sizes.
Adherence to the second two rules given in Section 3.9 of [RFC7049] Adherence to the last two rules given in Section 3.9 of [RFC7049] for
for all maps and arrays would unacceptably constrain implementations, all maps and arrays would unacceptably constrain implementations, for
for example, in the use case of real-time data collection in example, in the use case of real-time data collection in constrained
constrained environments. environments.
NOTE: With this clarification to the use of Canonical CBOR, we could NOTE: With this clarification to the use of Canonical CBOR, we could
consider re-ordering fields in maps to improve readability. consider re-ordering fields in maps to improve readability.
11.1. Optional data 11.1. Optional data
When decoding data some items required for a particular function the When decoding data some items required for a particular function the
consumer wishes to perform may be missing. Consumers should consider consumer wishes to perform may be missing. Consumers should consider
providing configurable default values to be used in place of the providing configurable default values to be used in place of the
missing values in their output. missing values in their output.
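Review bot: "last two rules" is the right fix (Section 3.9 of RFC 7049 lists four rules, so "second two" was ambiguous). On 11.1, advising consumers to substitute configurable default values for missing items, without saying that the substitution must be visible in the output, risks downstream analysis treating a defaulted ttl or rcode as observed data; suggest adding that consumers mark or count defaulted values so they can be distinguished from recorded ones.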
skipping to change at page 40, line 12 skipping to change at page 40, line 12
name compression and Paul Hoffman for a detailed review of the name compression and Paul Hoffman for a detailed review of the
document and the C-DNS CDDL. document and the C-DNS CDDL.
Thanks also to Robert Edmonds, Jerry Lundstroem, Richard Gibson, Thanks also to Robert Edmonds, Jerry Lundstroem, Richard Gibson,
Stephane Bortzmeyer and many other members of DNSOP for review. Stephane Bortzmeyer and many other members of DNSOP for review.
Also, Miek Gieben for mmark [11] Also, Miek Gieben for mmark [11]
16. Changelog

draft-ietf-dnsop-dns-capture-format-06

o Correct BlockParameters type to map

o Make RR ttl optional

o Add storage flag indicating name normalisation

o Add storage parameter fields for sampling and anonymisation
  methods

o Editorial clarifications and improvements

draft-ietf-dnsop-dns-capture-format-05

o Make all data items in Q/R, QuerySignature and Malformed Message
  arrays optional

o Re-structure the FilePreamble and ConfigurationParameters into
  BlockParameters

o BlockParameters has separate Storage and Collection Parameters

skipping to change at page 42, line 5 (draft-05) / page 42, line 17 (draft-06)

o Added a TODO: Need to develop optional representation of malformed
  messages within C-DNS and what this means for packet matching.
  This may influence which fields are optional in the rest of the
  representation.

o Added section on design goals to Introduction

o Added a TODO: Can Class be optimised? Should a class of IN be
  inferred if not present?

draft-dickinson-dnsop-dns-capture-format-00

o Initial commit
17. References

17.1. Normative References

[RFC1035] Mockapetris, P., "Domain names - implementation and
          specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
          November 1987, <https://www.rfc-editor.org/info/rfc1035>.

skipping to change at page 42, line 49 (draft-05) / page 43, line 17 (draft-06)

          standard XML representation of DNS data", draft-daley-
          dnsxml-00 (work in progress), July 2013.

[I-D.hoffman-dns-in-json]
          Hoffman, P., "Representing DNS Messages in JSON", draft-
          hoffman-dns-in-json-13 (work in progress), October 2017.

[I-D.ietf-cbor-cddl]
          Birkholz, H., Vigano, C., and C. Bormann, "Concise data
          definition language (CDDL): a notational convention to
          express CBOR data structures", draft-ietf-cbor-cddl-02
          (work in progress), February 2018.
          (draft-05 cited draft-ietf-cbor-cddl-01, January 2018.)

[opcodes] IANA, "OPCODES", 2016, <http://www.iana.org/assignments/
          dns-parameters/dns-parameters.xhtml#dns-parameters-5>.

[packetq] .SE - The Internet Infrastructure Foundation, "PacketQ",
          2014, <https://github.com/dotse/PacketQ>.

[pcap]    tcpdump.org, "PCAP", 2016, <http://www.tcpdump.org/>.

[pcapng]  Tuexen, M., Risso, F., Bongertz, J., Combs, G., and G.
          Harris, "pcap-ng", 2016, <https://github.com/pcapng/
          pcapng>.

[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
          Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
          2014, <https://www.rfc-editor.org/info/rfc7159>.

[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
          Code: The Implementation Status Section", BCP 205,
          RFC 7942, DOI 10.17487/RFC7942, July 2016,
          <https://www.rfc-editor.org/info/rfc7942>.

[rrtypes] IANA, "RR types", 2016, <http://www.iana.org/assignments/
          dns-parameters/dns-parameters.xhtml#dns-parameters-4>.
17.3. URIs

(In draft-05, URIs [1] to [6] pointed at the draft-05/ directory of
the same repository; draft-06 points them at draft-06/.)

[1] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/cdns_format.png

[2] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/cdns_format.svg

[3] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/qr_data_format.png

[4] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/qr_data_format.svg

[5] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/packet_matching.png

[6] https://github.com/dns-stats/draft-dns-capture-
    format/blob/master/draft-06/packet_matching.svg

[7] https://github.com/dns-stats/compactor/wiki

[8] https://mm.dns-stats.org/mailman/listinfo/dns-stats-users

[9] https://www.sinodun.com/2017/06/compressing-pcap-files/

[10] https://www.sinodun.com/2017/06/more-on-debian-jessieubuntu-
     trusty-packet-capture-woes/
skipping to change at page 45, line 39 (draft-05) / page 45, line 52 (draft-06)

    ticks-per-second => uint,
    max-block-items => uint,
    storage-hints => StorageHints,
    opcodes => [+ uint],
    rr-types => [+ uint],
    ? storage-flags => StorageFlags,
    ? client-address-prefix-ipv4 => uint,
    ? client-address-prefix-ipv6 => uint,
    ? server-address-prefix-ipv4 => uint,
    ? server-address-prefix-ipv6 => uint,
    ? sampling-method => tstr,          ; added in draft-06
    ? anonymisation-method => tstr,     ; added in draft-06
}

ticks-per-second = 0
max-block-items = 1
storage-hints = 2
opcodes = 3
rr-types = 4
storage-flags = 5
client-address-prefix-ipv4 = 6
client-address-prefix-ipv6 = 7
server-address-prefix-ipv4 = 8
server-address-prefix-ipv6 = 9
sampling-method = 10                    ; added in draft-06
anonymisation-method = 11               ; added in draft-06

; A hint indicates if the collection method will output the
; item or will ignore the item if present.
StorageHints = {
    query-response-hints => QueryResponseHints,
    query-response-signature-hints => QueryResponseSignatureHints,
    rr-hints => RRHints,                ; added in draft-06
    other-data-hints => OtherDataHints,
}

query-response-hints = 0
query-response-signature-hints = 1
rr-hints = 2                            ; added in draft-06
other-data-hints = 3                    ; draft-05: other-data-hints = 2

QueryResponseHintValues = &(
    time-offset : 0,
    client-address-index : 1,
    client-port : 2,
    transaction-id : 3,
    qr-signature-index : 4,
    client-hoplimit : 5,
    response-delay : 6,
    query-name-index : 7,
skipping to change at page 47, line 8 (draft-05) / page 47, line 27 (draft-06)

    query-ancount : 10,
    query-arcount : 11,
    query-nscount : 12,
    query-edns-version : 13,
    query-udp-size : 14,
    query-opt-rdata : 15,
    response-rcode : 16,
)

QueryResponseSignatureHints = uint .bits QueryResponseSignatureHintValues

; RRHintValues and RRHints added in draft-06
RRHintValues = &(
    ttl : 0,
)

RRHints = uint .bits RRHintValues

OtherDataHintValues = &(
    malformed-messages : 0,
    address-event-counts : 1,
)

OtherDataHints = uint .bits OtherDataHintValues

StorageFlagValues = &(
    anonymised-data : 0,
    sampled-data : 1,
    normalised-names : 2,               ; added in draft-06
)

StorageFlags = uint .bits StorageFlagValues

CollectionParameters = {
    ? query-timeout => uint,
    ? skew-timeout => uint,
    ? snaplen => uint,
    ? promisc => uint,
    ? interfaces => [+ tstr],
    ? server-addresses => [+ IPAddress], ; Hint for later analysis
skipping to change at page 52, line 4 (draft-05) / page 52, line 28 (draft-06)

}

name-index = 0
classtype-index = 1

RRTables = (
    rrlist => [+ RRList],
    rr => [+ RR]
)

RRList = [+ uint] ; Index of RR

RR = {
    name-index => uint,   ; Index to a name in the name-rdata table
    classtype-index => uint,
    ? ttl => uint,        ; draft-05: ttl => uint (not optional)
    rdata-index => uint,  ; Index to RDATA in the name-rdata table
}

; Other map key values already defined above.
ttl = 2
rdata-index = 3
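As an added example that is not part of the draft: a consumer-side helper that reads the draft-06 StorageHints, StorageFlags and RR definitions above through their integer map keys, and applies the configurable default the draft recommends when an RR omits its now-optional ttl. It assumes the rr-hints ttl bit is authoritative for whether the collector stored ttl; CBOR decoding is left out and plain dicts with the same integer keys stand in for the CBOR maps.

```python
# Added example, not from the draft: a consumer reading draft-06 storage
# hints/flags and applying a configurable default when an RR omits its ttl.
# C-DNS maps are CBOR maps with integer keys; plain dicts with the same
# integer keys are used here so no CBOR library is needed.

# Map keys and bit positions from the StorageParameters, StorageHints,
# StorageFlags and RR definitions above (draft-06 numbering).
STORAGE_HINTS = 2      # storage-hints = 2
STORAGE_FLAGS = 5      # storage-flags = 5
RR_HINTS = 2           # rr-hints = 2 (key inside StorageHints)
RR_HINT_TTL = 0        # RRHintValues: ttl : 0
FLAG_NAMES = {0: "anonymised-data", 1: "sampled-data", 2: "normalised-names"}
RR_TTL = 2             # RR map key: ttl = 2
RR_RDATA_INDEX = 3     # RR map key: rdata-index = 3


def bitset(*members):
    """Encode a CDDL 'uint .bits' set: bit n is set when value n is a member."""
    value = 0
    for m in members:
        value |= 1 << m
    return value


def storage_flags(storage_params):
    """Return {flag-name: bool}. storage-flags is optional; absent means none set."""
    flags = storage_params.get(STORAGE_FLAGS, 0)
    return {name: bool((flags >> bit) & 1) for bit, name in FLAG_NAMES.items()}


def rr_ttl(rr, storage_params, default_ttl):
    """Resolve an RR's ttl, which draft-06 makes optional. Returns (ttl, source).

    A ttl present in the RR is always used. If it is absent and rr-hints say
    the collector does not store ttl, the consumer's configurable default is
    used. If it is absent although the hint claims ttl is stored, the file is
    inconsistent with its own parameters, so refuse rather than guess.
    """
    if RR_TTL in rr:
        return rr[RR_TTL], "file"
    rr_hints = storage_params.get(STORAGE_HINTS, {}).get(RR_HINTS, 0)
    if (rr_hints >> RR_HINT_TTL) & 1:
        raise ValueError("rr-hints promise a ttl but this RR has none")
    return default_ttl, "default"


if __name__ == "__main__":
    # Constructed StorageParameters: sampled + normalised names, ttl not stored.
    params = {STORAGE_FLAGS: bitset(1, 2), STORAGE_HINTS: {RR_HINTS: 0}}
    print(storage_flags(params))
    print(rr_ttl({0: 7, 1: 0, RR_RDATA_INDEX: 4}, params, 300))  # (300, 'default')
```

Checking the flags before analysis matters because sampled, anonymised or name-normalised data changes what counts and address-based conclusions can be drawn from a file.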
MalformedMessageData = {
    ? server-address-index => uint,
    ? server-port => uint,
    ? mm-transport-flags => TransportFlags,
End of changes. 47 change blocks.
62 lines changed or deleted, 104 lines changed or added.

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/