Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof
Robert Edmonds <edmonds@mycre.ws> Thu, 29 June 2023 21:58 UTC
Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C1BC151070; Thu, 29 Jun 2023 14:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.898
X-Spam-Level:
X-Spam-Status: No, score=-5.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_WP_DIRINDEX=1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b457Vb528a-C; Thu, 29 Jun 2023 14:58:32 -0700 (PDT)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C630C15106A; Thu, 29 Jun 2023 14:58:19 -0700 (PDT)
Received: by chase.mycre.ws (Postfix, from userid 1000) id 3666D12C114B; Thu, 29 Jun 2023 17:58:14 -0400 (EDT)
Date: Thu, 29 Jun 2023 17:58:14 -0400
From: Robert Edmonds <edmonds@mycre.ws>
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Message-ID: <ZJ3+dk/ol5NQtgun@mycre.ws>
References: <CADyWQ+HJozaeFgvRVV1xm1xjbz51pQVSr==rOxU9+cqcpuE3aw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADyWQ+HJozaeFgvRVV1xm1xjbz51pQVSr==rOxU9+cqcpuE3aw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/me69fMSiBja7wyCHH7QVIPwK2hg>
Subject: Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 21:58:36 -0000
Tim Wicinski wrote: > All > > Draft-dulaunoy-dnsop-passive-dns-cof was originally submitted back in 2014, and > has had 10 revisions since then. > > https://datatracker.ietf.org/doc/draft-dulaunoy-dnsop-passive-dns-cof/ > > Note that the format is now fixed, and there are several implementations. > > We had asked DNSOP (in the poll we held)to help us assess the level of interest > in it, and the responses largely put it moderately high ("Adopt, but not > now"). It would be helpful to find out if this is still the case, as things > have progressed since then: the format is now widely used, and so the format > itself is basically fixed. As an example, the format is being used within the > US government agencies for event logging and incident response[0]. > > > One of two things could happen: > > 1: DNSOP decides that they are really interested, adopts and improves the > justification / operational / supporting text, and the draft gets published as > an IETF RFC; or > > > 2: DNSOP says "No thanks, but we don't actively object". In which case the ISE > (and Warren!) has a much easier time explaining why it's being published as an > RFC on the Independent stream. . We will also ask for a DNS Directorate review. > > > Feedback Welcome > > tim > > [0]: Because the draft had expired, and the USG cannot (realistically) point at > expired IDs, they had to copy and paste it into an internal document: https:// > www.whitehouse.gov/wp-content/uploads/2021/08/ > M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf > Page 15 is the table where they defined the Passive DNS Log fields. I originally developed one of the implementations named in this draft [1] and if I recall correctly it did not occur to me that the API I was developing should ever be standardized, let alone the underlying data model being used to generate API responses, which I don't think this I-D has ever touched on. E.g., the 'rdata' field may return a string or an array of strings; if you have an array of length 1, does this mean a resource record or a resource record set is being represented? Well, it probably depends on which API endpoint on which implementation is being called; but this spec is presented as a document format rather than as specification for an entire API. I would guess there is substantially more variation in the kinds of API endpoints that are supported by the various passive DNS API implementations than there is in the output formats generated by those endpoints which makes it less tractable to come up with a consensus specification for the endpoints as well. So, it seems a bit odd to me to try to put a particular narrowly scoped idiosyncratic consensus format used by a few particular API services through the RFC process. There are many kinds of databases, API services, and formats that do not have RFC documents describing them. For instance, the pcap savefile format is widely used and presumably a lot of governments buy a lot of products that support the pcap format, and as far as I can tell the canonical specification for that format is a file in a particular Git repository [2] maintained by a group of open source contributors. Why isn't that approach feasible for this particular use case, which is much more of a niche use case than packet capture in general? [1] Some of the early API documentation is on the Wayback Machine: https://web.archive.org/web/20130904190535/https://api.dnsdb.info/ [2] https://www.tcpdump.org/manpages/pcap-savefile.5.html, https://github.com/the-tcpdump-group/libpcap/blob/master/pcap-savefile.manfile.in -- Robert Edmonds
- [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Tim Wicinski
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Ben Schwartz
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof John Levine
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Ben Schwartz
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof John R Levine
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Ben Schwartz
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof John R Levine
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof John R Levine
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Robert Edmonds
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Paul Vixie
- Re: [DNSOP] draft-dulaunoy-dnsop-passive-dns-cof Tim Wicinski