[dnstap] Adding response policy information in dnstap

Chris Mikkelson cmikk at fsi.io
Mon Feb 1 18:59:48 UTC 2021


Greetings, dnstap folks.

I have been asked in off-list discussion for a standard method to
include information on Response Policy Zone (RPZ) matches in dnstap
reports, for which I propose a new policy field of a new Policy message
type, detailed below. While this proposed field and type are designed
to capture the policies RPZ can express, they should be usable for other
policy frameworks as well.

Does this look reasonable for server implementations, and usable / useful
for readers? Is anything useful for non-RPZ frameworks missing? Feedback
welcome.

	message Message {
	    //...
	
	    // Operator policy applied to the processing of this message, if any.
	    optional Policy             policy = 15;
	}
	

	// Policy: information about any name server operator policy
	// applied to the processing of a DNS message.
	message Policy {
	
	    // Match: what aspect of the message or message exchange
	    // triggered the application of the Policy.
	    enum Match {
	        QNAME = 1;       // Name in question section of query
	        CLIENT_IP = 2;   // Client IP address
	        RESPONSE_IP = 3; // Address in A/AAAA RRSet
	        NS_NAME = 4;     // Authoritative name server, by name
	        NS_IP = 5;       // Authoritative name server, by IP address
	    }
	
	    // The Action taken to implement the Policy.
	    enum Action {
	        NXDOMAIN = 1;   // Respond with NXDOMAIN
	        NODATA = 2;     // Respond with empty answer section
	        PASS = 3;       // Do not alter the response (passthrough)
	        DROP = 4;       // Do not respond.
	        TRUNCATE = 5;   // Truncate UDP response, forcing TCP retry
	        LOCAL_DATA = 6; // Respond with local data from policy
	    }
	
	    // type: the type of policy applied, e.g. "RPZ" for a
	    // policy from a Response Policy Zone.
	    optional string type = 1;
	
	    // rule: the rule matched by the message.
	    //
	    // In an RPZ context, this is the owner name of the rule in
	    // the Response Policy Zone in wire format.
	    optional bytes rule = 2;
	
	    // action: the policy action taken in response to the
	    // rule match.
	    optional Action action = 3;
	
	    // match: the feature of the message exchange which matched the rule.
	    optional Match match = 4;
	
	    // The matched value. Format depends on the matched feature.
	    // (Field number 5: 2 is already taken by rule above.)
	    optional bytes value = 5;
	}

Thanks,
-- 
Chris Mikkelson
Farsight Security, Inc.
cmikk at fsi.io 
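Added example, not the poster's code or the dnstap project's: a hand-rolled protobuf encoder and decoder for the proposed Policy message, showing how its field numbers and enums serialise on the wire and how a dnstap reader would turn an RPZ QNAME hit back into readable fields. Field number 5 for value is this example's choice (value needs a number distinct from rule's 2); the RPZ zone and query names are constructed.

```python
# Added example, not part of the proposal or the dnstap project. Field numbers and
# enums are the proposed ones; F_VALUE = 5 is assumed (value needs a number other than rule's 2).
F_TYPE, F_RULE, F_ACTION, F_MATCH, F_VALUE = 1, 2, 3, 4, 5
MATCH = {1: "QNAME", 2: "CLIENT_IP", 3: "RESPONSE_IP", 4: "NS_NAME", 5: "NS_IP"}
ACTION = {1: "NXDOMAIN", 2: "NODATA", 3: "PASS", 4: "DROP", 5: "TRUNCATE", 6: "LOCAL_DATA"}

def varint(n):  # protobuf base-128 varint of a non-negative integer
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80); n >>= 7
    return bytes(out) + bytes([n])

def wire_name(name):  # uncompressed DNS wire-format name, as proposed for rule
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def name_from_wire(buf):  # inverse of wire_name, presentation format with trailing dot
    labels, i = [], 0
    while buf[i]:
        labels.append(buf[i + 1:i + 1 + buf[i]].decode("ascii")); i += 1 + buf[i]
    return ".".join(labels) + "."

def encode_policy(ptype, rule, action, match, value):
    ld = lambda f, d: varint(f << 3 | 2) + varint(len(d)) + d  # wire type 2: length-delimited
    vi = lambda f, n: varint(f << 3) + varint(n)                # wire type 0: varint (enums)
    return (ld(F_TYPE, ptype.encode()) + ld(F_RULE, rule) + vi(F_ACTION, action)
            + vi(F_MATCH, match) + ld(F_VALUE, value))

def decode_policy(buf):
    """Decode a Policy into readable fields; value is a name only for QNAME/NS_NAME matches."""
    i, raw = 0, {}
    def read_varint():
        nonlocal i
        n = shift = 0
        while buf[i] & 0x80:           # continuation bytes carry 7 bits each
            n |= (buf[i] & 0x7F) << shift; shift += 7; i += 1
        n |= buf[i] << shift; i += 1   # final byte has the high bit clear
        return n
    while i < len(buf):
        key = read_varint(); field, wtype = key >> 3, key & 7
        if wtype == 0: raw[field] = read_varint()
        elif wtype == 2: n = read_varint(); raw[field] = buf[i:i + n]; i += n
        else: raise ValueError("unexpected wire type %d" % wtype)
    named = raw[F_MATCH] in (1, 4)  # QNAME and NS_NAME carry a wire-format name in value
    return {"type": raw[F_TYPE].decode(), "action": ACTION[raw[F_ACTION]], "match": MATCH[raw[F_MATCH]],
            "rule": name_from_wire(raw[F_RULE]), "value": name_from_wire(raw[F_VALUE]) if named else raw[F_VALUE]}

def rpz_qname_example():
    # Constructed: the query name "bad.example." hit RPZ rule "bad.example.rpz.example." -> NXDOMAIN
    return decode_policy(encode_policy("RPZ", wire_name("bad.example.rpz.example."), 1, 1, wire_name("bad.example.")))
```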