Support for additional DNS RR Type: LOC[29], SSHFP[44], NSEC3PARAM[51], custom BIND9 signaling[65534]

CHANGES

@@ -1,3 +1,6 @@
+3.3.0-dev.516 | 2020-11-11 12:53:02 -0700
+
+  * Support for additional DNS RR Type: LOC[29], SSHFP[44], NSEC3PARAM[51], custom BIND9 signaling[65534] (Fatema BW)
 
 3.3.0-dev.514 | 2020-11-10 14:05:51 -0700
 

NEWS

@@ -72,6 +72,14 @@ New Functionality
   ``policy/misc/unknown-protocols`` script. The script adds a new
   ``unknown_protocol`` event.
 
+- Added support for DNS resource records LOC, SSHFP, NSEC3PARAM, and custom
+  BIND9 signaling. The associated events are:
+
+  - dns_LOC
+  - dns_SSHFP
+  - dns_NSEC3PARAM
+  - dns_BINDS
+
 Changed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-3.3.0-dev.514
+3.3.0-dev.516

doc

@@ -1 +1 @@
-Subproject commit d7f86df4dfee8272a56d8f1590d9e1c9b5d0a2d9
+Subproject commit e4cd91687f1fa59c8376aa2b4dead748ef72a378

scripts/base/init-bare.zeek

@@ -3792,6 +3792,20 @@ type dns_nsec3_rr: record {
 	is_query: count;		##< The RR is a query/Response.
 };
 
+## A DNSSEC NSEC3PARAM record.
+##
+## .. zeek:see:: dns_NSEC3PARAM
+type dns_nsec3param_rr: record {
+	query: string;			##< Query.
+	answer_type: count;		##< Ans type.
+	nsec_flags: count;		##< flags field.
+	nsec_hash_algo: count;		##< Hash algorithm.
+	nsec_iter: count;		##< Iterations.
+	nsec_salt_len: count; 		##< Salt length.
+	nsec_salt: string;		##< Salt value
+	is_query: count;		##< The RR is a query/Response.
+};
+
 ## A DNSSEC DS record.
 ##
 ## .. zeek:see:: dns_DS
@@ -3805,6 +3819,35 @@ type dns_ds_rr: record {
 	is_query: count;	##< The RR is a query/Response.
 };
 
+## A Private RR type BINDS record.
+##
+## .. zeek:see:: dns_BINDS
+type dns_binds_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	algorithm: count;	##< Algorithm for Public Key.
+	key_id: count;		##< key tag.
+	removal_flag: count;	##< rm flag.
+	complte_flag: string;	##< complete flag.
+	is_query: count;	##< The RR is a query/Response.
+};
+
+## A Private RR type LOC record.
+##
+## .. zeek:see:: dns_LOC
+type dns_loc_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	version: count;		##< version number of the representation.
+	size: count;		##< Diameter of a sphere enclosing the entity.
+	horiz_pre: count;	##< The horizontal precision of the data, in centimeters.
+	vert_pre: count;	##< The vertical precision of the data, in centimeters.
+	latitude: count;	##< The latitude of the center of the sphere.
+	longitude: count;	##< The longitude of the center of the sphere.
+	altitude: count;	##< The altitude of the center of the sphere. 
+	is_query: count;	##< The RR is a query/Response.
+};
+
 # DNS answer types.
 #
 # .. zeek:see:: dns_answerr

scripts/base/protocols/dns/main.zeek

@@ -577,6 +577,11 @@ event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_r
 	hook DNS::do_reply(c, msg, ans, "NSEC3");
 	}
 
+event dns_NSEC3PARAM(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr) &priority=5
+	{
+	hook DNS::do_reply(c, msg, ans, "NSEC3PARAM");
+	}
+
 event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &priority=5
 	{
 	local s: string;
@@ -584,6 +589,25 @@ event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr) &prior
 	hook DNS::do_reply(c, msg, ans, s);
 	}
 
+event dns_BINDS(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr) &priority=5
+	{
+	hook DNS::do_reply(c, msg, ans, "BIND9 signing signal");
+	}
+
+event dns_SSHFP(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string) &priority=5
+	{
+	local s: string;
+	s = fmt("SSHFP: %s", bytestring_to_hexstr(fingerprint));
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_LOC(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr) &priority=5
+	{
+	local s: string;
+	s = fmt("LOC:  %d %d %d", loc$size, loc$horiz_pre, loc$vert_pre);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
 	if ( c?$dns )

src/NetVar.cc

@@ -66,7 +66,10 @@ zeek::RecordType* dns_tsig_additional;
 zeek::RecordType* dns_rrsig_rr;
 zeek::RecordType* dns_dnskey_rr;
 zeek::RecordType* dns_nsec3_rr;
+zeek::RecordType* dns_nsec3param_rr;
 zeek::RecordType* dns_ds_rr;
+zeek::RecordType* dns_binds_rr;
+zeek::RecordType* dns_loc_rr;
 zeek::TableVal* dns_skip_auth;
 zeek::TableVal* dns_skip_addl;
 

src/analyzer/protocol/dns/DNS.cc

@@ -339,10 +339,26 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg,
 			status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start);
 			break;
 
+		case detail::TYPE_NSEC3PARAM:
+			status = ParseRR_NSEC3PARAM(msg, data, len, rdlength, msg_start);
+			break;
+
 		case detail::TYPE_DS:
 			status = ParseRR_DS(msg, data, len, rdlength, msg_start);
 			break;
 		
+		case detail::TYPE_BINDS:
+			status = ParseRR_BINDS(msg, data, len, rdlength, msg_start);
+			break;
+
+		case detail::TYPE_SSHFP:
+			status = ParseRR_SSHFP(msg, data, len, rdlength, msg_start);
+			break;
+		
+		case detail::TYPE_LOC:
+			status = ParseRR_LOC(msg, data, len, rdlength, msg_start);
+			break;
+
 		default:
 
 			if ( dns_unknown_reply && ! msg->skip_event )
@@ -1275,6 +1291,56 @@ bool DNS_Interpreter::ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
 	return true;
 	}
 
+bool DNS_Interpreter::ParseRR_NSEC3PARAM(detail::DNS_MsgInfo* msg,
+                                    const u_char*& data, int& len, int rdlength,
+                                    const u_char* msg_start)
+	{
+	if ( ! dns_NSEC3PARAM || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return true;
+		}
+
+	if ( len < 5 )
+		return false;
+
+	uint32_t halgo_flags = ExtractShort(data, len);
+	unsigned int hash_algo = (halgo_flags >> 8) & 0xff;
+	unsigned int nsec_flags = halgo_flags & 0xff;
+	unsigned int iter = ExtractShort(data, len);
+
+	uint8_t salt_len = 0;
+
+	if ( len > 0 )
+		{
+		salt_len = data[0];
+		++data;
+		--len;
+		}
+
+		auto salt_value = ExtractStream(data, len, static_cast<int>(salt_len));
+
+	if ( dns_NSEC3PARAM )
+		{
+		detail::NSEC3PARAM_DATA nsec3param;
+		nsec3param.nsec_flags = nsec_flags;
+		nsec3param.nsec_hash_algo = hash_algo;
+		nsec3param.nsec_iter = iter;
+		nsec3param.nsec_salt_len = salt_len;
+		nsec3param.nsec_salt = salt_value;
+
+		analyzer->EnqueueConnEvent(dns_NSEC3PARAM,
+			analyzer->ConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			msg->BuildNSEC3PARAM_Val(&nsec3param)
+		);
+		}
+
+	return true;
+	}
+
 bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
                                  const u_char*& data, int& len, int rdlength,
                                  const u_char* msg_start)
@@ -1333,6 +1399,140 @@ bool DNS_Interpreter::ParseRR_DS(detail::DNS_MsgInfo* msg,
 	return true;
 	}
 
+bool DNS_Interpreter::ParseRR_BINDS(detail::DNS_MsgInfo* msg,
+                                 const u_char*& data, int& len, int rdlength,
+                                 const u_char* msg_start)
+	{
+	if ( ! dns_BINDS || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return true;
+		}
+
+	if ( len < 5 )
+		return false;
+
+	uint32_t algo_keyid_rflag = ExtractLong(data, len);
+
+	unsigned int algo = (algo_keyid_rflag >> 24) & 0xff;
+	unsigned int keyid1 = (algo_keyid_rflag >> 16) & 0xff;
+	unsigned int keyid2 = (algo_keyid_rflag >> 8) & 0xff;
+	unsigned int rmflag = algo_keyid_rflag & 0xff;
+
+	unsigned int keyid = (keyid1 << 8) | keyid2;
+
+	String* completeflag = ExtractStream(data, len, rdlength - 4);
+
+	if ( dns_BINDS )
+		{
+		detail::BINDS_DATA binds;
+		binds.algorithm = algo;
+		binds.key_id = keyid;
+		binds.removal_flag = rmflag;
+		binds.complete_flag = completeflag;
+
+		analyzer->EnqueueConnEvent(dns_BINDS,
+			analyzer->ConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			msg->BuildBINDS_Val(&binds)
+		);
+		}
+
+	return true;
+	}
+
+bool DNS_Interpreter::ParseRR_SSHFP(detail::DNS_MsgInfo* msg,
+                                 const u_char*& data, int& len, int rdlength,
+                                 const u_char* msg_start)
+	{
+	if ( ! dns_SSHFP || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return true;
+		}
+
+	if ( len < 2 )
+		return false;
+
+	uint32_t algo_fptype = ExtractShort(data, len);
+	unsigned int algo = (algo_fptype >> 8) & 0xff;
+	unsigned int fptype = algo_fptype & 0xff;
+
+	String* fingerprint = ExtractStream(data, len, rdlength - 2);
+
+	if ( dns_SSHFP )
+		{
+		analyzer->EnqueueConnEvent(dns_SSHFP,
+			analyzer->ConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			val_mgr->Count(algo),
+			val_mgr->Count(fptype),
+			make_intrusive<StringVal>(fingerprint)
+		);
+		}
+
+	return true;
+	}
+
+bool DNS_Interpreter::ParseRR_LOC(detail::DNS_MsgInfo* msg,
+                                    const u_char*& data, int& len, int rdlength,
+                                    const u_char* msg_start)
+	{
+	if ( ! dns_LOC || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return true;
+		}
+
+	if ( len < 15 )
+		return false;
+
+	// split the two bytes for version and size extraction
+	uint32_t ver_size = ExtractShort(data, len);
+	unsigned int version = (ver_size >> 8) & 0xff;
+	unsigned int size = ver_size & 0xff;
+
+	// split the two bytes for horizontal and vertical precision extraction
+	uint32_t horiz_vert = ExtractShort(data, len);
+	unsigned int horiz_pre = (horiz_vert >> 8) & 0xff;
+	unsigned int vert_pre= horiz_vert & 0xff;
+
+	uint32_t latitude = ExtractLong(data, len);
+	uint32_t longitude = ExtractLong(data, len);
+	uint32_t altitude = ExtractLong(data, len);
+
+	if ( version != 0 )
+			{
+			analyzer->Weird("DNS_LOC_version_unrecognized", util::fmt("%d", version));
+			}
+
+	if ( dns_LOC )
+		{
+		detail::LOC_DATA loc;
+		loc.version = version;
+		loc.size = size;
+		loc.horiz_pre = horiz_pre;
+		loc.vert_pre = vert_pre;
+		loc.latitude = latitude;
+		loc.longitude = longitude;
+		loc.altitude = altitude;
+
+		analyzer->EnqueueConnEvent(dns_LOC,
+			analyzer->ConnVal(),
+			msg->BuildHdrVal(),
+			msg->BuildAnswerVal(),
+			msg->BuildLOC_Val(&loc)
+		);
+		}
+
+	return true;
+	}
+
 bool DNS_Interpreter::ParseRR_A(detail::DNS_MsgInfo* msg,
                                 const u_char*& data, int& len, int rdlength)
 	{
@@ -1780,6 +1980,23 @@ RecordValPtr DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
 	return r;
 	}
 
+RecordValPtr DNS_MsgInfo::BuildNSEC3PARAM_Val(NSEC3PARAM_DATA* nsec3param)
+	{
+	static auto dns_nsec3param_rr = id::find_type<RecordType>("dns_nsec3param_rr");
+	auto r = make_intrusive<RecordVal>(dns_nsec3param_rr);
+
+	r->Assign(0, query_name);
+	r->Assign(1, val_mgr->Count(int(answer_type)));
+	r->Assign(2, val_mgr->Count(nsec3param->nsec_flags));
+	r->Assign(3, val_mgr->Count(nsec3param->nsec_hash_algo));
+	r->Assign(4, val_mgr->Count(nsec3param->nsec_iter));
+	r->Assign(5, val_mgr->Count(nsec3param->nsec_salt_len));
+	r->Assign(6, make_intrusive<StringVal>(nsec3param->nsec_salt));
+	r->Assign(7, val_mgr->Count(is_query));
+
+	return r;
+	}
+
 RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
 	{
 	static auto dns_ds_rr = id::find_type<RecordType>("dns_ds_rr");
@@ -1796,6 +2013,41 @@ RecordValPtr DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
 	return r;
 	}
 
+RecordValPtr DNS_MsgInfo::BuildBINDS_Val(BINDS_DATA* binds)
+	{
+	static auto dns_binds_rr = id::find_type<RecordType>("dns_binds_rr");
+	auto r = make_intrusive<RecordVal>(dns_binds_rr);
+
+	r->Assign(0, query_name);
+	r->Assign(1, val_mgr->Count(int(answer_type)));
+	r->Assign(2, val_mgr->Count(binds->algorithm));
+	r->Assign(3, val_mgr->Count(binds->key_id));
+	r->Assign(4, val_mgr->Count(binds->removal_flag));
+	r->Assign(5, make_intrusive<StringVal>(binds->complete_flag));
+	r->Assign(6, val_mgr->Count(is_query));
+
+	return r;
+	}
+
+RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
+	{
+	static auto dns_loc_rr = id::find_type<RecordType>("dns_loc_rr");
+	auto r = make_intrusive<RecordVal>(dns_loc_rr);
+
+	r->Assign(0, query_name);
+	r->Assign(1, val_mgr->Count(int(answer_type)));
+	r->Assign(2, val_mgr->Count(loc->version));
+	r->Assign(3, val_mgr->Count(loc->size));
+	r->Assign(4, val_mgr->Count(loc->horiz_pre));
+	r->Assign(5, val_mgr->Count(loc->vert_pre));
+	r->Assign(6, val_mgr->Count(loc->latitude));
+	r->Assign(7, val_mgr->Count(loc->longitude));
+	r->Assign(8, val_mgr->Count(loc->altitude));
+	r->Assign(9, val_mgr->Count(is_query));
+
+	return r;
+	}
+
 } // namespace detail
 
 Contents_DNS::Contents_DNS(Connection* conn, bool orig,

src/analyzer/protocol/dns/DNS.h

@@ -45,7 +45,8 @@ enum RR_Type {
 	TYPE_SIG = 24,		///< digital signature (RFC 2535)
 	TYPE_KEY = 25,		///< public key (RFC 2535)
 	TYPE_PX = 26,		///< pointer to X.400/RFC822 mapping info (RFC 1664)
-	TYPE_AAAA = 28,		///< IPv6 address (RFC 1886
+	TYPE_AAAA = 28,		///< IPv6 address (RFC 1886)
+	TYPE_LOC = 29,		///< Location information about hosts (RFC 1876)
 	TYPE_NBS = 32,		///< Netbios name (RFC 1002)
 	TYPE_SRV = 33,		///< service location (RFC 2052)
 	TYPE_NAPTR = 35,	///< naming authority pointer (RFC 2168)
@@ -54,6 +55,7 @@ enum RR_Type {
 	TYPE_A6 = 38,		///< IPv6 address with indirection (RFC 2874)
 	TYPE_DNAME = 39,	///< Non-terminal DNS name redirection (RFC 2672)
 	TYPE_EDNS = 41,		///< OPT pseudo-RR (RFC 2671)
+	TYPE_SSHFP = 44,	///< SSH Public Key Fingerprint (RFC 4255)
 	TYPE_TKEY = 249,	///< Transaction Key (RFC 2930)
 	TYPE_TSIG = 250,	///< Transaction Signature (RFC 2845)
 	TYPE_CAA = 257,		///< Certification Authority Authorization (RFC 6844)
@@ -63,6 +65,7 @@ enum RR_Type {
 	TYPE_DNSKEY = 48,	///< DNS Key record (RFC 4034)
 	TYPE_DS = 43,		///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
+	TYPE_NSEC3PARAM = 51,	///< Contains the NSEC3 parameters (RFC 5155)
 	// Obsoleted
 	TYPE_SPF = 99,          ///< Alternative: storing SPF data in TXT records, using the same format (RFC 4408). Support for it was discontinued in RFC 7208
 	// The following are only valid in queries.
@@ -70,6 +73,8 @@ enum RR_Type {
 	TYPE_ALL = 255,
 	TYPE_WINS = 65281,	///< Microsoft's WINS RR
 	TYPE_WINSR = 65282,	///< Microsoft's WINS-R RR
+	// Private use RR TYPE range: 65280 - 65534
+	TYPE_BINDS = 65534,  ///< Bind9's Private Type Rec for signaling state of signing process
 };
 
 #define DNS_CLASS_IN 1
@@ -208,6 +213,14 @@ struct NSEC3_DATA {
 	VectorValPtr bitmaps;
 };
 
+struct NSEC3PARAM_DATA {
+	unsigned short nsec_flags;		// 8
+	unsigned short nsec_hash_algo;		// 8
+	unsigned short nsec_iter;		// 16 : ExtractShort(data, len)
+	unsigned short nsec_salt_len;		// 8
+	String* nsec_salt;			// Variable length salt
+};
+
 struct DS_DATA {
 	unsigned short key_tag;			// 16 : ExtractShort(data, len)
 	unsigned short algorithm;		// 8
@@ -215,6 +228,23 @@ struct DS_DATA {
 	String* digest_val;			// Variable lenght Digest of DNSKEY RR
 };
 
+struct BINDS_DATA {
+	unsigned short algorithm;		// 8 
+	unsigned short key_id;			// 16 : ExtractShort(data, len)
+	unsigned short removal_flag;		// 8
+	String* complete_flag;			// 8
+};
+
+struct LOC_DATA {
+	unsigned short version;		// 8
+	unsigned short size;		// 8
+	unsigned short horiz_pre;	// 8
+	unsigned short vert_pre;	// 8
+	unsigned long latitude;		// 32
+	unsigned long longitude;	// 32
+	unsigned long altitude;		// 32
+};
+
 class DNS_MsgInfo {
 public:
 	DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
@@ -229,7 +259,10 @@ public:
 	RecordValPtr BuildRRSIG_Val(struct RRSIG_DATA*);
 	RecordValPtr BuildDNSKEY_Val(struct DNSKEY_DATA*);
 	RecordValPtr BuildNSEC3_Val(struct NSEC3_DATA*);
+	RecordValPtr BuildNSEC3PARAM_Val(struct NSEC3PARAM_DATA*);
 	RecordValPtr BuildDS_Val(struct DS_DATA*);
+	RecordValPtr BuildBINDS_Val(struct BINDS_DATA*);
+	RecordValPtr BuildLOC_Val(struct LOC_DATA*);
 
 	int id;
 	int opcode;	///< query type, see DNS_Opcode
@@ -349,9 +382,21 @@ protected:
 	bool ParseRR_NSEC3(detail::DNS_MsgInfo* msg,
 	                   const u_char*& data, int& len, int rdlength,
 	                   const u_char* msg_start);
+	bool ParseRR_NSEC3PARAM(detail::DNS_MsgInfo* msg,
+	                   const u_char*& data, int& len, int rdlength,
+	                   const u_char* msg_start);
 	bool ParseRR_DS(detail::DNS_MsgInfo* msg,
 	                const u_char*& data, int& len, int rdlength,
 	                const u_char* msg_start);
+	bool ParseRR_BINDS(detail::DNS_MsgInfo* msg,
+	                const u_char*& data, int& len, int rdlength,
+	                const u_char* msg_start);
+	bool ParseRR_SSHFP(detail::DNS_MsgInfo* msg,
+	                const u_char*& data, int& len, int rdlength,
+	                const u_char* msg_start);
+	bool ParseRR_LOC(detail::DNS_MsgInfo* msg,
+	                const u_char*& data, int& len, int rdlength,
+	                const u_char* msg_start);
 	void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
 	                            const u_char*& data, int& len,
 	                            String* question_name,

src/analyzer/protocol/dns/events.bif

@@ -655,6 +655,19 @@ event dns_NSEC%(c: connection, msg: dns_msg, ans: dns_answer, next_name: string,
 ## nsec3: The parsed RDATA of Nsec3 record.
 event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr%);
 
+## Generated for DNS replies of type *NSEC3PARAM*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## nsec3param: The parsed RDATA of NSEC3PARAM record.
+event dns_NSEC3PARAM%(c: connection, msg: dns_msg, ans: dns_answer, nsec3param: dns_nsec3param_rr%);
+
 ## Generated for DNS replies of type *DS*. For replies with multiple answers,
 ## an individual event of the corresponding type is raised for each.
 ##
@@ -668,6 +681,45 @@ event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_
 ## ds: The parsed RDATA of DS record.
 event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
 
+## Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## binds: The parsed RDATA of BIND-Signeing state record.
+event dns_BINDS%(c: connection, msg: dns_msg, ans: dns_answer, binds: dns_binds_rr%);
+
+## Generated for DNS replies of type *BINDS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## binds: The parsed RDATA of BIND-Signeing state record.
+event dns_SSHFP%(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string%);
+
+## Generated for DNS replies of type *LOC*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## loc: The parsed RDATA of LOC type record.
+event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%);
+
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
 ## all resource records have been passed on.

testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	79.141.82.250	57483	192.188.22.52	53	udp	33295	0.000195	sunn-pt1.es.net	1	C_INTERNET	255	*	0	NOERROR	T	F	F	F	0	LOC:  18 21 19,RRSIG 29 es.net	60XXXXXXXXXX.XXXXXX,60XXXXXXXXXX.XXXXXX	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.loc/output

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+LOC, [query=sunn-pt1.es.net, answer_type=1, version=0, size=18, horiz_pre=21, vert_pre=19, latitude=2282029648, longitude=1708315648, altitude=10000000, is_query=0]

testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	128.3.121.180	54109	192.188.22.52	53	udp	40916	0.000200	mon.lbl.gov	1	C_INTERNET	44	SSHFP	0	NOERROR	T	F	F	F	1	SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov	4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX,4320XXXXXXXXXX.XXXXXX	F
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	128.3.121.180	54109	192.188.22.52	53	udp	22044	-	n0019.savio1.lbl.gov	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	F	F	0	-	-	F
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.sshfp/output

@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+SSHFP, 2, 1, a6b95f9eba1104a7272a362e8bfbcbebd5726dcf
+SSHFP, 2, 2, 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46
+SSHFP, 3, 1, 5b72c59cceaea2c210f14156e20e6aff829b3e3b
+SSHFP, 1, 1, c052721a978470b36fe5b9222f234400f369172b
+SSHFP, 4, 1, 0b24d970aa05b708804d35eea3a8c1a6c355e545
+SSHFP, 4, 2, 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b
+SSHFP, 1, 2, 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82
+SSHFP, 3, 2, c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29

testing/btest/scripts/base/protocols/dns/loc.zeek

@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/loc-29-trunc.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+@load base/protocols/dns
+
+event dns_LOC(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr)
+        {
+        print "LOC", loc;
+        }

testing/btest/scripts/base/protocols/dns/sshfp.zeek

@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/sshfp-trunc.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+@load base/protocols/dns
+
+event dns_SSHFP(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fptype: count, fingerprint: string)
+        {
+        print "SSHFP", algo, fptype, bytestring_to_hexstr(fingerprint);
+        }