Parse DNSSEC AD and CD bits

Parse authentic data (AD) and checking disabled (CD) bits according to
RFC 2535. Leaves the Z field as-is, in case users are already handling
this elsewhere and depend on the value being the integer for all 3 bits.

https://www.rfc-editor.org/rfc/rfc2535#section-6.1

Fixes #2672
Michael R. Torres 2023-01-23 02:17:59 +00:00 committed by Michael
parent c29b98b224
commit fe8390c646
28 changed files with 305 additions and 285 deletions


@ -60,9 +60,17 @@ export {
## The Recursion Available bit in a response message indicates
## that the name server supports recursive queries.
RA: bool &log &default=F;
## A reserved field that is usually zero in
## queries and responses.
## A reserved field that is zero in queries and responses unless
## using DNSSEC. This field represents the 3-bit Z field using
## the specification from RFC 1035.
Z: count &log &default=0;
## The DNSSEC Authentic Data bit in a response message indicates
## that the name server has authenticated all the data in the
## answer and authority sections.
AD: bool &log &default=F;
## The DNSSEC Checking Disabled bit in a query indicates that
## pending, non-authenticated data is acceptable to the sender
CD: bool &log &default=F;
## The set of resource descriptions in the query answer.
answers: vector of string &log &optional;
## The caching intervals of the associated RRs described by the
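Review bot: The new comment on `Z` says it "represents the 3-bit Z field using the specification from RFC 1035", but it does not tell the reader that `AD` and `CD` are two of those same three bits, so a non-zero `Z` and a true `AD` or `CD` in one log entry describe the same wire bits twice. Please state in the `Z` comment which bit positions `AD` and `CD` occupy and that `Z` is kept as the combined integer for compatibility, as the commit message explains. Minor: the `CD` comment ends at "acceptable to the sender" without a period, unlike the neighbouring field comments. Since both new fields are `&log`, this also adds two columns to the DNS log, which deserves a mention in the change notes.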
@ -359,6 +367,8 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
# Currently only standard queries are tracked.
return;
c$dns$AD = msg$AD;
if ( ! msg$QR )
# This is weird: the inquirer must also be providing answers in
# the request, which is not what we want to track.
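Review bot: `c$dns$AD = msg$AD;` is placed ahead of the `if ( ! msg$QR )` check, so a message that fails that check (the case the comment calls "weird") still overwrites `AD` on the record before the hook bails out. Consider moving the assignment below the `QR` check so only a message accepted as a reply can set it. It would also help to add a one-line comment saying that `AD` is refreshed from the reply on purpose while `Z` and `CD` keep their request-side values, because the asymmetry is not obvious from this hunk alone.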
@ -428,6 +438,8 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
c$dns$qtype = qtype;
c$dns$qtype_name = query_types[qtype];
c$dns$Z = msg$Z;
c$dns$AD = msg$AD;
c$dns$CD = msg$CD;
# Decode netbios name queries
# Note: I'm ignoring the name type for now. Not sure if this should be
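Review bot: `c$dns$AD = msg$AD;` in `dns_request` records the query's AD bit, while the field comment added in this change documents `AD` as a bit "in a response message", and `DNS::do_reply` assigns the same field again. The logged value therefore comes from the request when no reply is seen and from the reply otherwise, and a log consumer cannot tell which. Either drop the request-side assignment and let the `&default=F` stand until a reply arrives, or extend the field comment to say that the value may originate from the query. The `CD` assignment here matches its documentation as a query bit and looks fine.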