unbound/dnstap/dnstap.proto

   1 // dnstap: flexible, structured event replication format for DNS software
   2 //
   3 // This file contains the protobuf schemas for the "dnstap" structured event
   4 // replication format for DNS software.
   5
   6 // Written in 2013-2014 by Farsight Security, Inc.
   7 //
   8 // To the extent possible under law, the author(s) have dedicated all
   9 // copyright and related and neighboring rights to this file to the public
  10 // domain worldwide. This file is distributed without any warranty.
  11 //
  12 // You should have received a copy of the CC0 Public Domain Dedication along
  13 // with this file. If not, see:
  14 //
  15 // <http://creativecommons.org/publicdomain/zero/1.0/>.
  16
  17 package dnstap;
  18
  19 // "Dnstap": this is the top-level dnstap type, which is a "union" type that
  20 // contains other kinds of dnstap payloads, although currently only one type
  21 // of dnstap payload is defined.
  22 // See: https://developers.google.com/protocol-buffers/docs/techniques#union
  23 message Dnstap {
  24     // DNS server identity.
  25     // If enabled, this is the identity string of the DNS server which generated
  26     // this message. Typically this would be the same string as returned by an
  27     // "NSID" (RFC 5001) query.
  28     optional bytes      identity = 1;
  29
  30     // DNS server version.
  31     // If enabled, this is the version string of the DNS server which generated
  32     // this message. Typically this would be the same string as returned by a
  33     // "version.bind" query.
  34     optional bytes      version = 2;
  35
  36     // Extra data for this payload.
  37     // This field can be used for adding an arbitrary byte-string annotation to
  38     // the payload. No encoding or interpretation is applied or enforced.
  39     optional bytes      extra = 3;
  40
  41     // Identifies which field below is filled in.
  42     enum Type {
  43         MESSAGE = 1;
  44     }
  45     required Type       type = 15;
  46
  47     // One of the following will be filled in.
  48     optional Message    message = 14;
  49 }
  50
  51 // SocketFamily: the network protocol family of a socket. This specifies how
  52 // to interpret "network address" fields.
  53 enum SocketFamily {
  54     INET = 1;   // IPv4 (RFC 791)
  55     INET6 = 2;  // IPv6 (RFC 2460)
  56 }
  57
  58 // SocketProtocol: the transport protocol of a socket. This specifies how to
  59 // interpret "transport port" fields.
  60 enum SocketProtocol {
  61     UDP = 1;    // User Datagram Protocol (RFC 768)
  62     TCP = 2;    // Transmission Control Protocol (RFC 793)
  63 }
  64
  65 // Message: a wire-format (RFC 1035 section 4) DNS message and associated
  66 // metadata. Applications generating "Message" payloads should follow
  67 // certain requirements based on the MessageType, see below.
  68 message Message {
  69
  70     // There are eight types of "Message" defined that correspond to the
  71     // four arrows in the following diagram, slightly modified from RFC 1035
  72     // section 2:
  73
  74     //    +---------+               +----------+           +--------+
  75     //    |         |     query     |          |   query   |        |
  76     //    | Stub    |-SQ--------CQ->| Recursive|-RQ----AQ->| Auth.  |
  77     //    | Resolver|               | Server   |           | Name   |
  78     //    |         |<-SR--------CR-|          |<-RR----AR-| Server |
  79     //    +---------+    response   |          |  response |        |
  80     //                              +----------+           +--------+
  81
  82     // Each arrow has two Type values each, one for each "end" of each arrow,
  83     // because these are considered to be distinct events. Each end of each
  84     // arrow on the diagram above has been marked with a two-letter Type
  85     // mnemonic. Clockwise from upper left, these mnemonic values are:
  86     //
  87     //   SQ:        STUB_QUERY
  88     //   CQ:      CLIENT_QUERY
  89     //   RQ:    RESOLVER_QUERY
  90     //   AQ:        AUTH_QUERY
  91     //   AR:        AUTH_RESPONSE
  92     //   RR:    RESOLVER_RESPONSE
  93     //   CR:      CLIENT_RESPONSE
  94     //   SR:        STUB_RESPONSE
  95
  96     // Two additional types of "Message" have been defined for the
  97     // "forwarding" case where an upstream DNS server is responsible for
  98     // further recursion. These are not shown on the diagram above, but have
  99     // the following mnemonic values:
 100
 101     //   FQ:   FORWARDER_QUERY
 102     //   FR:   FORWARDER_RESPONSE
 103
 104     // The "Message" Type values are defined below.
 105
 106     enum Type {
 107         // AUTH_QUERY is a DNS query message received from a resolver by an
 108         // authoritative name server, from the perspective of the authorative
 109         // name server.
 110         AUTH_QUERY = 1;
 111
 112         // AUTH_RESPONSE is a DNS response message sent from an authoritative
 113         // name server to a resolver, from the perspective of the authoritative
 114         // name server.
 115         AUTH_RESPONSE = 2;
 116
 117         // RESOLVER_QUERY is a DNS query message sent from a resolver to an
 118         // authoritative name server, from the perspective of the resolver.
 119         // Resolvers typically clear the RD (recursion desired) bit when
 120         // sending queries.
 121         RESOLVER_QUERY = 3;
 122
 123         // RESOLVER_RESPONSE is a DNS response message received from an
 124         // authoritative name server by a resolver, from the perspective of
 125         // the resolver.
 126         RESOLVER_RESPONSE = 4;
 127
 128         // CLIENT_QUERY is a DNS query message sent from a client to a DNS
 129         // server which is expected to perform further recursion, from the
 130         // perspective of the DNS server. The client may be a stub resolver or
 131         // forwarder or some other type of software which typically sets the RD
 132         // (recursion desired) bit when querying the DNS server. The DNS server
 133         // may be a simple forwarding proxy or it may be a full recursive
 134         // resolver.
 135         CLIENT_QUERY = 5;
 136
 137         // CLIENT_RESPONSE is a DNS response message sent from a DNS server to
 138         // a client, from the perspective of the DNS server. The DNS server
 139         // typically sets the RA (recursion available) bit when responding.
 140         CLIENT_RESPONSE = 6;
 141
 142         // FORWARDER_QUERY is a DNS query message sent from a downstream DNS
 143         // server to an upstream DNS server which is expected to perform
 144         // further recursion, from the perspective of the downstream DNS
 145         // server.
 146         FORWARDER_QUERY = 7;
 147
 148         // FORWARDER_RESPONSE is a DNS response message sent from an upstream
 149         // DNS server performing recursion to a downstream DNS server, from the
 150         // perspective of the downstream DNS server.
 151         FORWARDER_RESPONSE = 8;
 152
 153         // STUB_QUERY is a DNS query message sent from a stub resolver to a DNS
 154         // server, from the perspective of the stub resolver.
 155         STUB_QUERY = 9;
 156
 157         // STUB_RESPONSE is a DNS response message sent from a DNS server to a
 158         // stub resolver, from the perspective of the stub resolver.
 159         STUB_RESPONSE = 10;
 160     }
 161
 162     // One of the Type values described above.
 163     required Type               type = 1;
 164
 165     // One of the SocketFamily values described above.
 166     optional SocketFamily       socket_family = 2;
 167
 168     // One of the SocketProtocol values described above.
 169     optional SocketProtocol     socket_protocol = 3;
 170
 171     // The network address of the message initiator.
 172     // For SocketFamily INET, this field is 4 octets (IPv4 address).
 173     // For SocketFamily INET6, this field is 16 octets (IPv6 address).
 174     optional bytes              query_address = 4;
 175
 176     // The network address of the message responder.
 177     // For SocketFamily INET, this field is 4 octets (IPv4 address).
 178     // For SocketFamily INET6, this field is 16 octets (IPv6 address).
 179     optional bytes              response_address = 5;
 180
 181     // The transport port of the message initiator.
 182     // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
 183     optional uint32             query_port = 6;
 184
 185     // The transport port of the message responder.
 186     // This is a 16-bit UDP or TCP port number, depending on SocketProtocol.
 187     optional uint32             response_port = 7;
 188
 189     // The time at which the DNS query message was sent or received, depending
 190     // on whether this is an AUTH_QUERY, RESOLVER_QUERY, or CLIENT_QUERY.
 191     // This is the number of seconds since the UNIX epoch.
 192     optional uint64             query_time_sec = 8;
 193
 194     // The time at which the DNS query message was sent or received.
 195     // This is the seconds fraction, expressed as a count of nanoseconds.
 196     optional fixed32            query_time_nsec = 9;
 197
 198     // The initiator's original wire-format DNS query message, verbatim.
 199     optional bytes              query_message = 10;
 200
 201     // The "zone" or "bailiwick" pertaining to the DNS query message.
 202     // This is a wire-format DNS domain name.
 203     optional bytes              query_zone = 11;
 204
 205     // The time at which the DNS response message was sent or received,
 206     // depending on whether this is an AUTH_RESPONSE, RESOLVER_RESPONSE, or
 207     // CLIENT_RESPONSE.
 208     // This is the number of seconds since the UNIX epoch.
 209     optional uint64             response_time_sec = 12;
 210
 211     // The time at which the DNS response message was sent or received.
 212     // This is the seconds fraction, expressed as a count of nanoseconds.
 213     optional fixed32            response_time_nsec = 13;
 214
 215     // The responder's original wire-format DNS response message, verbatim.
 216     optional bytes              response_message = 14;
 217 }
 218
 219 // All fields except for 'type' in the Message schema are optional.
 220 // It is recommended that at least the following fields be filled in for
 221 // particular types of Messages.
 222
 223 // AUTH_QUERY:
 224 //      socket_family, socket_protocol
 225 //      query_address, query_port
 226 //      query_message
 227 //      query_time_sec, query_time_nsec
 228
 229 // AUTH_RESPONSE:
 230 //      socket_family, socket_protocol
 231 //      query_address, query_port
 232 //      query_time_sec, query_time_nsec
 233 //      response_message
 234 //      response_time_sec, response_time_nsec
 235
 236 // RESOLVER_QUERY:
 237 //      socket_family, socket_protocol
 238 //      query_name, query_type, query_class
 239 //      query_message
 240 //      query_time_sec, query_time_nsec
 241 //      query_zone
 242 //      response_address, response_port
 243
 244 // RESOLVER_RESPONSE:
 245 //      socket_family, socket_protocol
 246 //      query_name, query_type, query_class
 247 //      query_time_sec, query_time_nsec
 248 //      query_zone
 249 //      response_address, response_port
 250 //      response_message
 251 //      response_time_sec, response_time_nsec
 252
 253 // CLIENT_QUERY:
 254 //      socket_family, socket_protocol
 255 //      query_message
 256 //      query_time_sec, query_time_nsec
 257
 258 // CLIENT_RESPONSE:
 259 //      socket_family, socket_protocol
 260 //      query_time_sec, query_time_nsec
 261 //      response_message
 262 //      response_time_sec, response_time_nsec