DNSSEC Support

Date: Wed, 27 Apr 2016 20:21:39 -0400

From: Dave Crawford <bro@pingtrip.com>
Subject: [Bro] DNSSEC Support
To: bro <bro@bro.org>
Message-ID: <D82261C5-A89B-4861-A12C-B37D8AED1ED4@pingtrip.com>
Content-Type: text/plain; charset=us-ascii

It doesn’t appear that there is full support for DNSSEC RR types in the current release and I’m looking for the best option in the meantime.

For example, answers that include RRSIGs will produce a vector similar to [“192.168.1.1”," > "] with a corresponding event in weird.log of “DNS_RR_unknown_type”.

In protocols/dns/consts.bro I see type 46 is included in the query_type map, but based on the variable name I assume it’s not applied to answers?

-Dave

Hi Dave,

There were some recent commits to support parsing of these DNSSEC RR types in Bro: RRSIG, DNSKEY, DS, NSEC, NSEC3.

If you want to give it a try, it’s available in the dev/2.7 branch or in a branch forked from 2.5.4, at the following:
https://github.com/fatemabw/bro/tree/master (bro 2.5.4 with dnssec)

https://github.com/bro/bro/tree/dev/2.7

Apologies for the delay.

Fatema.
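
For reference, this is the RRSIG (type 46) RDATA layout from RFC 4034 section 3.1 that a DNS analyzer has to decode instead of reporting an unknown type. It is an added Python example, not code from this thread or from Bro; the function names and the sample record are constructed for illustration.

```python
import struct

# Type numbers of the DNSSEC records named in the reply (RFC 4034, RFC 5155).
DNSSEC_TYPES = {43: "DS", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}

def read_name(buf, off):
    """Read an uncompressed wire-format name; return (dotted name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:          # root label terminates the name
            break
        if n > 63:          # RFC 4034: the signer name must not be compressed
            raise ValueError("compressed or invalid label in signer name")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off

def parse_rrsig(rdata):
    """Decode RRSIG RDATA: 18 fixed bytes, signer name, then the signature."""
    if len(rdata) < 18:
        raise ValueError("RRSIG RDATA shorter than its fixed header")
    covered, alg, nlabels, ttl, expire, incept, key_tag = struct.unpack(
        "!HBBIIIH", rdata[:18])
    signer, off = read_name(rdata, 18)
    return {
        "type_covered": covered, "algorithm": alg, "labels": nlabels,
        "original_ttl": ttl, "expiration": expire, "inception": incept,
        "key_tag": key_tag, "signer": signer, "signature": rdata[off:],
    }

# Constructed sample: signature over an A RRset (type 1), algorithm 8,
# signer example.com., with an 8-byte placeholder signature.
SAMPLE = (struct.pack("!HBBIIIH", 1, 8, 2, 3600, 1462000000, 1461000000, 12345)
          + b"\x07example\x03com\x00" + bytes(range(8)))

if __name__ == "__main__":
    rr = parse_rrsig(SAMPLE)
    print(DNSSEC_TYPES[46], rr["signer"], "key tag", rr["key_tag"])
```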