Linus Nordberg wrote:
> Then on to a submitting client. What do people envision here? A
> standalone program "crawling" the zones at hand and submitting every DS
> it sees? Something running as part of a resolver, submitting DS records
> passing by? Something else?
Hi, Linus:
There is already a flexible binary logging facility implemented in
multiple DNS resolvers:
http://dnstap.info/. I think at least BIND,
Unbound, and Knot Resolver already have support in their mainline
branches. The underlying log messages are encoded with Protocol Buffers.
Currently dnstap only supports logging complete DNS wire format messages
(with metadata), but I was originally planning to support multiple types
of log messages.
It would be fairly simple to update the schema
(https://github.com/dnstap/dnstap.pb) so that a new type of message
could be encoded with just the information that you need, and then
update the resolver to generate the new messages and submit them into
the already existing code that handles exporting dnstap messages.
Once that was in place, a daemon could be developed that functions as a
dnstap server (listening on an AF_UNIX socket), decodes incoming
dnstap-formatted messages, and re-formats them for submission to a log.
It's not particularly well documented how to do these kinds of
extensions to dnstap, but if you can pinpoint where exactly in e.g. the
Unbound code you would want to capture the DS record data (and any
needed metadata?) I can help with making the necessary modifications.
--
Robert Edmonds
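The pipeline sketched in the reply above, as an added example: a hypothetical DS-observation message, the resolver-side encoding of it, and a small dnstap server that reads it over an AF_UNIX socket and re-formats it for a log submitter. This is not Robert Edmonds's code and not part of dnstap or libfstrm. Assumptions: a schema extension that does not exist in dnstap.pb (a new `Dnstap.Type` value 2 and a `ds_observation` sub-message at field 16 with the six fields listed in the comments); a hand-rolled protobuf encoder/decoder standing in for the generated dnstap classes; and a unidirectional Frame Streams session. The framing itself (big-endian length prefixes, a zero length escaping a control frame, START/STOP control frames carrying a CONTENT_TYPE field, content type `protobuf:dnstap.Dnstap`) and the fact that `Dnstap.type` is protobuf field 15 follow the real formats.

```python
import io, json, socket, struct
CT_START, CT_STOP, CF_CONTENT_TYPE = 2, 3, 1  # Frame Streams control-frame / control-field types
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
DNSTAP_TYPE_FIELD = 15                        # dnstap.proto: required Dnstap.Type type = 15
# ASSUMED extension (not in dnstap.pb): new Dnstap.Type value 2 and sub-message field 16 carrying
# 1 owner (bytes), 2 key_tag, 3 algorithm, 4 digest_type (uint32), 5 digest (bytes), 6 observed_time_sec
DNSTAP_TYPE_DS_OBSERVATION, DS_OBSERVATION_FIELD = 2, 16

def _varint(n):                               # protobuf base-128 varint
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def _read_varint(buf, i):
    result = shift = 0
    while True:
        result, i, shift = result | (buf[i] & 0x7F) << shift, i + 1, shift + 7
        if not buf[i - 1] & 0x80:
            return result, i

def pb_field(num, value):                     # int -> wire type 0 (varint), bytes -> wire type 2
    if isinstance(value, int):
        return _varint(num << 3) + _varint(value)
    return _varint(num << 3 | 2) + _varint(len(value)) + value

def pb_decode(buf):                           # schema-less walk -> {field_number: [values]}
    fields, i = {}, 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        if key & 7 not in (0, 2):             # fixed32/fixed64 are not used by the assumed message
            raise ValueError("unsupported wire type %d" % (key & 7))
        val, i = _read_varint(buf, i)
        if key & 7 == 2:                      # length-delimited: val is the payload length
            val, i = bytes(buf[i:i + val]), i + val
        fields.setdefault(key >> 3, []).append(val)
    return fields

def encode_ds_observation(owner, key_tag, algorithm, digest_type, digest, observed_time_sec):
    sub = (pb_field(1, owner) + pb_field(2, key_tag) + pb_field(3, algorithm)   # resolver side
           + pb_field(4, digest_type) + pb_field(5, digest) + pb_field(6, observed_time_sec))
    return pb_field(DNSTAP_TYPE_FIELD, DNSTAP_TYPE_DS_OBSERVATION) + pb_field(DS_OBSERVATION_FIELD, sub)

def fs_stream(payloads):                      # unidirectional Frame Streams: START, data frames, STOP
    control = lambda body: struct.pack(">II", 0, len(body)) + body   # length 0 escapes a control frame
    start = struct.pack(">III", CT_START, CF_CONTENT_TYPE, len(DNSTAP_CONTENT_TYPE)) + DNSTAP_CONTENT_TYPE
    data = b"".join(struct.pack(">I", len(p)) + p for p in payloads)
    return control(start) + data + control(struct.pack(">I", CT_STOP))

def _read_exact(f, n):
    data = f.read(n)
    if len(data) != n:
        raise EOFError("truncated frame")
    return data

def read_frames(f):                           # daemon side: yield data-frame payloads from reader f
    started = False
    while True:
        hdr = f.read(4)
        if len(hdr) < 4:
            return
        length = struct.unpack(">I", hdr)[0]
        if length:                            # data frame
            if not started:
                raise ValueError("data frame before START")
            yield _read_exact(f, length)
            continue
        body = _read_exact(f, struct.unpack(">I", _read_exact(f, 4))[0])   # control frame
        ctype, fields, j = struct.unpack_from(">I", body)[0], {}, 4
        while j < len(body):                  # control fields: type, length, payload
            ftype, flen = struct.unpack_from(">II", body, j)
            fields[ftype], j = body[j + 8:j + 8 + flen], j + 8 + flen
        if ctype == CT_STOP:
            return
        if ctype == CT_START and fields.get(CF_CONTENT_TYPE) != DNSTAP_CONTENT_TYPE:
            raise ValueError("unexpected content type %r" % fields.get(CF_CONTENT_TYPE))
        started = started or ctype == CT_START

def ds_log_record(payload):                   # daemon side: re-format one payload for the submitter
    top = pb_decode(payload)
    if top.get(DNSTAP_TYPE_FIELD, [None])[0] != DNSTAP_TYPE_DS_OBSERVATION:
        return None                           # ordinary dnstap MESSAGE records are ignored
    ds = pb_decode(top[DS_OBSERVATION_FIELD][0])
    return {"owner": ds[1][0].decode("ascii"), "key_tag": ds[2][0], "algorithm": ds[3][0],
            "digest_type": ds[4][0], "digest": ds[5][0].hex(), "observed_time_sec": ds[6][0]}

def records_from_bytes(data):
    return [r for r in map(ds_log_record, read_frames(io.BytesIO(data))) if r is not None]

def serve(path, sink):                        # dnstap server on an AF_UNIX socket; sink() gets JSON lines
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    while True:
        with srv.accept()[0] as conn, conn.makefile("rb") as f:
            for rec in filter(None, map(ds_log_record, read_frames(f))):
                sink(json.dumps(rec, sort_keys=True))

SAMPLE_STREAM = fs_stream([  # constructed sample: one DS observation (dummy digest) + one plain MESSAGE record
    encode_ds_observation(b"example.", 12345, 8, 2, bytes(range(20)), 1700000000),
    pb_field(DNSTAP_TYPE_FIELD, 1)])
```

`records_from_bytes(SAMPLE_STREAM)` exercises the whole decode path offline and yields one record (the plain MESSAGE record is dropped, which is the filtering the daemon needs once it shares a socket with ordinary dnstap traffic). `serve("/path/to/assumed.sock", print)` is the daemon form; the socket path is a placeholder. The content-type check on START is the one guard worth keeping even in a sketch: it is what stops the daemon from mis-parsing a writer that is speaking some other protobuf schema. Two simplifications to be aware of: libfstrm writers connected to a socket normally expect the bidirectional handshake (READY/ACCEPT, STOP/FINISH), which is not implemented here, and the decoder only handles the varint and length-delimited wire types, which is all the assumed message uses.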