[Bro] couple of questions
vern at icir.org
Fri Mar 24 14:16:43 PST 2006
> 1) In the DNS policy file there is an event for "dns_EDNS_addl" what
> part of the packet is this field in a DNS connection
EDNS is a general mechanism for specifying extensions to DNS.
> and what is the
> "pldsize" value from?
It comes from the framing provided by the EDNS mechanism.
> Is there a way to break out the data from this field?
No, though if there are specific EDNS extensions you're interested in,
we'd certainly encourage you to consider adding analysis for them to
the event engine (in DNS.cc).
> 2) When a DNS record has "DNS_SEC_OK" What is that from the packet connection?
That's also part of EDNS (the 'Z' field), and specifes that the extension
accepts DNSSEC RRs.
More information about the Bro