Correct inclusion of rwhois info in WHOIS server output?

Albert Meyer from_nanog at corenap.com
Wed Sep 7 19:33:53 UTC 2005


I've been talking to ARIN about the rwhois setup on our SWIPped blocks, and
there appears to be a problem with the standard output from whois.arin.net. The
two rwhois clients I've tried are rwhois and jwhois. The rwhois client behavior
is something like this:

1. Query whois.arin.net.
2a. If the response contains the name of an rwhois server, query that server and
return its output.
2b. If the response doesn't contain the name of an rwhois server, follow the
links. Query every rwhois server you find and return all of the output.

The jwhois client behavior is something like this:

1. Query whois.arin.net.
2a. If the response contains the name of an rwhois server, query that server and
return its output.
2b. If the response doesn't contain the name of an rwhois server, return the SWIP.

On blocks which are owned by CoreNAP, that works fine. For example, if I type:

whois -h whois.arin.net 66.219.44.0

The whois server returns our complete SWIP record including:

ReferralServer: rwhois://rwhois.corenap.com:4321/

So this block works fine with both jwhois and rwhois:

bash-2.05$ jwhois 66.219.44.0
[Querying whois.arin.net]
[Redirected to rwhois.corenap.com:4321]
[Querying rwhois.corenap.com]
[rwhois.corenap.com]
%rwhois V-1.5:003fff:00 cache02.ns.corenap.com (by Network Solutions, Inc. V-1.5.7.3)
network:Auth-Area:66.219.32.0/19
...

On blocks which are SWIPped to CoreNAP by an upstream provider, the response
from whois.arin.net does not include an rwhois record. For example, if I type:

whois -h whois.arin.net 65.59.252.0

The whois server returns this:

Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1)
                                   65.56.0.0 - 65.59.255.255
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1)
                                   65.59.252.0 - 65.59.252.255
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2)
                                   65.59.252.0 - 65.59.252.255

Since there is no rwhois server listed here, rwhois clients don't necessarily
manage to find the referral. rwhois apparently follows both links and returns
results from every rwhois server it finds, but jwhois doesn't follow either
link; it just returns the SWIP info. I believe that the correct response to this 
query would be:

Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1)
                                   65.56.0.0 - 65.59.255.255
ReferralServer: rwhois://rwhois.level3.net:4321
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1)
                                   65.59.252.0 - 65.59.252.255
ReferralServer: rwhois://rwhois.corenap.com:4321/
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2)
                                   65.59.252.0 - 65.59.252.255



I've read through the apparently relevant RFCs (812, 954, 1714, 1834, 1835, 
1913, 1914, 2050, 2167, 3912) but did not find a clear specification of correct 
WHOIS server output. The people I talked to at ARIN say that the configuration 
of whois.arin.net can be changed based on "significant community consensus" but 
they suggested that the problem could be fixed by rewriting the jwhois client 
(and any other client that doesn't follow links to search for an rwhois server). 
I spent a fair amount of time looking through the (apparently non-searchable) 
mailing list archive at http://lists.arin.net/pipermail/dbwg/ and saw some 
discussion of rwhois issues but I didn't manage to find information showing how 
the previous change was initiated. Questions:

1. Does anyone agree that the present lack of rwhois server information in the 
initial WHOIS response for SWIPped blocks is a problem?

2. Can anyone think of a compelling reason why rwhois server information should 
not be included in the initial response to a standard whois query for all IP 
blocks, including SWIPped blocks, besides the fact that it is not included now?

3. Would this change (adding rwhois server information to the initial response 
to a standard whois query for SWIPped blocks) break your scripts that parse 
WHOIS output?

4. How disruptive was the change when rwhois server information was initially 
added to WHOIS output?

5. Was the issue fully thought through at that time, and the rwhois server 
information intentionally left out of the initial response for SWIPped blocks, 
or did this happen by accident?

6. Does anyone know where that change process was documented?
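
Added example, not part of the original post and not code from jwhois, rwhois or ARIN: a sketch of how a script that parses whois.arin.net output could pick out ReferralServer lines and decide its next step under the two client behaviours described above. The function names, the default port of 4321, the hostname check, and treating the parenthesised NET handles as the "links" are assumptions.

```python
import re
from urllib.parse import urlsplit

REFERRAL_RE = re.compile(r"^ReferralServer:[ \t]*(\S+)[ \t]*$", re.M)
HANDLE_RE = re.compile(r"\((NET-[0-9-]+)\)[ \t]*$", re.M)
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

# SUMMARY is copied from the post; DIRECT is constructed around the one
# ReferralServer line the post quotes; PROPOSED is the output the post suggests.
DIRECT = "ReferralServer: rwhois://rwhois.corenap.com:4321/\n"
SUMMARY = """\
Level 3 Communications, Inc. LC-ORG-ARIN-BLK2 (NET-65-56-0-0-1)
                                   65.56.0.0 - 65.59.255.255
Core NAP, L.P. LVLT-CORENAP-NETBLOCK-03 (NET-65-59-252-0-1)
                                   65.59.252.0 - 65.59.252.255
VC Sterling, Inc. NET-65-59-252-0-1 (NET-65-59-252-0-2)
                                   65.59.252.0 - 65.59.252.255
"""
_l = SUMMARY.splitlines()
PROPOSED = "\n".join(
    _l[:2] + ["ReferralServer: rwhois://rwhois.level3.net:4321"]
    + _l[2:4] + ["ReferralServer: rwhois://rwhois.corenap.com:4321/"] + _l[4:])


def parse_referrals(text):
    """Return validated (host, port) pairs from ReferralServer lines."""
    found = []
    for url in REFERRAL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host, port = parts.hostname, parts.port or 4321  # default: assumption
        except ValueError:  # malformed URL or port outside 0-65535
            continue
        # The response is untrusted input: accept only rwhois:// and plain hostnames.
        if parts.scheme == "rwhois" and host and HOST_RE.match(host):
            found.append((host, port))
    return found


def plan(text, follow_links=False):
    """Next step as the post describes: False ~ jwhois, True ~ rwhois."""
    referrals = parse_referrals(text)
    if referrals:
        return ("query_rwhois", referrals)
    handles = HANDLE_RE.findall(text)
    if follow_links and handles:
        return ("requery_handles", handles)  # the "links": NET handles (assumption)
    return ("return_swip", [])
```
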


