why not use dns for draft-ymbk-opsawg-finding-geofeeds?

Randy Bush randy at psg.com
Mon Sep 14 22:26:12 UTC 2020


[ am i going to regret cross-posting? ]

a friend raised in private the question of whether the dns could be used
instead of rpsl.

essentially, dns does not search down-tree for you.  it only answers
exact specific queries.  for some reason lost in time, well at least
lost in my mind, rpsl servers give you the nearest enclosing object.

e.g., if i query for the ip address of psg.com, 147.28.0.62, i get the
encompassing inetnum: object.

    ryuu.rg.net:/Users/randy> whois -h whois.ripe.net 147.28.0.62   
    inetnum:        147.28.0.0 - 147.28.31.255
    netname:        RGNET-RSCH-147-0
    country:        EE
    org:            ORG-RO47-RIPE
    admin-c:        RB45695-RIPE
    tech-c:         RB45695-RIPE
    abuse-c:        AR52766-RIPE
    status:         LEGACY
    mnt-by:         MAINT-RGNET
    remarks:        Geofeed https://rg.net/geofeed
    created:        2020-09-03T22:23:37Z
    last-modified:  2020-09-13T20:16:05Z
    source:         RIPE # Filtered

and now i know not to query further in the range 147.28.0.0/19.  note
the geofeed pointer is not at the exact ip, or at the /24, or at the
/16.  and have fun getting the magic of knowing it is the /19 into the
dns.

one does not want to query the dns for an RR 62.0.28.147.in-addr.arpa
because, for this to be useful, either
  o you need the geoloc data with every PTR record (think ipv6 and
    slaac)
  o you need some non-existent magic to get you the geoloc data for some
    unspecified less specific granularity

if netflix wants to collect the geofeeds once a month, do we propose
they dns query all ipv4 and ipv6 host addresses?

i suspect there are also cultural issues.  in most isps of scale, dns is
close to customer service, a different 'silo' from provisioning.  rpsl
not so much.  i am sure massimo is learning more about the silos in ntt
than he would care to.  but he was able to deploy this hack in a week.
i would bet that he could never get a dns hack deployed.

possibly amusing tangential note: we once tried to do rpki in the dns,
see https://tools.ietf.org/html/draft-bates-bgp4-nlri-orig-verif-00
aside from other issues, dns only allows a single delegation, which
would preclude two owners in a make before break transition.

randy
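An added illustration of the point above (example code, not from the post or the draft): parsing the quoted inetnum object yields the covering /19 and its Geofeed URL, so every address inside that range is already answered, while the only in-addr.arpa names an octet-by-octet DNS walk could ask never land on a /19 boundary. The object text is a constructed, abbreviated copy of the whois output quoted above.

```python
import ipaddress
import re

# Constructed from the inetnum object quoted in the post (abbreviated).
WHOIS_OBJECT = """\
inetnum:        147.28.0.0 - 147.28.31.255
netname:        RGNET-RSCH-147-0
country:        EE
remarks:        Geofeed https://rg.net/geofeed
source:         RIPE # Filtered
"""


def parse_inetnum(text):
    """Return (covering networks, geofeed URL or None) from one RPSL inetnum object."""
    attrs = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    first, last = (ipaddress.ip_address(p.strip())
                   for p in attrs["inetnum"][0].split("-"))
    # A start-end range is not always a single CIDR block; summarize handles both.
    networks = list(ipaddress.summarize_address_range(first, last))
    url = None
    for remark in attrs.get("remarks", []):
        m = re.match(r"Geofeed\s+(https://\S+)", remark)
        if m:
            url = m.group(1)
    return networks, url


def covered_by(networks, address):
    """RPSL returned the nearest enclosing object, so any address inside it
    is answered without another query."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def in_addr_arpa_names(address):
    """The only names an octet-by-octet walk of in-addr.arpa can ask for an
    IPv4 address: the /32, /24, /16 and /8.  Nothing in between is nameable."""
    octets = str(ipaddress.ip_address(address)).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in (4, 3, 2, 1)]


def dns_nameable(network):
    """True only when the covering prefix sits on an octet boundary."""
    return network.prefixlen % 8 == 0
```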