[192520] in North American Network Operators' Group
Re: Another day, another illicit SQUAT - WebNX (AS18450)
daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Oct 31 06:57:04 2016
X-Original-To: nanog@nanog.org
Date: Mon, 31 Oct 2016 10:57:00 +0000
From: Tony Finch <dot@dotat.at>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
In-Reply-To: <25352.1477766547@segfault.tristatelogic.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
>
> You are correct. In this case, it would have been helpful if APNIC's WHOIS
> server returned something, when queried about 103.11.67.105, that would
> include an explicit referral to the ARIN WHOIS server. I mean they
> obviously know all the transfers they've made.
Yes, the state of whois referrals from RIRs is a bit of a mess.
I have changed FreeBSD whois to rely more on referrals than built-in
knowledge, and this mostly works. There are a couple of hacks to cope with
awkward RIRs: AfriNIC's referrals are human-readable though they can be
parsed if you assume the rubric is fixed; for RIPE, if the netname is
NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK it is treated as a referral to ARIN;
there's a similar hack for APNIC's ERX-NETBLOCKs - but evidently this
doesn't apply to more recently transferred net blocks :-(
It's probably time to make whois use RDAP under the covers for address
lookups. Bah.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Southeast Iceland: Westerly veering northwesterly 6 to gale 8, decreasing 4 or
5 for a time. Rough or very rough, occasionally high at first, then becoming
moderate in west. Showers. Good, occasionally poor.
