AS information available via DNS
Folks,

As one of the actions from the last RIPE meeting we have been thinking about a nice way to have an automatic update procedure based on DNS. As a trial for this an auto-script has been produced that loads current AS derived data into zonefiles under the domain aut-num.ripe.net. This has two very nice features straight away.

It allows you to see a list of networks associated with an AS. For example...

[mature-tony-1480] host -lt txt as1104.aut-num.ripe.net
AS1104.aut-num.ripe.net TXT 192.16.185.0
AS1104.aut-num.ripe.net TXT 192.16.186.0
AS1104.aut-num.ripe.net TXT 192.16.194.0
AS1104.aut-num.ripe.net TXT 192.16.195.0
AS1104.aut-num.ripe.net TXT 192.16.199.0
AS1104.aut-num.ripe.net TXT 192.87.45.0

I currently use TXT records for the zonefiles (suggestions are welcome if something else is more appropriate?).

Also, you can do more interesting things like perhaps generate access-lists. For example...

[mature-tony-1482] host -lt txt as1104.aut-num.ripe.net | awk '{ printf ("access-list 30 permit %s\n", $3)}'
access-list 30 permit 192.16.185.0
access-list 30 permit 192.16.186.0
access-list 30 permit 192.16.194.0
access-list 30 permit 192.16.195.0
access-list 30 permit 192.16.199.0
access-list 30 permit 192.87.45.0

and so on.

You can also see what ASes are currently in the RIPE database.
host -lt ns aut-num.ripe.net
aut-num.ripe.net NS mature.ripe.net
AS760.aut-num.ripe.net NS mature.ripe.net
AS766.aut-num.ripe.net NS mature.ripe.net
AS590.aut-num.ripe.net NS mature.ripe.net
NONE-LOCAL.aut-num.ripe.net NS mature.ripe.net
AS1717.aut-num.ripe.net NS mature.ripe.net
AS2107.aut-num.ripe.net NS mature.ripe.net
AS2108.aut-num.ripe.net NS mature.ripe.net
AS2111.aut-num.ripe.net NS mature.ripe.net
AS1205.aut-num.ripe.net NS mature.ripe.net
AS786.aut-num.ripe.net NS mature.ripe.net
AS2116.aut-num.ripe.net NS mature.ripe.net
AS789.aut-num.ripe.net NS mature.ripe.net
AS1213.aut-num.ripe.net NS mature.ripe.net
AS2119.aut-num.ripe.net NS mature.ripe.net
AS1899.aut-num.ripe.net NS mature.ripe.net
AS2122.aut-num.ripe.net NS mature.ripe.net
AS1739.aut-num.ripe.net NS mature.ripe.net
AS1741.aut-num.ripe.net NS mature.ripe.net
AS1923.aut-num.ripe.net NS mature.ripe.net
AS1752.aut-num.ripe.net NS mature.ripe.net
AS1755.aut-num.ripe.net NS mature.ripe.net
AS1241.aut-num.ripe.net NS mature.ripe.net
AS2148.aut-num.ripe.net NS mature.ripe.net
AS137.aut-num.ripe.net NS mature.ripe.net
AS1770.aut-num.ripe.net NS mature.ripe.net
AS513.aut-num.ripe.net NS mature.ripe.net
AS1257.aut-num.ripe.net NS mature.ripe.net
AS2004.aut-num.ripe.net NS mature.ripe.net
AS517.aut-num.ripe.net NS mature.ripe.net
AS679.aut-num.ripe.net NS mature.ripe.net
AS1104.aut-num.ripe.net NS mature.ripe.net
AS1267.aut-num.ripe.net NS mature.ripe.net
AS1274.aut-num.ripe.net NS mature.ripe.net
AS1275.aut-num.ripe.net NS mature.ripe.net
AS697.aut-num.ripe.net NS mature.ripe.net
AS174.aut-num.ripe.net NS mature.ripe.net
AS719.aut-num.ripe.net NS mature.ripe.net
AS544.aut-num.ripe.net NS mature.ripe.net
AS1290.aut-num.ripe.net NS mature.ripe.net
AS2380.aut-num.ripe.net NS mature.ripe.net
AS2036.aut-num.ripe.net NS mature.ripe.net
AS553.aut-num.ripe.net NS mature.ripe.net
AS2043.aut-num.ripe.net NS mature.ripe.net
AS1324.aut-num.ripe.net NS mature.ripe.net
AS559.aut-num.ripe.net NS mature.ripe.net
AS378.aut-num.ripe.net NS mature.ripe.net
AS1849.aut-num.ripe.net NS mature.ripe.net
NONE.aut-num.ripe.net NS mature.ripe.net
AS1853.aut-num.ripe.net NS mature.ripe.net
AS565.aut-num.ripe.net NS mature.ripe.net
AS224.aut-num.ripe.net NS mature.ripe.net
AS60.aut-num.ripe.net NS mature.ripe.net

The NONE and NONE-LOCAL zones are not currently loaded.

The second aspect of this is the possibility of having an update procedure based on DNS. Here we could delegate the zone to the "guardian" and if we provided a consistency checking tool to avoid conflicts it would be a nice "dynamic" mechanism for updating AS information. We would like to go this way if you feel using DNS is reasonable as opposed to using some form of login/ftp mechanism as previously used for ripe-60 tags and planned for ripe-81.

Please let us know your views on this and also please try looking at the information in the aut-num.ripe.net zone.

--Tony
> As one of the actions from the last RIPE meeting we have been thinking
> about a nice way to have an automatic update procedure based on DNS. As a
> trial for this an auto-script has been produced that loads current
> AS derived data into zonefiles under the domain aut-num.ripe.net. This
> has two very nice features straight away. It allows you to see a list of
> networks associated with an AS. For example...
>
> [mature-tony-1480] host -lt txt as1104.aut-num.ripe.net
> AS1104.aut-num.ripe.net TXT 192.16.185.0
> AS1104.aut-num.ripe.net TXT 192.16.186.0
> AS1104.aut-num.ripe.net TXT 192.16.194.0
> AS1104.aut-num.ripe.net TXT 192.16.195.0
> AS1104.aut-num.ripe.net TXT 192.16.199.0
> AS1104.aut-num.ripe.net TXT 192.87.45.0
I've only one comment (I think): for large ASes there will be a lot of text stored for a single label. If you should try using DNS/UDP to query for TXT for this label, default maximum DNS response packet size (512 bytes?) will likely overflow. If the resolver library in use followed the Host Requirements it should notice a truncated response, and retry with TCP, but who has a resolver library which correctly implements this? I'm not sure the resolver library in BIND does this right... Witness the attached output of "dig" and note the "tc" flag. You could use A records instead, I guess, and save some space in the DNS response packets, but this just postpones the problem a short while. I see you already did that (see below), but I still get a truncated response to the as224.aut-num.ripe.net query, so there you go...

However, if all you are interested in doing is zone transfers, then TCP is already in use anyway, so maybe this is not of such a great concern. I should however point out that storing massive amounts of information on a single label is fairly "unconventional use" of the DNS (?), which may stress-test some pieces of code in new ways...

I'm not sure of what a solution to this problem should be, however, or whether we just ignore the problem.

- Havard

skarv% dig @mature.ripe.net. as224.aut-num.ripe.net. any

; <<>> DiG 2.0 <<>> @mature.ripe.net. as224.aut-num.ripe.net. any
;; truncated answer
;; response truncated
;; ->>HEADER<<- opcode: QUERY , status: NOERROR, id: 11
;; flags: qr aa tc rd ra ; Ques: 1, Ans: 58, Auth: 0, Addit: 0
;; QUESTIONS:
;;      as224.aut-num.ripe.net, type = ANY, class = IN

;; ANSWERS:
as224.aut-num.ripe.net. 14400   NS      mature.ripe.net.
as224.aut-num.ripe.net. 14400   SOA     mature.ripe.net. hostmaster.ripe.net. (
                        93051001        ;serial
                        14400           ;refresh
                        1800            ;retry
                        14400           ;expire
                        14400 )         ;minim
as224.aut-num.ripe.net. 14400   A       32.0.0.0
as224.aut-num.ripe.net. 14400   A       128.39.0.0
as224.aut-num.ripe.net. 14400   A       129.177.0.0
as224.aut-num.ripe.net. 14400   A       129.240.0.0
as224.aut-num.ripe.net. 14400   A       129.241.0.0
as224.aut-num.ripe.net. 14400   A       129.242.0.0
as224.aut-num.ripe.net. 14400   A       132.150.0.0
as224.aut-num.ripe.net. 14400   A       134.47.0.0
as224.aut-num.ripe.net. 14400   A       136.164.0.0
as224.aut-num.ripe.net. 14400   A       139.105.0.0
as224.aut-num.ripe.net. 14400   A       139.111.0.0
as224.aut-num.ripe.net. 14400   A       139.120.0.0
as224.aut-num.ripe.net. 14400   A       144.164.0.0
as224.aut-num.ripe.net. 14400   A       146.172.0.0
as224.aut-num.ripe.net. 14400   A       152.94.0.0
as224.aut-num.ripe.net. 14400   A       155.73.0.0
as224.aut-num.ripe.net. 14400   A       156.116.0.0
as224.aut-num.ripe.net. 14400   A       157.249.0.0
as224.aut-num.ripe.net. 14400   A       158.36.0.0
as224.aut-num.ripe.net. 14400   A       158.37.0.0
as224.aut-num.ripe.net. 14400   A       158.38.0.0
as224.aut-num.ripe.net. 14400   A       158.39.0.0
as224.aut-num.ripe.net. 14400   A       161.4.0.0
as224.aut-num.ripe.net. 14400   A       192.5.46.0

;; Sent 2 pkts, answer found in time: 305 msec
;; FROM: skarv to SERVER: mature.ripe.net.  192.87.45.6
;; WHEN: Mon May 10 23:32:43 1993
;; MSG SIZE  sent: 40  rcvd: 1012

skarv%
Havard Eidnes <Havard.Eidnes@runit.sintef.no> writes:

* > As one of the actions from the last RIPE meeting we have been thinking
* > about a nice way to have an automatic update procedure based on DNS. As a
* > trial for this an auto-script has been produced that loads current
* > AS derived data into zonefiles under the domain aut-num.ripe.net. This
* > has two very nice features straight away. It allows you to see a list of
* > networks associated with an AS. For example...
* >
* > [mature-tony-1480] host -lt txt as1104.aut-num.ripe.net
* > AS1104.aut-num.ripe.net TXT 192.16.185.0
* > AS1104.aut-num.ripe.net TXT 192.16.186.0
* > AS1104.aut-num.ripe.net TXT 192.16.194.0
* > AS1104.aut-num.ripe.net TXT 192.16.195.0
* > AS1104.aut-num.ripe.net TXT 192.16.199.0
* > AS1104.aut-num.ripe.net TXT 192.87.45.0
*
* I've only one comment (I think): for large ASes there will be a lot of text
* stored for a single label. If you should try using DNS/UDP to query for
* TXT for this label, default maximum DNS response packet size (512 bytes?)
* will likely overflow. If the resolver library in use followed the Host
* Requirements it should notice a truncated response, and retry with TCP, but
* who has a resolver library which correctly implements this? I'm not sure
* the resolver library in BIND does this right... Witness the attached
* output of "dig" and note the "tc" flag. You could use A records instead, I
* guess, and save some space in the DNS response packets, but this just
* postpones the problem a short while. I see you already did that (see
* below), but I still get a truncated response to the as224.aut-num.ripe.net
* query, so there you go...
*

Sure - this we knew about but not sure how else to do it. My feeling is that most people will probably do zone transfers of the data anyway. Some of us do have good resolvers as well but I agree this is not a very good answer.

One thing I did on the suggestion of Peter Koch was change the entries to A RRs. A RRs use less RDATA than TXT as you say but it doesn't help much.

* However, if all you are interested in doing is zone transfers, then TCP is
* already in use anyway, so maybe this is not of such a great concern. I
* should however point out that storing massive amounts of information on a
* single label is fairly "unconventional use" of the DNS (?), which may
* stress-test some pieces of code in new ways...
*

Yes - this is interesting. Currently it is not too bad although it takes a little while (order of seconds) to load the data from scratch; however, as you saw from the RIPE meeting we only have about 25% AS coverage so far.

* I'm not sure of what a solution to this problem should be, however, or
* whether we just ignore the problem.
*

That was my feeling too. If people like the idea and we can reliably use it for the update procedure then I'll just make sure we either make "warning" documentation to use TCP based queries or we put up a good resolver.

*
* - Havard
*

Thanks for your comments,

--Tony
> * > [mature-tony-1480] host -lt txt as1104.aut-num.ripe.net
> * > AS1104.aut-num.ripe.net TXT 192.16.185.0
> * > AS1104.aut-num.ripe.net TXT 192.16.186.0
> * > AS1104.aut-num.ripe.net TXT 192.16.194.0
> * > AS1104.aut-num.ripe.net TXT 192.16.195.0
> * > AS1104.aut-num.ripe.net TXT 192.16.199.0
> * > AS1104.aut-num.ripe.net TXT 192.87.45.0
> * ...
> * I'm not sure of what a solution to this problem should be, however, or
> * whether we just ignore the problem.
>
> That was my feeling too. If people like the idea and we can reliably use
> it for the update procedure then I'll just make sure we either make
> "warning" documentation to use TCP based queries or we put up a good
> resolver.
I've given this some further thought, and a possibility could be to do it like this:

$origin as224.aut-num.ripe.net.
@ IN SOA ...
;
@ NS ...
@ NS ...
;
1 A 32.0.0.0
2 A 128.39.0.0
3 A 129.177.0.0
4 A 129.240.0.0
;

etc.

Since you are primarily concerned with the value parts of the RRs in the zone, the labels you use to identify each individual entry are of lesser concern. This avoids the problem of truncated UDP response packets, but also removes the possibility to retrieve the network list by using a single DNS query (over TCP). Instead, one has to use a zone transfer to accomplish the same task.

I'm not sure this is a desirable solution... I think the technically more correct thing would be to deploy/distribute (contribute to BIND) a better resolver library but it will take a while for it to be widely distributed (eg. via vendors).

- Havard
Havard Eidnes <Havard.Eidnes@runit.sintef.no> writes:

* > * > [mature-tony-1480] host -lt txt as1104.aut-num.ripe.net
* > * > AS1104.aut-num.ripe.net TXT 192.16.185.0
* > * > AS1104.aut-num.ripe.net TXT 192.16.186.0
* > * > AS1104.aut-num.ripe.net TXT 192.16.194.0
* > * > AS1104.aut-num.ripe.net TXT 192.16.195.0
* > * > AS1104.aut-num.ripe.net TXT 192.16.199.0
* > * > AS1104.aut-num.ripe.net TXT 192.87.45.0
* > * ...
* > * I'm not sure of what a solution to this problem should be, however, or
* > * whether we just ignore the problem.
* >
* > That was my feeling too. If people like the idea and we can reliably use
* > it for the update procedure then I'll just make sure we either make
* > "warning" documentation to use TCP based queries or we put up a good
* > resolver.
*
* I've given this some further thought, and a possibility could be to do it
* like this:
*
* $origin as224.aut-num.ripe.net.
* @ IN SOA ...
* ;
* @ NS ...
* @ NS ...
* ;
* 1 A 32.0.0.0
* 2 A 128.39.0.0
* 3 A 129.177.0.0
* 4 A 129.240.0.0
* ;
*
* etc.
*

Hmm... Don't like this too much either, sorry. I agree that the labels are immaterial, but it doesn't really get round the main thing, which in my opinion is listing the nets.

* Since you are primarily concerned with the value parts of the RRs in the
* zone, the labels you use to identify each individual entry is of lesser
* concern. This avoids the problem of truncated UDP response packets, but
* also removes the possibility to retrieve the network list by using a single
* DNS query (over TCP). Instead, one has to use a zone transfer to
* accomplish the same task.
*
* I'm not sure this is a desirable solution... I think the technically more
* correct thing would be to deploy/distribute (contribute to BIND) a better
* resolver library but it will take a while for it to be widely distributed
* (eg. via vendors).
*

I agree. Anyone know if this will happen in 4.9 or not?

On this whole subject.
It appears that from the responses I've had the general feeling is not to do the update procedure this way. We will use the standard "centralised" type mechanism based on logins and guarded files and not pursue this any further. However, as part of this whole idea I plan to leave the ability to list all the nets from the DNS, so I will generate network lists based on AS so at least the functionality is there for those who want to make use of it.

--Tony.
Participants (2):
- Havard Eidnes
- Tony Bates