[PATCH] Do not use -V on RIPE/Bird WHOIS queries

Faidon Liambotis paravoid at debian.org
Fri Jan 7 17:44:39 UTC 2011

Marco, hi,

Marco d'Itri wrote:
> I do not understand your point. -VTAG works and I expect it will work
> forever since many widely used clients use it. I believe it is a good
> idea to make clients which make a lot of queries advertise their name
> to the server.

We began investigating the issue after an upgrade of our internal WHOIS
server to 3.10; specifically, irrtoolset was getting "address passing
not allowed" and then banned.

Naturally, at first I thought it was a bug in the new version of whoisd.

However, RIPE's own database query reference manual[1] says:

> The database server provides a facility for such proxy clients that
> allows accounting to be based on the IP address of the clients using
> the proxy to query the RIPE Database and not on the IP address of the
> proxy server. This is done using the "-V" flag as follows:
> -V <version>,<ipv4-address>

and more importantly,

> Not all users can use this "-V" flag. Before you can, you must 
> contact RIPE Database Administration and tell us why you need this 
> facility. If we approve your request, we will add the IP address of 
> the proxy server to an access control list. You can then use the "-V"
> flag, but only from your stated IP address.
> Attempting to use the "-V" flag without approval may result in 
> permanent denial of access to the RIPE Database. This denial of 
> access will apply to the IP address that submits the query.

Hence their (new?) code matches the documentation, so I figured it's
irrtoolset that doesn't conform to that. Is there documentation that
suggests otherwise?


1: http://www.ripe.net/db/support/query-reference-manual.pdf §.212

More information about the irrtoolset mailing list