irrdnet / irrd

IRRd version 4
http://irrd.readthedocs.io/en/stable/

allow 'alias function' for -S query #73

Closed job closed 5 years ago

job commented 6 years ago

Which sources to query for is kind of a moving target. It makes sense if we can allow specifying a list of IRR sources that are expanded.

think of it as

alias SECURE=RPKI,APNIC,RPKI,ARIN-WHOIS,AFRINIC,REGISTROBR,JPIRR

so that

bgpq3 -h rr.ntt.net -S SECURE AS15562

is the same as:

bgpq3 -h rr.ntt.net -S RPKI,APNIC,RPKI,ARIN-WHOIS,AFRINIC,REGISTROBR,JPIRR AS15562

this way we can promote people to use SECURE as a source, and allow them to outsource that decision making to the IRRd instance operator.

job commented 6 years ago

Thanks to Martijn Schmidt (i3d) for the dialogue that led to this idea

martijn-schmidt commented 6 years ago

Thanks for raising the issue, Job!

If we are going to outsource the decision to the IRRd instance operator, it may be helpful to include a sane default for that alias in the configuration file shipped with the software, or alternatively add a comment which refers to a link where the operator can obtain the latest list of sources considered as SECURE by the community. Perhaps we could even add a default that dynamically refers to an externally hosted list (MANRS?) so the IRRd instance operator can in turn outsource the SECURE decision to some other entity, with the option to deviate from that default as needed.

Moreover, as an end user it would be nice if we can send a whois query to the IRRd server instance which responds back with the list of SECURE sources it used to build the alias. Maybe this would be easiest as a new IRR object type that can only be created by the IRRd instance owner?
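The alias expansion proposed in this thread, together with the query that reports what an alias stands for, as an added example that is not part of the thread or of IRRd's code. The names `ALIASES`, `KNOWN_SOURCES`, `check_aliases`, `expand_sources` and `describe_alias`, and the `EXAMPLE-IRR` source, are assumptions made for illustration.

```python
# Added illustration, not IRRd code: every name below is hypothetical.
# Source names are taken from the thread; EXAMPLE-IRR is constructed.
KNOWN_SOURCES = {"RPKI", "APNIC", "ARIN-WHOIS", "AFRINIC", "REGISTROBR",
                 "JPIRR", "EXAMPLE-IRR"}
ALIASES = {
    # Copied as posted, including the repeated RPKI entry.
    "SECURE": ["RPKI", "APNIC", "RPKI", "ARIN-WHOIS", "AFRINIC",
               "REGISTROBR", "JPIRR"],
}


class SourceError(ValueError):
    """Raised for an unknown source or a badly defined alias."""


def check_aliases(aliases=ALIASES, known=KNOWN_SOURCES):
    """Reject aliases that shadow a real source or name an unmirrored one."""
    for alias, members in aliases.items():
        if alias in known:
            raise SourceError(f"alias {alias} shadows a real source")
        missing = [m for m in members if m not in known]
        if missing:
            raise SourceError(f"alias {alias} names unknown sources: {missing}")
    return True


def expand_sources(spec, aliases=ALIASES, known=KNOWN_SOURCES):
    """Expand a comma-separated -S value into an ordered, duplicate-free list."""
    result = []
    for token in spec.split(","):
        name = token.strip().upper()
        if not name:
            continue
        # An alias expands in place, so its position in the request is kept.
        for source in aliases.get(name, [name]):
            if source not in known:
                raise SourceError(f"unknown source: {source}")
            if source not in result:
                result.append(source)
    if not result:
        raise SourceError("no sources requested")
    return result


def describe_alias(name, aliases=ALIASES):
    """Report which sources an alias stands for, so clients can audit it."""
    key = name.strip().upper()
    if key not in aliases:
        raise SourceError(f"no such alias: {key}")
    return list(dict.fromkeys(aliases[key]))
```

Rejecting unknown names instead of silently dropping them means a mistyped alias fails loudly rather than producing a prefix list built from fewer sources than the client asked for.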

job commented 5 years ago

I think we're not going to implement this feature at this time - I think the best approach is that people shouldn't mirror databases they don't trust, or shouldn't point their prefix list generator to an irrd instance they don't trust. We should have "secure by default" and not add flags to signal that things should be "more secure".