	Tools
	Tutorials
	FAQ
	Documentation
	Billing
	Contact
	Mirror Information

Query the RADb:

Advanced Query

Query Help

Tutorials: Using GPG with the RADB

GPG Notes and Limitations
Creating the Key-Cert Object
How to Use GPG for RADB Authentication

Notes and Limitations

In addition to supporting PGP-based authentication we now offer limited support of GPG-based signatures. It is limited because ElGamel encryption cannot currently be supported due to interoperability issues with PGP. Thus key types <1> DSA and Elgamal (default) and (2) DSA are supported while option (4) ElGamal (sign and encrypt) is not. We hope to provide full support for ElGamal keys in the near future.

Creating the Key-Cert Object

Create a GPG key.

This document takes you step-by-step through the process of creating a key-cert object, including generation of a GPG key and GPG-signing your DB submissions.

User input is shown in red. Other important information in orange.

The example below uses GPG version 1.04 but the process is applicable to other versions.

% gpg --gen-key gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.

gpg: you have to start GnuPG again, so it can read the new options file % gpg --gen-key gpg (GnuPG) 1.0.4; Copyright (C) 2000 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. gpg: /.gnupg/secring.gpg: keyring created gpg: /.gnupg/pubring.gpg: keyring created Please select what kind of key you want: (1) DSA and ElGamal (default) (2) DSA (sign only) (4) ElGamal (sign and encrypt) Your selection? 1

Note that choosing option 4 will result in a key that you will not be able to register. Options 1 and 2 should work fine.

DSA keypair will have 1024 bits. About to generate a new ELG-E keypair. minimum keysize is 768 bits default keysize is 1024 bits highest suggested keysize is 2048 bits What keysize do you want? (1024) Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct (y/n)? y You need a User-ID to identify your key; the software constructs the user id from Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) " Real name: Christerfer Frazier Email address: cfz@merit.edu Comment: You selected this USER-ID: "Christerfer Frazier " Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. ThisIsAPieceofCake We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ++++++++++.+++++.++++++++++..+++++.++++++++++.+++++.+++++++++++++++++++++++++.++ ++++++++++++++++++++++++++++++++++++++++++++..++++++++++++++++++++....>+++++.... ++++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. .++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.++++++++++++++++++ +++..++++++++++++++++++++++++++++++++++++++++.++++++++++>.+++++................. +..+++++^^^^ public and secret key created and signed.

Get your hex ID.

Now note your hex ID. The hex ID here is 'E0EBA60B'. This is required to create the key-cert object.

% gpg --list-keys
/.gnupg/pubring.gpg
----------------------------------------------
pub  1024D/E0EBA60B 2001-10-10
Christerfer Frazier

sub  1024g/66C5C28C 2001-10-10

Extract your public key block in ascii format to a file mykeys.txt.


% gpg --export -a -o mykeys.txt --export E0EBA60B

% cat mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (SunOS)
Comment: For info see http://www.gnupg.org

mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
=5lsy
-----END PGP PUBLIC KEY BLOCK-----

Create the key-cert.

Now use your favorite editor to create your key-cert object. Be sure to note the '+' signs that begin each line of the certif attribute you are required to add them in the object. Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified. These attributes are auto-generated by the IRRd software and so they are intentionally omitted.

% vi mykeys.txt
key-cert:  PGPKEY-E0EBA60B
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.4 (SunOS)
+Comment: For info see http://www.gnupg.org
+
+mQGiBDvEqK4RBACipVK0SbSbggyWzSrdRn67BwFS3S4G0vIHO5PUzh4J9D4IxHu5
+a3RfaSgKPGWp3ZrgWjm2Y4ff64DbcDbx43nkxGrQdnihMI7BS/ulehfkmlnET/BX
+u9mtYiV4m+rpxT5XRJRjVbZBSERmZlaFhgfFGp2BYexVNegwDSa4ArWJ2wCgt88V
+O/edXkFOC3jynH/XO478ikEEAJYSvrSJ6TYyPEn9N6jlD65xL0xUfAieGmW1NyRh
+/KYLE+2+DoME0sVCqiCUqM4SYfr+n3N+Vpq1sLitUxWpi5jPwWtxFAZ9GU6HHb/n
+YaHOgHA9Pb/OeO4zl9lCGjf4LJ6a5518x6jjoP6uhKrWXdOHjD10uQNI5zj2F9Xs
+EuYDA/9gaNT8tHLNvbfbl+1PSrKa9b/tbcTAuA9Nu7U7V/0xAOYGJyejnjAEsJBI
+wZJf+ua7KCV5mtqlwtTFw5pXMGHLHIMnbuzSU0qBsEHzo4yxtST7cTPh5Fv+xcc0
+ST8fTw3A6xnmzDIi41q1EcuQT1E5igp4GEHYXnfdSqBMKglCnLQjQ2hyaXN0ZXJm
+ZXIgRnJhemllciA8Y2Z6QG1lcml0LmVkdT6IVwQTEQIAFwUCO8SorgULBwoDBAMV
+AwIDFgIBAheAAAoJEF+P4+7g66YLIPIAoIx5FgGo+mTsZvx1/G8haUW2oaUEAJ9T
+n2Z9k7ASLHJWdB6ICGKkzRAwjbkBDQQ7xKjNEAQAsc246VvyqXnvSapiLP3cteSF
+5esgC0xmvjgnrbv34mdQak7wgmWpXg8ohitij1vHl6Y07QgiJh3XJ0qLjT4bu+jE
+w6c8FamkMovB2YnHAGiHAol3Mqv4codEUs1DRu0Sza+5pmpElcysMiPhx661OH1B
+DTrDmHKBpXYfqI/ZNDMAAwYD+QErFkB62KV+u/Xx0dCeGdQL5AG/MnZobtnoNOkY
+wSiXxUF1dN0+gVi61t31yDkoD3H0f5jKHYCTrgnAVmh+UJKpXNlskshzLBw3OM9F
+oGI+3Cw+fLbMi4ojYyuYWvt2hywNEuzkEtirHrDMDbTLzGbO+c1OJDP2exrVHaU5
+8N+MiEYEGBECAAYFAjvEqM0ACgkQX4/j7uDrpgv8OACgjrWbVVJzSe3Og5s+nJ59
+Fy+Jqz4An3A2/b/t+7nH7e/0+fiwo+pfiCRi
+=5lsy
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by:    MAINT-FRAZIER
changed:   cfz@merit.edu
source:    RADB

Mail the key-cert object to auto-dbm for processing.
```
% mail -t auto-dbm@radb.net < mykeys.txt
```
If everything is ok you will recieve mail acknowledgement form auto-dbm@radb.net with the following:
```
ADD OK: [key-cert] PGPKEY-E0EBA60B
```
Else you will get a response with syntax errors. The errors are denoted in the response messsage with '?' characters.

Update your maintainer to use the GPG athentication.

Make sure your key has been added succesfully *before* updating your maintainer to use the key. At this point lets add in the new 'auth:' attribute. To make full use of the security GPG provides be sure to delete references to the 'MAIL-FROM' and 'CRYPT-PW' else your maintainer is just as insecure as it was before since these mechanisms can still be used.

BEFORE GPG
mntner:             MAINT-FRAZIER
descr:              Maintainer without GPG
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               MAIL-FROM cfz@merit.edu
auth:               CRYPT-PW pfRRVg599QpLw
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20010616
source:             RADB

WITH GPG
mntner:             MAINT-FRAZIER
descr:              New maintainer with GPG authentication
admin-c:            CFZ
tech-c:             CFZ
upd-to:             cfz@merit.edu
auth:               PGPKEY-E0EBA60B
mnt-by:             MAINT-FRAZIER
changed:            cfz@merit.edu 20011010
source:             RADB

How to use GPG for RADB authentication

Following instructions for creating, modifying, or deleting an object. But omit the step to mail auto-dbm@radb.net.
Assume the object is in a filed named 'db-submission.txt'. Since GPG defaults its output to a file named *.asc, in our example the GPG-signed submission will be in a file called db-submission.txt.asc.The 'passphrase' is the value you supplied to GPG when you created your key from step in the previous section "Create a GPG key."
```
% gpg --clearsign db-submission.txt 

You need a passphrase to unlock the secret key for
user: "Christerfer Frazier "
1024-bit DSA key, ID E0EBA60B, created 2001-10-10
%
```
Send your GPG signed submission to auto-dbm@radb.net.
```
% mail -t auto-dbm@radb.net < db-submission.txt
```
DONE! You have successfully used a GPG-signed message to update an entry in the RADB.
Comments and questions are welcome; please send email to db-admin@radb.net.

The RADb is operated by Merit Network Inc.
1000 Oakbrook Drive Suite 200
Ann Arbor, MI 48104-6794
734-764-9430 db-admin@radb.net