PGP authentication and mntner objects

Using PGP keys in mntner objects

To use PGP authentication to authorize changes to objects protected by your mntner object, you must:

1. Create a PGP key

Don’t have PGP software installed on your system?

Download from International PGP

2. Register the public PGP key in the APNIC Whois Database

  • Create a ‘key-cert’ object in the APNIC Whois Database to hold your public PGP key
  • Place your public key in the certif attribute.

Object Template

The object template includes information on how to complete the attribute values.

               Status       Instance     Search Status

key-cert:      [mandatory]  [single]     [primary/lookup key]
method:        [generated]  [single]     [ ]
owner:         [generated]  [multiple]   [ ]
fingerpr:      [generated]  [single]     [ ]
certif:        [mandatory]  [multiple]   [ ]
remarks:       [optional]   [multiple]   [ ]
notify:        [optional]   [multiple]   [inverse key]
admin-c:       [optional]   [multiple]   [inverse key]
tech-c:        [optional]   [multiple]   [inverse key]
mnt-by:        [mandatory]  [multiple]   [inverse key]
changed:       [mandatory]  [multiple]   [ ]
source:        [mandatory]  [single]     [ ]

More on key-cert objects

3. Place the name of the key-cert object in the auth attribute of your mntner object

  • If you are creating a new mntner object, send the completed mntner object to
  • If you are updating an existing mntner object, you must include the authorization method specified in the earlier version of the object to update the auth attribute. Then send
    the completed object to

Using PGP keys to sign database updates

To send PGP signed updates to the APNIC Whois Database, sign the body of the message which contains the updates. Remember to use ASCII armoring.

  • Multiple PGP-signed and non-signed parts can be supplied in a single update message; each part gets processed separately.

  • You can supply several objects which are protected by different PGP keys in a single update message, but you cannot use any “magic” references like AUTO-1 nic-handles between these parts.
    Also, the software doesn’t currently support recursive PGP decoding. If you sign an already signed message, only the outermost PGP block gets checked.

  • PGP parts with invalid signatures are rejected in all cases, even if the object is not protected by PGP authentication.
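The part-handling rules above can be checked locally before an update is mailed. The following pre-send check is an added example, not APNIC's software: it splits a message into its outermost signed and unsigned parts, then flags a nested signature and any AUTO-n reference that appears in more than one part. The names split_parts and lint_update and the sample message are constructed for illustration, and the check does not verify signatures.

```python
import re

# One outermost clearsigned block: armor headers, blank line, cleartext, signature.
CLEARSIGN = re.compile(
    r"^-----BEGIN PGP SIGNED MESSAGE-----\n(?:[^\n]+\n)*\n(.*?)\n"
    r"-----BEGIN PGP SIGNATURE-----\n.*?^-----END PGP SIGNATURE-----$", re.S | re.M)

def split_parts(message):
    """Return [(is_signed, text), ...] for the outermost parts of an update."""
    message = message.replace("\r\n", "\n")
    parts, pos = [], 0
    for m in CLEARSIGN.finditer(message):
        if message[pos:m.start()].strip():
            parts.append((False, message[pos:m.start()]))
        parts.append((True, m.group(1)))
        pos = m.end()
    if message[pos:].strip():
        parts.append((False, message[pos:]))
    return parts

def lint_update(message):
    """Warn about nested signatures and AUTO-n references shared between parts."""
    warnings, seen = [], {}
    for idx, (signed, text) in enumerate(split_parts(message), 1):
        # Inside cleartext, an inner armor line is dash-escaped as "- -----BEGIN ...".
        inner = "- -----BEGIN PGP SIGNED MESSAGE-----"
        if signed and any(l.startswith(inner) for l in text.splitlines()):
            warnings.append(f"part {idx}: nested signature, only the outermost block is checked")
        for ref in sorted(set(re.findall(r"\bAUTO-\d+\b", text))):
            if ref in seen:
                warnings.append(f"{ref}: appears in parts {seen[ref]} and {idx}")
            seen.setdefault(ref, idx)
    return warnings

# Constructed sample: an unsigned part plus a twice-signed part (signature data omitted).
SAMPLE = """\
person:  Example Person
nic-hdl: AUTO-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----BEGIN PGP SIGNED MESSAGE-----
inetnum: 192.0.2.0 - 192.0.2.255
admin-c: AUTO-1
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""
```

Calling lint_update(SAMPLE) returns two warnings, one for the nested signature in part 2 and one for AUTO-1 appearing in parts 1 and 2.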
