Using GPG with the RADb

Notes - Limitations

In addition to supporting PGP-based authentication we now offer limited support for GPG-based signatures. Support is limited because ElGamal keys cannot currently be confirmed as supported, owing to interoperability issues with PGP. Some earlier GPG versions (v1.x) offer ElGamal (sign and encrypt) as a key type; using it is not recommended because of these compatibility concerns.

Creating Key-Cert

This document takes you step-by-step through the process of creating a key-cert object, including generation of a GPG key and GPG-signing your DB submissions.

GPG key

The example below uses GPG version 2.2.4, but the process applies to other versions.

Key generation takes some time to complete because GnuPG must gather enough entropy for the key.

$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/etbru/.gnupg' created
gpg: keybox '/home/etbru/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Etienne Brule
Email address: etbru@noreply.net
Comment:
You selected this USER-ID:
    "Etienne Brule <etbru@noreply.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

A dialog box should now appear asking you to create a passphrase. Choose something unique and secure; you will need it every time you sign a submission with this key.

Please enter the passphrase to protect your new key
Passphrase: ThisIsAnExampleOnly
Press the Tab key to "OK" and then press ENTER

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/etbru/.gnupg/trustdb.gpg: trustdb created
gpg: key 748C195F7F507482 marked as ultimately trusted
gpg: directory '/home/etbru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/etbru/.gnupg/openpgp-revocs.d/F5AF118927CCEE9BA0AF2EBE748C195F7F507482.rev'
public and secret key created and signed.

pub   rsa3072 2020-01-06 [SC]
      F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid                      Etienne Brule <etbru@noreply.net>
sub   rsa3072 2020-01-06 [E]

Note the revocation certificate that gpg stored under openpgp-revocs.d and keep a copy somewhere safe: it is what lets you revoke the key if the private key or its passphrase is ever compromised.

Hex ID

$ gpg --list-keys --keyid-format short
/home/etbru/.gnupg/pubring.kbx
------------------------------
pub   rsa3072/7F507482 2020-01-06 [SC]
      F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid         [ultimate] Etienne Brule <etbru@noreply.net>
sub   rsa3072/D3091FD2 2020-01-06 [E]

Now note your hex ID. The hex ID here is 7F507482, the last eight hex digits of the fingerprint F5AF118927CCEE9BA0AF2EBE748C195F7F507482. This short ID is required to name the key-cert object. Bear in mind that a 32-bit short ID is not unique: when you later check that the right key was imported or is being used to sign, compare the full fingerprint rather than the short ID.

Extract key

Key block shortened for demonstration

$ gpg --export -a -o /tmp/mykeys.txt 7F507482
$ cat /tmp/mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

mQGNBF4TdToBDADTUt7gV9IdsTznHKjAauPZ08+U/sOZsx0LYtttIofk/wDQTDpf
1B0+2qcbSDgRQHNWLEFPjcahc2GDcrwRMtnqp7XjtQgnANyGdVK/CectULfqoWcU
Fc09GR3Ls0pFdnx5v9qlzkbSk5izACjZkfZmgGl/CC9Yg9UroSon5s2x2vst08nE
d1/3WhDLb6TLxYwX9mjMaJHvNgX6aNj0MciHj/p3DwMzwXEA/pxp/sv6DiA1HUQq
JvewPs/st852IJDl1Qgl5yBNZdNqmeSuzf7GDMz5RMqZxFELutue/gSRg1ImSBBf
xdFKcKq0qFHmRLpBNWb+cNA0CD4OjsP/UsnUL5f16d+tndmGuwyY5t1oDaP/i0MC
tkB4teSDql8F9LviVMPIgs7XkEYuj916cA4BDnqnOWG8BUsN7sv7kCGWe5t9RK54
vheh8B8SKnl0NS3+5RT1+WybcvaMeo8Z8Uodx7vbVkI2cp5T+m0y8+VuAPWQ4Wap
YG4Lee/zZX8FXU6fHIw4EsCQias+xesb5to99vKgKpAZmI3wCFJhEgijlEPMHsF8
w6R5sqZL9CD2oLUyczW+08ictIom2TyqZo1I2rmPP+r9qsPDrghXvbF5HTCN6PDp
zr88trvF+8XJ4HtoGxjBRLsYfxb/fcRG+JieSbwRP04JJULSUIYylBQtGf7c09LS
pd/o0ErJs2xNQNm7dpaXHOQRfPWPz6OADoSROrlb3graC74VWL8oPGda/aqNN9i1
t85aghh5SqUqIKw3SylRRta3md/fLiyOFwu5pRpbV/EQ4KXMYi3Rvm7JAudwnfkA
EQEAAYkBtgQYAQoAIBYhBPWvEYknzO6boK8uvnSMGV9/UHSCBQJeE3U6AhsMAAoJ
EHSMGV9/UHSCM1IL/jlcsxAt6K4Y9D641JYCism1954aAaUfOkGnPaJlv/Lqpe1j
1Prq15+gtaALscjEG/kwrGBNfxQhITkdG21EDgkHHOshHzH9KSG+EtVeWVP60pXm
voUlfMBhvQtLUueY6kun/o+enpfEfJpXLXZxJfjqyOgBC+PPEpU/Kp1bcjEHpoYR
3I0/En0U2EQPfoXTi+jxPoieA161/wU/S1CWzZpbHYmY4LMiaIfFYZWnxaTdHgUp
CvgvYMgvbeNp0PYz6REl3r4InJNxcrgADwYAI3qdkMrdjKjJng28rIpnWZu/9ABK
3RqlvxFY1wyDrZ1mJDD6ZzjgFD4/0z8SDoFx0AZOpIkBUAZO75MHidv/aR9MhAAN
osp0yq8lQtzFCDL3Dt8JzRGdKdSezfDES3XyPd3eYH7r83uN1J1G3PmB2trV1X+I
k18NufOgOuXc0Y9O1OxmdqYQtXvxuETLO7k8LtAiBLYf5O0Bvvz/5/5iGNJFhM1w
dMysOe1K0Bw5vdKKLw==
=TSDH
-----END PGP PUBLIC KEY BLOCK-----

Create key-cert

Now use your favorite editor to create your key-cert object. Note the + sign that begins each line of the certif attribute, blank lines included: you are required to add them in the object. The method:, owner: and fingerpr: attributes are intentionally omitted; the IRRd software derives them from the key itself when the object is processed.

$ vi /tmp/mykeys.txt
key-cert: PGPKEY-7F507482
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGNBF4TdToBDADTUt7gV9IdsTznHKjAauPZ08+U/sOZsx0LYtttIofk/wDQTDpf
+1B0+2qcbSDgRQHNWLEFPjcahc2GDcrwRMtnqp7XjtQgnANyGdVK/CectULfqoWcU
+Fc09GR3Ls0pFdnx5v9qlzkbSk5izACjZkfZmgGl/CC9Yg9UroSon5s2x2vst08nE
+d1/3WhDLb6TLxYwX9mjMaJHvNgX6aNj0MciHj/p3DwMzwXEA/pxp/sv6DiA1HUQq
+JvewPs/st852IJDl1Qgl5yBNZdNqmeSuzf7GDMz5RMqZxFELutue/gSRg1ImSBBf
+xdFKcKq0qFHmRLpBNWb+cNA0CD4OjsP/UsnUL5f16d+tndmGuwyY5t1oDaP/i0MC
+tkB4teSDql8F9LviVMPIgs7XkEYuj916cA4BDnqnOWG8BUsN7sv7kCGWe5t9RK54
+vheh8B8SKnl0NS3+5RT1+WybcvaMeo8Z8Uodx7vbVkI2cp5T+m0y8+VuAPWQ4Wap
+YG4Lee/zZX8FXU6fHIw4EsCQias+xesb5to99vKgKpAZmI3wCFJhEgijlEPMHsF8
+w6R5sqZL9CD2oLUyczW+08ictIom2TyqZo1I2rmPP+r9qsPDrghXvbF5HTCN6PDp
+zr88trvF+8XJ4HtoGxjBRLsYfxb/fcRG+JieSbwRP04JJULSUIYylBQtGf7c09LS
+pd/o0ErJs2xNQNm7dpaXHOQRfPWPz6OADoSROrlb3graC74VWL8oPGda/aqNN9i1
+t85aghh5SqUqIKw3SylRRta3md/fLiyOFwu5pRpbV/EQ4KXMYi3Rvm7JAudwnfkA
+EQEAAYkBtgQYAQoAIBYhBPWvEYknzO6boK8uvnSMGV9/UHSCBQJeE3U6AhsMAAoJ
+EHSMGV9/UHSCM1IL/jlcsxAt6K4Y9D641JYCism1954aAaUfOkGnPaJlv/Lqpe1j
+1Prq15+gtaALscjEG/kwrGBNfxQhITkdG21EDgkHHOshHzH9KSG+EtVeWVP60pXm
+voUlfMBhvQtLUueY6kun/o+enpfEfJpXLXZxJfjqyOgBC+PPEpU/Kp1bcjEHpoYR
+3I0/En0U2EQPfoXTi+jxPoieA161/wU/S1CWzZpbHYmY4LMiaIfFYZWnxaTdHgUp
+CvgvYMgvbeNp0PYz6REl3r4InJNxcrgADwYAI3qdkMrdjKjJng28rIpnWZu/9ABK
+3RqlvxFY1wyDrZ1mJDD6ZzjgFD4/0z8SDoFx0AZOpIkBUAZO75MHidv/aR9MhAAN
+osp0yq8lQtzFCDL3Dt8JzRGdKdSezfDES3XyPd3eYH7r83uN1J1G3PmB2trV1X+I
+k18NufOgOuXc0Y9O1OxmdqYQtXvxuETLO7k8LtAiBLYf5O0Bvvz/5/5iGNJFhM1w
+dMysOe1K0Bw5vdKKLw==
+=TSDH
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by: MAINT-ETBRU
changed: etbru@noreply.net
source: RADB
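
As an added example (this script is not part of the RADb page or of IRRd), the following POSIX shell script assembles the key-cert object shown above from a public key exported with gpg --export -a, instead of editing it by hand. It prefixes every line of the armored block with +, blank lines included, normalises the key ID to the 8-hex-digit upper-case form the key-cert name uses, refuses input that is not exactly one public key block, and refuses a file that contains a private key block. The function name, the argument layout and the sample key block used in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the RADb page: build a key-cert object from an
# ASCII-armored public key produced by "gpg --export -a".
# Usage: sh keycert.sh KEYID ARMORFILE MNTNER EMAIL > keycert.txt
#   e.g. sh keycert.sh 7F507482 /tmp/mykeys.txt MAINT-ETBRU etbru@noreply.net
# The function name and argument layout are this example's own choices.
set -eu

# keycert_from_armor KEYID ARMORFILE MNTNER EMAIL
# Writes the key-cert object to stdout; returns 1 and prints a reason on
# stderr if the input does not look like a single exported public key.
keycert_from_armor() {
    keyid=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    armor=$2
    mntner=$3
    email=$4

    # The key-cert name is PGPKEY- followed by the 8-hex-digit short key ID
    # (the last 32 bits of the fingerprint), e.g. PGPKEY-7F507482.
    case "$keyid" in
        [0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F][0-9A-F]) ;;
        *) echo "bad key id '$1': expected 8 hex digits" >&2; return 1 ;;
    esac

    # Accept exactly one armored public key block and nothing else.
    if [ "$(grep -c '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' "$armor")" -ne 1 ] \
       || [ "$(grep -c '^-----END PGP PUBLIC KEY BLOCK-----$' "$armor")" -ne 1 ]; then
        echo "$armor: expected exactly one armored public key block" >&2
        return 1
    fi
    # Never paste secret material into a public database object.
    if grep -q 'PRIVATE KEY BLOCK' "$armor"; then
        echo "$armor: contains a private key block, refusing" >&2
        return 1
    fi

    printf 'key-cert: PGPKEY-%s\n' "$keyid"
    printf 'certif:\n'
    # Every line of the armor, blank ones included, becomes a '+'
    # continuation line.  method:, owner: and fingerpr: are left out on
    # purpose; IRRd derives them from the key itself.
    awk '{ print "+" $0 }' "$armor"
    printf 'mnt-by: %s\n' "$mntner"
    printf 'changed: %s\n' "$email"
    printf 'source: RADB\n'
}

# Run as a command when given the four arguments; do nothing when sourced.
if [ "$#" -eq 4 ]; then
    keycert_from_armor "$@"
fi
```

Redirect the output to a file and mail that file to auto-dbm@radb.net as described in the next step; the script deliberately does not send anything itself, so you can inspect the object first.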

Mail the object

Depending on the version of your mail command, one of these invocations should work.

$ mail auto-dbm@radb.net < /tmp/mykeys.txt
# or
$ mail -t auto-dbm@radb.net < /tmp/mykeys.txt

If everything is OK you will receive a mail acknowledgement from auto-dbm@radb.net containing the following:

ADD OK: [key-cert] PGPKEY-7F507482

Otherwise you will get a response listing syntax errors; the offending lines are marked in the response message with ? characters.

Update maintainer

Make sure your key has been added successfully before updating your maintainer to use it. At this point let's add the new auth: attribute. To get the full benefit of GPG authentication, be sure to delete the MAIL-FROM and CRYPT-PW auth: lines; any auth: method listed on a maintainer is sufficient on its own to authorize a change, so if they stay your maintainer is just as insecure as it was before.

BEFORE GPG:

mntner: MAINT-ETBRU
descr: Maintainer without GPG
admin-c: ETBRU
tech-c: ETBRU
upd-to: etbru@noreply.net
auth: MAIL-FROM etbru@noreply.net
auth: CRYPT-PW pfRRVg599QpLw
mnt-by: MAINT-ETBRU
changed: etbru@noreply.net 20190130
source: RADB

WITH GPG:

mntner: MAINT-ETBRU
descr: New maintainer with GPG authentication
admin-c: ETBRU
tech-c: ETBRU
upd-to: etbru@noreply.net
auth: PGPKEY-7F507482
mnt-by: MAINT-ETBRU
changed: etbru@noreply.net 20200106
source: RADB

GPG authentication

gpg --clearsign writes its output to a file named after the input with .asc appended, so in our example the GPG-signed submission will be in a file called db-submission.txt.asc. The passphrase it prompts for is the one you gave GPG when you created the key in the "GPG key" section above.

$ gpg --clearsign db-submission.txt

You need a passphrase to unlock the secret key for
user: "Etienne Brule <etbru@noreply.net>"
3072-bit RSA key, ID 7F507482, created 2020-01-06

Before mailing, it is worth verifying the signed file locally (gpg's --verify option) to confirm that the signature is intact and was made with the key held in your key-cert; a mail client that re-wraps or re-encodes the body will break the signature and the update will be rejected. Depending on the version of your mail command, one of these invocations should work.

$ mail auto-dbm@radb.net < db-submission.txt.asc
# or
$ mail -t auto-dbm@radb.net < db-submission.txt.asc

DONE! You have successfully used a GPG-signed message to update an entry in the RADb.

Please contact RADb Support for Assistance at support@radb.net or (734) 527-5776.