4.3.4 Description of the MNTNER Object

Below is the object template for the mntner object. It lists all possible attributes that are allowed in this object type.

Attribute Name   Presence    Repeat     Indexed
mntner:          mandatory   single     primary/lookup key
descr:           mandatory   multiple
org:             optional    multiple   inverse key
admin-c:         mandatory   multiple   inverse key
tech-c:          optional    multiple   inverse key
upd-to:          mandatory   multiple   inverse key
mnt-nfy:         optional    multiple   inverse key
auth:            mandatory   multiple   inverse key
remarks:         optional    multiple
notify:          optional    multiple   inverse key
mnt-by:          mandatory   multiple   inverse key
created:         generated   single
last-modified:   generated   single
source:          mandatory   single

Objects in the RIPE Database are protected using mntner objects. A mntner object is an anonymous box containing the credentials needed to authorise creation, deletion or modification of any objects that it protects, by whoever maintains this data. Currently, these credentials are MD5 passwords, PGP keys or Single Sign-On user names from the RIPE NCC Access system. The syntax also allows for X.509 certificates, but these are not fully implemented throughout the whois software.

Objects are protected by a mntner if they contain a reference to the mntner in the object. This is done by including a "mnt-by:" attribute. Other "mnt-xxx:" attributes offer hierarchical protection. The "mnt-by:" attribute is mandatory in all object types. However, it has not always been mandatory, and there are still many person and role objects in the RIPE Database that are not maintained by the people responsible for them.

Most users set the "mnt-by:" value in a mntner to reference itself. That makes it maintain itself. But this is not always the case. There are situations where someone wants to control who maintains a set of objects. This can be done by using mnt-a to maintain mnt-b. The object mnt-b contains the credentials to maintain a set of data. These credentials are set up by mnt-a.

To update an object protected by a mntner the authorisation must be passed from one of the "auth:" values in the mntner object referenced in one of the "mnt-by:" attributes of the updated object. This means that the correct credential for one of the "auth:" values must be supplied as part of the update. If an object references more than one mntner in the "mnt-by:" attributes, they act as a logical 'OR'. If the authorisation is passed by any "auth:" value from any of the referenced mntner objects, then the update will be authorised.
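The self-maintenance and logical 'OR' rules described above can be modelled in a few lines of Python. This is an added example, not code from the RIPE Database software; the objects, names and key ids are constructed, and it assumes the credentials in `verified` have already been checked (password, signature or SSO login), so only the matching logic is shown.

```python
# Added example: models the "mnt-by:" / "auth:" logical OR described above.
# All object names, e-mail addresses and key ids below are constructed.
SAMPLE = """\
mntner:  EXAMPLE-A-MNT
auth:    SSO alice@example.net
mnt-by:  EXAMPLE-A-MNT

mntner:  EXAMPLE-B-MNT
auth:    PGPKEY-1A2B3C4D
auth:    MD5-PW $1$constructed$notARealHash
mnt-by:  EXAMPLE-A-MNT

inetnum: 192.0.2.0 - 192.0.2.255
mnt-by:  EXAMPLE-A-MNT
mnt-by:  EXAMPLE-B-MNT
"""

def parse(text):
    """Split blank-line separated objects into lists of (attribute, value)."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.append((name.strip().lower(), value.strip()))
        objects.append(attrs)
    return objects

def values(obj, name):
    return [v for n, v in obj if n == name]

def effective_auth(obj, mntners):
    """Every (mntner, auth) pair that can authorise an update of obj."""
    pairs = []
    for ref in values(obj, "mnt-by"):
        for auth in values(mntners.get(ref.upper(), []), "auth"):
            pairs.append((ref.upper(), auth))
    return pairs

def authorised(obj, mntners, verified):
    """True if any already-verified credential matches any "auth:" value."""
    return any(auth in verified for _, auth in effective_auth(obj, mntners))

OBJECTS = parse(SAMPLE)
MNTNERS = {o[0][1].upper(): o for o in OBJECTS if o[0][0] == "mntner"}
INETNUM = OBJECTS[2]
MNT_B = MNTNERS["EXAMPLE-B-MNT"]
```

Because the check is an 'OR' over every pair returned by `effective_auth`, an object is only as well protected as the weakest credential in any mntner it references. Note also that EXAMPLE-B-MNT cannot be updated with its own credentials, because its "mnt-by:" points at EXAMPLE-A-MNT.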

The "mnt-lower:", "mnt-routes:" and "mnt-domains:" attributes all provide for hierarchical authorisation. These also work in a logical 'OR' when multiple values are included in an object. How they are used is described in the object descriptions where these attributes are valid.

For more detailed information about using mntner attributes, see the section 'Authorisation'.

Description of Attributes Specific to the MNTNER Object

  • "mntner:" – This attribute specifies the name of the mntner object. It should end in '-mnt', but the software has never enforced this.
  • "descr:" – A short description related to the object.
  • "upd-to:" – This attribute specifies an email address where a notification will be sent when an attempt to update an object protected by this mntner is unsuccessful due to authorisation failure. If there are multiple attributes, each specified email address will receive the notification directly.
  • "mnt-nfy:" – This attribute specifies the email address where a notification will be sent when an object protected by this mntner is successfully updated. If there are multiple attributes, each specified email address will receive the notification directly.
  • "auth:" – This attribute defines an authentication scheme to be used. Any of the current authentication schemes used by the RIPE Database are allowed.