New code signing key for 2015-2017

Beginning with the start of 2015, ISC is introducing a new PGP signing key which will be used to verify the authenticity of BIND and DHCP source downloaded from ISC.  This replaces the current key, which is expiring.

The old key for codesign@isc.org, with key ID 45AC7857189CDBC5, was created in 2013 with an expiration date of 31 January, 2015, a date that is fast approaching.

It is being replaced by a new key with key ID 6FA6EBC9911A4C02, and an expiration date of 31 January, 2017.

Until the expiration of the 2013 key, ISC will sign code releases with both keys.  This includes the development releases published today (BIND 9.9.7b1 and BIND 9.10.2b1).  You may therefore encounter a message from PGP or GPG when verifying your download if you do not have both keys in your keyring.  You can disregard such messages as long as PGP or GPG confirms a valid signature with at least one of the keys.
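
For scripted verification during the dual-signature period, the "valid with at least one key" rule can be checked from GnuPG's machine-readable status lines rather than its exit code, which may be non-zero when one of the two keys is missing from the keyring. This is an added example, not ISC's own tooling; the function names are hypothetical, and it assumes GOODSIG reports the long key IDs given in this announcement.

```shell
#!/bin/sh
# Added example: accept a dual-signed ISC release if at least one of the
# two announced keys yields a good signature and no signature is bad.

# Long key IDs from the announcement (2013 key, 2015 key).
ISC_KEYIDS="45AC7857189CDBC5 6FA6EBC9911A4C02"

# Reads `gpg --status-fd 1 --verify ...` output on stdin.
# Returns 0 only if a pinned key produced GOODSIG and no BADSIG was seen.
isc_sig_ok() {
    isc_result=1
    while read -r tag keyword keyid _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)
                # The data does not match one of the signatures: reject.
                return 1 ;;
            GOODSIG)
                # Count it only when the signer is one of the pinned keys.
                for pinned in $ISC_KEYIDS; do
                    if [ "$keyid" = "$pinned" ]; then isc_result=0; fi
                done ;;
            # ERRSIG / NO_PUBKEY mean a key is absent from the keyring;
            # EXPKEYSIG means the signing key has expired. None of these
            # counts as a good signature, and none causes rejection alone.
        esac
    done
    return $isc_result
}

# Usage: verify_isc_release <signature-file> <downloaded-file>
# The pipeline's status is that of isc_sig_ok, not of gpg itself.
verify_isc_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | isc_sig_ok
}
```

Matching on 64-bit key IDs follows what the announcement publishes; where the full fingerprints are obtained from the key page, comparing against those is the stronger check.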

Both keys are available from the ISC website:

https://www.isc.org/downloads/software-support-policy/openpgp-key/

And if you need instructions on how to verify a download using PGP or GPG, a brief summary can be found in the ISC Knowledge Base:

https://kb.isc.org/article/AA-01225

Given the recent security incident with the ISC web site, some will naturally ask whether the retirement of the old key was prompted by security concerns.  The answer to that is no, we have no suspicion that the old key was compromised in any way; the key change is motivated solely by the January 31, 2015 expiration date that was set when the key was generated years ago.  We are choosing this time to issue the replacement to allow an interim period during which people have time to retrieve the new key.

Some parties may also have reservations about trusting a key downloaded from a site that was recently compromised.  If you prefer, you can download the key from the public key server https://pgp.mit.edu

Please take note that after 31 January, 2015, new releases will no longer be signed using the expiring key (key ID 45AC7857189CDBC5), so if you use PGP or GPG to check the integrity of your downloads, you should import the new key before that occurs.

Michael McNally
ISC Support

Last modified: May 28, 2015 at 11:49 am