OpenPGP Key

A public-private security measure

ISC has an OpenPGP key. OpenPGP is a public key system, which means that if you have our public key and we sign a mail message (or a software distribution) using our private key, you can have a reasonable confidence level that the message or distribution really did come from us. You can learn more about OpenPGP in RFC 2440.

If you suspect you have found a security defect in BIND 9, Kea DHCP, Stork, or ISC DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to take one or more of the following steps, as appropriate:

Emails to any of the above addresses automatically create secure, confidential issues in ISC’s GitLab instance.

* If possible, we ask that you please encrypt your communications to the address using the ISC Security Officer public key found below. Our OpenPGP keys are also available from our FTP site.

Security Officer ( - PGP key to report potential general security issues

Please see this blog post if you are interested in our current signing procedure during the rollover period, and for releases after December 2022.

Current Set of ISC Code-Signing Keys

Expiring ISC Code Signing Key 2021 - 2022 ( - Expired on 1 February, 2023

Prior ISC Code Signing Key 2019 - 2020 ( Expired 31 January, 2021

Prior ISC Code Signing Key 2017 - 2018 ( - Expired 31 January, 2019

Prior ISC Code Signing Key 2015 - 2016 ( - Expired 31 January, 2017

Prior ISC Code Signing Key 2013 - 2014 ( - Expired 31 January, 2015


PGP Keys Currently Used for Signing ISC Software

pub   rsa4096 2022-11-03 [SC]
      706B 6C28 620E 76F9 1D11  F7DF 510A 642A 06C5 2CEC
uid                      Michał Kępień (Code-Signing Key) <>

pub   rsa4096 2022-11-03 [SC]
      D99C CEAF 8797 4701 4F03  8D63 182E 2357 9462 EFAA
uid                      Michal Nowak (Code-Signing Key) <>

pub   rsa4096 2022-11-03 [SC]
      0259 A33B 5F5A 3A44 66CF  345C 7A5E 084C ACA5 1884
uid                      Wlodek Wencel (Code-Signing Key) <>

pub   rsa4096 2022-11-03 [SC]
      090A 2A07 923F 925B 5767  803A 42E5 DF78 C832 71DB
uid                      Marcin Godzina (Code-Signing Key) <>

pub   rsa4096 2022-11-03 [SC]
      9580 D6BF 2CC8 0F1E 3BB1  1252 DEAB 91D5 4B13 C9B8
uid                      Greg Choules (Code-Signing Key) <>

pub   rsa4096 2022-11-03 [SC]
      FC87 4C3E 3FE8 6770 70AC  71BE B5EF F6AC 7E1A DDF8
uid                      Cathy Almond (Code-Signing Key) <>

pub   rsa4096 2023-04-27 [SC]
      DA6A 3508 E672 A49D D382  AFD9 5B8F 4D91 B88E D909
uid                      Andrei Pavel (Code-Signing Key) <>

Verifying a source tarball with the pgp key:

You will need to have the GnuPG package installed. Then download the appropriate key above, save it to a file, and import it into your own keyring:

  • gpg –import KEYFILE # such as KEYFILE pgpkey2015.txt

Then you can verify any BIND or DHCP release by:

  • gpg –verify SIGFILE TARBALL

For example, if you have downloaded bind-9.10.4.tar.gz and the accompanying signature file bind-9.10.4.tar.gz.sha512.asc from our downloads page:

  • gpg –verify bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz