ISC has an OpenPGP key. OpenPGP is a public key system, which means that if you have our public key and we sign a mail message (or a software distribution) using our private key, you can have a moderate confidence level that the message or distribution really did come from us. You can learn more about OpenPGP in RFC 2440.
If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to get in touch with our Security Officer using the firstname.lastname@example.org e-mail address. However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you please encrypt your communications to us using the ISC Security Officer public key found below. Our OpenPGP keys are also available on our FTP site.
Verifying a source tarball with the PGP key:
You will need to have the GnuPG package installed. Then download the appropriate key above, save it to a file, and import it into your own keyring:
- gpg --import KEYFILE # for example, pgpkey2015.txt as KEYFILE
Then you can verify any BIND or DHCP release by:
- gpg --verify SIGFILE TARBALL
For example, if you have downloaded bind-9.10.4.tar.gz and the accompanying signature file bind-9.10.4.tar.gz.sha512.asc from our downloads page:
- gpg --verify bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz
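A plain gpg --verify reports a good signature for any key already in your keyring, so an automated check should also confirm which key signed the release. The script below is an added example, not ISC tooling: the function names check_status and verify_release and the sample fingerprint are assumptions made for illustration, and the real fingerprint must come from the ISC key you imported.

```shell
#!/bin/sh
# Added example, not ISC's own tooling: verify a release and pin its signer.
# The fingerprint is supplied by the caller; take it from the ISC key you trust.

# Read `gpg --status-fd` lines on stdin. Succeed only when a valid signature
# was made by the key with fingerprint $1 and no failure status was reported.
check_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); gsub(/ /, "", want) }
        $1 != "[GNUPG:]" { next }
        # An expired or revoked key still produces VALIDSIG, so track these too.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field the primary key.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_release KEYFILE SIGFILE TARBALL FINGERPRINT
verify_release() {
    home=$(mktemp -d) || return 2
    # Throwaway keyring: only the key imported here can yield a good signature.
    GNUPGHOME="$home" gpg --batch --quiet --import "$1" 2>/dev/null
    GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        check_status "$4"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed status output with a placeholder fingerprint (not ISC's key),
# used only when the script is run without arguments.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2016-01-01 1451606400 0 4 0 1 10 00 $SAMPLE_FPR"

if [ "$#" -eq 4 ]; then
    verify_release "$@"
elif printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR"; then
    echo "sample: signature valid and signer matches"
fi
```

Run with four arguments (key file, signature file, tarball, expected fingerprint), the script exits 0 only when the tarball carries a valid signature from that key.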