ISC has an OpenPGP key. OpenPGP is a public key system, which means that if you have our public key and we sign a mail message (or a software distribution) using our private key, you can have a moderate confidence level that the message or distribution really did come from us. You can learn more about OpenPGP in RFC 2440.
If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to get in touch with our Security Officer using the email@example.com e-mail address. However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you please encrypt your communications to us using the ISC Security Officer public key found below. Our OpenPGP keys are also available from our FTP site.
Please see this blog post if you are interested in our current signing procedure during the rollover period, and for releases after December, 2022.
PGP Keys Currently Used for Signing ISC Software
pub rsa4096 2022-11-03 [SC] 706B 6C28 620E 76F9 1D11 F7DF 510A 642A 06C5 2CEC
uid Michał Kępień (Code-Signing Key) <firstname.lastname@example.org>

pub rsa4096 2022-11-03 [SC] D99C CEAF 8797 4701 4F03 8D63 182E 2357 9462 EFAA
uid Michal Nowak (Code-Signing Key) <email@example.com>

pub rsa4096 2022-11-03 [SC] 0259 A33B 5F5A 3A44 66CF 345C 7A5E 084C ACA5 1884
uid Wlodek Wencel (Code-Signing Key) <firstname.lastname@example.org>

pub rsa4096 2022-11-03 [SC] 090A 2A07 923F 925B 5767 803A 42E5 DF78 C832 71DB
uid Marcin Godzina (Code-Signing Key) <email@example.com>

pub rsa4096 2022-11-03 [SC] 9580 D6BF 2CC8 0F1E 3BB1 1252 DEAB 91D5 4B13 C9B8
uid Greg Choules (Code-Signing Key) <firstname.lastname@example.org>

pub rsa4096 2022-11-03 [SC] FC87 4C3E 3FE8 6770 70AC 71BE B5EF F6AC 7E1A DDF8
uid Cathy Almond (Code-Signing Key) <email@example.com>
Verifying a source tarball with the PGP key:
You will need to have the GnuPG package installed. Then download the appropriate key above, save it to a file, and import it into your own keyring:
- gpg --import KEYFILE # where KEYFILE is, for example, pgpkey2015.txt
Then you can verify any BIND or DHCP release by:
- gpg --verify SIGFILE TARBALL
For example, if you have downloaded bind-9.10.4.tar.gz and the accompanying signature file bind-9.10.4.tar.gz.sha512.asc from our downloads page:
- gpg --verify bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz
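gpg --verify reports a good signature for any key present in your keyring, so it is worth also confirming that the signer is one of the code-signing keys listed above. The script below is an added example, not ISC's own tooling: it pins the fingerprints from this page and accepts a release only when gpg's machine-readable status output contains a VALIDSIG line for one of them. The function names status_is_trusted and verify_release are hypothetical.

```shell
#!/bin/sh
# Added example, not an ISC script. Function names are hypothetical.

# Fingerprints copied from the key list on this page, spaces removed.
ISC_FPRS="706B6C28620E76F91D11F7DF510A642A06C52CEC
D99CCEAF879747014F038D63182E23579462EFAA
0259A33B5F5A3A4466CF345C7A5E084CACA51884
090A2A07923F925B5767803A42E5DF78C83271DB
9580D6BF2CC80F1E3BB11252DEAB91D54B13C9B8
FC874C3E3FE8677070AC71BEB5EFF6AC7E1ADDF8"

# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# names a pinned fingerprint. On a VALIDSIG line, field 3 is the fingerprint
# of the key that made the signature and the last field is the fingerprint
# of its primary key.
status_is_trusted() {
    signers=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }')
    [ -n "$signers" ] || return 1          # no valid signature at all
    for fpr in $signers; do
        # -x: whole-line match, so a partial fingerprint never passes
        if printf '%s\n' "$ISC_FPRS" | grep -qxF "$fpr"; then
            return 0
        fi
    done
    return 1                               # valid, but not from a pinned key
}

# $1 = detached signature file, $2 = tarball.
# A bad or missing signature yields no VALIDSIG line, so the check fails.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_trusted
}

# Run as: sh this-script SIGFILE TARBALL
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by a pinned ISC code-signing key"
    else
        echo "FAIL: no valid signature from a pinned key" >&2
        exit 1
    fi
fi
```

A non-zero exit means either the signature did not verify or it was made by a key that is not in the pinned list.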