OpenPGP Key

A public-private security measure

ISC has an OpenPGP key. OpenPGP is a public key system, which means that if you have our public key and we sign a mail message (or a software distribution) using our private key, you can have a moderate confidence level that the message or distribution really did come from us. You can learn more about OpenPGP in RFC 2440.

If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to get in touch with our Security Officer using the security-officer@isc.org e-mail address. However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you please encrypt your communications to us using the ISC Security Officer public key found below. Our OpenPGP keys are also available on our FTP site.

Security Officer (security-officer@isc.org) - Use this key to report potential security vulnerabilities

Current ISC Code Signing Key 2019 - 2020 (codesign@isc.org)

Prior ISC Code Signing Key 2017 - 2018 (codesign@isc.org) - Expired 31 January, 2019

Prior ISC Code Signing Key 2015 - 2016 (codesign@isc.org) - Expired 31 January, 2017

Prior ISC Code Signing Key 2013 - 2014 (codesign@isc.org) - Expired 31 January, 2015

Support-Staff

Verifying a source tarball with the PGP key:

You will need to have the GnuPG package installed. Then download the appropriate key above, save it to a file, and import it into your own keyring:

  • gpg --import KEYFILE # where KEYFILE is the saved key file, such as pgpkey2015.txt

Then you can verify any BIND or DHCP release by:

  • gpg --verify SIGFILE TARBALL

For example, if you have downloaded bind-9.10.4.tar.gz and the accompanying signature file bind-9.10.4.tar.gz.sha512.asc from our downloads page:

  • gpg --verify bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz
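
gpg --verify reports success for a good signature from any key in your keyring, so a scripted check should also confirm which key made the signature. The following is an added example, not ISC's own tooling: it imports the downloaded key into a throwaway keyring and accepts the release only if GnuPG's machine-readable status output carries a VALIDSIG line for the fingerprint you expect. The function names are hypothetical, and EXPECTED_FPR is a placeholder for a fingerprint you have confirmed through a channel other than the download itself.

```shell
#!/bin/sh
# Added example (not ISC tooling). Function names are hypothetical.

# check_status EXPECTED_FPR
# Reads `gpg --status-fd 1` output on stdin. Succeeds only when a VALIDSIG
# line names EXPECTED_FPR (signing key or primary key) and no status line
# reports a bad, expired, revoked or unverifiable signature.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release KEYFILE EXPECTED_FPR SIGFILE TARBALL
# Imports KEYFILE into a throwaway keyring so that keys already in the
# user's own keyring cannot satisfy the check, then verifies the signature.
verify_release() {
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null |
        check_status "$2"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Stand-alone use: sh verify.sh KEYFILE EXPECTED_FPR SIGFILE TARBALL
if [ "$#" -eq 4 ]; then
    verify_release "$@" && echo "signature valid and made by expected key"
    exit $?
fi
```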