ISC has an OpenPGP key. OpenPGP is a public key system, which means that if you have our public key and we sign a mail message (or a software distribution) using our private key, you can be reasonably confident that the message or distribution really did come from us. You can learn more about OpenPGP in RFC 2440.
If you suspect you have found a security defect in BIND 9, Kea DHCP, Stork, or ISC DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to take one or more of the following steps, as appropriate:
- Open a confidential GitLab issue (preferred) or send email to bind-security@isc.org - for BIND 9-related security issues
- Send email to kea-security@isc.org - for Kea DHCP-related security issues
- Send email to stork-security@isc.org - for Stork-related security issues
Emails to any of the above addresses automatically create secure, confidential issues in ISC’s GitLab instance.
- security-officer@isc.org - for any other security issues*
* If possible, we ask that you please encrypt your communications to the security-officer@isc.org address using the ISC Security Officer public key found below. Our OpenPGP keys are also available from our FTP site.
Security Officer (security-officer@isc.org) - PGP key to report potential general security issues
Please see this blog post if you are interested in our current signing procedure during the rollover period, and for releases after December 2022.
Current Set of ISC Code-Signing Keys
Expiring ISC Code Signing Key 2021 - 2022 (codesign@isc.org) - Expired on 1 February, 2023
Prior ISC Code Signing Key 2019 - 2020 (codesign@isc.org) - Expired 31 January, 2021
Prior ISC Code Signing Key 2017 - 2018 (codesign@isc.org) - Expired 31 January, 2019
Prior ISC Code Signing Key 2015 - 2016 (codesign@isc.org) - Expired 31 January, 2017
Prior ISC Code Signing Key 2013 - 2014 (codesign@isc.org) - Expired 31 January, 2015
PGP Keys Currently Used for Signing ISC Software
pub rsa4096 2022-11-03 [SC]
706B 6C28 620E 76F9 1D11 F7DF 510A 642A 06C5 2CEC
uid Michał Kępień (Code-Signing Key) <michal@isc.org>
pub rsa4096 2022-11-03 [SC]
D99C CEAF 8797 4701 4F03 8D63 182E 2357 9462 EFAA
uid Michal Nowak (Code-Signing Key) <mnowak@isc.org>
pub rsa4096 2022-11-03 [SC]
0259 A33B 5F5A 3A44 66CF 345C 7A5E 084C ACA5 1884
uid Wlodek Wencel (Code-Signing Key) <wlodek@isc.org>
pub rsa4096 2022-11-03 [SC]
090A 2A07 923F 925B 5767 803A 42E5 DF78 C832 71DB
uid Marcin Godzina (Code-Signing Key) <mgodzina@isc.org>
pub rsa4096 2022-11-03 [SC]
9580 D6BF 2CC8 0F1E 3BB1 1252 DEAB 91D5 4B13 C9B8
uid Greg Choules (Code-Signing Key) <greg@isc.org>
pub rsa4096 2022-11-03 [SC]
FC87 4C3E 3FE8 6770 70AC 71BE B5EF F6AC 7E1A DDF8
uid Cathy Almond (Code-Signing Key) <cathya@isc.org>
pub rsa4096 2023-04-27 [SC]
DA6A 3508 E672 A49D D382 AFD9 5B8F 4D91 B88E D909
uid Andrei Pavel (Code-Signing Key) <andrei@isc.org>
Verifying a source tarball with the PGP key:
You will need to have the GnuPG package installed. Then download the appropriate key above, save it to a file, and import it into your own keyring:
- gpg --import KEYFILE # such as pgpkey2015.txt
Then you can verify any BIND or DHCP release by:
- gpg --verify SIGFILE TARBALL
For example, if you have downloaded bind-9.10.4.tar.gz and the accompanying signature file bind-9.10.4.tar.gz.sha512.asc from our downloads page:
- gpg --verify bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz
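gpg --verify reports a good signature for any key in your keyring, so a scripted check should also confirm that the signer is one of the fingerprints listed above. The shell functions below are an added example, not ISC's own tooling; the names pinned_signer and verify_release are assumptions, and the check reads the VALIDSIG line that GnuPG writes with --status-fd.

```shell
#!/bin/sh
# Fingerprints copied from "PGP Keys Currently Used for Signing ISC Software"
# on this page, with the spaces removed.
PINNED_FPRS="
706B6C28620E76F91D11F7DF510A642A06C52CEC
D99CCEAF879747014F038D63182E23579462EFAA
0259A33B5F5A3A4466CF345C7A5E084CACA51884
090A2A07923F925B5767803A42E5DF78C83271DB
9580D6BF2CC80F1E3BB11252DEAB91D54B13C9B8
FC874C3E3FE8677070AC71BEB5EFF6AC7E1ADDF8
DA6A3508E672A49DD382AFD95B8F4D91B88ED909
"

# pinned_signer (hypothetical name): reads gpg status lines on stdin.
# Prints the pinned fingerprint behind a VALIDSIG line and returns 0,
# or returns 1 when no valid signature comes from a pinned key.
pinned_signer() {
    while read -r tag kind fpr rest; do
        [ "$tag" = "[GNUPG:]" ] && [ "$kind" = "VALIDSIG" ] || continue
        # Field 3 is the key that signed; the last field, when gpg
        # provides it, is the primary key that a signing subkey belongs to.
        primary=${rest##* }
        for pin in $PINNED_FPRS; do
            if [ "$fpr" = "$pin" ] || [ "$primary" = "$pin" ]; then
                printf '%s\n' "$pin"
                return 0
            fi
        done
    done
    return 1
}

# verify_release SIGFILE TARBALL (hypothetical name): succeeds only when
# gpg accepts the signature AND the signer is in PINNED_FPRS.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | pinned_signer
}

# Usage, after importing the key as described above:
#   verify_release bind-9.10.4.tar.gz.sha512.asc bind-9.10.4.tar.gz
```

A release signed by a key that you imported from somewhere else still fails this check, because its fingerprint is not in the pinned list.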