ISC has issued a new code signing key. Previous key expires 31 January
mcnally at isc.org
Wed Jan 7 03:10:34 UTC 2015

Happy New Year to the BIND community,

Beginning with the start of 2015, ISC is introducing a new PGP
signing key which will be used to verify the authenticity of BIND
and DHCP source downloaded from ISC. This replaces the current
key, which is expiring.

The old key for codesign at isc.org, with key ID
45AC7857189CDBC5, was created in 2013 with an expiration
date of 31 January, 2015, a date that is fast approaching.
It is being replaced by a new key with key ID
6FA6EBC9911A4C02, and an expiration date of 31 January, 2017.

Until the expiration of the 2013 key, ISC will sign code releases
with both keys. This includes the development releases released
today (BIND 9.9.7b1 and BIND 9.10.2b1). You may therefore encounter
a message from PGP or GPG when verifying your download if you do
not have both keys in your keyring. You can disregard such messages
as long as PGP or GPG confirms a valid signature with at least one
of the keys.

Both keys are available from the ISC website:

And if you need instructions on how to verify a download using PGP
or GPG, a brief summary can be found in the ISC Knowledge Base:

Given the recent security incident with the ISC web site, some will
naturally ask whether the retirement of the old key was prompted
by security concerns. The answer to that is no, we have no suspicion
that the old key was compromised in any way; the key change is
motivated solely by the January 31, 2015 expiration date that was
set when the key was generated years ago. We are choosing this
time to issue the replacement to allow an interim period during
which people have time to retrieve the new key.

Some parties may also have reservations about trusting a key
downloaded from a site that was recently compromised. If you
prefer you can download the key from the public keyserver

Please take note that after 31 January, 2015 new releases will no
longer be signed using the expiring key (key id 45AC7857189CDBC5)
and so if you use PGP or GPG to check the integrity of your downloads
you should import the new key before that occurs.
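
Added example, not part of the original announcement and not ISC code: a checker for the dual-signature period that accepts a download when GPG reports a good signature from at least one of the two key IDs named above, and rejects on any bad signature. The function names and the sample status lines are constructed for illustration; the page gives key IDs only, so matching is by key ID rather than by a full fingerprint.

```python
import subprocess
import sys

# Key IDs exactly as given in the announcement (2013 key, 2015 key).
ISC_KEY_IDS = ("45AC7857189CDBC5", "6FA6EBC9911A4C02")

# Constructed status output: the keyring holds only the new key.
SAMPLE_NEW_KEY_ONLY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 45AC7857189CDBC5 1 2 00 1420600000 9
[GNUPG:] NO_PUBKEY 45AC7857189CDBC5
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6FA6EBC9911A4C02 Constructed UID <codesign@example.invalid>
"""

def evaluate_status(status_text, trusted_ids=ISC_KEY_IDS):
    """Return (accepted, good_ids, notes) from `gpg --status-fd` lines."""
    good, notes, bad = set(), [], False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword, keyid = fields[1], fields[2].upper()
        # GOODSIG may carry a long key ID or a full fingerprint; the
        # long key ID is the last 16 hex digits of a v4 fingerprint.
        match = next((k for k in trusted_ids if keyid.endswith(k)), None)
        if keyword == "GOODSIG" and match:
            good.add(match)
        elif keyword == "BADSIG":
            bad = True  # file does not match a signature: always reject
            notes.append((keyword, keyid))
        elif keyword in ("ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            notes.append((keyword, keyid))  # reported, never counted as good
    return (bool(good) and not bad, good, notes)

def verify(sig_path, data_path):
    # gpg exits non-zero when one signature cannot be checked, so the
    # decision comes from the status lines rather than the exit code.
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return evaluate_status(proc.stdout)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        accepted, good, notes = verify(sys.argv[1], sys.argv[2])
    else:
        accepted, good, notes = evaluate_status(SAMPLE_NEW_KEY_ONLY)
    print("ACCEPT" if accepted else "REJECT", sorted(good), notes)
    sys.exit(0 if accepted else 1)
```

Run with the detached signature and the tarball as the two arguments; with no arguments it evaluates the constructed sample.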