Correction to signatures on yesterday's BIND 9 releases

Paul Wouters paul at xelerance.com
Wed Jul 29 19:34:40 UTC 2009


On Wed, 29 Jul 2009, Evan Hunt wrote:

> Due to a combination of circumstances, including extreme rush and the
> usual signer of our releases being away at IETF, we accidentally signed
> yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and 9.6.1-P1) with
> the expired 2006 ISC signing key rather than the current one, and didn't
> notice the mistake until after publishing.

Interesting. I did check the signature, which told me I had a missing
key, so I grabbed it from the keyserver, after which gpg verified an
ok signature....

Checking again, I see the key only expires at 2012-01-13. So perhaps it
is best to actually revoke this key? If that had been done, I would have
caught this mistake.

In your case "expired 2006" key means expired as per ISC policy, and not
as per GPG record on the key servers?

Paul
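
An added example, not part of the original message or of ISC's release tooling: it evaluates the machine-readable lines gpg writes with `--status-fd` and accepts a release only when the signature is good and the signer's fingerprint is one pinned out of band, which covers the case above where an old key fetched from a keyserver still verifies. The fingerprints and status lines are constructed placeholders, and the pinned set is an assumption.

```python
# Constructed 40-hex fingerprints; placeholders, not ISC's real keys.
CURRENT_KEY = "A" * 40
OLD_KEY = "B" * 40
PINNED = {CURRENT_KEY}  # assumed to be obtained out of band, not from a keyserver

# gpg status keywords that must never lead to acceptance.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def evaluate(status_text, pinned=PINNED):
    """Return (accepted, reason) from `gpg --status-fd 1 --verify` output."""
    good, primary = False, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()[1:]
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword in REJECT:
            return False, keyword
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint when present;
            # field 1 is the fingerprint of the (sub)key that signed.
            primary = args[9] if len(args) >= 10 else args[0]
    if not good or primary is None:
        return False, "no valid signature reported"
    if primary.upper() not in pinned:
        return False, "good signature, but signer is not a pinned key"
    return True, "good signature from pinned key " + primary


def status(keyword, fpr):
    """Build constructed status lines shaped like gpg's output."""
    valid = f"[GNUPG:] VALIDSIG {fpr} 2009-07-28 1248739200 0 4 0 1 2 00 {fpr}"
    return f"[GNUPG:] {keyword} {fpr[-16:]} Constructed Signer\n{valid}\n"


if __name__ == "__main__":
    cases = {
        "current key": status("GOODSIG", CURRENT_KEY),
        "old key, unexpired on keyserver": status("GOODSIG", OLD_KEY),
        "old key after revocation": status("REVKEYSIG", OLD_KEY),
    }
    for name, text in cases.items():
        print(name, "->", evaluate(text))
```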


