(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog

Verifying a BIND source tarball using cryptographic signatures

Posted April 12, 2017 by shaun

When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package managers like yum and apt handle this automatically, but it must be done manually when you download software yourself.

ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.

Download the BIND source

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.4-P2/bind-9.11.4-P2.tar.gz
  `bind-9.11.4-P2.tar.gz' saved [9617963/9617963]

Download the associated signature file

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.4-P2/bind-9.11.4-P2.tar.gz.sha256.asc
  `bind-9.11.4-P2.tar.gz.sha256.asc' saved [873/873]

Download ISC's PGP signing key

This is the PGP public key ISC will use for signing in 2017 and 2018; it expires in February 2019. Future keys will appear here.

[root@host /home/files]# wget https://ftp.isc.org/isc/pgpkeys/codesign2017.txt
  `codesign2017.txt' saved [3187/3187]

Import ISC's key to your gpg keyring

[root@host /home/files]# gpg --import codesign2017.txt
  gpg: key 5CF02E57: public key "Internet Systems Consortium, Inc. 
       (Signing key, 2017-2018) <codesign@isc.org>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)

Verify the tarball using the signature file

[root@host /home/files]# gpg --verify bind-9.11.4-P2.tar.gz.sha256.asc bind-9.11.4-P2.tar.gz
  gpg: Signature made Wed Sep  5 20:37:15 2018 CDT using RSA key ID 5CF02E57
  gpg: Good signature from "Internet Systems Consortium, Inc. 
       (Signing key, 2017-2018) <codesign@isc.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.
  Primary key fingerprint: BE0E 9748 B718 253A 28BB  89FF F1B1 1BF0 5CF0 2E57

The warning shown here can be ignored; it just means that you haven't personally marked ISC's key as trusted in your keyring. What you're looking for is the "Good signature" line, which is present here, indicating that the tarball you downloaded is the one ISC signed and has not been altered since. Because the key itself was fetched over the network, it is also worth confirming that the primary key fingerprint gpg prints matches a copy of ISC's fingerprint obtained through some other channel.
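For scripted builds, the verification step above can be done without eyeballing the "Good signature" text. The following is an added example (not from the original post or from ISC): it pins the fingerprint gpg printed above and reads gpg's machine-readable `--status-fd` lines; the shape of those status lines (VALIDSIG, BADSIG, and so on) follows gpg's documented status format, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from ISC: pin the signing key's
# fingerprint and read gpg's machine-readable status lines instead of eyeballing
# the "Good signature" text.

# Primary key fingerprint of ISC's 2017-2018 signing key, as gpg printed it above.
ISC_FPR="BE0E9748B718253A28BB89FFF1B11BF05CF02E57"

# check_status reads "gpg --status-fd" output on stdin. It succeeds (returns 0)
# only if a VALIDSIG line names the expected fingerprint, either as the signing
# key or as its primary key; any BADSIG/ERRSIG line fails it, and signatures from
# expired or revoked keys are rejected here as a matter of policy.
check_status() {
    expected="$1"
    found=1
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue   # skip human-readable lines
        case "$keyword" in
            VALIDSIG)
                primary="${rest##* }"            # last field: primary key fpr
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    found=0
                fi
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                return 1
                ;;
        esac
    done
    return "$found"
}

# verify_tarball runs the same gpg --verify as above, with status lines on stdout
# (human-readable messages still go to stderr), and pins the result to ISC_FPR.
# Usage: verify_tarball bind-9.11.4-P2.tar.gz.sha256.asc bind-9.11.4-P2.tar.gz
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" | check_status "$ISC_FPR"
}
```

A non-zero exit from verify_tarball means either the signature did not verify or it was made by a key other than the pinned one, so a build script can stop there.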

Updated September 19, 2018 to reference BIND version 9.11.4-P2.
