Verifying a BIND source tarball using cryptographic signatures
When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package managers like yum and apt handle this automatically, but it must be done manually when you download software yourself.
ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.
Download the BIND source
[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.29/bind-9.11.29.tar.gz
`bind-9.11.29.tar.gz' saved [8297010/8297010]
Download the associated signature file
[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.29/bind-9.11.29.tar.gz.sha256.asc
`bind-9.11.29.tar.gz.sha256.asc' saved [833/833]
Download ISC's PGP signing key
This is the PGP public key ISC will use for signing in 2021 and 2022. Prior and future keys will appear here.
[root@host /home/files]# wget https://ftp.isc.org/isc/pgpkeys/codesign2021.txt
`codesign2021.txt' saved [34304/34304]
Import ISC's key to your gpg keyring
[root@host /home/files]# gpg --import codesign2021.txt
gpg: key 723E4012: public key "Internet Systems Consortium, Inc. (Signing key, 2021-2022) <codesign@isc.org>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: no ultimately trusted keys found
Verify the tarball using the signature file
[root@host /home/files]# gpg --verify bind-9.11.29.tar.gz.sha256.asc bind-9.11.29.tar.gz
gpg: Signature made Tue Mar 16 14:05:10 2021 CDT using RSA key ID 5970811F
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2021-2022) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7E1C 91AC 8030 A5A5 9D1E FAB9 750F 3C87 723E 4012
Subkey fingerprint: 2455 774D 42FD FE6B 9C38 3EB8 FE10 02BC 5970 811F
The warning message displayed here can be safely ignored; it just means that you haven't personally marked ISC's key as trusted in your keyring. What you're looking for is the "Good signature" output, which is present here, indicating that the file you downloaded matches the one on the remote site.
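To make this check scriptable and to tie the "Good signature" result to ISC's key rather than to any key that happens to be in the keyring, the following added example (not part of the original page or of ISC's tooling) parses gpg's machine-readable --status-fd output and accepts the tarball only when the VALIDSIG line names the primary key fingerprint shown above. The function names check_status and verify_tarball and the sample status lines are assumptions constructed for illustration, and the pinned fingerprint should be confirmed through a channel other than the download server.

```sh
#!/bin/sh
# Added example (not from the original page): scripted verification with a
# pinned key fingerprint. Function names and sample data are illustrative.

# Primary key fingerprint from the gpg output on this page, spaces removed.
EXPECTED_FPR="7E1C91AC8030A5A59D1EFAB9750F3C87723E4012"

# Constructed sample of gpg --status-fd lines for a good signature
# (numeric fields are made up; the fingerprints are the ones on this page).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FE1002BC5970811F Internet Systems Consortium, Inc. (Signing key, 2021-2022) <codesign@isc.org>
[GNUPG:] VALIDSIG 2455774D42FDFE6B9C383EB8FE1002BC5970811F 2021-03-16 1615921510 0 4 0 1 8 00 7E1C91AC8030A5A59D1EFAB9750F3C87723E4012'

# check_status FPR: read status lines on stdin; succeed only if a VALIDSIG
# line names FPR as the primary key (field 12) and no failure status appears.
# Expired or revoked keys/signatures are rejected too (a strict policy choice).
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            if (NF >= 12 && toupper($12) == toupper(want)) ok = 1
            else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_tarball SIGFILE TARBALL: run gpg with status lines on stdout and
# the human-readable messages discarded, then apply check_status.
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Only verify when called with a signature file and a tarball.
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: $2 is signed by key $EXPECTED_FPR"
    else
        echo "FAILED: $2 did not verify against the pinned key" >&2
        exit 1
    fi
fi
```

Saved as a script, it takes the signature file and the tarball as its two arguments, in the same order as gpg --verify above, and exits non-zero on any failure.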
Updated Mar 18, 2021 to reference BIND version 9.11.29.