Verifying a BIND source tarball using cryptographic signatures
When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package handlers like
apt handle this automatically, but it must be done manually when you download software yourself.
ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have
gpg installed, you can use the signature to validate your downloaded
BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.
Download the BIND source
[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.17/bind-9.11.17.tar.gz `bind-9.11.17.tar.gz' saved [8206030/8206030]
Download the associated signature file
[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.17/bind-9.11.17.tar.gz.sha256.asc `bind-9.11.17.tar.gz.sha256.asc' saved [874/874]
Download ISC's PGP signing key
This is the PGP public key ISC will use for signing in 2019 and 2020. Prior and future keys will appear here.
[root@host /home/files]# wget https://ftp.isc.org/isc/pgpkeys/codesign2019.txt `codesign2019.txt' saved [16154/16154]
Import ISC's key to your gpg keyring
[root@host /home/files]# gpg --import codesign2019.txt gpg: key 4CBB3D38: public key "Internet Systems Consortium, Inc. (Signing key, 2019-2020) <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: no ultimately trusted keys found
Verify the tarball using the signature file
[root@host /home/files]# gpg --verify bind-9.11.17.tar.gz.sha256.asc bind-9.11.17.tar.gz gpg: Signature made Fri Mar 13 06:22:20 2020 CDT using RSA key ID F0088407 gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2019-2020) <firstname.lastname@example.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: AE3F AC79 6711 EC59 FC00 7AA4 74BB 6B9A 4CBB 3D38 Subkey fingerprint: 1568 9068 5EA0 DF6A 1371 EF20 17CC 5DB1 F008 8407
The warning message displayed here can be safely ignored; it just means that you haven't personally marked ISC's key as trusted in your keyring. What you're looking for is the "Good signature" output, which is present here, indicating that the file you downloaded matches the one on the remote site.
Updated Mar 20, 2020 to reference
BIND version 9.11.17.