Sam Trenholme's webpage
Support this website

MaraDNS, GPG, and trust


May 27 2015

In today’s blog, I remind people to stop using MaraDNS 1, and discuss how to use GnuPG to verify that releases of MaraDNS are legitimate.

==MaraDNS 1: Stop using it!==

As I announced three years ago, MaraDNS 1 support stops on June 21, 2015. That is within one month. If anyone still wishes to use MaraDNS 1 after that date, they are on their own: No support nor updates (not even security updates, no matter how critical the security bug) will be provided.

I know some people are still using MaraDNS 1; I got a support request for MaraDNS 1 as recently as last December:

==Trusting MaraDNS’ GPG key==

Since there has been a report of a trojanized version of a popular program out there, I will detail how MaraDNS users can trust the GPG key MaraDNS has, and use this GPG key to verify a given release of MaraDNS.

There has been, ever since the 1.0 release of MaraDNS in 2002, two different GPG keys used:

  • A 1024-bit DSA key used from 2001 until 2012
  • A 2048-bit RSA key in use since 2012

The 2012 key has been signed with the 2001 key. The 2001 key can be trusted because it has been in use for a long time. Not only is it still included in every single MaraDNS release, it has been included in releases since 2001. It’s pretty easy to verify that, say, a 2002 release of MaraDNS was using the same 1024-bit key new releases are included with:

The DSA key has a key ID of 1E61FCA6 and the following fingerprint:

D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6

Note that this fingerprint can be verified by looking at multiple mailing list postings over the years, e.g.:

Both MaraDNS GPG keys are also available on the MIT GPG key server:

The 2048-bit RSA key has a key ID of 6D150805 and the following fingerprint:

A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805

This key can be verified because it is signed by the older DSA key:

gpg --list-sigs 6D150805

==Using GnuPG==

One issue is that GPG is not the easiest program to use. To add the MaraDNS keys to one’s GPG keyring, enter the MaraDNS top-level directory and then:

cat maradns.gpg.key.old | gpg --import

cat maradns.gpg.key | gpg --import

To verify a signed file, do something like:

gpg --verify maradns-2.0.11.tar.bz2.asc maradns-2.0.11.tar.bz2

Verifying a key fingerprint:

gpg --fingerprint {ID}

Where {ID} is the ID of the key we wish to view the fingerprint of.

Comments are closed