[MaraDNS] MaraDNS: Stop using MaraDNS 1; How to trust MaraDNS' GPG key

Sam Trenholme maradns at gmail.com
Wed May 27 07:55:53 PDT 2015


In this post to the MaraDNS mailing list, I remind users to stop using
MaraDNS 1, and discuss why users can trust MaraDNS' GPG key.

==MaraDNS 1: Stop using it!==

As I announced three years ago, MaraDNS 1 support stops on June 21,
2015. That is within one month. If anyone still wishes to use MaraDNS
1 after that date, they are on their own: No support nor updates (not
even security updates, no matter how critical the security bug) will
be provided.

I know some people are still using MaraDNS 1; I got a support request
for MaraDNS 1 as recently as last December:

https://github.com/samboy/MaraDNS/issues/5

==Trusting MaraDNS’ GPG key==

Since there has been a report of a trojanized version of a popular
program out there, I will detail how MaraDNS users can trust the GPG
key MaraDNS has, and use this GPG key to verify a given release of
MaraDNS.

There have been, ever since the 1.0 release of MaraDNS in 2002, two
different GPG keys in use:

* A 1024-bit DSA key used from 2001 until 2012
* A 2048-bit RSA key in use since 2012

The 2012 key has been signed with the 2001 key. The 2001 key can be
trusted because it has been in use for a long time: not only is it
still included in every single MaraDNS release, it has been included
in releases since 2001. It’s pretty easy to verify that, say, a 2002
release of MaraDNS used the same 1024-bit key that new releases still
ship with:

https://web.archive.org/web/20020803040619/http://www.maradns.org/download.html

http://sourceforge.net/projects/maradns/files/MaraDNS/1.0.00/

The DSA key has a key ID of 1E61FCA6 and the following fingerprint:

D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6

Note that this fingerprint can be verified by looking at multiple
mailing list postings over the years, e.g.:

http://marc.info/?l=maradns-list&m=101195132232108&w=2

http://osdir.com/ml/network.dns.maradns.general/2003-09/msg00008.html

Both MaraDNS GPG keys are also available on the MIT GPG key server:

http://pgp.mit.edu/pks/lookup?search=MaraDNS&op=index

The 2048-bit RSA key has a key ID of 6D150805 and the following fingerprint:

A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805

This key can be verified because it is signed by the older DSA key:

gpg --list-sigs 6D150805

==Using GnuPG==

One issue is that GPG is not the easiest program to use. To add the
MaraDNS keys to one’s GPG keyring, enter the MaraDNS top-level
directory and then:

cat maradns.gpg.key.old | gpg --import

cat maradns.gpg.key | gpg --import

To verify a signed file, do something like:

gpg --verify maradns-2.0.11.tar.bz2.asc maradns-2.0.11.tar.bz2

Verifying a key fingerprint:

gpg --fingerprint {ID}

Where {ID} is the ID of the key we wish to view the fingerprint of.
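As an added example (not code from the MaraDNS project or from this
post), here is a small POSIX shell script that compares a key's full
fingerprint, as printed by gpg's machine-readable colon output, against
the fingerprints listed above, so the check does not rest on the
8-hex-digit key ID alone. The colon records embedded below are
constructed samples, and check_key_fingerprint is a hypothetical
wrapper name.

```sh
#!/bin/sh
# Added example (not MaraDNS project code): confirm that a key in the
# keyring carries the full fingerprint the post lists, by parsing the
# output of "gpg --with-colons --fingerprint <ID>".

# Fingerprints as given in the post; spaces are stripped before comparing.
MARADNS_DSA_FPR="D167 252A 18BC D011 7CB4 6CA8 0BE8 D6AE 1E61 FCA6"
MARADNS_RSA_FPR="A96E 30DD A360 FC63 42B2 D9AB 5FF4 96D1 6D15 0805"

# Print the fingerprint of each primary key: the "fpr" record that
# directly follows a "pub" record. Subkey fingerprints (after "sub")
# are ignored, since it is the primary key we are vouching for.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Exit 0 if the colon output on stdin contains exactly the expected
# primary fingerprint. Usage: gpg ... | fingerprint_matches "$EXPECTED"
fingerprint_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    primary_fingerprints | tr 'a-f' 'A-F' | grep -qx "$expected"
}

# Hypothetical wrapper: ask the local gpg for a key and compare it with
# the expected fingerprint. Usage: check_key_fingerprint 6D150805 "$MARADNS_RSA_FPR"
check_key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null | fingerprint_matches "$2"
}

# Constructed sample of colon output for the 2012 RSA key (field layout
# only; the dates, uid hash and subkey ID are placeholders, not real values).
SAMPLE_RSA='pub:-:2048:1:5FF496D16D150805:1330000000::-::::scESC::::::::
fpr:::::::::A96E30DDA360FC6342B2D9AB5FF496D16D150805:
uid:-::::1330000000::0000000000000000000000000000000000000000::MaraDNS::::::::::0:
sub:-:2048:1:1111111111111111:1330000000::::::e::::::::
fpr:::::::::1111111111111111111111111111111111111111:'

# Constructed sample of a different key whose long ID also ends in
# 6D150805: the short key ID matches, the fingerprint does not.
SAMPLE_OTHER='pub:-:2048:1:0123456789AB6D150805:1400000000::-::::scESC::::::::
fpr:::::::::FFFFFFFFFFFFFFFFFFFF0123456789AB6D150805:'
```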
