Knowledgebase on offline KSK
Matthijs Mekking
matthijs at isc.org
Fri Jan 30 08:18:43 UTC 2026
On 1/29/26 16:48, Peter 'PMc' Much wrote:
> On Thu, Jan 29, 2026 at 03:19:24PM +0100, Matthijs Mekking wrote:
> ! Hello,
> !
> ! For users interested in offline KSK, introduced in 9.20.2, we have just
> ! published a Knowledgebase article on this feature that might be worth a
> ! read.
> !
> ! If you have any questions or remarks about it, feel free to reach out.
>
> Hi,
> yes,
> what about a link? ;)
I guess I could make a pun about things being offline and all, but yes
that would have been friendly to add.

My earthly colleague Ben already took care of posting the link, but here
it is one more time:

https://kb.isc.org/docs/dnssec-signing-with-an-offline-ksk

Cheers,
Matthijs
>
> BTW, not fully sure what "offline KSK" is supposed to be, but I for my
> part have detached the entire zone signing procedure onto (ideally) a
> discrete node that is connected via serial wire only (no network).
> And that works (30 lines of ruby). What I can't afford is only the two
> marines with guns.
>
> I'm no friend of bloating the bloated named even further; instead I
> have unbloated it by moving all the signing stuff out of it. That
> is much easier to manage and debug, and it also invites doing continuous
> rollover. And it saves the money for a crypt device. :)
>
> cheerio,
> PMc