On 1/29/26 16:48, Peter 'PMc' Much wrote:
On Thu, Jan 29, 2026 at 03:19:24PM +0100, Matthijs Mekking wrote:
! Hello,
!
! For users interested in offline KSK, introduced in 9.20.2, we have just
! published a Knowledgebase article on this feature that might be worth a
! read.
!
! If you have any questions or remarks about it, feel free to reach out.
Hi,
yes,
what about a link? ;)
I guess I could make a pun about things being offline and all, but yes
that would have been friendly to add.
My earthly colleague Ben already took care of posting the link, but here
it is one more time:
https://kb.isc.org/docs/dnssec-signing-with-an-offline-ksk
Cheers,
Matthijs
BTW, not fully sure what "offline KSK" is supposed to be, but I for my
part have detached the entire zone signing procedure onto (ideally) a
discrete node that is connected via serial wire only (no network).
And that works (30 lines of ruby). What I can't afford is only the two
marines with guns.
I'm no friend of bloating the bloated named even further; instead I
have unbloated it by moving all the signing stuff out of it. That
is much easier to manage and debug, and it also invites to do continuous
rollover. And it saves the money for a crypt device. :)
cheerio,
PMc
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
