CZ.NIC's DNSSEC operations involve signing with offline KSK. This has been traditionally managed by a set of shell scripts. DNS administrators for .CZ together with KnotDNS developers joined together to design and implement this functionality into the KnotDNS DNSSEC signer. This feature was released in KnotDNS 2.8. This presentation describes the feature in the context of current operations in .CZ.