Feb 8 – 9, 2024 Workshop
Embassy Suites Charlotte Uptown
US/Eastern timezone

DNSSEC signer upgrade at PCH.net

Feb 8, 2024, 12:20 PM
Salon A/B (Embassy Suites Charlotte Uptown)

Salon A/B

Embassy Suites Charlotte Uptown

401 East Martin Luther King Jr Blvd Charlotte NC 28202 United States
In-Person Standard Presentation OARC 42 Day 1


Tamas Csillag (PCH.net)


In my talk I plan to summarize the properties of
PCH's DNSSEC bump in the wire signer from 2010.
(which was based on bind9 and custom code in c/bash/perl)

What were our goals and motivations for the upgrade.

Why we ended up choosing knot as a replacement signer.

Our process include a keysigning ceremony where ZSKs are generated and RRSIGs for those keys years in advance.

I will talk about how we use the keysigning output with knot's offline-ksk functionality and how we utilize HSMs.

Another part to be presented is nsd and how we use its relatively recent functionality the verifier hook to check the correctness of the DNSSEC signed zones.

Talk duration

Primary author

Tamas Csillag (PCH.net)

Presentation materials