diff --git a/bin/dnssec b/bin/dnssec
new file mode 100755
index 0000000..3015fed
--- /dev/null
+++ b/bin/dnssec
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+
+from os.path import realpath, dirname
+from bundlewrap.repo import Repository
+from base64 import b64decode, urlsafe_b64encode
+from jwkest import long_to_base64
+from cryptography.utils import int_to_bytes
+
+def long_to_base64(n):
+    return urlsafe_b64encode(int_to_bytes(n, None)).decode()
+
+#repo = Repository(dirname(dirname(realpath(__file__))))
+repo = Repository('.')
+domain = 'ckn.li'
+
+pk = repo.libs.rsa.generate_deterministic_rsa_private_key(
+    b64decode(str(repo.vault.random_bytes_as_base64_for('dnssec' + domain)))
+)
+
+# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers
+# https://crypto.stackexchange.com/a/21104
+public_exponent = pk.private_numbers().public_numbers.e
+modulo = pk.private_numbers().public_numbers.n
+private_exponent = pk.private_numbers().d
+prime1 = pk.private_numbers().p
+prime2 = pk.private_numbers().q
+exponent1 = pk.private_numbers().dmp1
+exponent2 = pk.private_numbers().dmq1
+coefficient = pk.private_numbers().iqmp
+
+print(f"""
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: {long_to_base64(modulo)}
+PublicExponent: {long_to_base64(public_exponent)}
+PrivateExponent: {long_to_base64(private_exponent)}
+Prime1: {long_to_base64(prime1)}
+Prime2: {long_to_base64(prime2)}
+Exponent1: {long_to_base64(exponent1)}
+Exponent2: {long_to_base64(exponent2)}
+Coefficient: {long_to_base64(coefficient)}
+Created: 20230428110109
+Publish: 20230428110109
+Activate: 20230428110109
+""")
diff --git a/bundles/bind/README.md b/bundles/bind/README.md
new file mode 100644
index 0000000..5f69096
--- /dev/null
+++ b/bundles/bind/README.md
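Review bot: The BIND `Private-key-format: v1.3` fields written by the `print(f"""...""")` block are, to my knowledge, plain base64 (RFC 4648 §4 alphabet with `+` and `/`), but `long_to_base64` encodes with `urlsafe_b64encode`, so any field whose value happens to contain `-` or `_` will be rejected or mis-parsed when BIND loads the key; change the import to `from base64 import b64decode, b64encode` and the body to `return b64encode(int_to_bytes(n, None)).decode()`. The `from jwkest import long_to_base64` import is dead, because the local `def long_to_base64` two lines later shadows it, and `realpath`/`dirname` are unused while the `Repository(dirname(...))` line is commented out, so both imports and the extra third-party dependency can go. The script also prints the complete private key to stdout and hard-codes `domain = 'ckn.li'` plus the three `Created`/`Publish`/`Activate` timestamps, so before this is used for a real zone I would write the output to a file created with mode 0600, take the domain from `sys.argv`, and generate the timestamps from the current UTC time.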
@@ -0,0 +1,26 @@
+## DNSSEC
+
+https://wiki.debian.org/DNSSEC%20Howto%20for%20BIND%209.9+#The_signing_part
+https://blog.apnic.net/2021/11/02/dnssec-provisioning-automation-with-cds-cdnskey-in-the-real-world/
+https://gist.github.com/wido/4c6288b2f5ba6d16fce37dca3fc2cb4a
+
+```python
+import dns.dnssec
+algorithm = dns.dnssec.RSASHA256
+```
+
+```python
+import cryptography
+pk = cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(key_size=2048, public_exponent=65537)
+```
+
+## Nomenclature
+
+### parent
+
+DNSKEY:
+    the public key
+
+DS
+
+
diff --git a/libs/rsa.py b/libs/rsa.py
index e2666fb..a16e065 100644
--- a/libs/rsa.py
+++ b/libs/rsa.py
@@ -1,7 +1,6 @@
 # https://stackoverflow.com/a/18266970
 from Crypto.PublicKey import RSA
-from Crypto.Hash import HMAC
 from struct import pack
 from hashlib import sha3_512
 from cryptography.hazmat.primitives.serialization import load_der_private_key
@@ -23,12 +22,12 @@ class PRNG(object):
 @cache_to_disk(30)
-def _generate_deterministic_rsa_private_key(secret_bytes):
-    return RSA.generate(2048, randfunc=PRNG(secret_bytes)).export_key('DER')
+def _generate_deterministic_rsa_private_key(secret_bytes, key_size):
+    return RSA.generate(key_size, randfunc=PRNG(secret_bytes)).export_key('DER')
 @cache
-def generate_deterministic_rsa_private_key(secret_bytes):
+def generate_deterministic_rsa_private_key(secret_bytes, key_size=2048):
     return load_der_private_key(
-        _generate_deterministic_rsa_private_key(secret_bytes),
+        _generate_deterministic_rsa_private_key(secret_bytes, key_size),
         password=None,
     )
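Review bot: Neither `_generate_deterministic_rsa_private_key` nor `generate_deterministic_rsa_private_key` documents the new `key_size` parameter, and nothing validates it before `RSA.generate(key_size, ...)`, which in pycryptodome raises `ValueError` for a size below 1024 or one that is not a multiple of 256. A docstring on the public function should say that the key is derived deterministically from `secret_bytes` through `PRNG`, that `key_size` must be at least 1024 and a multiple of 256, and that the same secret with a different `key_size` yields a different key; `PRNG` and `cache_to_disk` are defined outside this hunk. Because `@cache_to_disk(30)` wraps the inner function and its cache-key derivation is not visible here, it is worth confirming that the on-disk key covers `key_size` and not only `secret_bytes`, otherwise a later call with the same secret and a new size could be served the cached DER of the old size. The `@cache` on the outer function also keeps every loaded private-key object alive for the life of the process, which is presumably intended for a one-shot bundlewrap run but deserves a one-line comment.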