• how to revert signed db zone file to unsigned plain text (remove dnssec keys)

    From Jelle de Jong@jelledejong@powercraft.nl to bind-users on Sat Aug 8 21:17:09 2020
    From Newsgroup: comp.protocols.dns.bind

    Hello everybody,

    This will sound counter intuitive but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned without
    keys). I do have the keys used, but not the original file that got signed.

    I know I can convert the raw format to text but the zone file is rather
    big and I want to get rid of all the sign keys.

    named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed

    named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed

    Kind regards,

    Jelle de Jong
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Evan Hunt@each@isc.org to Jelle de Jong on Sun Aug 9 02:51:14 2020
    From Newsgroup: comp.protocols.dns.bind

    On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
    > This will sound counter intuitive but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I do have the keys used, but not the original file that got signed.
    >
    > I know I can convert the raw format to text but the zone file is rather big and I want to get rid of all the sign keys.
    >
    > named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
    >
    > named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed

    You can just regex out all the DNSSEC-related types. Something like
    this ought to work:

    $ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
    awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.
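As an added example (my code, not from the thread), the same filter in Python, with one difference from the awk one-liner: records wrapped in ( ... ) are joined first, so an RRSIG that a multi-line dump style splits across lines is dropped whole instead of leaving orphaned continuation lines. The sample zone is constructed and the function names are my own.

```python
# Same filter as the awk one-liner, but multi-line ( ... ) records are joined
# first. Assumes a text dump in the owner/TTL/class/type layout named-compilezone writes.
DNSSEC_TYPES = {"DNSKEY", "DS", "CDS", "CDNSKEY", "RRSIG",
                "NSEC", "NSEC3", "NSEC3PARAM"}

def join_multiline(lines):
    """Merge parenthesised continuation lines into one logical record."""
    out, buf, depth = [], [], 0
    for line in lines:
        body = line.split(";", 1)[0]          # parens inside comments don't count
        depth += body.count("(") - body.count(")")
        buf.append(line.strip() if buf else line.rstrip())
        if depth <= 0:
            out.append(" ".join(buf))
            buf, depth = [], 0
    if buf:                                   # unbalanced '(' at end of file
        out.append(" ".join(buf))
    return out

def rr_type(record):
    """RR type of one record, or None for blank lines, comments, $-directives."""
    if not record.strip() or record.lstrip().startswith((";", "$")):
        return None
    fields = record.split()
    start = 0 if record[:1].isspace() else 1  # leading blank = owner omitted
    for field in fields[start:]:              # skip optional TTL and class
        if field.isdigit() or field.upper() in ("IN", "CH", "HS"):
            continue
        return field.upper()
    return None

def strip_dnssec(text):
    """Return the records of a signed zone dump with DNSSEC types removed."""
    return [rec for rec in join_multiline(text.splitlines())
            if rr_type(rec) not in DNSSEC_TYPES]

# Constructed sample dump; the names mirror the thread, the data is invented.
SAMPLE = """\
; constructed sample, not an actual dump of powercraft.nl
$TTL 3600
powercraft.nl. 3600 IN SOA ns1.powercraft.nl. hostmaster.powercraft.nl. 2020080801 7200 3600 1209600 3600
powercraft.nl. 3600 IN RRSIG SOA 13 2 3600 (
        20200901000000 20200801000000 12345 powercraft.nl.
        ZXhhbXBsZSBzaWduYXR1cmU= )
powercraft.nl. 3600 IN NS ns1.powercraft.nl.
powercraft.nl. 3600 IN DNSKEY 257 3 13 ZXhhbXBsZSBrZXk=
powercraft.nl. 0 IN NSEC3PARAM 1 0 10 ABCD
1A2B3C.powercraft.nl. 3600 IN NSEC3 1 0 10 ABCD 4D5E6F SOA NS DNSKEY RRSIG
ns1.powercraft.nl. 3600 IN A 192.0.2.1
"""
```

Running `print("\n".join(strip_dnssec(SAMPLE)))` leaves the comment, the $TTL directive and the SOA, NS and A records.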