
how to revert signed db zone file to unsgined plain text (remove dnssec keys)


Jelle de Jong

Aug 8, 2020, 3:18:24 PM
to bind-...@lists.isc.org
Hello everybody,

This will sound counter intuitive but I want to convert a
db.powercraft.nl.signed file to db.powercraft.nl (unsigned without
keys). I do have the keys used, but not the original file that got signed.

I know I can convert the raw format to text but the zone file is rather
big and I want to get rid of all the sign keys.

named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed

named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed

Kind regards,

Jelle de Jong

Evan Hunt

Aug 8, 2020, 10:51:30 PM
to Jelle de Jong, bind-...@lists.isc.org
You can just regex out all the DNSSEC-related types. Something like
this ought to work:

$ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

--
Evan Hunt -- ea...@isc.org
Internet Systems Consortium, Inc.

Jelle de Jong

Aug 9, 2020, 6:04:34 AM
to bind-...@lists.isc.org
Thank you for your reply. There are still a lot of
"; resign=20200802123322" lines, but it does clean up a lot better. Sorted
on record type it would become useful; ideas?

Is there no clean named command to do this output?

Evan Hunt

Aug 9, 2020, 6:38:46 PM
to Jelle de Jong, bind-...@lists.isc.org
On Sun, Aug 09, 2020 at 12:03:22PM +0200, Jelle de Jong wrote:
> Thank you for your reply. There are still a lot of "; resign=20200802123322"
> lines, but it does clean up a lot better. Sorted on record type it would
> become useful; ideas?
>
> Is there no clean named command to do this output?

Everything starting with ";" is a comment. Run it through "named-compilezone"
again, perhaps with "-s relative" this time (I used "-s full" before
because it makes processing with awk easier). The result should be free
of comments and canonically sorted.

"named" can do this automatically if you dynamically update a zone and
remove the DNSKEY rrset. I think "dnssec-signzone -SPRQ" would do it if you
marked the keys as deleted with "dnssec-settime" first; I haven't tested
this, but it should. But I think the awk trick is probably the most
straightforward way.
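The two replies above describe one filter: drop the DNSSEC-only record types and the ";" comment lines from a full-style dump. The following is an added Python example, not code from the thread or from BIND; it matches the type field exactly instead of with an unanchored regex, and it also lists CDS and CDNSKEY, which the regex already dropped as substrings of DS and DNSKEY. The zone lines are constructed sample data.

```python
"""Strip DNSSEC-only records and ';' comments from a 'full'-style zone dump."""
import sys

# Types present only because the zone was signed. CDS/CDNSKEY are listed
# explicitly; the unanchored regex in the thread matched them as substrings.
DNSSEC_TYPES = frozenset({
    "DNSKEY", "CDNSKEY", "DS", "CDS", "RRSIG",
    "NSEC", "NSEC3", "NSEC3PARAM",
})

# Constructed sample in the shape of `named-compilezone -s full` output:
# one record per line, fields "owner TTL class type rdata...".
SAMPLE_ZONE = """\
; resign=20200802123322
powercraft.nl. 3600 IN SOA ns1.powercraft.nl. hostmaster.powercraft.nl. 2020080201 7200 3600 1209600 3600
powercraft.nl. 3600 IN RRSIG SOA 13 2 3600 20200816123322 20200802123322 12345 powercraft.nl. EXAMPLESIG==
powercraft.nl. 3600 IN NS ns1.powercraft.nl.
powercraft.nl. 3600 IN DNSKEY 257 3 13 EXAMPLEKEY==
powercraft.nl. 3600 IN NSEC3PARAM 1 0 10 ABCDEF
www.powercraft.nl. 300 IN A 192.0.2.10
www.powercraft.nl. 300 IN TXT "v=spf1 -all"
ABC123.powercraft.nl. 3600 IN NSEC3 1 0 10 ABCDEF DEF456 A RRSIG
"""


def strip_dnssec(text: str) -> str:
    """Return the zone text without DNSSEC RRs or comment lines.

    Assumes full style, so the RR type is always the 4th field; a record
    whose TXT rdata happens to contain 'RRSIG' is therefore not touched.
    """
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank or "; resign=..." comment
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[3].upper() in DNSSEC_TYPES:
            continue                            # signed-zone artefact, drop it
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Filter stdin if piped (e.g. from named-compilezone), else the sample.
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ZONE
    sys.stdout.write(strip_dnssec(src))
```

As the last reply says, feed the result through named-compilezone once more to get it canonically sorted.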