Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)
On 2020-08-09 04:51, Evan Hunt wrote:
> On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
> > This will sound counterintuitive, but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned, without keys). I do have the keys used, but not the original file that got signed.
> >
> > I know I can convert the raw format to text, but the zone file is rather big and I want to get rid of all the sign keys.
> >
> >   named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
> >   named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed
>
> You can just regex out all the DNSSEC-related types. Something like this ought to work:
>
>   $ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
>       awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

Thank you for your reply. There are still a lot of "; resign=20200802123322" lines, but it does clean up a lot better. Sorted on record type it would become useful; ideas?

Is there no clean named command to do this output?

Kind regards,

Jelle de Jong
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)
On Sun, Aug 09, 2020 at 12:03:22PM +0200, Jelle de Jong wrote:
> Thank you for your reply, there are still a lot of ; resign=20200802123322
> lines, but it does clean up a lot better, sorted on record type it would
> become useful, ideas?
>
> Is there no clean named command to do this output?

Everything starting with ";" is a comment. Run it through "named-compilezone" again, perhaps with "-s relative" this time (I used "-s full" before because it makes processing with awk easier). The result should be free of comments and canonically sorted.

"named" can do this automatically if you dynamically update a zone and remove the DNSKEY rrset.

I think "dnssec-signzone -SPRQ" would do it if you marked the keys as deleted with "dnssec-settime" first; I haven't tested this, but it should. But I think the awk trick is probably the most straightforward way.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
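The filter below is an added, self-contained example of the awk approach discussed in this thread; it is not code from the thread or from ISC. It assumes the one-record-per-line layout that "named-compilezone -s full" produces (owner TTL class type rdata, so the type is field 4). It goes slightly beyond the regex in the thread in two ways: the type match is anchored to the whole field (so the pattern cannot match a substring of an unrelated type or of rdata), CDS and CDNSKEY are included since they are also DNSSEC-only records, and "; ..." comment lines such as the resign markers are dropped in the same pass. The zone fragment is constructed for the example and is not a real zone dump. Sorting by type, as the thread notes, is left to a second pass through named-compilezone.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): strip DNSSEC-only records
# and ";" comment lines from a zone dumped with "named-compilezone -s full".
# Assumption: one resource record per line, type in field 4.

strip_dnssec() {
    awk '
        # Drop comment lines, e.g. "; resign=20200802123322".
        /^[[:space:]]*;/ { next }
        # Drop records whose type is DNSSEC-only. Anchored to the whole
        # field so e.g. "CDS" and "DS" match only as complete type names.
        $4 ~ /^(DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/ { next }
        { print }
    '
}

# Constructed sample in "-s full" style; names, keys and signatures are fake.
SAMPLE_ZONE='example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2020080901 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
; resign=20200802123322
example.test. 3600 IN RRSIG NS 13 2 3600 20200816123322 20200802123322 12345 example.test. AbCdEf==
example.test. 3600 IN DNSKEY 257 3 13 AwEAAfakekey==
example.test. 3600 IN NSEC3PARAM 1 0 10 ABCDEF
ns1.example.test. 3600 IN A 192.0.2.1
ABCDEFGHIJKLMNOP.example.test. 3600 IN NSEC3 1 0 10 ABCDEF QRSTUVWXYZ A RRSIG'

# Run the sample through the filter.
cleaned_zone() {
    printf '%s\n' "$SAMPLE_ZONE" | strip_dnssec
}

# Number of records that survive; for the sample that is SOA, NS and A.
count_kept() {
    cleaned_zone | wc -l | tr -d ' '
}

# Exit 0 if any DNSSEC-only type is still present in the output, else 1.
has_dnssec_types() {
    cleaned_zone | awk '
        $4 ~ /^(DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/ { found = 1 }
        END { exit !found }
    '
}

# Usage on a real zone (paths and zone name are placeholders):
#   named-compilezone -f raw -F text -s full -o - ZONE /path/to/db.ZONE.signed | strip_dnssec > db.ZONE
```

Run on a real dump, the output still needs a check with named-checkzone before it is loaded, since the filter removes records by type only and does nothing about the SOA serial or about records that legitimately belong to the unsigned zone.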