Some dnssec-signzone questions

Paul Wouters paul at xelerance.com
Tue Feb 1 18:44:48 UTC 2011


On Tue, 1 Feb 2011, Torinthiel wrote:

>
> To clarify things, I'm using BIND 9.7.2-P2.
>
> First is about input file: you can specify on the command line either the
> signed version of the zone, or the unsigned one.
> What I'd like to do however, is to use both.
> The unsigned zone is much more readable, and can contain $INCLUDE directives,
> which makes modification easier.
> But specifying the signed zone has added benefit of reusing existing
> signatures, thus saving on computation time (not that I have a lot to save
> on ;). So, I'd like dnssec-signzone to take 'normal' records from non-signed
> zone, try to reuse RRSIG records as much as possible, taking them from
> signed zone, and write the result.

See ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only)
combined with -n (don't print soa) for one of them.

Basically run the signed zone through ldns-read-zone -s, concatenate it
with your unsigned zone, and run it through dnssec-signzone.

Paul
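The merge step described above, as an added example that is not part of Paul's reply and is not code from BIND or ldns. For readers without ldns installed it reimplements the "signatures only" extraction in plain Python: it walks a master-format zone, glues parenthesised multi-line records back together, fills in omitted owner names so each record can be moved on its own, keeps only the RRSIG records (NSEC/NSEC3 are rebuilt by the signer anyway), and appends them to the readable unsigned zone, whose $INCLUDE lines stay untouched. The two zone texts, the placeholder signature and key data, the key file name and the file paths are all constructed for the example; the dnssec-signzone -o and -f options in the usage note are standard ones.

```python
# Added example (not from the thread, not ldns or BIND code): merge the data
# records of an unsigned zone with the RRSIGs of its previously signed copy so
# dnssec-signzone can reuse signatures that are still valid.
import re

CARRY_TYPES = {"RRSIG"}                 # carried from the old signed copy; NSEC/NSEC3 get regenerated
CARRY_DIRECTIVES = ("$ORIGIN", "$TTL")  # keep name/TTL context for the carried records
CLASSES = {"IN", "CH", "HS", "CS"}
_TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


def _strip_comment(line):
    """Drop a ';' comment, but leave ';' alone inside double quotes (TXT data)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _rr_type(tokens, owner_inherited):
    """Find the RR type: skip the owner (if present), then any TTL/class tokens."""
    fields = tokens if owner_inherited else tokens[1:]
    for tok in fields:
        if _TTL_RE.match(tok) or tok.upper() in CLASSES:
            continue
        return tok.upper()
    return None


def iter_records(zone_text):
    """Yield (kind, rr_type, text) per logical entry; kind is 'directive' or 'record'.
    Parenthesised multi-line records are glued together, and an omitted owner
    (line starting with whitespace) is filled in from the previous record."""
    buf, depth, owner = [], 0, None
    for raw in zone_text.splitlines():
        code = _strip_comment(raw)
        if not buf and not code.strip():
            continue                                 # blank or comment-only line
        buf.append(raw)
        depth += code.count("(") - code.count(")")
        if depth > 0:
            continue                                 # still inside ( ... )
        lines, buf = buf, []
        text = "\n".join(lines)
        if text.startswith("$"):
            yield "directive", None, text
            continue
        tokens = " ".join(map(_strip_comment, lines)).replace("(", " ").replace(")", " ").split()
        inherited = lines[0][:1].isspace()
        if inherited:
            if owner is None:
                raise ValueError("owner omitted before any owner was given")
            text = owner + text                      # the line already starts with whitespace
        else:
            owner = tokens[0]
        yield "record", _rr_type(tokens, inherited), text
    if buf:
        raise ValueError("unbalanced parentheses at end of zone")


def signatures_only(signed_zone_text):
    """Equivalent of 'sigs only': RRSIG records plus $ORIGIN/$TTL context from the signed zone."""
    return [text for kind, typ, text in iter_records(signed_zone_text)
            if (kind == "directive" and text.startswith(CARRY_DIRECTIVES))
            or (kind == "record" and typ in CARRY_TYPES)]


def merge_for_resigning(unsigned_zone_text, signed_zone_text):
    """Unsigned zone first (its $INCLUDEs untouched), old RRSIGs appended after it."""
    sigs = signatures_only(signed_zone_text)
    return unsigned_zone_text.rstrip("\n") + "\n" + "\n".join(sigs) + "\n"


# Constructed sample: the readable, hand-maintained zone (key file name is made up).
UNSIGNED_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1 hostmaster (
                2011020102 ; serial, bumped after an edit
                7200 3600 1209600 3600 )
        IN NS   ns1
ns1     IN A    192.0.2.1
www     IN A    192.0.2.80          ; added record, has no signature yet
$INCLUDE Kexample.com.+008+12345.key   ; constructed key file name
"""

# Constructed sample shaped like dnssec-signzone output; signature/key data are placeholders.
SIGNED_ZONE = """\
; File written on Tue Feb  1 12:00:00 2011 (constructed sample)
example.com.        3600    IN SOA  ns1.example.com. hostmaster.example.com. (
                            2011020101 7200 3600 1209600 3600 )
                    3600    RRSIG   SOA 8 2 3600 20110303000000 (
                            20110201000000 12345 example.com. PLACEHOLDERSIG1== )
                    3600    NS      ns1.example.com.
                    3600    RRSIG   NS 8 2 3600 20110303000000 (
                            20110201000000 12345 example.com. PLACEHOLDERSIG2== )
                    3600    NSEC    ns1.example.com. NS SOA RRSIG NSEC DNSKEY
                    3600    DNSKEY  257 3 8 ( PLACEHOLDERKEY== ) ; key id = 12345
ns1.example.com.    3600    IN A    192.0.2.1
                    3600    RRSIG   A 8 3 3600 20110303000000 (
                            20110201000000 12345 example.com. PLACEHOLDERSIG3== )
"""

if __name__ == "__main__":
    # Write the merged file, then hand it to dnssec-signzone (paths are constructed).
    with open("example.com.merged", "w") as fh:
        fh.write(merge_for_resigning(UNSIGNED_ZONE, SIGNED_ZONE))
    print("dnssec-signzone -o example.com -f example.com.signed example.com.merged")
```

The merged file is then signed with `dnssec-signzone -o example.com -f example.com.signed example.com.merged` (constructed paths). dnssec-signzone keeps an existing RRSIG when it was made with a key still in the DNSKEY set and does not expire within the cycle interval (-i), and it signs fresh anything that has no usable signature, such as the new www record above; the NSEC chain is rebuilt on every run, which is why the script carries over only RRSIGs.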



More information about the bind-users mailing list