Some dnssec-signzone questions

Torinthiel torinthiel at
Wed Feb 2 07:01:00 UTC 2011

On 02/01/11 19:44, Paul Wouters wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> To clarify things, I'm using BIND 9.7.2-P2.
>> First is about input file: you can specify on the command line either the
>> signed version of the zone, or the unsigned one.
>> What I'd like to do however, is to use both.
>> The unsigned zone is much more readable, and can contain $INCLUDE directives,
>> which makes modification easier.
>> But specifying the signed zone has added benefit of reusing existing
>> signatures, thus saving on computation time (not that I have a lot to save
>> on ;). So, I'd like dnssec-signzone to take 'normal' records from non-signed
>> zone, try to reuse RRSIG records as much as possible, taking them from
>> signed zone, and write the result.
> see ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only)
> combined with -n (don't print soa) for one of them.

Thanks, nice tool. I'd have to look at ldns-* as I've only used drill
from ldns packages.

> Basically run the signed zone through ldns-read-zone -s, concatenate it
> with your unsigned zone, and run it through dnssec-signzone.
Or have a script that either strips the data from signed zone or creates
an empty file and then $INCLUDE that file in original unsigned zone.
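
A sketch of the script mentioned in the last reply, as an added example that is not code from this thread or from BIND/ldns: it keeps only the RRSIG records of a signed zone's text so the result can be written to the file the unsigned zone $INCLUDEs. The function names are hypothetical, the sample zone is constructed with placeholder signatures, and the parser assumes ordinary master-file text with inherited owner names and `( ... )` continuations.

```python
import re

DIRECTIVES = {"$ORIGIN", "$TTL"}   # kept so relative names and default TTLs still resolve
CLASSES = {"IN", "CH", "HS"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def logical_records(text):
    """Yield (owner_inherited, tokens) per record, joining '( ... )' continuations."""
    buf, depth, inherited = [], 0, False
    for raw in text.splitlines():
        # Blank out quoted strings first so ';' or '(' inside TXT data is ignored.
        line = QUOTED.sub('""', raw).split(";", 1)[0]
        if depth == 0:
            if not line.strip():
                continue
            inherited = line[0].isspace()   # leading blank = same owner as previous record
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield inherited, " ".join(buf).split()
            buf, depth = [], 0

def extract_rrsigs(signed_zone_text):
    """Return only the RRSIG records, one per line, each with an explicit owner name."""
    out, owner = [], None
    for inherited, tok in logical_records(signed_zone_text):
        if tok and tok[0].upper() in DIRECTIVES:
            out.append(" ".join(tok))
        if not tok or tok[0].startswith("$"):
            continue
        if not inherited:
            owner, tok = tok[0], tok[1:]
        i = 0   # skip optional TTL and class, in either order
        while i < len(tok) and (tok[i].upper() in CLASSES or tok[i][0].isdigit()):
            i += 1
        if owner and i < len(tok) and tok[i].upper() == "RRSIG":
            out.append(" ".join([owner] + tok))
    return "\n".join(out) + "\n"

# Constructed sample zone: placeholder signatures, not real key material.
SAMPLE = """$TTL 3600
example.com. 3600 IN SOA ns.example.com. admin.example.com. (
             2011020101 3600 900 604800 3600 ) ; timers
             3600 RRSIG SOA 5 2 3600 20110304070100 (
             20110202070100 12345 example.com. AAAA BBBB== )
             3600 NS ns.example.com.
www.example.com. 3600 IN TXT "a ; b ( c"
             3600 RRSIG TXT 5 3 3600 20110304070100 (
             20110202070100 12345 example.com. CCCC== )"""
```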
