how to revert signed db zone file to unsigned plain text (remove dnssec keys)

Evan Hunt each at
Sun Aug 9 02:51:14 UTC 2020

On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
> This will sound counterintuitive but I want to convert a
> file to (unsigned without keys). I
> do have the keys used, but not the original file that got signed.
> I know I can convert the raw format to text but the zone file is rather big
> and I want to get rid of all the sign keys.
> named-compilezone -f raw -F text -o
> /var/cache/bind/
> named-checkzone -D -f raw
> /var/cache/bind/

You can just regex out all the DNSSEC-related types. Something like
this ought to work:

$ named-compilezone -f raw -F text -s full -o - | \
  awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

Evan Hunt -- each at
Internet Systems Consortium, Inc.
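
Added example, not part of the original post: the same type filter run over a constructed full-format dump (owner, TTL, class, type, rdata on one line), comparing the type field exactly so that a TXT string or an owner name such as ds.example.com is not caught. The function names, the sample zone and the explicit CDS and CDNSKEY entries (which the unanchored regex above also matches) are assumptions of this example.

```shell
#!/bin/sh
# Added example: strip DNSSEC record types from a full-format zone dump
# and verify that none remain. All names and data here are constructed.

DNSSEC_TYPES="DNSKEY DS RRSIG NSEC NSEC3 NSEC3PARAM CDS CDNSKEY"
# Shared awk prologue: build a lookup table of the types to drop.
AWK_INIT='BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) drop[t[i]] = 1 }'

# Print every record whose type field ($4) is not a DNSSEC type.
strip_dnssec() {
    awk -v types="$DNSSEC_TYPES" "$AWK_INIT"'
        (toupper($4) in drop) { next }
        { print }'
}

# Count records whose type field is a DNSSEC type (0 after a clean strip).
count_dnssec() {
    awk -v types="$DNSSEC_TYPES" "$AWK_INIT"'
        (toupper($4) in drop) { c++ }
        END { print c + 0 }'
}

# Constructed sample in the one-record-per-line layout; key and
# signature material is placeholder text, not real data.
sample_zone() {
cat <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2020080801 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20200901000000 20200801000000 12345 example.com. Q09OU1RSVUNURUQ=
example.com. 3600 IN DNSKEY 257 3 8 Q09OU1RSVUNURUQ=
example.com. 3600 IN NSEC3PARAM 1 0 10 ABCD
example.com. 3600 IN TXT "note: RRSIG and DS records are removed"
ds.example.com. 3600 IN A 192.0.2.10
sub.example.com. 3600 IN DS 12345 8 2 00112233
sub.example.com. 3600 IN NS ns.sub.example.com.
ABCDEF.example.com. 3600 IN NSEC3 1 0 10 ABCD GHIJKL A RRSIG
EOF
}

# Show the stripped zone and the before/after DNSSEC record counts.
sample_zone | strip_dnssec
echo "DNSSEC records before: $(sample_zone | count_dnssec)"
echo "DNSSEC records after:  $(sample_zone | strip_dnssec | count_dnssec)"
```

In real use the input of strip_dnssec would be the text dump piped from the named-compilezone command above instead of sample_zone.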
