how to revert signed db zone file to unsgined plain text (remove dnssec keys)

Jelle de Jong jelledejong at
Sun Aug 9 10:03:22 UTC 2020

On 2020-08-09 04:51, Evan Hunt wrote:
> On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
>> This will sound counter intuitive but I want to convert a
>> file to (unsigned without keys). I
>> do have the keys used, but not the original file that got singed.
>> I know I can convert the raw format to text but the zone file is rather big
>> and i want to get rid of all the sign keys.
>> named-compilezone -f raw -F text -o
>> /var/cache/bind/
>> named-checkzone -D -f raw
>> /var/cache/bind/
> You can just regex out all the DNSSEC-related types. Something like
> this ought to work:
> $ named-compilezone -f raw -F text -s full -o - | \
>    awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

Thank you for your reply, there are still a lot of ; 
resign=20200802123322 lines, but it does clean up a lot better, sorted 
on record type it would become useful, ideas?

Is there no clean named command to do this output?

Kind regards,

Jelle de Jong

More information about the bind-users mailing list