How to remove all signatures from zonefile (inline signing trouble after upgrading to 9.20)
Petr Špaček
pspacek at isc.org
Fri Dec 12 18:25:20 UTC 2025
Hello.
I would recommend
ldns-read-zone -s -e DNSKEY -e CDNSKEY -e CDS
Not part of BIND but a proven tool nevertheless ;-)
Petr Špaček
Internet Systems Consortium
On 12. 12. 25 18:30, Crist Clark wrote:
> Had the same question last May. Didn’t find a way with BIND tools,
>
> https://lists.isc.org/mailman/htdig/bind-users/2025-May/109848.html
>
>
> On Fri, Dec 12, 2025 at 7:56 AM Benoit Panizzon <benoit.panizzon at imp.ch> wrote:
>
> Hi Team
>
> Of course I was also hit in the face by the inline-signing change when
> using dnssec policies.
>
> https://kb.isc.org/docs/bind-920-changes#runtime-configuration
>
> resulting in broken validation chains etc.
>
> I would like to start over with the affected signed zones.
>
> I made sure to commit all changes back to the file with rndc sync -clean
>
> And now I would like to start over by removing all signatures from the
> zone file and properly use inline-signing=yes with unsigned base files.
>
> dnssec-signzone can remove -Q inactive key or -R unpublished keys
>
> But I found no option to remove all signatures. How do I get to a
> pristine zone file without dnssec from a file with signatures?
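
The filtering that the recommended ldns-read-zone invocation performs, written out in Python as an added example that is not from this thread, from BIND or from ldns. The function names, the exact type list and the sample zone are assumptions made for illustration, and parentheses are assumed not to occur inside quoted strings.

```python
import re
# Types dropped by the command quoted above (-s strips DNSSEC data, each -e
# excludes one more type). The exact list, NSEC3PARAM included, is an assumption.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDNSKEY", "CDS"}
TTL_OR_CLASS = re.compile(r"\d+|(\d+[smhdw])+|IN|CH|HS", re.I)
QUOTED_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|;.*')  # keep strings, cut comments

def logical_records(text):
    """Join '( ... )' continuation lines so each record is one string."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = QUOTED_OR_COMMENT.sub(
            lambda m: "" if m.group()[0] == ";" else m.group(), raw).rstrip()
        buf = buf + " " + line.strip() if buf else line
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            if buf.strip():
                yield buf
            buf, depth = "", 0

def strip_dnssec(text):
    """Return the zone without DNSSEC records, owner made explicit per line."""
    out, owner = [], None
    for rec in logical_records(text):
        if rec.startswith("$"):        # $ORIGIN, $TTL, $INCLUDE stay in place
            out.append(rec)
            continue
        rest = rec.strip()
        if not rec[0].isspace():       # owner present, else inherit the last one
            owner, rest = (rest.split(None, 1) + [""])[:2]
        rtype = next((f.upper() for f in rest.split()
                      if not TTL_OR_CLASS.fullmatch(f)), "")
        if rtype not in DNSSEC_TYPES:  # first non-TTL, non-class field is the type
            out.append(rec if owner is None else f"{owner}\t{rest}")
    return "\n".join(out) + "\n"

# Constructed sample zone; key and signature data are placeholders.
SAMPLE = """$ORIGIN example.test.
$TTL 3600
@   IN SOA ns1 hostmaster ( 2025121201 ; serial
        7200 3600 1209600 3600 )
    3600 RRSIG SOA 13 2 3600 ( 20260101000000 20251201000000 12345
        example.test. c2lnLXBsYWNlaG9sZGVy )
    DNSKEY 257 3 13 a2V5LXBsYWNlaG9sZGVy
www 300 IN RRSIG A 13 3 300 20260101000000 20251201000000 12345 example.test. c2ln
    300 IN A 192.0.2.10
    TXT "v=spf1; -all"
    NSEC example.test. A TXT RRSIG NSEC
"""
```

The owner name is written out on every kept line because a removed RRSIG line may have been the one carrying it for the records that follow. Checking the result with named-checkzone before loading it is a sensible last step.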