Path: csiph.com!newsfeed.xs4all.nl!newsfeed9.news.xs4all.nl!news.uzoreto.com!news.etla.org!nntp-feed.chiark.greenend.org.uk!ewrotcd!usenet-its.stanford.edu!usenet.stanford.edu!not-for-mail
From: Evan Hunt <each@isc.org>
Newsgroups: comp.protocols.dns.bind
Subject: Re: how to revert signed db zone file to unsgined plain text (remove dnssec keys)
Date: Sun, 9 Aug 2020 02:51:14 +0000
Lines: 23
Approved: bind-users@lists.isc.org
Message-ID: <mailman.797.1596941434.942.bind-users@lists.isc.org>
References: <9010d1a0-fc3c-3fc3-c94e-bfcae79fab57@powercraft.nl> <20200809025114.GA46379@isc.org>
NNTP-Posting-Host: lists.isc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: bind-users@lists.isc.org
To: Jelle de Jong <jelledejong@powercraft.nl>
Content-Disposition: inline
In-Reply-To: <9010d1a0-fc3c-3fc3-c94e-bfcae79fab57@powercraft.nl>
Precedence: list
Xref: csiph.com comp.protocols.dns.bind:16045

On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
> This will sound counter intuitive but I want to convert a
> db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I
> do have the keys used, but not the original file that got singed.
> 
> I know I can convert the raw format to text but the zone file is rather big
> and i want to get rid of all the sign keys.
> 
> named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl
> /var/cache/bind/db.powercraft.nl.signed
> 
> named-checkzone -D -f raw powercraft.nl
> /var/cache/bind/db.powercraft.nl.signed

You can just regex out all the DNSSEC-related types. Something like
this ought to work:

$ named-compilezone -f raw -F text -s full -o - powercraft.nl | \
  awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.