• how to revert signed db zone file to unsigned plain text (remove dn

    From Evan Hunt@21:1/5 to Jelle de Jong on Sun Aug 9 02:51:14 2020
    Copy: bind-users@lists.isc.org

    On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
    > This will sound counterintuitive but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I do have the keys used, but not the original file that got signed.
    >
    > I know I can convert the raw format to text but the zone file is rather big and I want to get rid of all the sign keys.
    >
    > named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
    >
    > named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed

    You can just regex out all the DNSSEC-related types. Something like
    this ought to work:

    $ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
    awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jelle de Jong@21:1/5 to Evan Hunt on Sun Aug 9 12:03:22 2020
    Copy: bind-users@lists.isc.org

    On 2020-08-09 04:51, Evan Hunt wrote:
    > On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
    >> This will sound counterintuitive but I want to convert a db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I do have the keys used, but not the original file that got signed.
    >>
    >> I know I can convert the raw format to text but the zone file is rather big and I want to get rid of all the sign keys.
    >>
    >> named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl /var/cache/bind/db.powercraft.nl.signed
    >>
    >> named-checkzone -D -f raw powercraft.nl /var/cache/bind/db.powercraft.nl.signed
    >
    > You can just regex out all the DNSSEC-related types. Something like
    > this ought to work:
    >
    > $ named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed | \
    > awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

    Thank you for your reply, there are still a lot of '; resign=20200802123322' lines, but it does clean up a lot better. Sorted on record type it would become useful, ideas?

    Is there no clean named command to do this output?

    Kind regards,

    Jelle de Jong

  • From Evan Hunt@21:1/5 to Jelle de Jong on Sun Aug 9 22:38:44 2020
    Copy: bind-users@lists.isc.org

    On Sun, Aug 09, 2020 at 12:03:22PM +0200, Jelle de Jong wrote:
    > Thank you for your reply, there are still a lot of '; resign=20200802123322' lines, but it does clean up a lot better. Sorted on record type it would become useful, ideas?
    >
    > Is there no clean named command to do this output?

    Everything starting with ";" is a comment. Run it through "named-compilezone" again, perhaps with "-s relative" this time (I used "-s full" before because it makes processing with awk easier). The result should be free of comments and canonically sorted.

    "named" can do this automatically if you dynamically update a zone and remove the DNSKEY rrset. I think "dnssec-signzone -SPRQ" would do it if you marked the keys as deleted with "dnssec-settime" first; I haven't tested this, but it should. But I think the awk trick is probably the most straightforward way.

    --
    Evan Hunt -- each@isc.org
    Internet Systems Consortium, Inc.

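The awk filter Evan describes, written out as an added stand-alone example (not code from the thread or from BIND itself). It assumes the zone has already been rendered one record per line in the "full" style (owner TTL class type rdata), which is what "named-compilezone -s full" produces, and it uses a constructed sample zone for example.test. so it runs without BIND installed. Beyond the thread's one-liner it also drops the "; resign=..." comment lines Jelle asked about, anchors the type match so only whole type names are removed, and sorts the survivors by record type.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND: strip DNSSEC-related
# records and ";" comments from a zone rendered in "full" style
# (one RR per line: owner TTL class type rdata). In real use the input is
#   named-compilezone -f raw -F text -s full -o - ZONE FILE
# here a constructed sample zone for example.test. stands in for that.

strip_dnssec() {
    awk '
        /^;/    { next }   # comment lines, e.g. "; resign=20200802123322"
        NF == 0 { next }   # blank lines
        # The type is field 4. The match is anchored so that only whole type
        # names match: a TXT record whose data mentions "DS" is kept.
        $4 ~ /^(DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/ { next }
        { print }
    '
}

# Sort by record type, then owner name ("sorted on record type" as asked in
# the thread). For a canonically ordered, loadable file, feed the result
# back through named-compilezone as Evan suggests.
sort_by_type() {
    sort -k4,4 -k1,1
}

# Constructed sample zone in full style (not real data; the key, signature
# and timestamp values are placeholders).
SAMPLE_ZONE='; resign=20200802123322
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2020080901 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 13 CONSTRUCTEDKEYDATA==
example.test. 3600 IN RRSIG SOA 13 2 3600 20200823000000 20200809000000 12345 example.test. CONSTRUCTEDSIGNATURE==
example.test. 3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
example.test. 3600 IN TXT "note: DS appears in this text but the type is TXT"
ns1.example.test. 3600 IN A 192.0.2.1
ns1.example.test. 3600 IN RRSIG A 13 3 3600 20200823000000 20200809000000 12345 example.test. CONSTRUCTEDSIGNATURE==
ns1.example.test. 3600 IN NSEC example.test. A RRSIG NSEC'

# Helpers that expose the result as values rather than only printing it.
unsigned_zone() { printf '%s\n' "$SAMPLE_ZONE" | strip_dnssec | sort_by_type; }
record_count()  { unsigned_zone | wc -l | tr -d ' '; }
first_type()    { unsigned_zone | awk 'NR == 1 { print $4 }'; }
# Exit status 0 if any DNSSEC type survived the filter (it should not).
has_dnssec() {
    unsigned_zone | awk '
        $4 ~ /^(DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|NSEC3|NSEC3PARAM)$/ { found = 1 }
        END { exit !found }
    '
}

# Print the cleaned zone: SOA, NS, TXT and A remain; DNSKEY, RRSIG, NSEC and
# the comment line are gone.
unsigned_zone
```

With BIND available, replace the constructed SAMPLE_ZONE with the output of "named-compilezone -f raw -F text -s full -o - powercraft.nl /var/cache/bind/db.powercraft.nl.signed" piped into strip_dnssec; the result can then go back through named-compilezone for a comment-free, canonically sorted unsigned zone file.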