how to revert signed db zone file to unsigned plain text (remove dnssec keys)

Jelle de Jong
Hello everybody,

This will sound counterintuitive, but I want to convert a
db.powercraft.nl.signed file to db.powercraft.nl (unsigned, without
keys). I do have the keys used, but not the original file that got signed.

I know I can convert the raw format to text, but the zone file is rather
big and I want to get rid of all the sign keys.

named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl
/var/cache/bind/db.powercraft.nl.signed

named-checkzone -D -f raw powercraft.nl
/var/cache/bind/db.powercraft.nl.signed

Kind regards,

Jelle de Jong
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)

Evan Hunt
On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:

> This will sound counter intuitive but I want to convert a
> db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I
> do have the keys used, but not the original file that got signed.
>
> I know I can convert the raw format to text but the zone file is rather big
> and i want to get rid of all the sign keys.
>
> named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl
> /var/cache/bind/db.powercraft.nl.signed
>
> named-checkzone -D -f raw powercraft.nl
> /var/cache/bind/db.powercraft.nl.signed

You can just regex out all the DNSSEC-related types. Something like
this ought to work:

$ named-compilezone -f raw -F text -s full -o - powercraft.nl | \
  awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)

Jelle de Jong
On 2020-08-09 04:51, Evan Hunt wrote:

> On Sat, Aug 08, 2020 at 09:17:09PM +0200, Jelle de Jong wrote:
>> This will sound counter intuitive but I want to convert a
>> db.powercraft.nl.signed file to db.powercraft.nl (unsigned without keys). I
>> do have the keys used, but not the original file that got signed.
>>
>> I know I can convert the raw format to text but the zone file is rather big
>> and i want to get rid of all the sign keys.
>>
>> named-compilezone -f raw -F text -o powercraft.nl.text powercraft.nl
>> /var/cache/bind/db.powercraft.nl.signed
>>
>> named-checkzone -D -f raw powercraft.nl
>> /var/cache/bind/db.powercraft.nl.signed
>
> You can just regex out all the DNSSEC-related types. Something like
> this ought to work:
>
> $ named-compilezone -f raw -F text -s full -o - powercraft.nl | \
>    awk '$4 ~ /(DNSKEY|DS|RRSIG|NSEC|NSEC3|NSEC3PARAM)/ {next} {print}'

Thank you for your reply. There are still a lot of "; resign=20200802123322"
lines, but it does clean up a lot better; sorted on record type it would
become useful. Ideas?

Is there no clean named command to do this output?

Kind regards,

Jelle de Jong
Re: how to revert signed db zone file to unsigned plain text (remove dnssec keys)

Evan Hunt
On Sun, Aug 09, 2020 at 12:03:22PM +0200, Jelle de Jong wrote:
> Thank you for your reply, there are still a lot of ; resign=20200802123322
> lines, but it does clean up a lot better, sorted on record type it would
> become useful, ideas?
>
> Is there no clean named command to do this output?

Everything starting with ";" is a comment. Run it through "named-compilezone"
again, perhaps with "-s relative" this time (I used "-s full" before
because it makes processing with awk easier). The result should be free
of comments and canonically sorted.

"named" can do this automatically if you dynamically update a zone and
remove the DNSKEY rrset. I think "dnssec-signzone -SPRQ" would do it if you
marked the keys as deleted with "dnssec-settime" first; I haven't tested
this, but it should. But I think the awk trick is probably the most
straightforward way.

--
Evan Hunt -- [hidden email]
Internet Systems Consortium, Inc.
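Editor's added example (not code from the thread, from Evan Hunt or from ISC): the two-pass procedure Evan describes in his replies, written out as POSIX shell functions. The zone name and file paths are the ones from Jelle's first message; the sample zone text below is constructed to mimic "named-compilezone -s full" output and its keys, signatures and hashes are placeholders. strip_dnssec_rrs and dnssec_rr_count are plain awk and run anywhere; unsign_zone additionally needs BIND's named-compilezone and named-checkzone installed. Compared with the one-liner in the thread, this also drops the "; resign=..." comment lines Jelle asked about, lists CDS/CDNSKEY explicitly, anchors the type match to the whole token, and finishes with a check that no DNSSEC record survived.

```shell
#!/bin/sh
# Added example, not from the bind-users thread or from ISC.

# RR types that exist only because the zone was signed. The match on column 4
# is anchored so only the type token itself is compared.
DNSSEC_TYPES='DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|NSEC3|NSEC3PARAM'

# Filter for "-s full" text output (owner TTL class type rdata, one RR per
# line): drop comment lines, blank lines and any RR whose type is DNSSEC-only.
strip_dnssec_rrs() {
    awk -v types="$DNSSEC_TYPES" '
        /^[[:space:]]*;/       { next }          # comments, e.g. "; resign=..."
        /^\$/                  { print; next }   # $ORIGIN/$TTL directives, keep
        NF < 4                 { next }          # blank or truncated lines
        $4 ~ ("^(" types ")$") { next }          # DNSSEC-only RR types
        { print }
    '
}

# Count DNSSEC-only RRs in "-s full" text; 0 means the zone is clean.
dnssec_rr_count() {
    awk -v types="$DNSSEC_TYPES" '
        !/^[[:space:]]*;/ && $4 ~ ("^(" types ")$") { n++ }
        END { print n + 0 }
    '
}

# Full procedure (needs BIND's named-compilezone and named-checkzone):
#   unsign_zone powercraft.nl /var/cache/bind/db.powercraft.nl.signed db.powercraft.nl
unsign_zone() {
    zone=$1 signed=$2 out=$3
    tmpd=$(mktemp -d) || return 1
    # Pass 1: raw -> full-style text, so every line carries owner/TTL/class/type.
    named-compilezone -q -f raw -F text -s full -o "$tmpd/full" "$zone" "$signed" \
        || { rm -rf "$tmpd"; return 1; }
    strip_dnssec_rrs < "$tmpd/full" > "$tmpd/stripped"
    # Pass 2: reparse, so the result is canonically sorted, comment-free and in
    # relative style like a hand-maintained zone file.
    named-compilezone -q -f text -F text -s relative -o "$out" "$zone" "$tmpd/stripped"
    rc=$?
    rm -rf "$tmpd"
    [ "$rc" -eq 0 ] || return "$rc"
    # Check: re-dump in full style and make sure no DNSSEC RR is left.
    left=$(named-checkzone -q -D -s full "$zone" "$out" | dnssec_rr_count)
    [ "$left" -eq 0 ] && return 0
    echo "$left DNSSEC RR(s) still present in $out" >&2
    return 1
}

# Constructed sample of what "named-compilezone -s full" prints for a small
# signed zone (signatures, keys and hashes are placeholders, not real values).
sample_signed_zone() {
    cat <<'EOF'
; resign=20200802123322
example.nl.     3600  IN  SOA        ns1.example.nl. hostmaster.example.nl. 2020080201 7200 3600 1209600 3600
example.nl.     3600  IN  RRSIG      SOA 8 2 3600 20200816000000 20200802000000 12345 example.nl. c2lnbmF0dXJl
example.nl.     3600  IN  NS         ns1.example.nl.
example.nl.     3600  IN  RRSIG      NS 8 2 3600 20200816000000 20200802000000 12345 example.nl. c2lnbmF0dXJl
example.nl.     3600  IN  DNSKEY     257 3 8 AwEAAa1rZXk=
example.nl.     3600  IN  DNSKEY     256 3 8 AwEAAa1rZXk=
example.nl.     3600  IN  RRSIG      DNSKEY 8 2 3600 20200816000000 20200802000000 54321 example.nl. c2lnbmF0dXJl
example.nl.     3600  IN  CDS        54321 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.nl.     3600  IN  NSEC3PARAM 1 0 10 ABCD
example.nl.     3600  IN  TXT        "v=spf1 mx -all"
ns1.example.nl. 3600  IN  A          192.0.2.1
sub.example.nl. 3600  IN  NS         ns1.sub.example.nl.
ns1.sub.example.nl. 3600 IN A        192.0.2.2
sub.example.nl. 3600  IN  DS         11111 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.nl. 3600 IN NSEC3 1 0 10 ABCD 1avgj81lurldpt9ii1ua2o9d0o4hn8i9 A NS SOA TXT RRSIG DNSKEY NSEC3PARAM
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.nl. 3600 IN RRSIG NSEC3 8 3 3600 20200816000000 20200802000000 12345 example.nl. c2lnbmF0dXJl
EOF
}
```

On the constructed sample, strip_dnssec_rrs leaves the SOA, the two NS RRsets, the delegation glue, the A record and the TXT record, and dnssec_rr_count drops from 10 to 0. One operational caveat before serving the unsigned file: validating resolvers that still see a DS for the zone at the parent will treat the now-unsigned answers as bogus (SERVFAIL), so the parent's DS has to be removed, and its TTL allowed to expire, before the zone goes insecure; named-compilezone only rewrites the file, it does not handle that part.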