[ldns-users] ldns-read-zone -s does not strip DNSKEY

Paul Wouters paul at nohats.ca
Tue Mar 4 16:28:45 UTC 2014


On Tue, 4 Mar 2014, Emil Natan wrote:

> "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual states: 
> "Strip DNSSEC data from the zone. This option skips every record that is of type NSEC, NSEC3, RRSIG or DNSKEY." Tried with multiple
> zones with the same result. All other DNSSEC specific records are omitted in the output.

That's a bug in the man page?

DS and DNSKEY Resource Records are zone data. The point of the -s option
is to take a signed zone, and get rid of the _signing_ records so it
turns it into an unsigned zone. So DS and DNSKEY should not be stripped.

I can see how someone might want to remove DNSKEYs, but then that
should probably be a different option.

Paul
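
Added example, not part of the original message and not ldns code: a shell/awk filter that finds each record's type field and drops only RRSIG, NSEC and NSEC3, keeping DNSKEY and DS as described above. The function names, the "nokeys" mode (a stand-in for the separate option mentioned) and the sample zone are assumptions; input is assumed to be one RR per line with an explicit owner name.

```shell
# Filter a zone printed one RR per line: owner [TTL] [class] type rdata
#   strip_signing         drops RRSIG, NSEC, NSEC3; keeps DNSKEY and DS
#   strip_signing nokeys  also drops DNSKEY (hypothetical separate option)
strip_signing() {
    awk -v mode="${1:-keys}" '
    /^[ \t]*;/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
    {
        i = 2                                   # field 1 is the owner name
        # TTL and class are optional and may appear in either order
        while (i <= NF && ($i ~ /^[0-9]+$/ || toupper($i) ~ /^(IN|CH|HS)$/)) i++
        type = toupper($i)
        # Match on the type field only: NSEC and RRSIG rdata also contain
        # type names such as DNSKEY, so a plain grep would misfire.
        if (type == "RRSIG" || type == "NSEC" || type == "NSEC3") next
        if (mode == "nokeys" && type == "DNSKEY") next
        print
    }'
}

# Constructed sample zone (key and signature data are dummy values)
sample_zone() {
cat <<'EOF'
example.com. 3600 IN SOA ns.example.com. host.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20140401000000 20140304000000 12345 example.com. AAAA
example.com. 3600 IN DNSKEY 257 3 8 AwEAAc==
example.com. 3600 IN NSEC sub.example.com. NS SOA RRSIG NSEC DNSKEY
sub.example.com. 3600 IN DS 12345 8 2 ABCDEF
sub.example.com. IN 3600 NS ns.sub.example.com.
EOF
}
```

Run it as `sample_zone | strip_signing` or, against a real file, `strip_signing < zonefile`.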


