[ldns-users] ldns-read-zone -s does not strip DNSKEY

Emil Natan shlyoko at gmail.com
Tue Mar 4 16:44:24 UTC 2014


On Tue, Mar 4, 2014 at 6:28 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 4 Mar 2014, Emil Natan wrote:
>
>> "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual
>> states:
>> "Strip DNSSEC data from the zone. This option skips every record that is
>> of type NSEC, NSEC3, RRSIG or DNSKEY." Tried with multiple
>> zones with the same result. All other DNSSEC specific records are omitted
>> in the output.
>>
>
> That's a bug in the man page?
>
> DS and DNSKEY Resource Records are zone data. The point of the -s option
> is to take a signed zone, and get rid of the _signing_ records so it
> turns it into an unsigned zone. So DS and DNSKEY should not be stripped.
>
> I can see how someone might want to remove DNSKEY's, but then that
> should probably be a different option.
>
> Paul
>

Agree. Though it would be really nice to have that option, because when
using OpenDNSSEC or BIND's Smart signing the DNSKEY is not a part of the
unsigned zone, and that can be useful when comparing the signed and unsigned
zones.

ena
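The distinction the thread draws, as an added illustration that is not ldns code and not from either poster: a filter that strips the signing records (RRSIG, NSEC, NSEC3) the way the -s option is described, plus a separate switch that also drops DNSKEY, and a comparison showing why the extra switch matters when the unsigned input never contained the keys. The zone data, names and key material are constructed; the parser assumes one record per line with numeric TTLs, and the type sets are taken from the man page text quoted above rather than from ldns source.

```python
"""Strip DNSSEC records from a zone in presentation format (added example).

Constructed to mirror the thread: the -s style filter removes the signing
records but keeps DNSKEY and DS, which are zone data; a hypothetical extra
flag removes DNSKEY too, so a signed zone can be diffed against an unsigned
input that never carried the keys (OpenDNSSEC / BIND smart signing case).
"""

SIGNING_TYPES = {"RRSIG", "NSEC", "NSEC3"}  # what the -s description strips
KEY_TYPES = {"DNSKEY"}                      # the hypothetical extra option
CLASSES = {"IN", "CH", "HS"}


def rr_type(line):
    """Return the RR type of a one-line record, or None for blank lines,
    comments and $-directives. Assumption: one record per line, numeric
    TTLs, fields "owner [ttl] [class] type rdata"; a leading blank means
    the owner is inherited from the previous record."""
    body = line.split(";", 1)[0]
    if not body.strip() or body.lstrip().startswith("$"):
        return None
    fields = body.split()
    i = 0 if body[0].isspace() else 1  # skip the owner if present
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
        i += 1  # skip optional TTL and class
    return fields[i].upper() if i < len(fields) else None


def strip_dnssec(zone_lines, strip_dnskey=False):
    """Drop signing records; drop DNSKEY as well only when asked to."""
    drop = SIGNING_TYPES | (KEY_TYPES if strip_dnskey else set())
    return [ln for ln in zone_lines if rr_type(ln) not in drop]


def zone_diff(a_lines, b_lines):
    """Records only in a, and only in b, ignoring comments, directives and
    whitespace differences (assumes explicit owners for the diff)."""
    def norm(lines):
        return {" ".join(ln.split(";", 1)[0].split()) for ln in lines if rr_type(ln)}
    sa, sb = norm(a_lines), norm(b_lines)
    return sorted(sa - sb), sorted(sb - sa)


# Constructed sample data: a signed zone as a signer would emit it, and the
# unsigned input as kept by a setup where the signer adds the keys itself.
SIGNED_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@ IN SOA ns1 hostmaster 2014030401 7200 900 1209600 3600
@ IN NS ns1
@ IN DNSKEY 257 3 8 AwEAAexampleKSK== ; constructed, not a real key
@ IN DNSKEY 256 3 8 AwEAAexampleZSK==
@ IN RRSIG DNSKEY 8 2 3600 20140401000000 20140301000000 12345 example.test. c29tZXNpZw==
@ IN RRSIG SOA 8 2 3600 20140401000000 20140301000000 54321 example.test. c29tZXNpZw==
@ IN NSEC ns1 NS SOA RRSIG NSEC DNSKEY
ns1 IN A 192.0.2.1
ns1 IN RRSIG A 8 3 3600 20140401000000 20140301000000 54321 example.test. c29tZXNpZw==
ns1 IN NSEC example.test. A RRSIG NSEC
""".splitlines()

UNSIGNED_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@ IN SOA ns1 hostmaster 2014030401 7200 900 1209600 3600
@ IN NS ns1
ns1 IN A 192.0.2.1
""".splitlines()


if __name__ == "__main__":
    print("--- signing records stripped (DNSKEY kept) ---")
    for ln in strip_dnssec(SIGNED_ZONE):
        print(ln)
    print("--- diff against unsigned input ---")
    print(zone_diff(strip_dnssec(SIGNED_ZONE), UNSIGNED_ZONE))
    print("--- diff with DNSKEY stripped as well ---")
    print(zone_diff(strip_dnssec(SIGNED_ZONE, strip_dnskey=True), UNSIGNED_ZONE))
```

With the default filter the only records left over after the diff are the two DNSKEYs, which is exactly the noise the extra option would remove; with the DNSKEY switch the two zones compare equal. DS records are not touched by either mode, in line with the reply above.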