[ldns-users] ldns-read-zone -s does not strip DNSKEY
Emil Natan
shlyoko at gmail.com
Tue Mar 4 17:37:32 UTC 2014
... on that matter, it would be nice if ldns-compare-zones can provide
different exit status when the compared zones share identical data and when
they differ (currently the exit status is always 0). Instead I used
ldns-read-zone to sort and canonicalize the data, stripped the DNSSEC data
using "grep" and "diff" to compare the files. Thanks again.
ena
On Tue, Mar 4, 2014 at 7:28 PM, Emil Natan <shlyoko at gmail.com> wrote:
> Sorry, I should have said "comparing the unsigned and signed version of a
> zone". I'm trying to compare the non-DNSSEC data for a zone before and
> after signing. At the end I finished with a long grep that strips the
> DNSSEC data. Thanks.
>
> ena
>
>
> On Tue, Mar 4, 2014 at 7:16 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Tue, 4 Mar 2014, Emil Natan wrote:
>>
>>> Agree. Though it should be really nice to have that option because when
>>> using OpenDNSSEC or BIND's Smart signing the DNSKEY is not a
>>> part of the unsigned zone and that can be useful when comparing the
>>> signed and unsigned zones.
>>>
>>
>> but didn't you have a signed zone? Or rather two signed zones to compare?
>>
>> And in case you were not aware, for doing the ods+bind combo signer, we
>> added -0 to ldns-read-zone:
>>
>> Print a (null) for the RRSIG inception, expiry and key data. This option
>> can be used when comparing different signing systems that use the same
>> DNSKEYs for signing but would have a slightly different timings/jitter.
>>
>>
>> Paul
>>
>
>
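The sort, strip and diff procedure described in this message, written out as an added shell example; it is not code from the ldns project or from the poster. It assumes both zone files have already been run through `ldns-read-zone -z` (sorted and canonicalized, one RR per line as owner, TTL, class, type, rdata), strips the record types a signer adds, including DNSKEY, which `-s` did not strip at the time of this thread, masks the SOA serial that the signer bumps, and returns a distinct exit status for identical and differing non-DNSSEC data, the distinction the message wishes `ldns-compare-zones` would provide. The function names and the list of stripped types are this example's own choices; the sample zones are constructed, and the DNSKEY and RRSIG rdata is placeholder text, not real key material.

```shell
#!/bin/sh
# Added example; not code from the ldns project or the original poster.
# Assumption: both inputs were first normalised with `ldns-read-zone -z`
# (sort + canonical form), so every RR is one line of the form
#   owner<TAB>TTL<TAB>class<TAB>TYPE<TAB>rdata

# Print a zone without the records a signer adds. DNSKEY is stripped
# explicitly because `ldns-read-zone -s` left it in place at the time of
# this thread, and with OpenDNSSEC or BIND smart signing the unsigned zone
# has no DNSKEY at all. The SOA serial (field 7) is masked because the
# signer bumps it; " serial " is matched with its surrounding spaces so
# that a TTL with the same digits is not touched.
strip_dnssec() {
    awk '$4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" ||
         $4 == "NSEC3PARAM" || $4 == "DNSKEY" { next }
         $4 == "SOA" { sub(" " $7 " ", " SERIAL ") }
         { print }' "$1"
}

# Exit 0 when the non-DNSSEC data of the two zones is identical, 1 when it
# differs (the diff goes to stdout), 2 when a temp file cannot be created.
compare_unsigned_data() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    strip_dnssec "$1" > "$a"
    strip_dnssec "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# --- constructed sample zones (placeholder key/signature rdata) ---
rr() { printf '%s\t%s\tIN\t%s\t%s\n' "$1" "$2" "$3" "$4"; }

UNSIGNED=$(mktemp); SIGNED=$(mktemp); TAMPERED=$(mktemp)
trap 'rm -f "$UNSIGNED" "$SIGNED" "$TAMPERED"' EXIT

{
  rr example.     3600 SOA 'ns1.example. hostmaster.example. 2014030401 3600 900 604800 3600'
  rr example.     3600 NS  ns1.example.
  rr ns1.example. 3600 A   192.0.2.1
  rr www.example. 3600 A   192.0.2.10
} > "$UNSIGNED"

SIG='8 1 3600 20140401000000 20140304000000 12345 example. PLACEHOLDER=='
{
  rr example.     3600 SOA    'ns1.example. hostmaster.example. 2014030402 3600 900 604800 3600'
  rr example.     3600 RRSIG  "SOA $SIG"
  rr example.     3600 NS     ns1.example.
  rr example.     3600 RRSIG  "NS $SIG"
  rr example.     3600 DNSKEY '257 3 8 PLACEHOLDER=='
  rr example.     3600 RRSIG  "DNSKEY $SIG"
  rr example.     3600 NSEC   'ns1.example. NS SOA RRSIG NSEC DNSKEY'
  rr ns1.example. 3600 A      192.0.2.1
  rr ns1.example. 3600 RRSIG  "A $SIG"
  rr ns1.example. 3600 NSEC   'www.example. A RRSIG NSEC'
  rr www.example. 3600 A      192.0.2.10
  rr www.example. 3600 RRSIG  "A $SIG"
  rr www.example. 3600 NSEC   'example. A RRSIG NSEC'
} > "$SIGNED"

# A signed zone whose www record no longer matches the unsigned input.
sed 's/192\.0\.2\.10$/192.0.2.11/' "$SIGNED" > "$TAMPERED"

if compare_unsigned_data "$UNSIGNED" "$SIGNED"; then
    echo "signed zone carries the same non-DNSSEC data (exit 0)"
fi
compare_unsigned_data "$UNSIGNED" "$TAMPERED" || echo "exit status $?: data differs"
```

Running it prints the first message, then a unified diff of the changed www record followed by "exit status 1: data differs". Anything the signer changes beyond the stripped types and the serial (a TTL rewrite, for instance) shows up in the diff, which is the point of the check.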