[ldns-users] ldns-read-zone -s does not strip DNSKEY

Willem Toorop willem at nlnetlabs.nl
Tue Mar 4 22:17:59 UTC 2014


On 04-03-14 17:28, Paul Wouters wrote:
> On Tue, 4 Mar 2014, Emil Natan wrote:
> 
>> "ldns-read-zone -s" does not strip the DNSKEY RRs, although the manual
>> states: 
>> "Strip DNSSEC data from the zone. This option skips every record that
>> is of type NSEC, NSEC3, RRSIG or DNSKEY."
> 
> That's a bug in the man page?

> I can see how someone might want to remove DNSKEYs, but then that
> should probably be a different option.

As of commit http://git.nlnetlabs.nl/ldns/commit/?h=develop&id=2e824311
this is fixed in the man page and ldns-read-zone has extra options to
exclude (or include) certain RR types.

To strip all NSEC, NSEC3, RRSIG *and* DNSKEY RRs, one can now do

ldns-read-zone -s -e DNSKEY <zone>

which is equivalent to:

ldns-read-zone -e NSEC -e NSEC3 -e RRSIG -e DNSKEY <zone>

-- Willem
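
A check for the stripping described in the message above, as an added example that is not part of the original post or of ldns: it counts the DNSSEC RR types left in a zone by looking at the type column only, because RRSIG and NSEC rdata also contain type names and a plain grep would miscount. The function name, the sample zones and the assumption that each RR is printed on one line as owner, TTL, class, type, rdata are mine.

```shell
# Count RRs of each DNSSEC type in zone text read from stdin.
# Assumption: one RR per line, "owner TTL class type rdata", so the
# type is field 4. Type names inside rdata (the "type covered" field of
# an RRSIG, the NSEC type bitmap) are deliberately not counted.
dnssec_rr_counts() {
    awk '
        BEGIN { n["NSEC"] = 0; n["NSEC3"] = 0; n["RRSIG"] = 0; n["DNSKEY"] = 0 }
        /^[ \t]*(;|$)/ { next }      # skip comment and blank lines
        ($4 in n)      { n[$4]++ }
        END {
            printf "NSEC=%d NSEC3=%d RRSIG=%d DNSKEY=%d\n",
                   n["NSEC"], n["NSEC3"], n["RRSIG"], n["DNSKEY"]
        }
    '
}

# Constructed sample: a small signed zone (key and signature data are dummies).
sample_signed() {
    cat <<'EOF'
example.com. 3600 IN SOA ns.example.com. host.example.com. 1 3600 900 604800 300
example.com. 3600 IN DNSKEY 257 3 8 c2FtcGxl
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20140401000000 20140304000000 12345 example.com. c2FtcGxl
example.com. 300 IN NSEC www.example.com. SOA RRSIG NSEC DNSKEY
www.example.com. 3600 IN A 192.0.2.1
EOF
}

# Constructed sample: the same zone with NSEC, NSEC3 and RRSIG removed
# but the DNSKEY kept, which is what the thread reports for -s alone.
sample_after_s() {
    cat <<'EOF'
example.com. 3600 IN SOA ns.example.com. host.example.com. 1 3600 900 604800 300
example.com. 3600 IN DNSKEY 257 3 8 c2FtcGxl
www.example.com. 3600 IN A 192.0.2.1
EOF
}

# With ldns installed, the real check would be:
#   ldns-read-zone -s -e DNSKEY <zone> | dnssec_rr_counts
sample_signed  | dnssec_rr_counts
sample_after_s | dnssec_rr_counts
```

A result with `DNSKEY=1` after `-s` alone shows the key set is still in the zone; all four counters at zero is what `-s -e DNSKEY` should produce.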



