Hello.
I would recommend
ldns-read-zone -s -e DNSKEY -e CDNSKEY -e CDS
Not part of BIND but a proven tool nevertheless ;-)
Petr Špaček
Internet Systems Consortium
On 12. 12. 25 18:30, Crist Clark wrote:
Had the same question last May. Didn’t find a way with BIND tools,
https://lists.isc.org/mailman/htdig/bind-users/2025-May/109848.html
On Fri, Dec 12, 2025 at 7:56 AM Benoit Panizzon <[email protected]> wrote:
Hi Team
Of course I was also hit in the face by the inline-signing change when
using dnssec policies.
https://kb.isc.org/docs/bind-920-changes#runtime-configuration
resulting in broken validation chains etc.
I would like to start over with the affected signed zones.
I made sure to commit all changes back to the file with rndc sync -clean
And now I would like to start over by removing all signatures from the
zone file and properly use inline-signing=yes with unsigned base files.
dnssec-signzone can remove -Q inactive key or -R unpublished keys
But I found no option to remove all signatures. How do I get to a
pristine zone file without dnssec from a file with signatures?
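
What such a filter has to handle in a master file written back with rndc sync, as an added example that is not part of the thread and is not ISC or ldns code: multi-line records in parentheses, and records that inherit their owner name from a line that gets dropped. The function name `strip_dnssec`, its `origin` parameter and the set of dropped types are assumptions of this example.

```python
import re

# Added example. The type set is an assumption; TYPE65534 is BIND's default private signing-state type.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM",
                "DNSKEY", "CDNSKEY", "CDS", "TYPE65534"}
CLASSES = {"IN", "CH", "HS"}
_SKIP = re.compile(r'(\\.|"(?:\\.|[^"\\])*")|;.*')   # escape or quoted string | comment

def strip_dnssec(zone_text, origin):
    """Drop DNSSEC records; origin is the absolute zone name, e.g. 'example.test.'."""
    kept, record, depth, owner, emitted = [], [], 0, None, None
    for raw in zone_text.splitlines():
        text = _SKIP.sub(lambda m: m.group(1) or "", raw).rstrip()  # cut ';' comment
        bare = _SKIP.sub("", text)        # ignore parens inside quotes or escapes
        if not text and not record:
            continue                      # blank or comment-only line
        record.append(text)
        depth += bare.count("(") - bare.count(")")
        if depth > 0:
            continue                      # record continues inside ( ... )
        lines, record, depth = record, [], 0
        tokens = " ".join(lines).replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):     # directives pass through unchanged
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]        # assumed to be written as an absolute name
            kept += lines
            continue
        implicit = lines[0][0].isspace()  # no owner field: inherits the previous owner
        if not implicit:
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        rtype = next(t.upper() for t in tokens   # first token that is not TTL or class
                     if not t[0].isdigit() and t.upper() not in CLASSES)
        if rtype in DNSSEC_TYPES:
            continue
        if implicit and owner != emitted: # the line that named the owner was dropped
            lines[0] = owner + "\t" + lines[0].lstrip()
        emitted = owner
        kept += lines
    return "\n".join(kept) + "\n"

# Constructed sample: "www" is named only on an RRSIG line, which gets removed.
SAMPLE = """\
@   300 IN SOA ns1 hostmaster ( 1 3600 600 86400 300 ) ; constructed sample
    DNSKEY 257 3 13 ( AAAA
        BBBB )
www RRSIG A 13 3 300 20260101000000 20251201000000 1 example.test. CCCC
    A   192.0.2.10
"""
```

DS records are kept on purpose, since they belong to delegations to child zones rather than to this zone's own signing.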