On Thu Oct 12 22:41:54 2017, marka wrote:
> I fail to see why this is needed at all. Remove the DS records from
> the parent zone and it doesn't matter if there are DNSSEC records in
> the zone as there is no longer a chain of trust. This is the first
> step in the process of unsigning a zone.

The use case in this instance is the need to import a signed zone from a third party via zone transfer, and to strip out the other party's DNSSEC material from the zone. The zone will then be signed again locally, but using a dnssec-signing tool rather than BIND's inline signing (which would otherwise have handled this very well!)

> The inline signer without any keys configured for the zone will
> achieve this but it shouldn't be necessary.

Are you suggesting that if you import an already-signed zone with "inline-signing yes;" but without providing keys to the inline signer that named will un-sign the zone without erroring over the lack of keys? Yes, this is what's wanted and should be quite easy for BIND to do, but I think it does not do it now.