On Thu Oct 12 22:41:54 2017, marka wrote:
> I fail to see why this is needed at all. Remove the DS records from
> the parent zone and it doesn't matter if there are DNSSEC records in
> the zone as there is no longer a chain of trust. This is the first
> step in the process of unsigning a zone.

The use case in this instance is the need to import a signed zone from a third party via zone transfer, and to strip out the other party's DNSSEC material from the zone. The zone will then be signed again locally, but using a dnssec-signing tool rather than BIND's inline signing (which would otherwise have handled this very well!)

> The inline signer without any keys configured for the zone will
> achieve this but it shouldn't be necessary.

Are you suggesting that if you import an already-signed zone with "inline-signing yes;" but without providing keys to the inline signer that named will un-sign the zone without erroring over the lack of keys? Yes, this is what's wanted and should be quite easy for BIND to do, but I think it does not do it now.
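
The stripping step described in this message, sketched outside BIND as an added example (it is not part of the original message and not BIND code). It assumes the transferred zone is available as text with one record per line and an explicit owner name and numeric TTL on every line, as in `dig AXFR` output; the zone `example.test` and all record data are constructed.

```python
from collections import Counter

# Types carrying the upstream signer's material. DS is deliberately absent:
# DS RRsets for delegated children are ordinary zone data and must survive.
# Treating CDS/CDNSKEY as material to strip is an assumption of this example.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}
CLASSES = {"IN", "CH", "HS"}

def rr_type(line):
    """RR type of a one-record-per-line entry; None for blanks, comments, $directives."""
    tokens = line.split(";", 1)[0].split()
    if not tokens or tokens[0].startswith("$"):
        return None
    for tok in tokens[1:]:  # tokens[0] is the owner name
        if tok.isdigit() or tok.upper() in CLASSES:
            continue  # skip TTL and class fields
        return tok.upper()
    return None

def strip_dnssec(zone_text):
    """Return (kept_lines, Counter of removed record types)."""
    kept, removed = [], Counter()
    for line in zone_text.splitlines():
        rtype = rr_type(line)
        if rtype in DNSSEC_TYPES:
            removed[rtype] += 1
        else:
            kept.append(line)
    return kept, removed

# Constructed sample; key and signature data are placeholders.
SAMPLE_AXFR = """\
; constructed transfer of example.test
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20171111000000 20171012000000 12345 example.test. c2FtcGxl
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 8 c2FtcGxl
child.example.test. 3600 IN NS ns.child.example.test.
child.example.test. 3600 IN DS 54321 8 2 00112233
child.example.test. 3600 IN RRSIG DS 8 3 3600 20171111000000 20171012000000 12345 example.test. c2FtcGxl
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20171111000000 20171012000000 12345 example.test. c2FtcGxl
www.example.test. 3600 IN NSEC example.test. A RRSIG NSEC
txt.example.test. 3600 IN TXT "v=spf1 -all; RRSIG"
"""

if __name__ == "__main__":
    kept, removed = strip_dnssec(SAMPLE_AXFR)
    print("\n".join(kept))
    print("; removed:", dict(removed))
```

Matching on the type field rather than searching the whole line keeps the TXT record whose data happens to contain the string "RRSIG", and keeps the child's DS record, which the locally signed zone still needs.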