X-RT-Original-Encoding: utf-8
References: <rt-4.4.1-88549-1507739925-98.0-0-0@isc.org>
 <RT-Ticket-46252@isc.org>
Content-Type: text/plain; charset="utf-8"
X-RT-Interface: Web
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.508 (Entity 5.508)
Content-Disposition: inline
In-Reply-To: <rt-4.4.1-88549-1507739925-98.0-0-0@isc.org>
Message-ID: <rt-4.4.1-4770-1508012491-671.46252-0-0@isc.org>
RT-Send-CC:
Content-Length: 663

I suggested this to the fella at OARC, but I wasn't sure at the time that
it would work, and now I've confirmed that it does: the inline signing code
will strip DNSSEC content and serve an un-signed zone, if you use it without
configuring a local key:

zone example.com {
        type slave;
        masters { <address>; };
        allow-transfer { <addresses>; };
        inline-signing yes;
};

Note the lack of "auto-dnssec maintain", and no signing keys have been
generated. This will set up a server as a bump-in-the-wire "unsigner"
for example.com.

Can someone get back to him with that information? And I'll resolve this
ticket, as there's no work needed.