On 02/01/11 19:44, Paul Wouters wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>
>> To clarify things, I'm using BIND 9.7.2-P2.
>>
>> First is about input file: you can specify on the command line either the
>> signed version of the zone, or the unsigned one.
>> What I'd like to do however, is to use both.
>> The unsigned zone is much more readable, and can contain $INCLUDE directives,
>> which makes modification easier.
>> But specifying the signed zone has added benefit of reusing existing
>> signatures, thus saving on computation time (not that I have a lot to save
>> on ;). So, I'd like dnssec-signzone to take 'normal' records from non-signed
>> zone, try to reuse RRSIG records as much as possible, taking them from
>> signed zone, and write the result.
>
> see ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only)
> combined with -n (don't print soa) for one of them.

Thanks, nice tool. I'd have to look at ldns-* as I've only used drill from ldns packages.

> Basically run the signed zone through ldns-read-zone -s, concatenate it
> with your unsigned zone, and run it through dnssec-signzone.

Or have a script that either strips the data from signed zone or creates an empty file and then $INCLUDE that file in original unsigned zone.

Torinthiel
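One way to write the script variant mentioned at the end of the message: keep only the RRSIG records from the previous signed zone, or write an empty file when there is none, so the unsigned zone can always `$INCLUDE` it. This is an added example, not code from the thread; the function names and `SAMPLE` are constructed, and it assumes the signed zone uses absolute owner names and numeric TTLs.

```python
import os

def logical_records(text):  # one string per record, "( ... )" lines joined
    rec, depth, quoted = "", 0, False
    for line in text.splitlines():
        for ch in line:
            if ch == '"':
                quoted = not quoted
            elif not quoted and ch == ";":      # comment runs to end of line
                break
            elif not quoted and ch in "()":
                depth += 1 if ch == "(" else -1
                ch = " "
            rec += ch
        rec += " "
        if depth == 0 and not quoted:
            if rec.strip():
                yield rec
            rec = ""

def extract_rrsigs(signed_text):  # RRSIGs as one-line records, owner filled in
    owner, out = None, []
    for rec in logical_records(signed_text):
        tok = rec.split()
        if tok[0].startswith("$"):              # $TTL / $ORIGIN directives
            continue
        if not rec[0].isspace():                # leading blank = owner inherited
            owner = tok.pop(0)
        rtype = next((t for t in tok if not t.isdigit() and t.upper() != "IN"), "")
        if owner and rtype.upper() == "RRSIG":
            out.append(" ".join([owner, *tok]))
    return out

def write_sig_include(signed_path, include_path):
    sigs = []
    if os.path.exists(signed_path):             # first run: no signed zone yet
        with open(signed_path) as fh:
            sigs = extract_rrsigs(fh.read())
    with open(include_path + ".tmp", "w") as fh:
        fh.writelines(s + "\n" for s in sigs)   # empty file when nothing to reuse
    os.replace(include_path + ".tmp", include_path)
    return len(sigs)

SAMPLE = """example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
                2011020101 3600 900 604800 3600 ) ; constructed sample
             3600 RRSIG SOA 5 2 3600 20110303000000 (
                20110201000000 12345 example.com. Q09OU1RSVUNURUQ= )
"""
```

Run `write_sig_include` before each signing pass; the signer then decides which of the included signatures are still usable.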