Reverting to Unsigned Recipe

This recipe describes how to revert from signed zone (DNSSEC) back to unsigned (DNS).

Whether or not the world thinks your zone is signed really comes down to the DS records hosted by your parent zone. If there are no DS records, the world thinks your zone is not signed. So reverting to unsigned is as easy as removing all DS records from the parent zone.

Below is an example of using the GoDaddy web-based interface to remove all DS records.

  1. After logging in, click the green "Launch" button next to the domain name you want to manage.

    Figure 7.12. Revert to Unsigned Step #1

  2. Scroll down to the "DS Records" section and click Manage.

    Figure 7.13. Revert to Unsigned Step #2

  3. A dialog appears, displaying all current keys. Use the X button on the far right to remove each key.

    Figure 7.14. Revert to Unsigned Step #3

  4. Click Save.

    Figure 7.15. Revert to Unsigned Step #4

To be on the safe side, you should wait a while before actually deleting all signed data from your zone, just in case some validating resolvers out there still have the information cached. After you are certain that all cached information has expired (usually this means the TTL has passed), you may reconfigure your zone. This is the zone definition in named.conf while the zone is signed; the three DNSSEC-related lines are key-directory, inline-signing and auto-dnssec:

zone "example.com" IN {
    type master;
    file "db/example.com.db";
    key-directory "keys/example.com";
    inline-signing yes;
    auto-dnssec maintain;
    allow-transfer { any; };
};

Remove those three lines so your named.conf looks like this, then run rndc reload to reload the zone:

zone "example.com" IN {
    type master;
    file "db/example.com.db";
    allow-transfer { any; };
};

Your zone is now reverted to the traditional, insecure (unsigned) DNS format.
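As an added check that is not part of the original guide, the following Python snippet compares dig DS output captured before and after steps 1 to 4 and reports whether the parent has stopped publishing DS records and how long to wait (the old DS TTL) before removing the three lines from named.conf. The dig output embedded below is constructed, not a real capture, and the key tag and digest are placeholders.

```python
import re

# One DS record as printed in the ANSWER section of `dig DS <zone>`:
# owner  TTL  IN  DS  keytag  algorithm  digest-type  digest
DS_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+DS\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f ]+)$"
)

def parse_ds_records(dig_output: str):
    """Return every DS record in dig output as (ttl, keytag, algorithm, digest_type)."""
    records = []
    for line in dig_output.splitlines():
        m = DS_RE.match(line.strip())
        if m:
            records.append((int(m["ttl"]), int(m["tag"]), int(m["alg"]), int(m["dtype"])))
    return records

def unsign_readiness(before_removal: str, after_removal: str):
    """Compare `dig DS` output from before and after deleting the DS records at the parent.

    Returns (safe, wait_seconds, remaining): safe is True only when the parent no longer
    returns any DS record; wait_seconds is the longest TTL of the old DS RRset, which is how
    long a validating resolver may still hold the DS in cache (and so still expect
    signatures); remaining lists any DS records the parent still publishes.
    """
    old = parse_ds_records(before_removal)
    remaining = parse_ds_records(after_removal)
    wait_seconds = max((ttl for ttl, *_ in old), default=0)
    return (len(remaining) == 0, wait_seconds, remaining)

# Constructed sample dig output, not captured from a real query; the digest is a placeholder.
DIGEST = "AB" * 32
SAMPLE_BEFORE = f"""\
; <<>> DiG 9.16.1 <<>> DS example.com
;; ANSWER SECTION:
example.com.\t\t3600\tIN\tDS\t12345 13 2 {DIGEST}
example.com.\t\t3600\tIN\tDS\t12345 13 4 {DIGEST}
"""
SAMPLE_AFTER = """\
; <<>> DiG 9.16.1 <<>> DS example.com
;; AUTHORITY SECTION:
com.\t\t\t900\tIN\tSOA\tns.parent.example. hostmaster.parent.example. 1 1800 900 604800 86400
"""

if __name__ == "__main__":
    safe, wait, left = unsign_readiness(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(f"safe to unsign: {safe}; wait at least {wait}s; DS still published: {left}")
```

Feed it the real output of dig DS for your zone taken before and after the DS removal; only once it reports safe and the wait has elapsed should the inline-signing lines be removed.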