This recipe describes how to revert from a signed zone (DNSSEC) back to an unsigned one (plain DNS).
Whether or not the world thinks your zone is signed really comes down to the DS records hosted by your parent zone. If there are no DS records, the world thinks your zone is not signed. So reverting to unsigned is as easy as removing all DS records from the parent zone.
Below is an example of removing all DS records using the GoDaddy web-based interface.
After logging in, click the green "Launch" button next to the domain name you want to manage.
Scroll down to the "DS Records" section and click Manage.
A dialog appears, displaying all current keys. Use the far right hand X button to remove each key.
Click Save.
To be on the safe side, you should wait a while before actually deleting all signed data from your zone, just in case some validating resolvers out there have cached information. After you are certain that all cached information has expired (usually this means the TTL has passed), you may reconfigure your zone. This is the named.conf zone statement while the zone is signed; the three DNSSEC-related lines are key-directory, inline-signing and auto-dnssec:
    zone "example.com" IN {
        type master;
        file "db/example.com.db";
        key-directory "keys/example.com";
        inline-signing yes;
        auto-dnssec maintain;
        allow-transfer { any; };
    };
Remove those three lines so your named.conf looks like this, then use rndc reload to reload the zone:
    zone "example.com" IN {
        type master;
        file "db/example.com.db";
        allow-transfer { any; };
    };
Your zone is now reverted back to the traditional, insecure DNS format.
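Before removing the signing configuration, it is worth confirming that the parent really returns no DS records and working out how long cached DS/DNSKEY/RRSIG data could still be acted on by validating resolvers. The script below is an added example, not part of the original recipe or of BIND: it parses `dig +noall +answer` style output (the sample lines here are constructed, with placeholder key tags and digests) and reports whether the world now sees the zone as unsigned and the longest TTL still to wait; the `query` helper assumes `dig` is installed and is not exercised by the sample data.

```python
"""Check whether a zone looks unsigned to the world (no DS at the parent) and
how long cached DS/DNSKEY/RRSIG data may linger before signed data is removed."""
import subprocess


def parse_answer(lines):
    """Parse `dig +noall +answer` lines into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue  # not an answer line
        owner, ttl, _cls, rtype = parts[:4]
        rdata = parts[4] if len(parts) > 4 else ""
        records.append((owner, int(ttl), rtype, rdata))
    return records


def unsigned_status(ds_lines, dnskey_lines):
    """Return (world_sees_unsigned, seconds_to_wait).

    world_sees_unsigned is True only when the parent answers with no DS records.
    seconds_to_wait is the largest TTL still attached to DS, DNSKEY or RRSIG data,
    i.e. the longest a validating resolver might keep using the old chain of trust."""
    ds = [r for r in parse_answer(ds_lines) if r[2] == "DS"]
    keys = [r for r in parse_answer(dnskey_lines) if r[2] in ("DNSKEY", "RRSIG")]
    wait = max((r[1] for r in ds + keys), default=0)
    return (len(ds) == 0, wait)


def query(zone, rtype, server=None):
    """Live lookup with dig (assumes dig is installed); not used by the samples below."""
    cmd = ["dig", "+noall", "+answer", zone, rtype]
    if server:
        cmd.append("@" + server)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


# Constructed sample answers (placeholder key tag and digest, not real values).
DS_BEFORE = ["example.com.\t3600\tIN\tDS\t12345 13 2 PLACEHOLDERDIGEST"]
DS_AFTER = []  # the parent no longer publishes any DS for example.com
DNSKEY_CACHED = [
    "example.com.\t600\tIN\tDNSKEY\t257 3 13 PLACEHOLDERPUBLICKEY",
    "example.com.\t600\tIN\tRRSIG\tDNSKEY 13 2 600 20240101000000 20231201000000 12345 example.com. PLACEHOLDERSIG",
]
```

With DS_AFTER the zone already looks unsigned to the world, but the 600-second DNSKEY/RRSIG TTL says how long to keep serving the signed data before editing named.conf.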