Stop freezing the zone. Use nsupdate to update the zone. Add a record back in at the name using nsupdate. Then remove using nsupdate. If you really want to edit the zone by hand use ‘inline-signing yes;’.
> On 16 Dec 2022, at 14:39, vom513 <vom...@gmail.com> wrote:
>
> * Sorry to spam the list guys, just really pulling my hair out with some
> aspects of this migration I’ve done...
>
> Seems like a simple question ? And maybe it is but I’m just way off track.
>
> I have a DNSSEC signed zone (dnssec-policy). It’s also dynamic. So to make
> a change (in this case remove a record) - I freeze the zone, edit the file
> (and up the serial properly), and thaw the zone.
>
> What seems to be happening is (I guess ?) there is some stale nsec3 record ?
> When I remove the RR and its RRSIG, other validating resolvers report
> SERVFAIL for the removed RR. On bind itself I get:
>
> expected covering NSEC3, got an exact match
>
> So it seems like it’s hitting something in the nsec3 chain that’s not there ?
> Or the record is gone now (it is) and this has left a “gap” in the NSEC3
> chain ? I would expect/want to get an NXDOMAIN and NSEC3 records returned.
> I feel like I’m getting something out of whack with BIND’s key/signature/nsec
> state.
>
> Is there some trick to removing an RR in a zone like this ? I can’t believe
> it would be so difficult.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
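An added illustration, not part of the original thread or of BIND: the sketch below computes RFC 5155 NSEC3 hashes and shows why a validator reports an exact match instead of a covering NSEC3 when a removed name still has an NSEC3 record in the chain. It assumes the stale-NSEC3 explanation guessed at in the quoted question; the zone names, the `old.example` record and the helper functions are constructed for the example, and the salt and iteration count are those of the RFC 5155 Appendix A test zone.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex (RFC 4648), lowercase as in zone files.
_B32_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash of a domain name (hash algorithm 1, SHA-1)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # extra iterations re-hash digest || salt
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode("ascii")

def build_chain(names, salt_hex, iterations):
    """Return the circular NSEC3 chain as (owner_hash, next_hash) pairs."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]

def classify(chain, qname, salt_hex, iterations):
    """Say whether qname's hash matches an NSEC3 owner or falls in a gap."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, nxt in chain:
        if owner == h:
            return "exact match"         # the chain asserts that the name exists
        # Normal gap, or the wrap-around gap of the last record in the chain.
        if owner < h < nxt or (nxt <= owner and (h > owner or h < nxt)):
            return "covered"             # valid proof that the name does not exist
    return "no NSEC3"

SALT, ITERATIONS = "aabbccdd", 12        # parameters of the RFC 5155 Appendix A zone
KEPT = ["example", "ns1.example", "www.example"]   # constructed zone contents
REMOVED = "old.example"                  # constructed: the record deleted by hand

# Chain as it was signed before the hand edit: REMOVED still has an NSEC3.
stale_chain = build_chain(KEPT + [REMOVED], SALT, ITERATIONS)
# Chain after a dynamic update, where the server rebuilds NSEC3 itself.
fresh_chain = build_chain(KEPT, SALT, ITERATIONS)

if __name__ == "__main__":
    print("stale chain:", classify(stale_chain, REMOVED, SALT, ITERATIONS))
    print("fresh chain:", classify(fresh_chain, REMOVED, SALT, ITERATIONS))
```

An NXDOMAIN proof needs the removed name to fall in a gap between two NSEC3 owners; the stale chain gives an exact match instead, which is the condition the BIND log message describes.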