How to remove RR from dnssec policy signed zone ?
Mark Andrews
marka at isc.org
Fri Dec 16 04:31:33 UTC 2022
Stop freezing the zone. Use nsupdate to update the zone. Add a record back in at the name using nsupdate. Then remove using nsupdate. If you really want to edit the zone by hand use ‘inline-signing yes;’.
> On 16 Dec 2022, at 14:39, vom513 <vom513 at gmail.com> wrote:
>
> * Sorry to spam the list guys, just really pulling my hair out with some aspects of this migration I’ve done...
>
> Seems like a simple question ? And maybe it is but I’m just way off track.
>
> I have a DNSSEC signed zone (dnssec-policy). It’s also dynamic. So to make a change (in this case remove a record) - I freeze the zone, edit the file (and up the serial properly), and thaw the zone.
>
> What seems to be happening is (I guess ?) there is some stale nsec3 record ? When I remove the RR and it’s RRSIG, other validating resolvers report SERVFAIL for the removed RR. On bind itself I get:
>
> expected covering NSEC3, got an exact match
>
> So it seems like it’s hitting something in the nsec3 chain that’s not there ? Or the record is gone now (it is) and this has left a “gap” in the NSEC3 chain ? I would expect/want to get an NXDOMAIN and NSEC3 records returned. I feel like I’m getting something out of whack with BIND’s key/signature/nsec state.
>
> Is there some trick to removing an RR in a zone like this ? I can’t believe it would be so difficult.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
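A worked version of the nsupdate approach described above, added here as an example and not taken from the thread or from BIND's own tooling: it re-adds the record at the name so the signer rebuilds the NSEC3 chain, deletes it in a second update, and then checks that a query for the name now gets an authenticated NXDOMAIN with NSEC3 records instead of SERVFAIL. Server address, zone, record name/data and the TSIG key file are assumed values.

```sh
#!/bin/sh
# Added example (not from the thread). Assumed: server 127.0.0.1, zone example.com,
# record old.example.com A 192.0.2.10, TSIG key in /etc/bind/update.key.

# Emit an nsupdate batch: first re-add the record at the name (so the signer
# regenerates the NSEC3/RRSIG state for it), then delete it in a second transaction.
nsupdate_batch() {
    server="$1"; zone="$2"; name="$3"; rtype="$4"; rdata="$5"
    printf 'server %s\nzone %s\nupdate add %s 300 %s %s\nsend\n' \
        "$server" "$zone" "$name" "$rtype" "$rdata"
    printf 'update delete %s %s\nsend\n' "$name" "$rtype"
}

# Apply the batch with nsupdate instead of freeze / edit / thaw (never run in tests).
remove_rr() {
    nsupdate_batch "$1" "$2" "$3" "$4" "$5" | nsupdate -k /etc/bind/update.key
}

# Read dig output on stdin and return 0 only for a sound authenticated denial:
# status NXDOMAIN plus NSEC3 records and their RRSIGs in the AUTHORITY section.
denial_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'status: NXDOMAIN' || return 1
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+NSEC3[[:space:]]' || return 1
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]+NSEC3[[:space:]]' || return 1
    return 0
}

# Query the server directly with DNSSEC records requested and check the denial.
check_removed() {
    dig +dnssec +noall +comments +authority @"$1" "$2" "$3" | denial_ok
}

# Usage (not executed here):
#   remove_rr 127.0.0.1 example.com old.example.com A 192.0.2.10
#   check_removed 127.0.0.1 old.example.com A && echo "clean NXDOMAIN with NSEC3"
```

If `check_removed` fails after the update, the log line quoted in the thread ("expected covering NSEC3, got an exact match") on the authoritative server is the next thing to look at.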