How to remove RR from dnssec policy signed zone ?

vom513 vom513 at gmail.com
Fri Dec 16 03:39:24 UTC 2022


* Sorry to spam the list guys, just really pulling my hair out with some aspects of this migration I’ve done...

Seems like a simple question ?  And maybe it is but I’m just way off track.

I have a DNSSEC signed zone (dnssec-policy).  It’s also dynamic.  So to make a change (in this case remove a record) - I freeze the zone, edit the file (and up the serial properly), and thaw the zone.

What seems to be happening is (I guess ?) there is some stale nsec3 record ?  When I remove the RR and it’s RRSIG, other validating resolvers report SERVFAIL for the removed RR.  On bind itself I get:

expected covering NSEC3, got an exact match

So it seems like it’s hitting something in the nsec3 chain that’s not there ? Or the record is gone now (it is) and this has left a “gap” in the NSEC3 chain ?  I would expect/want to get an NXDOMAIN and NSEC3 records returned.  I feel like I’m getting something out of whack with BIND’s key/signature/nsec state.

Is there some trick to removing an RR in a zone like this ?  I can’t believe it would be so difficult.
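As an added illustration (not code from the original post, and not BIND's implementation), here is a small Python model of an NSEC3 chain: it hashes owner names per RFC 5155 and shows that a chain still carrying the deleted name's hash answers with an exact match (which a validator reads as "this name exists"), while a chain regenerated after the removal answers with a covering NSEC3. The zone names are constructed; the salt and iteration count of the RFC 5155 example zone are used only for a self-check.

```python
import base64
import hashlib

# Added, constructed model (not from the original post or from BIND): a tiny
# NSEC3 chain, used to show why a stale NSEC3 for a deleted name produces
# "expected covering NSEC3, got an exact match" instead of an NXDOMAIN proof.

B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                       "0123456789abcdefghijklmnopqrstuv")

def wire_name(name):
    """Canonical (lowercase) wire form of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1(x || salt), re-hashed `iterations` more times, base32hex."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").rstrip("=").translate(B32HEX)

def build_chain(names, salt=b"", iterations=0):
    """Sorted NSEC3 owner hashes; each entry's 'next' is the following one (last wraps)."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)

def classify(chain, qname, salt=b"", iterations=0):
    """'exact': an NSEC3 owned by H(qname) exists, so the chain asserts the name EXISTS.
    'covering': H(qname) lies strictly between two entries, proving the name is absent.
    (A full NXDOMAIN proof also needs closest-encloser/wildcard NSEC3s; omitted here.)"""
    h = nsec3_hash(qname, salt, iterations)
    if h in chain:
        return "exact"
    if len(chain) == 1:          # a lone NSEC3 covers the whole hash space
        return "covering"
    for i, owner in enumerate(chain):
        nxt = chain[(i + 1) % len(chain)]
        wraps = owner > nxt      # the last entry points back to the first
        if (owner < h < nxt) or (wraps and (h > owner or h < nxt)):
            return "covering"
    return "none"

def demo():
    """Delete old.example.test.; compare a stale chain with one rebuilt after the removal."""
    zone = ["example.test.", "www.example.test.", "old.example.test."]
    stale = build_chain(zone)        # chain still carries the deleted name's hash
    fresh = build_chain(zone[:-1])   # chain regenerated without the deleted name
    return classify(stale, "old.example.test."), classify(fresh, "old.example.test.")
```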

