How to remove RR from dnssec policy signed zone ?

Fri Dec 16 04:47:47 UTC 2022

> On Dec 15, 2022, at 11:31 PM, Mark Andrews <marka at isc.org> wrote:
> 
> Stop freezing the zone.  Use nsupdate to update the zone.  Add a record back in at the name using nsupdate.  Then remove using nsupdate.  If you really want to edit the zone by hand use ‘inline-signing yes;’.
> 

Yes, this is exactly what I did a short time after posting to the list :/  nsupdate worked exactly as expected.  I was “doing surgery” on the signed file.  Obviously ended in disappointment.  

For some reason I had it stuck in my head that inline-signing was mutually exclusive with dnssec-policy.  That was my missing piece.  Thanks.