[Opendnssec-user] Deleting the zone
Berry A.W. van Halderen
berry at nlnetlabs.nl
Mon Jun 24 09:26:26 UTC 2019
On 6/24/19 11:10 AM, Roman Serbski wrote:
> Hello,
>
> [Hidden master:192.168.7.46] <---> [OpenDNSSEC:192.168.7.47] <--->
> [Public slave]
>
> The OS is FreeBSD 11.1-RELEASE with NSD 4.1.24 and OpenDNSSEC 2.1.3
> both installed from ports.
>
> I occasionally see axfr failures on the hidden master for zones that I
> deleted from OpenDNSSEC, so I guess I missed some cleanup steps.
Is this zone still listed in
/var/opendnssec/enforcer/zones.xml
or equivalent path depending on your target installation?
Also is the zone listed when issuing the command
ods-signer zones
Iff specified in both then the state is at least consistent and
you've probably hit issue
https://issues.opendnssec.org/browse/OPENDNSSEC-682
The backup, axfr and ixfr files aren't discovered by opendnssec, it
does not scan these directories, so that should not be an issue.
Though OpenDNSSEC does not remove these files when a zone is deleted.
Although this is not deliberate, and at the moment not that easy to
fix, I am also hesitant to fix this, as some people use this to remove
and add the zone in succession. There are also people that want this
as a safety feature.
But it clutters the directory.
\BErry
>
> example.com doesn't exist on OpenDNSSEC server:
>
> ods-enforcer zone list | grep -i example
>
> But ods-signerd still knows about it:
>
> Jun 24 10:34:57 srv-sign ods-signerd: [xfrd] zone example.com request
> axfr to 192.168.7.46
> Jun 24 10:34:57 srv-sign ods-signerd: [xfrd] bad packet: zone
> example.com received error code NOTAUTH from 192.168.7.46
> Jun 24 10:34:57 srv-sign ods-signerd: [xfrd] bad packet: zone
> example.com received bad xfr packet from 192.168.7.46 (nodata)
>
> I do see some stale files in tmp -- could this be the cause?
>
> -rw-r--r-- 1 root opendnssec 5284 Jun 23 06:02 example.com.axfr
> -rw-r--r-- 1 root opendnssec 6467 Jun 24 10:02 example.com.backup2
> -rw-r--r-- 1 root opendnssec 40462 Jun 23 06:02 example.com.ixfr
>
> And here is how I delete the zone:
>
> ods-enforcer zone delete --zone example.com
>
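
The reply above says OpenDNSSEC leaves the per-zone backup, axfr and ixfr files behind when a zone is deleted. The following is an added example, not part of the original thread or of OpenDNSSEC: it reports such leftover files for zones no longer declared in zones.xml, without deleting anything. It assumes zones.xml declares zones as `<Zone name="...">` elements and that the signer's tmp directory is passed in by the caller; the function names and the sample data are constructed for illustration.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Suffixes of the per-zone signer files shown in the directory listing in the post.
SIGNER_SUFFIXES = (".axfr", ".ixfr", ".backup2")

def zones_in_zonelist(zonelist_path):
    """Return the zone names declared as <Zone name="..."> in zones.xml (assumed layout)."""
    root = ET.parse(zonelist_path).getroot()
    return {z.get("name").rstrip(".").lower() for z in root.iter("Zone") if z.get("name")}

def orphaned_signer_files(zonelist_path, tmp_dir):
    """Map zone name -> leftover file names for zones that are absent from zones.xml."""
    known = zones_in_zonelist(zonelist_path)
    orphans = {}
    for path in sorted(Path(tmp_dir).iterdir()):
        if not path.is_file():
            continue
        for suffix in SIGNER_SUFFIXES:
            if path.name.endswith(suffix):
                # Strip the suffix to recover the zone name the file belongs to.
                zone = path.name[: -len(suffix)].rstrip(".").lower()
                if zone and zone not in known:
                    orphans.setdefault(zone, []).append(path.name)
                break
    return orphans

def demo():
    """Build a constructed zones.xml and tmp directory, then report the orphans."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        zonelist = work / "zones.xml"
        zonelist.write_text(
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<ZoneList><Zone name="example.org"><Policy>default</Policy></Zone></ZoneList>\n'
        )
        tmp = work / "tmp"
        tmp.mkdir()
        # Constructed sample: example.com was deleted, example.org is still configured.
        for name in ("example.com.axfr", "example.com.backup2", "example.com.ixfr",
                     "example.org.backup2", "unrelated.txt"):
            (tmp / name).touch()
        return orphaned_signer_files(zonelist, tmp)

if __name__ == "__main__":
    for zone, files in demo().items():
        print(f"{zone}: not in zones.xml, leftover files: {', '.join(files)}")
```

Check the reported zones against the output of `ods-signer zones` before removing anything, since the reply notes that some people rely on these files when removing and re-adding a zone.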