[Opendnssec-user] Deleting the zone

Andrew Ivanov ivanov at data1.co
Tue Jun 25 08:57:28 UTC 2019


On Mon, Jun 24, 2019 at 11:54:25AM +0200, Roman Serbski wrote:
> On Mon, Jun 24, 2019 at 11:26 AM Berry A.W. van Halderen
> <berry at nlnetlabs.nl> wrote:
> >
> > Is this zone still listed in
> >   /var/opendnssec/enforcer/zones.xml
> > or equivalent path depending on your target installation?
> >
> > Also is the zone listed when issuing the command
> >   ods-signer zones
> 
> Hi Berry,
> 
> Thanks for your reply.
> 
> The zone in question doesn't exist in zones.xml
> (/usr/local/var/opendnssec/enforcer/zones.xml in my case), however, it
> does appear in the output of 'ods-signer zones | grep example':
> 
> - example.com
> 
> I also noticed old xml files in signconf directory:
> 
> -rw-r--r--  1 root        opendnssec  1129 Mar 18  2018 example.com.xml.OLD
> -rw-r--r--  1 root        opendnssec  1318 Apr  1 13:41 example.com.xml.ZONE_DELETED

Hi, my opinion:

That's because ods-signer stores the zone list internally. It's fully independent from ods-enforcer.

We know that ods-enforcer stores the zone list in a database (mysql in my case). But ods-signer does not.
It loads zones from the file every time you:

- restart ods-signer daemon
- run command "ods-signer update --all"

And of course, it does this after receiving an internal "update" command from ods-enforcer, but only when you add a new one
with the command:

# ods-enforcer add -z <zone>

******

ods-enforcer removes the zone silently. ods-signer knows nothing about the removal.

******

In light of the above, after deleting a zone in ods-enforcer, you should run these ods-signer commands:

# ods-signer clear <zone>
# ods-signer update --all

The first command clears information about adapters.
The second command reloads from the file and refreshes ods-signer's internal list of zones.

Regards,
Andrew

> 
> Regards,
> Roman
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
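
Added example, not part of the original message and not OpenDNSSEC code: a check for the mismatch discussed in this thread, listing zones that 'ods-signer zones' still reports but zones.xml no longer contains, and printing the two cleanup commands given above. The function names are hypothetical, both sample inputs are constructed, and it assumes zones.xml holds <Zone name="..."> elements.

```sh
#!/bin/sh
# Added example: find zones ods-signer still lists after removal from zones.xml.
# Function names are hypothetical; both SAMPLE_* inputs are constructed.

# Lower-case, strip a trailing dot, de-duplicate (DNS names are case-insensitive).
norm() { tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u; }

# Zone names from zones.xml text, assuming <Zone name="..."> elements.
zonelist_zones() {
    printf '%s\n' "$1" |
        sed -n 's/.*<Zone[[:space:]][[:space:]]*name="\([^"]*\)".*/\1/p' | norm
}

# Zone names from `ods-signer zones` text; entries look like "- example.com".
signer_zones() {
    printf '%s\n' "$1" |
        sed -n 's/^-[[:space:]][[:space:]]*\([^[:space:]][^[:space:]]*\).*$/\1/p' | norm
}

# Zones the signer lists that zones.xml no longer contains.
stale_zones() {
    known=$(zonelist_zones "$1")
    signer_zones "$2" | while IFS= read -r z; do
        printf '%s\n' "$known" | grep -Fxq -- "$z" || printf '%s\n' "$z"
    done
}

# Print (never run) the cleanup commands from the message for each stale zone.
cleanup_commands() {
    stale=$(stale_zones "$1" "$2")
    [ -n "$stale" ] || return 0
    printf '%s\n' "$stale" | sed 's/^/ods-signer clear /'
    printf '%s\n' 'ods-signer update --all'
}

SAMPLE_ZONELIST='<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.org">
    <Policy>default</Policy>
  </Zone>
</ZoneList>'
SAMPLE_SIGNER='I have 2 zones configured
- example.com
- Example.ORG.'

cleanup_commands "$SAMPLE_ZONELIST" "$SAMPLE_SIGNER"
```

On a live host, pass the contents of your zones.xml and the output of 'ods-signer zones' in place of the two samples.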


