On Mon, Jun 24, 2019 at 11:54:25AM +0200, Roman Serbski wrote:
> On Mon, Jun 24, 2019 at 11:26 AM Berry A.W. van Halderen
> <[email protected]> wrote:
> >
> > Is this zone still listed in
> > /var/opendnssec/enforcer/zones.xml
> > or equivalent path depending on your target installation?
> >
> > Also is the zone listed when issuing the command
> > ods-signer zones
>
> Hi Berry,
>
> Thanks for your reply.
>
> The zone in question doesn't exist in zones.xml
> (/usr/local/var/opendnssec/enforcer/zones.xml in my case), however, it
> does appear in the output of 'ods-signer zones | grep example':
>
> - example.com
>
> I also noticed old xml files in signconf directory:
>
> -rw-r--r-- 1 root opendnssec 1129 Mar 18 2018 example.com.xml.OLD
> -rw-r--r-- 1 root opendnssec 1318 Apr 1 13:41
> example.com.xml.ZONE_DELETED

Hi,

my opinion:

That's because ods-signer stores the zone list internally. It's fully
independent from ods-enforcer. We know that ods-enforcer stores the zone
list in a database (mysql in my case). But ods-signer does not. It loads
zones from the file every time you:
- restart the ods-signer daemon
- run the command "ods-signer update --all"

And of course, it does this after receiving the internal "update" command
from ods-enforcer, but only when you add a new one with the command:

# ods-enforcer add -z <zone>

******
ods-enforcer removes the zone silently. ods-signer knows nothing about
the removal.
******

In light of the above, after deleting a zone in ods-enforcer, you should
run these ods-signer commands:

# ods-signer clear <zone>
# ods-signer update --all

The first command clears information about adapters. The second command
reloads from the file and refreshes ods-signer's internal list of zones.

Regards,
Andrew

>
> Regards,
> Roman

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
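
Added example, not part of the original messages and not OpenDNSSEC code: a dry-run check that finds zones the signer still lists after they were removed from the enforcer's zones.xml, and prints the two clean-up commands from the reply above. It assumes one `<Zone name="...">` element per line in zones.xml and the "- name" line format of 'ods-signer zones' shown in the thread; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC code). File formats below are assumptions.

# List zones the signer still reports that are absent from zones.xml.
#   $1 = enforcer zones.xml, one <Zone name="..."> element per line (assumed)
#   $2 = saved output of 'ods-signer zones', zones shown as "- name"
stale_signer_zones() {
    awk '
        FILENAME == ARGV[1] {
            if (match($0, /<Zone name="[^"]*"/))
                known[tolower(substr($0, RSTART + 12, RLENGTH - 13))] = 1
            next
        }
        sub(/^- /, "") && !(tolower($0) in known)
    ' "$1" "$2"
}

# Dry run: print the two clean-up commands from the reply; nothing is executed.
cleanup_plan() {
    stale_signer_zones "$1" "$2" | {
        n=0
        while IFS= read -r zone; do
            case $zone in   # refuse names with shell-significant characters
                ''|*[!A-Za-z0-9._-]*) echo "skipped: $zone" >&2; continue ;;
            esac
            echo "ods-signer clear $zone"
            n=$((n + 1))
        done
        [ "$n" -eq 0 ] || echo "ods-signer update --all"
    }
}

# Constructed sample data: example.com was deleted in the enforcer only.
demo=$(mktemp -d)
cat > "$demo/zones.xml" <<'EOF'
<ZoneList>
  <Zone name="example.org">
    <Policy>default</Policy>
  </Zone>
</ZoneList>
EOF
cat > "$demo/signer-zones.txt" <<'EOF'
- example.com
- example.org
EOF
cleanup_plan "$demo/zones.xml" "$demo/signer-zones.txt"
```

On a real host the second argument would be a file holding the saved output of 'ods-signer zones'; review the printed commands before running them.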
