dnssec/obsolete dns keys removal - how to?
Florian Piekert
floppy at floppy.org
Fri Jun 20 17:16:57 UTC 2025
Hello,
wow, that did the trick. I didn't think of this at all. It, after all, appeared to be VERY obvious. I don't know why I overlooked this possibility.
THANK YOU!
On 20.06.2025 at 19:03, Crist Clark wrote:
> Do you have a <zonefile>.signed file that BIND created? To be 100%, shut down named, kill that file, then restart. But removing the file and just doing an rndc reload on the zone may be enough.
>
> On Fri, Jun 20, 2025 at 7:20 AM Florian Piekert via bind-users <bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>> wrote:
>
> Dear all,
>
> I have tried some faulty ways to set up DNSSEC for some of my domains about a month ago. This resulted in the creation of several ZSK, KSK and CSK DNSSEC keys (and files) until I got a configuration that actually was working as it should. Due to proper ignorance and non-knowledge I deleted those files at some point in between while trying.
>
> After a while I got a correct working setup (using the default *facepalm*).
> Although I have then successfully managed to get the correct key setup into the DS with the root tld zones, I have mysterious DNSKEY entries on my bind installations for these particular domains that I do not seem to get rid of.
>
> I do not have the initially created key files anymore; they are referenced nowhere in the bind configuration of the zones or anywhere else in bind.
>
> I even deleted the /var/lib/bind/ directory contents of the master and secondaries and restarted all bind binaries. They are still there. And yes, I shut down all binds, deleted the files, and restarted them again. Still somewhere existing.
>
> How do I get these obsolete entries removed?
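The situation in this thread (DNSKEY records still served for a zone whose key files are gone) is easy to spot if you compare the key tags in the published DNSKEY RRset against the `K<name>+<alg>+<tag>.key` files in BIND's key directory. The following is an added example written for this page, not code from the thread or from ISC; the zone `example.org`, the dummy key material and the file names are constructed, and the key tag is computed with the RFC 4034 Appendix B algorithm.

```python
import base64
import re
import struct

# Constructed sample: the DNSKEY RRset as an authoritative server would return it
# (e.g. from `dig @ns1 DNSKEY example.org +norecurse`). The key material is dummy
# bytes for illustration, not real keys.
SAMPLE_DNSKEYS = """\
example.org. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.org. 3600 IN DNSKEY 256 3 13 BQYHCA==
example.org. 3600 IN DNSKEY 257 3 13 CQoLDA==
"""

# Constructed sample: the key files that still exist in BIND's key directory
# (BIND names them K<owner>+<3-digit alg>+<5-digit tag>.key). The third
# published key above has no file, i.e. it is the leftover this thread is about.
SAMPLE_KEYFILES = [
    "Kexample.org.+013+02068.key",
    "Kexample.org.+013+04123.key",
]


def keytag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    Valid for every algorithm except 1 (RSA/MD5), which uses a different rule."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd bytes add as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Return (owner, flags, algorithm, keytag) for each DNSKEY line in presentation format."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] != "DNSKEY":
            continue
        owner = fields[0]
        flags, protocol, algorithm = (int(x) for x in fields[4:7])
        pubkey = base64.b64decode("".join(fields[7:]))  # key may be split across fields
        out.append((owner, flags, algorithm, keytag(flags, protocol, algorithm, pubkey)))
    return out


KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def parse_keyfiles(names):
    """Return the set of (owner, algorithm, keytag) tuples that have a key file on disk."""
    present = set()
    for name in names:
        m = KEYFILE_RE.match(name)
        if m:
            present.add((m["owner"], int(m["alg"]), int(m["tag"])))
    return present


def find_orphan_dnskeys(dnskey_text, keyfile_names):
    """Key tags that are published in the DNSKEY RRset but have no matching K*.key file."""
    present = parse_keyfiles(keyfile_names)
    return [tag for owner, _flags, alg, tag in parse_dnskeys(dnskey_text)
            if (owner, alg, tag) not in present]


if __name__ == "__main__":
    for owner, flags, alg, tag in parse_dnskeys(SAMPLE_DNSKEYS):
        role = "KSK/CSK" if flags & 1 else "ZSK"   # SEP bit distinguishes KSK from ZSK
        print(f"{owner} alg={alg} tag={tag} {role}")
    print("published keys without a key file:",
          find_orphan_dnskeys(SAMPLE_DNSKEYS, SAMPLE_KEYFILES))
```

In practice you would feed `parse_dnskeys` the answer section of a `dig DNSKEY` query against each authoritative server and `parse_keyfiles` the listing of the key directory. A key tag that shows up as orphaned is being served from somewhere other than the key files, and the first place to look is a stale `<zonefile>.signed` file next to the zone, as the reply above suggests; once that file is gone and the zone has been reloaded, re-run the comparison on every server to confirm the RRset is clean.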