---
type: task
after:
  - ./watch-hosts.md
---

When a host is removed by a network admin, the admin's daemon should modify that host's file in the common bucket, changing the HostAssigned section to indicate that the host is no longer present in the network.

When a host's file is updated to indicate that the host is no longer present in the network, all other hosts in the network should add that host's certificate fingerprint to the `pki.blocklist` of their local nebula instance.

The `pki.disconnect_invalid` boolean should always be true in the nebula config.
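
One way to derive the two `pki` settings from the watched host files, as an added Go example that is not the project's own code. `HostRecord`, `PKISettings` and `BuildPKISettings` are hypothetical names, and skipping the local host's own record and failing on a malformed fingerprint are assumptions.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// HostRecord is a hypothetical, simplified view of one host's file in the
// common bucket; the project's real types are not shown on this page.
type HostRecord struct {
	Name            string
	CertFingerprint string // hex SHA-256 fingerprint of the host's nebula cert
	Removed         bool   // true once an admin marks the host as not present
}

// PKISettings holds the two nebula `pki` keys this task touches.
type PKISettings struct {
	Blocklist         []string // pki.blocklist
	DisconnectInvalid bool     // pki.disconnect_invalid
}

// BuildPKISettings returns a sorted, de-duplicated blocklist of removed hosts.
// It fails closed: a removed host with a malformed fingerprint is an error,
// because silently dropping it would leave that host unblocked.
func BuildPKISettings(self string, hosts []HostRecord) (PKISettings, error) {
	seen := map[string]struct{}{}
	for _, h := range hosts {
		if !h.Removed || h.Name == self { // assumption: never block our own cert
			continue
		}
		fp := strings.ToLower(strings.TrimSpace(h.CertFingerprint))
		if raw, err := hex.DecodeString(fp); err != nil || len(raw) != 32 {
			return PKISettings{}, fmt.Errorf("host %q: invalid fingerprint", h.Name)
		}
		seen[fp] = struct{}{}
	}
	blocklist := make([]string, 0, len(seen))
	for fp := range seen {
		blocklist = append(blocklist, fp)
	}
	sort.Strings(blocklist) // stable output avoids needless config rewrites
	return PKISettings{Blocklist: blocklist, DisconnectInvalid: true}, nil
}

func main() {
	// Constructed sample data, not real fingerprints.
	hosts := []HostRecord{{"old-laptop", strings.Repeat("ab", 32), true}}
	fmt.Println(BuildPKISettings("this-host", hosts))
}
```
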