hi anand,

> Perhaps during the DDoS, the BIND secondary received a corrupt IXFR that
> added a new RRSIG, but didn't delete the old one? If that's the case, the
> old RRSIG will persist until you force AXFR; it's the only way to overwrite
> the zone fully at the secondary. You can set "provide-ixfr: no" for this
> zone, and reload the configuration and then re-sign the zone with "knotc
> zone-sign <zone>". Once the secondary is corrected, you can remove the
> "provide-ixfr" option to go back to the default of providing IXFR.

bingo!!! thank you

randy
