I suspect that the RRSIG issue was a consequence of `Unsafe-Operation: No-Check-Keyset`. I would definitely recommend investigating the journal history if you still have it.
Daniel On 6/15/24 00:28, Rob Austein wrote:
Ok, that (finally!) makes sense, including explaining why forcing a retransfer from the secondary's side with `rndc retransfer` fixes the problem, since retransfer almost certainly does AXFR. Thanks Anand! Remains the question of whether the cause was Knot generating a bad IXFR or BIND9 failing to purge data from a partial IXFR. --
--
