Hi Randy,

Perhaps during the DDoS, the BIND secondary received a corrupt IXFR that added a new RRSIG, but didn't delete the old one? If that's the case, the old RRSIG will persist until you force AXFR; it's the only way to overwrite the zone fully at the secondary. You can set "provide-ixfr: no" for this zone, and reload the configuration and then re-sign the zone with "knotc zone-sign <zone>". Once the secondary is corrected, you can remove the "provide-ixfr" option to go back to the default of providing IXFR.

You should consider separating the signing and authoritative functions. Your signer should only sign the zones, and provide XFR to permitted secondaries. It's not a good idea to expose a signer directly to the Internet.

Regards,
Anand

On Fri, 14 Jun 2024 at 20:13, Randy Bush <randy@psg.com> wrote:
we may be narrowing it down.

knot returns one RRSIG, bind two, see appended.

my guess is that, if this was generally true, we would have heard about
it before.  so maybe it is something in how we're configured which
tickles bind secondaries the wrong way.  still investigating.

randy

    ryuu.rg.net:/Users/randy> dig +vc +dnssec +norec -t dnskey psg.com @rip.psg.com

    ; <<>> DiG 9.10.6 <<>> +vc +dnssec +norec -t dnskey psg.com @rip.psg.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18969
    ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ;; QUESTION SECTION:
    ;psg.com.                       IN      DNSKEY

    ;; ANSWER SECTION:
    psg.com.                86400   IN      DNSKEY  256 3 8 AwEAAZfG8Y++ZmGXwa1sgmHpruUSPljDwMR2pY5bUjjOaJNyUBeLlEAP Fyya3MNAKryW26yTxFmwYmyt0UtXyc4L7Ib5/J/Ew+putYpjRfslwPlS 5TWblvnbiqGcY/ZMuGrtLeZkvK/o39vXM+Hy5y3xbG4Qu4ySiuW03xMM pN50cr8+VcM2RDQn6/W6kESdiY8WaXyD1DT9eIgIyi5zTaOfhSB7u/g7 H+7LltCAiCZIcIF08CGbS1VEh0YUyw3Th1I6jiQmYeGG6OSGaci5SkjV fGTDpHrJOjFlCnUVfg+cYc1YPEojbmo90qO/nG+VB5I+qDYtkU1IR8EB +qXNi7ZbBt8=
    psg.com.                86400   IN      DNSKEY  257 3 8 AwEAAaCgMhvfatdo1jeqr0AsHJY+QB/QVv2O+9W62Sfj+xKCbV5nGgvu XqPq2A8tXKT1lG1YF0pe3/ABH2iYNZs7v/a6QAb1wEAYasNz6ZlvRca2 bDs6KXz/n2B/Oeb2JoWBJ6OqdNtzkDl6CYEOkQoDWRnbR9jlyINOQ0mN xfTu2wbXMngSIz78yTadpieyuG/B/TsLQ1SlTUSf436G5NMdxzQ8r7j4 5nW7mEORzvvk5Z1mGtfX8v8taw4qFfoIlaf226N06lZ90jpnEHTOGSTA T/ii5WVqjBZGFWFYWrNcHR51zHm4QAGKlZ5hzr6lrGZaXqgY7jE3GaOc 86mZhSlyYIs=
    psg.com.                86400   IN      RRSIG   DNSKEY 8 2 86400 20240627155330 20240613142330 53567 psg.com. JYhwpuCx+3YcZuumCP2g/1iGCqmIKxR1h3FYP8GdwIjY2i8OZ/T91O5S ml+jXmjfvhmb2nZ5+cV4i5KtUjUsS6otrpm4nxuNxUQwDZBxV1VEwFJc frS7TaOC+BrsKndJJIVGQ1HftCHGWSIiE/JEeEgeMrRXVLdCKKzADC7e oTYPOzf1piSO7rbHN4pGirIqTfBMci6xpc8BOlgc17DSB3aZJj5p3nEt Ie/h2goOwh3hue0oh6nuarTnlJhyiKOSBCcSrCjTl1Gfzq9sKyflEA2N NL0lJepqPkyf2kG+HkwGBKmrGlOeUDhNwR9qVwIvd/g/dtOscHnwTOWJ nuf7RQ==

    ;; Query time: 21 msec
    ;; SERVER: 2001:418:1::39#53(2001:418:1::39)
    ;; WHEN: Fri Jun 14 11:01:44 PDT 2024
    ;; MSG SIZE  rcvd: 883


    ryuu.rg.net:/Users/randy> dig +vc +dnssec +norec -t dnskey psg.com @nlns.globnix.net

    ; <<>> DiG 9.10.6 <<>> +vc +dnssec +norec -t dnskey psg.com @nlns.globnix.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9580
    ;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1232
    ;; QUESTION SECTION:
    ;psg.com.                       IN      DNSKEY

    ;; ANSWER SECTION:
    psg.com.                86400   IN      DNSKEY  256 3 8 AwEAAZfG8Y++ZmGXwa1sgmHpruUSPljDwMR2pY5bUjjOaJNyUBeLlEAP Fyya3MNAKryW26yTxFmwYmyt0UtXyc4L7Ib5/J/Ew+putYpjRfslwPlS 5TWblvnbiqGcY/ZMuGrtLeZkvK/o39vXM+Hy5y3xbG4Qu4ySiuW03xMM pN50cr8+VcM2RDQn6/W6kESdiY8WaXyD1DT9eIgIyi5zTaOfhSB7u/g7 H+7LltCAiCZIcIF08CGbS1VEh0YUyw3Th1I6jiQmYeGG6OSGaci5SkjV fGTDpHrJOjFlCnUVfg+cYc1YPEojbmo90qO/nG+VB5I+qDYtkU1IR8EB +qXNi7ZbBt8=
    psg.com.                86400   IN      DNSKEY  257 3 8 AwEAAaCgMhvfatdo1jeqr0AsHJY+QB/QVv2O+9W62Sfj+xKCbV5nGgvu XqPq2A8tXKT1lG1YF0pe3/ABH2iYNZs7v/a6QAb1wEAYasNz6ZlvRca2 bDs6KXz/n2B/Oeb2JoWBJ6OqdNtzkDl6CYEOkQoDWRnbR9jlyINOQ0mN xfTu2wbXMngSIz78yTadpieyuG/B/TsLQ1SlTUSf436G5NMdxzQ8r7j4 5nW7mEORzvvk5Z1mGtfX8v8taw4qFfoIlaf226N06lZ90jpnEHTOGSTA T/ii5WVqjBZGFWFYWrNcHR51zHm4QAGKlZ5hzr6lrGZaXqgY7jE3GaOc 86mZhSlyYIs=
    psg.com.                86400   IN      RRSIG   DNSKEY 8 2 86400 20240626012025 20240611235025 53567 psg.com. G37kmJujQDabkfi9uQkgbaYfSm3f7D8Z7ulaH+a8MOaE23s1ZX0MMUkF gaZ6ESgJechUXt7mWRnuLQtp+G5GhnQz80NO1ZUba3EPU4ITAd2MRykn p3gM1dy82eGojjHDhLNIdE1FPExhmbluQx1WpCJPPCRc+oy0eAGfoLtu cPFhBH1s31EVvN4wXF1x8LJ3GQz7kn7BehMDFHEA4lAX9L5zRsLmYX6J 5wWH9HZ2pCLkqzYR78/9iqmmmiUlEjfW0j0egjYCk1Fxm2GSpEMRy0q2 s+cChVRpg/WvHH2ORjGf9MyAFKyu7k71F0R/vncbU5mkdymR23UEvILt 1xuAYQ==
    psg.com.                86400   IN      RRSIG   DNSKEY 8 2 86400 20240627155330 20240613142330 53567 psg.com. JYhwpuCx+3YcZuumCP2g/1iGCqmIKxR1h3FYP8GdwIjY2i8OZ/T91O5S ml+jXmjfvhmb2nZ5+cV4i5KtUjUsS6otrpm4nxuNxUQwDZBxV1VEwFJc frS7TaOC+BrsKndJJIVGQ1HftCHGWSIiE/JEeEgeMrRXVLdCKKzADC7e oTYPOzf1piSO7rbHN4pGirIqTfBMci6xpc8BOlgc17DSB3aZJj5p3nEt Ie/h2goOwh3hue0oh6nuarTnlJhyiKOSBCcSrCjTl1Gfzq9sKyflEA2N NL0lJepqPkyf2kG+HkwGBKmrGlOeUDhNwR9qVwIvd/g/dtOscHnwTOWJ nuf7RQ==

    ;; Query time: 250 msec
    ;; SERVER: 2a02:898:31::53:0#53(2a02:898:31::53:0)
    ;; WHEN: Fri Jun 14 11:01:27 PDT 2024
    ;; MSG SIZE  rcvd: 1178
--
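As an added check (not part of the thread, and not Knot's or BIND's own tooling), a small Python script that parses the ANSWER sections of the two dig runs above and reports any RRSIG the BIND secondary serves that the Knot signer no longer does, which is the symptom Anand attributes to a corrupt IXFR. The sample inputs are constructed from the thread's output with the base64 fields abbreviated.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rrsig:
    """One RRSIG record in dig's presentation format (RFC 4034 section 3.2)."""
    owner: str
    covered: str
    algorithm: int
    labels: int
    orig_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str


def _ts(s: str) -> datetime:
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig | None:
    """Parse one dig answer line; return None for anything that is not an RRSIG."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return Rrsig(f[0], f[4], int(f[5]), int(f[6]), int(f[7]), _ts(f[8]), _ts(f[9]),
                 int(f[10]), f[11], "".join(f[12:]))


def rrsigs_from_dig(output: str) -> set[Rrsig]:
    """Collect the RRSIGs from a dig answer section, skipping comments and blanks."""
    sigs = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            r = parse_rrsig(line)
            if r:
                sigs.add(r)
    return sigs


def stale_rrsig_report(signer_out: str, secondary_out: str, now: datetime) -> dict:
    """RRSIGs the secondary serves that the signer does not, oldest expiry first.
    A superseded RRSIG only goes unnoticed by validators while it is still inside
    its own validity window; after that it is dead weight in every response."""
    signer, secondary = rrsigs_from_dig(signer_out), rrsigs_from_dig(secondary_out)
    extra = sorted(secondary - signer, key=lambda r: r.expiration)
    return {"signer_rrsigs": len(signer), "secondary_rrsigs": len(secondary),
            "stale": [(r.covered, r.key_tag, r.expiration.isoformat()) for r in extra],
            "stale_still_valid": [r.key_tag for r in extra if r.inception <= now <= r.expiration]}


# Constructed from the thread's dig output (rip.psg.com = Knot, nlns.globnix.net = BIND); base64 abbreviated.
RIP_PSG_COM = """;; ANSWER SECTION:
psg.com. 86400 IN DNSKEY 256 3 8 AwEAAZfG8Y++ZmGXwa1s...
psg.com. 86400 IN DNSKEY 257 3 8 AwEAAaCgMhvfatdo1jeq...
psg.com. 86400 IN RRSIG DNSKEY 8 2 86400 20240627155330 20240613142330 53567 psg.com. JYhwpuCx+3YcZuum...
"""
NLNS_GLOBNIX_NET = RIP_PSG_COM + (
    "psg.com. 86400 IN RRSIG DNSKEY 8 2 86400 20240626012025 20240611235025 53567 psg.com. G37kmJujQDabkfi9...\n")

if __name__ == "__main__":
    print(stale_rrsig_report(RIP_PSG_COM, NLNS_GLOBNIX_NET, datetime(2024, 6, 14, 18, 1, tzinfo=timezone.utc)))
```

Run it against live `dig +dnssec +norec` output from the signer and each secondary after the forced AXFR; an empty `stale` list confirms the secondary's copy of the RRset matches the signer's.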