hi anand,
Perhaps during the DDoS, the BIND secondary received a corrupt IXFR that
added a new RRSIG, but didn't delete the old one? If that's the case, the
old RRSIG will persist until you force AXFR; it's the only way to overwrite
the zone fully at the secondary. You can set "provide-ixfr: no" for this
zone, and reload the configuration and then re-sign the zone with "knotc
zone-sign <zone>". Once the secondary is corrected, you can remove the
"provide-ixfr" option to go back to the default of providing IXFR.
bingo!!!
thank you
randy