Issue: server booted with a time in the future, and bind / named downloaded the trust information with a future timestamp
Often you'll see this in the logs:
validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
managed-keys-zone: No valid trust anchors for '.'
1) shut down named
2) delete /var/named/dynamic/managed-keys.bind.jnl and create file just containing:
;BIND LOG V9
3) ensure new file is owned by the named user.
4) start up named
You'll see something like this in the logs:
Apr 28 12:49:00 XXXXXX named: managed-keys-zone: journal rollforward failed: no more
Apr 28 12:49:00 XXXXXX named: managed-keys-zone: unable to load from '/var/named/dynamic/managed-keys.bind.jnl'; renaming file to '/var/named/dynamic/jn-xMvuHJmM' for failure analysis and retransferring.
And then your dnssec should start working again...
There's probably better ways to trigger the resolution, but the above seems to work....