> Conclusion - there's a low grade bug in the "rndc sign" code path that
> sets the TTL incorrectly when generating signatures.

A new development on this one - it seems that it's not just 'rndc sign' that does this, but that 'rndc loadkeys' also can (in this instance, it was during the removal of expired keys).

The steps were:

- remove the post-published keys from several zones
- use rndc loadkeys to get BIND to load the changed keydata

The outcome: RRSIG's original TTL differs from corresponding records'

It's understood that this shouldn't cause client DNSSEC-validators any problems.
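As an added check (not code from the thread above or from BIND), the following Python script scans a zone in presentation format and reports every RRSIG whose Original TTL field, or own TTL, disagrees with the TTL of the RRset it covers, which is the condition the message above describes. The embedded zone data is constructed, and the parser assumes fully-qualified owner names with explicit TTLs, one RR per line.

```python
"""Report RRSIGs whose Original TTL field does not match the TTL of the
covered RRset (RFC 4034, section 3.1.5). Added example; zone data below
is constructed, not taken from the thread."""

# Constructed sample zone: the A RRset has TTL 300, but its RRSIG was
# generated with Original TTL 3600 (the symptom described in the post).
SAMPLE_ZONE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.     3600 IN RRSIG SOA 13 2 3600 20240201000000 20240101000000 12345 example.com. c2lnMQ==
www.example.com.  300 IN A     192.0.2.1
www.example.com.  300 IN RRSIG A 13 3 3600 20240201000000 20240101000000 12345 example.com. c2lnMg==
"""

def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata_fields) tuples.

    Only the fully-qualified, explicit-TTL, one-RR-per-line form is handled;
    $TTL/$ORIGIN directives and parenthesised multi-line RRs are out of scope.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, ttl, _rrclass, rrtype, *rdata = line.split()
        records.append((owner.lower(), int(ttl), rrtype.upper(), rdata))
    return records

def find_ttl_mismatches(records):
    """Return (owner, covered_type, rrset_ttl, rrsig_orig_ttl, rrsig_ttl)
    for each RRSIG whose Original TTL field or own TTL differs from the
    TTL of the RRset it covers."""
    rrset_ttl = {}
    for owner, ttl, rrtype, _ in records:
        if rrtype != "RRSIG":
            rrset_ttl[(owner, rrtype)] = ttl
    mismatches = []
    for owner, sig_ttl, rrtype, rdata in records:
        if rrtype != "RRSIG":
            continue
        covered = rdata[0].upper()
        orig_ttl = int(rdata[3])   # RRSIG rdata: type alg labels origttl exp inc keytag signer sig
        ttl = rrset_ttl.get((owner, covered))
        if ttl is None:
            continue               # signature with no covered RRset; a different problem
        if orig_ttl != ttl or sig_ttl != ttl:
            mismatches.append((owner, covered, ttl, orig_ttl, sig_ttl))
    return mismatches

if __name__ == "__main__":
    for m in find_ttl_mismatches(parse_zone(SAMPLE_ZONE)):
        print("RRSIG TTL mismatch: %s %s rrset=%d orig=%d rrsig=%d" % m)
```

Feed it the output of a zone dump in this form to spot signatures that need regenerating after a key change.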