DNSSEC / BIND breakage

[Wolfgang Rosenauer]

Hi,

one of my DNSSEC/DANE secured domains started breaking as of today and I
do not fully understand why.
Probably bright people here can point me to the correct resolution?

I'm using bind and its
auto-dnssec maintain;
inline-signing yes;

Also I'm not aware that my KSK and ZSK keys have any expiration date but
today DNSSEC started to fail apparently because my RRSIG signatures are
said to be expired.
Actually my first idea is that the automatic maintenance in bind failed
for some reason. So I deleted the journal and signed zone files and
started over by signing the zone from scratch. This at least improved
the situation a little bit according to
http://dnsviz.net/d/rosenauer.org/dnssec/

But still it seems to be broken and I'm lost currently to understand
what is wrong.


Thanks for any pointers,
 Wolfgang