If your BIND server no longer resolves queries for zones it is not authoritative for (i.e. not your own domains but yahoo.com, whatever.org and so on) and you see errors like these in the named log:
25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: verify failed due to bad signature (keyid=19297): RRSIG has expired
25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for 'dlv.isc.org'
25-Mar-2020 16:52:52.406 validating @0x7f87047d80d0: dlv.isc.org DNSKEY: please check the 'trusted-keys' for 'dlv.isc.org' in named.conf.
This means that the key in the trusted-keys entry in named.conf, or the one in bind.keys, has expired (here the dlv.isc.org key).
You can follow https://www.isc.org/bind-keys/ if you can figure out how to get through that puzzle.
What I did was much simpler. Read on.
The command dig . dnskey +dnssec will show you the DNS keys that need to go into your configuration file:
19:53:10 root@gate:bind# dig . dnskey +dnssec

; <<>> DiG 9.9.5-9+deb8u18-Debian <<>> . dnskey +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9090
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;.                              IN      DNSKEY

;; ANSWER SECTION:
.                       7523    IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
.                       7523    IN      DNSKEY  256 3 8 AwEAAc4qsciJ5MdMUIu4n/pSTsSiU9OCyAanPTe5TcMX4v1hxhpFwiTG QUv3BXT6IAO4litrZKTUaj4vitqHW1+RQsHn3k/gSvt7FwyQwpy0mEnS hBgr6RQiGtlBODNY67sTl+W8M/b6SLTAaaDri3BO5u6wrDs149rMELJA doVBjmXW+zRH3kZzh3lwyTZsYtk7L+3DYbTiiHq+sRB4F9XoBPAz5Psv 4q4EiPq07nW3acbW84zTz3CyQUmQkJT9VB1oUKHz6sNoyccqzcMX4q1G HAYpQ7FAXlKMxidoN1Ay5DWANgTmgJXzKhcI2nIZoq1x3yq4814O1LQd 9QP68gI37+0=
.                       7523    IN      DNSKEY  256 3 8 AwEAAeN+h0loXPKt7lFdW2zKIDkVHyJ1aYGUVE1dMNBlRH3kTn40JKcH iPOs+fy0OFVCBwoKa1s9qZtdyP1UC0hgKoldj3oELK1yLI5MUbTMcNkW bBMRuxRz/CgZJu3IxcmuZWZMbn4LQDMj5YeiUiuWns5vipFGWWpyPyoz QXmenSWOK2GJOwcm7I/DyHVtVdztTvqiHqzy2aRoxwPhmEuAoYzzuNJJ w6JNEnXaN/7l2TIciskFyPVPBFZYHnk+1ma906dfehIR190z3lh1ZESL 2Yy3VIE2QGpRU6Px4ydH5sXxZ2wSMgqNNga4kjnfM1msBqk3EI48RvTT kuV0yb1eFuU=
.                       7523    IN      RRSIG   DNSKEY 8 0 172800 20200411000000 20200321000000 20326 . a+gSnbQVAQg3MEAg8R8X3O7MY6eu2SyoWbkZqGFomwS3KSAJ1qkWGXSR xh1CwdyW7mBjVBd6ptKWofiVOn/abD5EJf1cLnktSKjMuarpqI1qWwz1 PKi9Ch625jzf+jGn+2CPGSfsd7tpkbjDvirrze/NHckTrtTvZ2esV2Bn PEU87F2I7Bfw603LQS1TbciF1i7k9qsZqYain3whVQrMso7CFhX4jJmr 0x+UfO5Cpmm8CWd6Pgmp+EIZJ4vmPzvpC58RUY1wc/M18CzVZpmPvQAN ywtaHNN/urDDsvibKAeQNdJ07OFBiR9+J2SoCl8aIVfu6PMIKIfyeYAn xLj6KQ==

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Mar 25 19:53:12 EET 2020
;; MSG SIZE  rcvd: 1139
I took the first line from "ANSWER SECTION" (the record with flags 257 is the root KSK; its key tag, 20326, is the one named in the RRSIG above and should match the root trust anchor IANA publishes) and updated my trusted-keys entry in named.conf as in the example below:
19:56:00 root@gate:bind# grep -A 2 trusted-keys named.conf
trusted-keys {
. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
Also, my previous trusted key was dlv.isc.org. and I had this line configured in named.conf, which is now disabled:
dnssec-lookaside . trust-anchor dlv.isc.org.;
Of course, a restart of the name server is required.
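As an added example (not from the original post), here is a small Python script that does the same selection with the check a practitioner would want before pasting a key copied from a resolver's answer: it parses the DNSKEY line from the dig output, recomputes the key tag per RFC 4034 Appendix B, and only emits the trusted-keys stanza when the flags-257 key's tag equals the tag you obtained out of band (20326 for the root KSK, as named in the RRSIG above and in IANA's published root trust anchor). The KSK_LINE sample is constructed from this page's dig output; expected_tag is a parameter you supply.

```python
import base64
import struct

# Constructed input: the flags-257 DNSKEY line from the dig answer on this page,
# split across string literals exactly as dig prints the base64 chunks.
KSK_LINE = (". 7523 IN DNSKEY 257 3 8 "
            "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 "
            "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv "
            "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF "
            "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e "
            "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd "
            "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN "
            "R1AkUTV74bU=")

def parse_dnskey(line):
    """Return (flags, protocol, algorithm, key_bytes) from a dig DNSKEY line."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    return int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:]))

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def trusted_keys_stanza(dnskey_lines, expected_tag):
    """Pick the KSK (flags 257) whose recomputed tag equals the tag obtained
    out of band (expected_tag) and render it in named.conf trusted-keys syntax."""
    for line in dnskey_lines:
        flags, proto, alg, key = parse_dnskey(line)
        if flags != 257 or key_tag(flags, proto, alg, key) != expected_tag:
            continue
        b64 = base64.b64encode(key).decode()
        return 'trusted-keys {\n\t. %d %d %d "%s";\n};\n' % (flags, proto, alg, b64)
    raise ValueError("no KSK with key tag %d in the answer; do not trust it"
                     % expected_tag)

if __name__ == "__main__":
    # 20326 is the root KSK key tag named in the RRSIG on this page.
    print(trusted_keys_stanza([KSK_LINE], expected_tag=20326))
```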
DONE!