diff --git a/CHANGES b/CHANGES
index 92323f36b2..abedcfe7b3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5932.	[bug]		Fix rndc dumpdb -expired and always include expired
+			RRsets, not just for RBTDB_VIRTUAL time window.
+			[GL #3462]
+
 5931.	[bug]		Fix DiG query error handling robustness in NSSEARCH
 			mode by making sure that udp_ready(), tcp_connected(),
 			and send_done() callbacks start the next query in chain
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index acbec4e529..bbc6fc35bf 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -58,3 +58,7 @@ Bug Fixes
 - Non-dynamic zones that inherit dnssec-policy from the view or
   options level were not marked as inline-signed, and thus were never
   scheduled to be re-signed. This is now fixed. :gl:`#3438`
+
+- Fix `rndc dumpdb -expired` to include expired RRsets, even if the cache
+  cleaning time window has passed. This will now show expired RRsets that are
+  stuck in the cache. :gl:`#3462`
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 2fd789cdca..f131902d36 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -8661,15 +8661,10 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
 	rbtdb_version_t *rbtversion = rbtiterator->common.version;
 	rdatasetheader_t *header, *top_next;
-	rbtdb_serial_t serial;
-	isc_stdtime_t now;
+	rbtdb_serial_t serial = 1;
 
-	if (IS_CACHE(rbtdb)) {
-		serial = 1;
-		now = rbtiterator->common.now;
-	} else {
+	if (!IS_CACHE(rbtdb)) {
 		serial = rbtversion->serial;
-		now = 0;
 	}
 
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@@ -8681,19 +8676,9 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 			if (header->serial <= serial && !IGNORE(header)) {
 				/*
 				 * Is this a "this rdataset doesn't exist"
-				 * record?  Or is it too old in the cache?
-				 *
-				 * Note: unlike everywhere else, we
-				 * check for now > header->rdh_ttl instead
-				 * of ">=".  This allows ANY and RRSIG
-				 *  queries for 0 TTL rdatasets to work.
+				 * record?
 				 */
-				if (NONEXISTENT(header) ||
-				    (now != 0 &&
-				     (now - RBTDB_VIRTUAL) >
-					     header->rdh_ttl +
-						     STALE_TTL(header, rbtdb)))
-				{
+				if (NONEXISTENT(header)) {
 					header = NULL;
 				}
 				break;
@@ -8725,22 +8710,17 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 	dns_rbtnode_t *rbtnode = rbtiterator->common.node;
 	rbtdb_version_t *rbtversion = rbtiterator->common.version;
 	rdatasetheader_t *header, *top_next;
-	rbtdb_serial_t serial;
-	isc_stdtime_t now;
 	rbtdb_rdatatype_t type, negtype;
 	dns_rdatatype_t rdtype, covers;
+	rbtdb_serial_t serial = 1;
 
 	header = rbtiterator->current;
 	if (header == NULL) {
 		return (ISC_R_NOMORE);
 	}
 
-	if (IS_CACHE(rbtdb)) {
-		serial = 1;
-		now = rbtiterator->common.now;
-	} else {
+	if (!IS_CACHE(rbtdb)) {
 		serial = rbtversion->serial;
-		now = 0;
 	}
 
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
@@ -8766,17 +8746,8 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 					/*
 					 * Is this a "this rdataset doesn't
 					 * exist" record?
-					 *
-					 * Note: unlike everywhere else, we
-					 * check for now > header->ttl instead
-					 * of ">=".  This allows ANY and RRSIG
-					 * queries for 0 TTL rdatasets to work.
 					 */
-					if (NONEXISTENT(header) ||
-					    (now != 0 &&
-					     (now - RBTDB_VIRTUAL) >
-						     header->rdh_ttl))
-					{
+					if (NONEXISTENT(header)) {
 						header = NULL;
 					}
 					break;