log expired NTA at startup

CHANGES

@@ -1,3 +1,5 @@
+4135.	[cleanup]	Log expired NTA at startup. [RT #39680]
+
 4134.	[cleanup]	Include client-ip rules when logging the number
 			of RPZ rules of each type. [RT #39670]
 

bin/tests/system/dnssec/tests.sh

@@ -1864,7 +1864,8 @@ sleep 4
 #
 # ns4 should be back up now. The NTA for bogus.example should still be
 # valid, whereas badds.example should not have been added during named
-# startup (as it had already expired).
+# startup (as it had already expired), the fact that it's ignored should
+# be logged.
 #
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
 lines=`wc -l < rndc.out.ns4.test$n.3`
@@ -1875,6 +1876,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
 $DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
+grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1
 
 # cleanup
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove bogus.example > rndc.out.ns4.test$n.6

lib/dns/view.c

@@ -2187,6 +2187,12 @@ dns_view_loadnta(dns_view_t *view) {
 
 			(void) dns_ntatable_add(ntatable, ntaname,
 						forced, 0, t);
+		} else {
+			char nb[DNS_NAME_FORMATSIZE];
+			dns_name_format(ntaname, nb, sizeof(nb));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+				      DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+				      "ignoring expired NTA at %s", nb);
 		}
 	};