For a DNSSEC-enabled domain in OA, the following error is shown on zone validation or during BIND service start-up:
[root@ns1 ~]# named-checkzone -d example.com. /var/named/example.com. loading "example.com." from "/var/named/example.com." class "IN" /var/named/example.com.:1: no TTL specified; using SOA MINTTL instead /var/named/example.com.:6: signature has expired zone example.com/IN: loaded serial 281 (DNSSEC signed) OK
The issue is recognized as POA-110780: Too long expiration date for RRSIG/KSK/ZSK causes BIND validation errors.
There is no impact on DNS resolution for the affected domains by this issue. There is no workarounds to fix the warnings - any zone update triggered from OA will re-write the expiration date of DNSSEC keys.
Contact your TAM/PTA team in order to clarify the status of the issue.