diff --git a/CHANGES b/CHANGES
index 6e2b6fcb98..e538f64523 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4135. [cleanup] Log expired NTA at startup. [RT #39680]
+
 4134. [cleanup] Include client-ip rules when logging the number of RPZ rules of each type. [RT #39670]
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 624b7b94dc..fd3f6fc2d1 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1864,7 +1864,8 @@ sleep 4
 #
 # ns4 should be back up now. The NTA for bogus.example should still be
 # valid, whereas badds.example should not have been added during named
-# startup (as it had already expired).
+# startup (as it had already expired), the fact that it's ignored should
+# be logged.
 #
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -d > rndc.out.ns4.test$n.3
 lines=`wc -l < rndc.out.ns4.test$n.3`
@@ -1875,6 +1876,7 @@ grep "status: SERVFAIL" dig.out.ns4.test$n.4 > /dev/null && ret=1
 grep "flags:[^;]* ad[^;]*;" dig.out.ns4.test$n.4 > /dev/null && ret=1
 $DIG $DIGOPTS a.badds.example. a @10.53.0.4 > dig.out.ns4.test$n.5 || ret=1
 grep "status: SERVFAIL" dig.out.ns4.test$n.5 > /dev/null || ret=1
+grep "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1
 # cleanup
 $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 nta -remove bogus.example > rndc.out.ns4.test$n.6
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 6cbbd36856..9e48b53a92 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -2187,6 +2187,12 @@ dns_view_loadnta(dns_view_t *view) {
 (void) dns_ntatable_add(ntatable, ntaname, forced, 0, t);
+ } else {
+ char nb[DNS_NAME_FORMATSIZE];
+ dns_name_format(ntaname, nb, sizeof(nb));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_NTA, ISC_LOG_INFO,
+ "ignoring expired NTA at %s", nb);
 }
 };
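Review bot: The grep added in the second tests.sh hunk treats `badds.example` as a regular expression and is unanchored against ns4/named.run, which accumulates output for the whole run, so the unescaped dots match any character and an unrelated line could satisfy the check in future; a fixed-string match is tighter, `grep -F "ignoring expired NTA at badds.example" ns4/named.run > /dev/null || ret=1`. This follows the convention of the neighbouring greps, so it is a point of style rather than a defect. The comment in the first hunk also reads as a comma splice; `# startup (as it had already expired); the fact that it is ignored should` would read more cleanly. The test case starts before the first hunk and its cleanup continues past the second.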
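Review bot: The new else branch in dns_view_loadnta logs the ignored NTA by name only, so an operator cannot see from the message when the entry expired, even though the stored expiry `t` is right there; appending it would make the line actionable, for example `"ignoring expired NTA at %s (expired at %u)"` with `t` cast to match the conversion (its type is not visible in the hunk, so confirm it is a 32-bit stdtime before choosing the specifier). ISC_LOG_INFO is also worth reconsidering, since dropping an NTA re-enables validation for that name and changes resolution behaviour (the test expects SERVFAIL afterwards), and a warning-level line is less likely to be filtered out of production logs. The name buffer is bounded by DNS_NAME_FORMATSIZE and the format string is a literal, so the logging itself introduces no buffer or format-string risk. The function begins before the hunk and its cleanup path continues after it.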