Hi Bastien,

Unfortunately, we don't have experience with this issue.

You could try to find what changed since Bookworm
https://salsa.debian.org/debian/pcsc-lite/-/commits/master

For example
https://salsa.debian.org/debian/pcsc-lite/-/commit/d13076c563a43379f901e377565e7f3454e3d214

Daniel

On 10/15/25 21:37, Bastien Durel via knot-dns-users wrote:
Hello,

I upgraded my signing server to Debian 13, but I have a problem with my HSM:

    Oct 15 21:09:18 arrakeen knotd[29552]: error: [durel.org.] zone event 'load' failed (PKCS #11 token not available)
    Oct 15 21:09:18 arrakeen knotd[29552]: error: [geekwu.org.] zone event 'load' failed (PKCS #11 token not available)

keymgr gives me the same error:

    # keymgr geekwu.org list
    error: failed to initialize KASP (PKCS #11 token not available)

despite hsmwiz being able to access the key:

    # hsmwiz identify
    Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
    Version              : 3.4
    Config options       :
      User PIN reset with SO-PIN enabled
    SO-PIN tries left    : 15
    User PIN tries left  : 3
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Default SO-PIN: 3537363231383830
    Default PIN: 648219
    Now executing: pkcs15-tool --dump
    Using reader with a card: Nitrokey Nitrokey HSM (DENK01067960000 ) 00 00
    PKCS#15 Card [knot]:
        Version        : 0
        Serial number  : DENK0106796
        Manufacturer ID: www.CardContact.de
        Flags          : PRN generation
    [...]
    Public EC Key [Private Key]
        Object Flags   : [0x00]
        Usage          : [0x140], verify, derive
        Access Flags   : [0x02], extract
        FieldLength    : 384
        Key ref        : 0 (0x00)
        Native         : no
        ID             : 74f59bc17317bfccc5806108d84df1abd275faef
        DirectValue    : <present>

Knot is using this keystore:

    keystore:
      - id: nitrokey
        backend: pkcs11
        config: "pkcs11:pin-value=*** /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

I verified /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so still exists, and ldd doesn't report any missing dependency.

strace lets me see communication with pcscd, whose logs have these:

    Oct 15 21:20:14 arrakeen systemd[1]: Started pcscd.service - PC/SC Smart Card Daemon.
    Oct 15 21:20:20 arrakeen pcscd[33186]: 00000000 ../src/auth.c:166:IsClientAuthorized() Process 33204 (user: 134) is NOT authorized for action: access_pcsc
    Oct 15 21:20:20 arrakeen pcscd[33186]: 00000071 ../src/winscard_svc.c:357:ContextThread() Rejected unauthorized PC/SC client

After a bit of digging, I found it's controlled by polkit, and added a brutal rule:

    cat /etc/polkit-1/rules.d/pcsc.rules
    /* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
    polkit.addRule(function(action, subject) {
        if (subject.isInGroup("pcsc")) {
            return polkit.Result.YES;
        }
    })

With knot added to the pcsc group, it can access the HSM again.

Do you know of a better way to configure?

NB: I'm using another account, as I began to write this with no DNS server running.

Regards,

-- 
Bastien Durel
--
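
Added example, not part of the original messages and not pcsc-lite's or Knot's own code: the rule quoted above never checks action.id, so it answers YES to every polkit action requested by a member of group pcsc; this sketch scopes the grant to pcsc-lite's two action ids and one account. The account name "knot", the Node stand-in for polkitd's `polkit` global, and the sample systemd action id are assumptions made for the illustration.

```javascript
// Only scopedRule and the polkit.addRule(scopedRule) line belong in
// /etc/polkit-1/rules.d/pcsc.rules, where polkitd supplies the global `polkit`.
// This stand-in (an assumption) lets the rule be exercised under Node.
const polkit = globalThis.polkit ?? {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
    rules: [],
    addRule(fn) { this.rules.push(fn); },
};

function scopedRule(action, subject) {
    // Action ids declared by pcsc-lite's polkit policy (list them with `pkaction`).
    var actions = [
        "org.debian.pcsc-lite.access_pcsc",  // connect to pcscd (seen in the log)
        "org.debian.pcsc-lite.access_card",  // open a reader / card
    ];
    // "knot" is the assumed name of the account running knotd and keymgr.
    if (actions.indexOf(action.id) !== -1 && subject.user == "knot") {
        return polkit.Result.YES;
    }
    // Everything else falls through to other rules and the policy defaults.
    return polkit.Result.NOT_HANDLED;
}
polkit.addRule(scopedRule);

// Behaviour of the rule quoted in the message, for comparison: group
// membership alone decides, whatever action is being requested.
function groupOnlyRule(action, subject) {
    if (subject.isInGroup("pcsc")) {
        return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
}

// Evaluate a rule against a constructed action id, user and group list.
function evaluate(rule, actionId, user, groups) {
    const subject = { user: user, isInGroup: (g) => groups.includes(g) };
    return rule({ id: actionId }, subject);
}

// Constructed cases; OTHER is a sample action unrelated to smart cards.
const PCSC = "org.debian.pcsc-lite.access_pcsc";
const OTHER = "org.freedesktop.systemd1.manage-units";
console.log("scoped, pcsc action :", evaluate(scopedRule, PCSC, "knot", ["knot"]));
console.log("group-only, other   :", evaluate(groupOnlyRule, OTHER, "knot", ["pcsc"]));
console.log("scoped, other       :", evaluate(scopedRule, OTHER, "knot", ["pcsc"]));
```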
