Hi Einar,

thank you for your bug report :)

We are trying to reproduce your observations, but without luck yet.

Anyway, it would be useful if you could provide us with more complete information, mostly (at least) about the server where you observe the issue (which is, I assume, the backup signer where the keys are being restored to):

 - Knot DNS version
 - configuration file (or at least relevant parts; don't forget to remove any TSIG secrets or sensitive IPs)
 - longer log snippets around the time the issue was observed
 - the script that you use for the backup (or at least relevant parts; unless it is somehow sensitive)
 - maybe also the directory with the backup whose "restore" triggers the issue (don't forget to delete the contents of all the PEM files in it!!, and note that data.mdb only contains public keys)

I'd also have some more questions to make a complete picture about the situation:

1) Is it possible that the issue is not really triggered by algorithm rollover, but by a Knot DNS version upgrade? Have you upgraded Knot DNS recently?
2) Do you use PKCS#11 in any way (either an HSM or SoftHSM), or just PKCS#8 (PEM files directly accessed by Knot)?
3) Do you somehow clean up the destination Knot's directories before calling zone-restore?
4) Do you somehow clean up the target directory on the active signer before performing zone-backup into that directory (or do you always create a fresh empty directory for the purpose)?
5) When manipulating the backup directory, do you somehow write its content into an existing directory with an older version of the backup in it?

Thank you very much for providing at least some of those!

Libor

On 29. 11. 25 20:22, Einar Bjarni Halldórsson via knot-dns-users wrote:
On 29 Nov 2025, at 17:47, Daniel Salzman <[email protected]> wrote:

To be clear, if you use a PKCS #11 keystore, the zone backup doesn't and can't back up the stored private keys. It only backs up metadata stored in the KASP DB. Therefore, you must also synchronize contents of the HSM. In the case of SoftHSM, you just copy the tokens directory.

Sorry for the misunderstanding, I incorrectly used softhsm to mean “not HSM”.

We *are* using the PEM keystore.

.einar
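As an added illustration, not part of this thread and not Knot DNS's own tooling: a small POSIX shell script that applies the two precautions Libor asks for before a backup directory and configuration are attached to a bug report, namely emptying every PEM file (the private keys) while keeping the file names, and replacing the value of each `secret:` line (TSIG keys) in a copy of knot.conf. The `backup/keys` layout, the key file name and the secret value are constructed sample data, not the layout Knot guarantees; run it on a copy, never on the live keystore.

```shell
#!/bin/sh
# Added example (not from the thread or from Knot DNS): sanitize a COPY of a
# zone-backup directory and knot.conf before sharing them in a bug report.
set -eu

# Empty every *.pem file below the directory (private key material) but keep
# the files so the reporter can still see which key IDs exist. Prints the count.
empty_pem_files() {
    dir="$1"
    count=0
    for f in $(find "$dir" -type f -name '*.pem'); do
        : > "$f"                 # truncate to zero bytes
        count=$((count + 1))
    done
    echo "$count"
}

# Replace the value of every "secret:" line in a Knot config copy with a marker.
# Knot's TSIG keys live in the "key:" section as "secret: <base64>". Prints the
# number of secrets redacted.
redact_tsig_secrets() {
    conf="$1"
    n=$(grep -c '^[[:space:]]*secret:' "$conf" || true)
    sed -i.bak -E 's/^([[:space:]]*secret:[[:space:]]*).*/\1<REDACTED>/' "$conf"
    rm -f "$conf.bak"
    echo "$n"
}

# Constructed sample data (assumed layout; not a real backup or real key).
make_sample() {
    root="$1"
    mkdir -p "$root/backup/keys"
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END PRIVATE KEY-----\n' \
        > "$root/backup/keys/0123abcd.pem"
    printf 'constructed placeholder; real data.mdb holds only public keys/metadata\n' \
        > "$root/backup/keys/data.mdb"
    cat > "$root/knot.conf" <<'EOF'
key:
  - id: xfr-key
    algorithm: hmac-sha256
    secret: Q29uc3RydWN0ZWRTYW1wbGVTZWNyZXQ=
zone:
  - domain: example.com.
EOF
}

# Stand-alone run on the constructed sample in a temporary directory.
work=$(mktemp -d)
make_sample "$work"
echo "PEM files emptied:     $(empty_pem_files "$work/backup")"
echo "TSIG secrets redacted: $(redact_tsig_secrets "$work/knot.conf")"
echo "Sanitized copy is in $work"
```

The data.mdb file is deliberately left untouched, matching Libor's note that it only contains public keys; everything else that could carry a secret is either emptied or rewritten in place on the copy.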