> On 1 Dec 2025, at 11:32, Libor Peltan <[email protected]> wrote:
>
> 1) Is it possible that the issue is not really triggered by algorithm
> rollover, but by Knot DNS version upgrade? Have you upgraded Knot DNS
> recently?
I just ran `knotc zone-ksk-submitted` on three different servers, all with zones migrating from RSASHA256 to ECDSAP256SHA256 and I’m not seeing the error (yet). All three sets of servers are running Knot 3.5.2 on FreeBSD 14.3.

Either the error happens later, when the old keys are purged, or the error has been fixed between 3.5.0 and 3.5.2.

I did upgrade a server to 3.5.2 and saw the error, but that was after rollover had finished on the primary when it was running 3.5.0.

I’m going to attempt to downgrade a server to 3.5.0 and perform an algorithm rollover and sync. If the error appears, we’ll know it’s in the rollover itself where some state is produced which causes the error.

.einar
