[knot-dns-users] zonefile-sync and strange SOA serial

Hi, For many months now, we've been preparing new signers for our internal zones and eventually .is. We've got the first of our test zones live on the production signers, but some things are troubling us. This is the config we're using for zones: template:   - id: default     semantic-checks: on     storage: "/usr/local/etc/knot"     file: "zones/unsigned/%s/%s-soa"     serial-policy: dateserial     zonefile-sync: -1     zonefile-load: difference-no-serial     journal-content: all     notify: hidden_primary     acl: hidden_primary_acl policy:   - id: isnic     algorithm: RSASHA256     ksk-size: 4096     zsk-size: 2048     ksk-lifetime: 365d     zsk-lifetime: 30d     propagation-delay: 1h     rrsig-lifetime: 14d     rrsig-refresh: 7d     rrsig-pre-refresh: 1h --- zones/unsigned is stored in a git repo and changes are deployed by an ansible playbook that checks out the latest revision and reloads the zones. Someone pointed out that zonefile-load: difference-no-serial was risky for something as important as a TLD, but what is the alternative when doing automatic DNSSEC signing on zone data from git? Also, we turned off zonefile-sync, since our current deployment script overwrites the zonefile. Is there a way to load initial zone data from one file, but do zonefile-sync to another? We're seeing this in our logs: Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] zone file parsed, serial corrected 1970010100 -> 2022012000 Jan 20 09:32:06 ht-signer01 knot[49715]: info: [pp.is.] loaded, serial 2022011900 -> 2022012000 -> 2022011900, 3830 bytes Any idea what's happening on the second line? It's like knot wants to increment the serial, but then changes it's mind :) .einar