Hello! I have a Knot 3.2.5 server running here which, for most zones, acts as a bump-in-the-wire signer, and it's doing exactly what I expect it to do. The same server carries a few secondary zones which are not signed, and I notice that when Knot transfers these zones in, it doesn't NOTIFY its secondaries, something which works fine for DNSSEC signed zones. The following configuration is in place: remote:   - id: pdns     address: 192.168.25.45@53     key: dsupload     block-notify-after-transfer: on  # <-------     automatic-acl: on template:   - id: default     zonefile-load: difference     file: "%s"     serial-policy: dateserial     master: pdns     catalog-role: member     catalog-zone: katz1     acl: [ xfr, notify_from_pdns, xfer_to_bind ]     notify: [ s1, s2, s3 ] policy:   - id: manualHSM     manual: on     keystore: thales     cds-cdnskey-publish: rollover     ksk-submission: ds_checker     ds-push: pdns zone:   - domain: sig.example     dnssec-policy: manualHSM     dnssec-signing: on   - domain: notsig.example     dnssec-signing: off When sig.example is transferred in, Knot signs it, NOTIFYs its secondaries (s1--s3), they XFR the zone and all's well. When the unsigned notsig.example is transferred in, the logs indicate Knot is seeing the new serial, and that's it; the secondaries are not NOTIFYd. (I can manually `knotc notify', but that's not the point.) Setting `block-notify-after-transfer: off' on the remote remediates this. Knot then does NOTIFY its secondaries for the unsigned zone (and for the signed zone). The documentation states:     "When incoming AXFR/IXFR from this remote (as a primary server),     suppress sending NOTIFY messages to all configured secondary servers." However, if I swich it off (i.e. enable notification), I do not see the NOTIFY when knot initially transfers the unsigned zone which is then signed and hence then notified. Is this behavior expected, and have I interpreted it correctly? Thanks & best regards,     -JP --