zone not getting flushed
On a zone with dnssec-signing enabled, the zone is not getting flushed as expected.
Here is a simple example tested with knot 2.6.8 on Debian buster:
$ tail -n +1 /etc/knot/knot.conf /var/lib/knot/zones/example.org test.sh
==> /etc/knot/knot.conf <==
server:
    listen: 0.0.0.0@53
    listen: ::@53
    user: knot:knot

log:
  - target: syslog
    any: info

policy:
  - id: default
    algorithm: RSASHA256
    ksk-size: 3248
    zsk-size: 2432
    nsec3: on
    nsec3-iterations: 330

template:
  - id: default
    file: zones/%s
    semantic-checks: on
    dnssec-policy: default
    dnssec-signing: on

zone:
  - domain: example.org
    zonefile-load: difference

==> /var/lib/knot/zones/example.org <==
example.org. 3600 SOA ns1.example.org. hostmaster.example.org 1530570453 3600 1200 3628800 60
example.org. 3600 NS ns1.example.org.
ns1 3600 A 127.0.0.1
==> test.sh <==
#! /bin/sh
# do zone update as per
# https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#safe-reading-and-editing-zone-file
knotc zone-freeze example.org.
while ! knotc zone-status example.org. +freeze | grep -q 'freeze: yes'; do sleep 1; done
knotc zone-flush example.org.
editor /var/lib/knot/zones/example.org
knotc zone-reload example.org.
knotc zone-thaw example.org.
$ systemctl start knot.service
Jul 13 23:12:59 hostname systemd[1]: Started Knot DNS server.
Jul 13 23:12:59 hostname knotd[16474]: info: Knot DNS 2.6.8 starting
Jul 13 23:12:59 hostname knotd[16474]: info: binding to interface 0.0.0.0@53
Jul 13 23:12:59 hostname knotd[16474]: info: binding to interface ::@53
Jul 13 23:12:59 hostname knotd[16474]: info: changing GID to 105
Jul 13 23:12:59 hostname knotd[16474]: info: changing UID to 103
Jul 13 23:12:59 hostname knotd[16474]: info: loading 1 zones
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] zone will be loaded
Jul 13 23:12:59 hostname knotd[16474]: info: starting server
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, key, tag 59494, algorithm RSASHA256, KSK, public, ready, active
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, key, tag 11610, algorithm RSASHA256, public, active
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, signing started
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, successfully signed
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] loaded, serial 1530570454
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] DNSSEC, next signing at 2018-07-20T23:12:59
Jul 13 23:12:59 hostname knotd[16474]: notice: [example.org.] DNSSEC, KSK submission, waiting for confirmation
Jul 13 23:12:59 hostname knotd[16474]: info: server started in the foreground, PID 16474
Jul 13 23:12:59 hostname knotd[16474]: info: control, binding to '/run/knot/knot.sock'
Jul 13 23:12:59 hostname knotd[16474]: info: [example.org.] zone file updated, serial 1530570453 -> 1530570454
In this example I'm manually increasing the serial of the SOA record by one in the spawned editor without changing anything else.
$ ./test.sh
OK
OK
OK
OK
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-freeze'
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] zone updates frozen
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-status'
Jul 13 23:14:38 backroad knotd[16474]: info: [example.org.] control, received command 'zone-flush'
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] control, received command 'zone-reload'
Jul 13 23:14:45 backroad knotd[16474]: warning: [example.org.] check, node example.org., unverifiable signature (record type SOA)
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, key, tag 59494, algorithm RSASHA256, KSK, public, ready, active
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, key, tag 11610, algorithm RSASHA256, public, active
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, signing started
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, successfully signed
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] loaded, serial 1530570454 -> 1530570455
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] DNSSEC, next signing at 2018-07-20T23:12:59
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] control, received command 'zone-thaw'
Jul 13 23:14:45 backroad knotd[16474]: info: [example.org.] zone updates unfrozen
Let's have a look at the zone file:
$ cat /var/lib/knot/zones/example.org
;; Zone dump (Knot DNS 2.6.8)
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 NS ns1.example.org.
example.org. 0 CDNSKEY 257 3 8 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
example.org. 0 CDS 59494 8 2 841198346EED8F8B3CF8AB4D453D72A11DFDCFB2964A61E742882FC9B0F6ACD4
example.org. 3600 DNSKEY 256 3 8 AwEAAbpocB9KiiSO3vg3T5tLRJRK1oo6rHIfwZD1ZfFu+nN0UJH+bzQp1wCrTaVFvIu/ibpgBfT0n0trsghJXS8Yqjb26zIdDF/i7cyHN6TTKcBIcnLTJjb6DwaUGP9SqF60+y5AP/CmA8QAe/7oQVoZpRzFdgE0h7BmA8M6vfg4oGY03trgmKQeicjgyhszvzg9vFC0L4ScMo0wu/HNVo67hGFFrX1CI6o2prIEVE49YWWCakUVtXLxZerHRqeen11Fecrh/5je9T01h/lVYDvUstA39qVP6YxP9J/t1bP4br4AT13poa9I+6CFwl0Q+QtkxSYkrJSFZ23ByHrpvYzb+1F/vC0hDH0dydPUfiZCZXElPmwBqI2rLytW/jzSwko52/jffT1C1EO3uusDb/m+C6U=
example.org. 3600 DNSKEY 257 3 8 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
example.org. 0 NSEC3PARAM 1 0 330 316D384BD40F1292
ns1.example.org. 3600 A 127.0.0.1
;; DNSSEC signatures
example.org. 3600 RRSIG NS 8 2 3600 20180727211259 20180713194259 11610 example.org. le3oaghZ9Av3M5ZkfKxbs5J41hncHpkiWeocbvEZR59CguSAAiN9EHvYerN5CAt+4swvT/mzHP0bG9jD9qsGR7niMxyY+3P13YEecQonH+kn7uwWrvmrbJ42oxoKL/F0ivvLUuFhpbo+0YM4dBEbpxYP2Jfxk1vJ5ofrf9goCDITAUK5jdjnz72dvbXKusGFQEmDOtFGzqPkJ8KgykUtqejO6De7KcBe39LyqbCBFIbjkAgzXrygcNRee8deR9+wHN1jBDDZb52Fp/nZNspCqI/C9ttAAnKeUvMp61PiJ4eBJybs4kCColfBoNMHUrCymke5Hm6Ws48siBKLn2lEXXs8dUcI7RWzlcRVN/x04Muhs0Q8XOa3yPPytDPq+TFUBxjhqBQtzMyTVka9RR5pPQ==
example.org. 3600 RRSIG SOA 8 2 3600 20180727211259 20180713194259 11610 example.org. E4gP40Fjee1HYxmmLO/i6lueDagKDjGux6scHfTpk3XWl89LLtSUZAl5bECiE4vK8hP+MVQM1FMAt0fWIxcHGhs5p9Lqt9b/8Io4qpYp2/bZJrqnKOGPw6uc9EN9VGmLQwvjcJF7NFCfR11f9CTsFZKM30HYn85IjheHddwx3/VAd1uxzGNZexS+2ZOL4lvLH7ZxAzGDpOmjpLWFPkYWDBghMnwzx9lyRNmwkNnsk+/WE2VYfMjdzA3S10FkbixvoT3M7XL4HfSGixVGikrkM1aBE+yGKZLXSNnrFvR854vJlce21CFeNimvhp06n/12+oLWkPZI0dIHVcctWOmSWRN6XQF2RlQmTkQxqM43a5gwOuMMFg8Y6Trk0UcCl348gFXfQns+eO8eG4dOZdFmaw==
example.org. 3600 RRSIG DNSKEY 8 2 3600 20180727211259 20180713194259 59494 example.org. 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
example.org. 0 RRSIG NSEC3PARAM 8 2 0 20180727211259 20180713194259 11610 example.org. VGNSm2jMg+q6N/JtBkvNQS0lsj2HqWT0J+K+2QDpqAvs8KQMNvbQ15cZyEN4hc+FAiwUuWJfyGhWLJNGm6/pFU1zdRlohcFsJ+QG2t3sfbZaGs/Lrd+HwDxRaFoYPf4m8Jr7S/rD3AApM8r40TBFUa1A8GmJ4OfbU60+TS9TRYOZuhZ9qmqo/oyWOJw5eJOIATQhq+eeHLWx04yA7HXILdPozgWa2dcKXLfoKAvWXYRKnXHeYrFK/kmeLA+ulV+icb5ymYX04s9C7U/kojGIN+6GWwmmij7kALfpStIcrpGTkzXMK3EwKstE09YQoA6BiPtu0qU+H6VOQ3P29jbMwD+ciJWztG43prnSHOKx+Mc5l8X5mhbwjhfzAEVuCQtwFKKFoMEqc5wV5whbADaJNQ==
example.org. 0 RRSIG CDS 8 2 0 20180727211259 20180713194259 11610 example.org. XATduwnRJdzFUIliH+LtBdp6vWX7XmZSZDunMxyJrG69sPx1n7e0E/maKA1XUy6ezeItoLTTEnpJW27zybSpc73OtQWqnXRS6tH8FU7nPblKNpbrbhZ7eTEuCkjihjZsLvpuF4tjrJHoyMqD6bXACGk/u0ueEskq+EPfyTcgM9akbqD8jOGj0w2UPgdZfHm305Ae8krU3lT5RjVCX5AZ+HvqWkran2XOZcXy6Q6tDsOlOqYN70jewYcPpf07VaCR6TZ7BmptqsbRQi1DO9U6Czl43HBFjrrmU0vDBmFqPnYMjdXetqcRux+zWHdLBMvHlF507croQxVHF1Gsvkl+MDO/uw8K4LysMi1GvONhdwbzdjH0H96AzuLD7AlWignRd/hBEvf/0fF6Re+jt92AJg==
example.org. 0 RRSIG CDNSKEY 8 2 0 20180727211259 20180713194259 11610 example.org. ANklM+vJ3qAK0N2znGJp1LgLrkL/7YhnnO00I8ouEmwkqIf2u0L72ZV682lvfC5OjIme++4sjnbivG4PStnRncrlbH5dXpB73EnAJBUKumrI55P2PJjYxoQ3lylxtm2N1E+ORnVEl/LiEnoulhdX3BrKPw2M7a2jwxDGtOw9Vi0veVHDSVbfo4THLAPg3l4/4plrLPeYWE2ST3lg5dIzP+ImOb0QcWVEydYT2YXiJCuX8Itnq9pgUplri8K+a8NWgRwc10h0dpX86Mz1BoOK+IeBeidzIXtaQoAXTbWkRTemPwE6Qn/YsvUrb3ZYYcTuC8TTH7cVXeB6HmhKKdtQQDyVdl/9EXF/B+qIOTTxJEVhJiRcQOUdJpC288kZyK/YPAjFqzvCDRJ1Nx98jNBmnQ==
ns1.example.org. 3600 RRSIG A 8 3 3600 20180727211259 20180713194259 11610 example.org. Fp4iRI3gIDa6MUgAbivG/1Xff4usmh3AS8CO5ir12NpoPA/g2NZfYzlQ0m1PyY+nStyKIoweMA0XlAyzwHXExACNI2VTmx21vcEggUAIB0F4Sxy0a2/0IMd5M2rOPjP5+s6sMgad7Z+KGxlgZEpcuMTpnROmyjWplmm1g9femT5n9HBgWAoXQ3zFI80jvAL4rtM2vGwol0G8qLB37G7tumWorUH+0jup+wM49bwMJEjx2gOQTAyEPVJ/TkzV9GB/extf9mIyv8QUwVX39uZY7heTMiWpW2uFB6qI8YL+c0sk+QpgPzjt30UFBqMOge/LrxxOitg2oWh8GBoYB8k0UkAbnQVlOmPMP+nTlj6y3fE48ex1CF0J1zOKTIt3nvmPlOHdxjM1eJXflHCtsq3vpw==
;; DNSSEC NSEC3 chain
g8kguklp9p7lr64s5blii14k1099doo6.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 JBLLAITNO58OJ82IFPE1UKQ7UKDL80I3 A RRSIG
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
;; DNSSEC NSEC3 signatures
g8kguklp9p7lr64s5blii14k1099doo6.example.org. 60 RRSIG NSEC3 8 3 60 20180727211259 20180713194259 11610 example.org. lphHsZ/vNjkfCg8yxGQzNz3WprCZVkAHCC6v6GcABjuRlHtmGC5JGn7tYKcA21X9QrJ8jIXnXm+8HhdJJKPpkDHPl1yOGBJCBaQaQ1qTiS3YTJGN8m5pMo2tntdo9j0o0FliArLMJCzVUPUQXwoTZFBBjcxwpi7pw3G/nipOMXIiWPRITQK6K+4gssmBu+vbVLBsgGzKcn8iZ16oQf5I/NHa1+fstNXJAA8a1zriSoNPgFRwxdHuHE3m3sjClwM1vbw+tpy5LsrRCfN6URilVrYo5Z40+qnPEr0k1H3onn4k9DkeJP5wsvFbayHEv38RWCJmuZEHtqMPLKrc7rsOx7Z9FzNItBK8fi6RDRYeFO+6cyEqdy5gJMtU/3JwPaF7YUiQP057oCN1I+rHGOhIcA==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 RRSIG NSEC3 8 3 60 20180727211259 20180713194259 11610 example.org. S1z6eHh6vToYJ1799tiKGgzEmtPUGEbUqwEUUaqgryEOl9YJlDwWZz9gHxvbLxSqoB8pqE8gbK0i+HLY4OJ/Z+aRSFIRq/i81/hlFjs4SYG3KV0DjlfHGhq5WDElCXqG5KQSyOI+icQPTGzc69VQEIEcDGeo3tTe9XFuNJIRBPHlEtN+hl6ko2Ldi3zqRDSg+NmoAdyg51lbPNbsccwQzciGoD7aI46JVzfo7als65oG9Emp0pWn60KsdDjbIoSBN9m4VQkOLoAn7FyA7txoVnrC6JAniSkB3Am4kEG2JFnOO1bp8JTdW/OTaW+fZ76NGmzylDU/OsOIJAxtYORXASkyL/Ek8kJVkOMM/fQCPj7E/g8WgX7d7U9c2u7OLJIq18KmoGJuZeXrV9+jgcWVqQ==
;; Written 19 records
;; Time 2018-07-13 23:12:59 CEST
Let's query the server for its SOA record and the signature:
$ kdig +dnssec @localhost example.org -t SOA
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24517
;; Flags: qr aa rd; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; example.org. IN SOA
;; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 IN RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
;; Received 450 B
;; Time 2018-07-13 23:19:19 CEST
;; From ::1@53(UDP) in 0.0 ms
Notice the RRSIG for the SOA is different to the zone file.
Try flushing the zone:
$ knotc zone-flush example.org
OK
Jul 13 23:22:34 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
Check the RRSIG in the zone file, notice it's still the old entry:
$ grep SOA /var/lib/knot/zones/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211259 20180713194259 11610 example.org. E4gP40Fjee1HYxmmLO/i6lueDagKDjGux6scHfTpk3XWl89LLtSUZAl5bECiE4vK8hP+MVQM1FMAt0fWIxcHGhs5p9Lqt9b/8Io4qpYp2/bZJrqnKOGPw6uc9EN9VGmLQwvjcJF7NFCfR11f9CTsFZKM30HYn85IjheHddwx3/VAd1uxzGNZexS+2ZOL4lvLH7ZxAzGDpOmjpLWFPkYWDBghMnwzx9lyRNmwkNnsk+/WE2VYfMjdzA3S10FkbixvoT3M7XL4HfSGixVGikrkM1aBE+yGKZLXSNnrFvR854vJlce21CFeNimvhp06n/12+oLWkPZI0dIHVcctWOmSWRN6XQF2RlQmTkQxqM43a5gwOuMMFg8Y6Trk0UcCl348gFXfQns+eO8eG4dOZdFmaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
I found two ways to actually flush the current zone entries:
$ mkdir -m777 /tmp/knot
$ knotc zone-flush example.org +outdir /tmp/knot/
OK
$ grep SOA /tmp/knot/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
Jul 13 23:26:57 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
and:
$ knotc -f zone-flush example.org
OK
$ grep SOA /var/lib/knot/zones/example.org
example.org. 3600 SOA ns1.example.org. hostmaster.example.org.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. lAY4frj2Wxly48bbO/Hw1pHb4qvPSCimvmeDqrX7kbwMbublN5qIIOBW/aMQnW4Vw8GYd61t97ps/bkAg9bGtyD0qHOZCZuK5U1aEGHjcLp/7/+j5bXw95FM75l8M951Hf4RjD26Dq8SXOdnJPqWCasDzg4V0nufBQ7WIQWL6akkxENGvmavHkxiaYU7IlsmbbyOcmC/oeuNr1LY0F3pnmn8m3QR0rK07YJMoVpFPC0/DC4oIbuYaqgCmlj2axGxf2IgvrZOre8HRIPPGRShDUUgVXIzOxFEJOc1TkoXCqYZrqya0qhRmY+Su5v/qSg5ffBAyb0NzHYCkECxBEGM1vnyOw3LuLWRdRTK6lY7VhEu0P+STicCJTC0IMeOXXhwAEMZYpYhYxDXx54Rf++Iaw==
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
Jul 13 23:28:39 hostname knotd[16474]: info: [example.org.] control, received command 'zone-flush'
Jul 13 23:28:39 hostname knotd[16474]: info: [example.org.] zone file updated, serial 1530570455 -> 1530570455
If I read the documentation correctly, knot should automatically flush the zone file (default zonefile-sync is 0). Additionally, a zone-flush command without "-f" should work.
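
Added example, not part of the original report or of Knot DNS: a shell check for the symptom described above, comparing the RRSIG covering SOA in the on-disk zone file with the one the server answers with. The function names and the sample data are assumptions; the samples are constructed from the timestamps and key tag in the report, with the signature data replaced by a placeholder.

```shell
#!/bin/sh
# Added example: compare the RRSIG covering SOA in the on-disk zone file
# with the one the server answers with.

# Read zone-format text on stdin; print "expiration inception keytag" of the
# RRSIG covering SOA. Handles zone-dump lines (no class) and kdig ("IN").
rrsig_soa_times() {
    awk '
        /^;/ { next }                  # comments and kdig section headers
        {
            for (i = 3; i <= 4; i++)   # type is field 3, or 4 after a class
                if ($i == "RRSIG" && $(i + 1) == "SOA") {
                    print $(i + 5), $(i + 6), $(i + 7)
                    exit
                }
        }'
}

# $1 = zone file text, $2 = kdig answer text.
# Prints a status; returns 0 in sync, 1 stale file, 2 RRSIG SOA not found.
compare_rrsig_soa() {
    on_disk=$(printf '%s\n' "$1" | rrsig_soa_times)
    served=$(printf '%s\n' "$2" | rrsig_soa_times)
    if [ -z "$on_disk" ] || [ -z "$served" ]; then
        echo "missing"; return 2
    fi
    if [ "$on_disk" = "$served" ]; then
        echo "in-sync"; return 0
    fi
    echo "stale file=[$on_disk] served=[$served]"; return 1
}

# Constructed samples: timestamps and key tag as in the report, signature
# data replaced by the placeholder "c2ln".
ZONE_FILE_SAMPLE=';; Zone dump (Knot DNS 2.6.8)
example.org. 3600 SOA ns1.example.org. hostmaster.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 RRSIG SOA 8 2 3600 20180727211259 20180713194259 11610 example.org. c2ln
jbllaitno58oj82ifpe1ukq7ukdl80i3.example.org. 60 NSEC3 1 0 330 316D384BD40F1292 G8KGUKLP9P7LR64S5BLII14K1099DOO6 NS SOA RRSIG DNSKEY'
SERVED_SAMPLE=';; ANSWER SECTION:
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 1530570455 3600 1200 3628800 60
example.org. 3600 IN RRSIG SOA 8 2 3600 20180727211445 20180713194445 11610 example.org. c2ln'

compare_rrsig_soa "$ZONE_FILE_SAMPLE" "$SERVED_SAMPLE" || true
```

Against a live server, pass the output of `cat /var/lib/knot/zones/example.org` and of `kdig +dnssec @localhost example.org -t SOA` as the two arguments. Matching on the type field position keeps the NSEC3 line, whose type bitmap also contains `SOA RRSIG`, from being mistaken for the signature record.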