This article is written in an effort to aid those who are considering Knot DNS as a replacement for OpenDNSSEC.

More specifically, in this article we’ll be showing how to:

• make Knot use HSMs via the PKCS11 interface
• seamlessly transition from OpenDNSSEC to Knot
• then transition from HSM to automatically managed in-memory keys

If you’ve never interacted with Knot before, please familiarize yourself with the basics. Our documentation provides a great novice-friendly introduction.