Hello!
I'm testing periodic key rollovers in a playground running Knot DNS 3.5.4 (I am
aware that 3.5.5 is out, but this message is also in the current source code).
Zone transfers are not being performed, neither incoming nor outgoing (the
latter occasionally to see zone content as shown below).
At the completion of each signing operation (with purposely very short
timings), I see the following debug output:
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, signing zone
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, KSK rollover started
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, next key action, KSK tag 18749, submit at 2026-06-19T08:40:42+0000
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 15175, algorithm ECDSAP256SHA256, KSK
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 14234, algorithm ECDSAP256SHA256, public, active
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 60870, algorithm ECDSAP256SHA256, KSK, public, active
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, key, tag 18749, algorithm ECDSAP256SHA256, KSK, public, active+
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, signing started
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, successfully signed, serial 94, new RRSIGs 3
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, next signing at 2026-06-19T08:40:42+0000
2026-06-19T08:39:32+0000 info: [b.net.] zone file updated, serial 93 -> 94
2026-06-19T08:39:32+0000 debug: [b.net.] disposal of old contents blocked by outstanding zone transfer
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, signing zone
2026-06-19T08:40:42+0000 notice: [b.net.] DNSSEC, KSK submission, waiting for confirmation
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 15175, algorithm ECDSAP256SHA256, KSK
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 14234, algorithm ECDSAP256SHA256, public, active
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 60870, algorithm ECDSAP256SHA256, KSK, public, active
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, key, tag 18749, algorithm ECDSAP256SHA256, KSK, public, ready, active+
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, signing started
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, successfully signed, serial 95, new RRSIGs 6
2026-06-19T08:40:42+0000 info: [b.net.] DNSSEC, next signing at 2026-07-03T06:45:11+0000
2026-06-19T08:40:42+0000 info: [b.net.] zone file updated, serial 94 -> 95
2026-06-19T08:40:42+0000 debug: [b.net.] disposal of old contents blocked by outstanding zone transfer
2026-06-19T08:40:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: negative
2026-06-19T08:40:52+0000 info: [b.net.] DS push, outgoing, remote 127.0.0.2@53 TCP, key p01., success
2026-06-19T08:41:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: positive
2026-06-19T08:41:42+0000 notice: [b.net.] DNSSEC, KSK submission, confirmed
The zone itself is trivially short:
$ dig -p 5340 @127.0.0.1 b.net AXFR +noall +answer +onesoa | ldns-read-zone -s
b.net. 60 IN SOA ns.b.net. root.b.net. 100 10800 3600 604800 3600
www.b.net. 60 IN HTTPS 0 b.net.
ns.b.net. 60 IN AAAA 2001:db8:2::4444
ns.b.net. 60 IN A 192.0.2.42
b.net. 60 IN NSEC3PARAM 1 0 0 -
b.net. 60 IN DNSKEY 257 3 13 zmXFV/KHpRk/E6l7oiRg2f2M+YpWxGqHFJtHmsAFl4KAxZPeiL2VIFLswpGnrwxO47//vz/I1VqsLhmUz9k35A== ;{id = 18749 (ksk), size = 256b}
b.net. 60 IN DNSKEY 256 3 13 x9PPypMDeXRarFtYwxT5uvQjE/DHQd6g+NcF5FkVGDhz/+Xq2r3ZDfLXYUjW1ivoZHstnH5hSC4znp9oghlLfw== ;{id = 38612 (zsk), size = 256b}
b.net. 60 IN TXT "DNS is innocent"
b.net. 60 IN NS ns.b.net.
and the IMO relevant bits of the configuration are:
acl:
  - id: all_xfr
    address: [ 127.0.0.1 ]
    action: [ transfer, notify ]

submission:
  - id: pdns_submission
    check-interval: 60s
    parent: pdns_remote
    parent-delay: 10s

template:
  - id: default
    storage: "/tmp/zones"
    zonefile-load: difference
    file: "%s"

policy:
  - id: autoFAST
    keystore: pemstore
    single-type-signing: off
    manual: off
    algorithm: ecdsap256sha256
    ksk-shared: off
    ksk-lifetime: 1h
    zsk-lifetime: 2h
    delete-delay: 1h
    propagation-delay: 10s
    nsec3: on
    nsec3-iterations: 0
    nsec3-salt-length: 0
    nsec3-salt-lifetime: 0
    cds-cdnskey-publish: rollover
    zone-max-ttl: 60s
    ksk-submission: pdns_submission
    ds-push: pdns_remote

zone:
  - domain: b.net
    dnssec-signing: on
    dnssec-policy: autoFAST
    acl: [ all_xfr ]
Ought I be worried about "disposal of old contents blocked by outstanding zone
transfer"? I don't think I've noticed that before.
A second zone which uses the same policy shows the same behaviour.
Best regards,
-JP
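As an added example (not the poster's code nor Knot DNS's), here is a small Python checker that reconstructs the KSK rollover timeline from DNSSEC log lines of the kind quoted above and cross-checks that the submission happened at the announced "submit at" time, that the DS push waited at least parent-delay, and that confirmation followed a positive DS check. It assumes the log line layout shown in the post; the sample log is abbreviated from the quoted lines with the wrapped lines re-joined.

```python
import re
from datetime import datetime
LINE_RE = re.compile(r"^(\S+) \w+: \[[^\]]+\] (.*)$")
SUBMIT_RE = re.compile(r"next key action, KSK tag (\d+), submit at (\S+)")
# Sample input, abbreviated from the log quoted in the post (wrapped lines re-joined).
SAMPLE_LOG = """\
2026-06-19T08:39:32+0000 info: [b.net.] DNSSEC, next key action, KSK tag 18749, submit at 2026-06-19T08:40:42+0000
2026-06-19T08:40:42+0000 notice: [b.net.] DNSSEC, KSK submission, waiting for confirmation
2026-06-19T08:40:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: negative
2026-06-19T08:40:52+0000 info: [b.net.] DS push, outgoing, remote 127.0.0.2@53 TCP, key p01., success
2026-06-19T08:41:42+0000 info: [b.net.] DS check, outgoing, remote 127.0.0.2@53 TCP, key p01., KSK submission check: positive
2026-06-19T08:41:42+0000 notice: [b.net.] DNSSEC, KSK submission, confirmed
"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")

def parse(log):
    """Return the rollover-related events as (when, kind, detail) tuples in log order."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        when, msg = m.groups()
        if s := SUBMIT_RE.search(msg):
            events.append((when, "planned", (int(s.group(1)), s.group(2))))
        elif "KSK submission, waiting" in msg:
            events.append((when, "submitted", None))
        elif "KSK submission check:" in msg:          # result of the parent DS check
            events.append((when, "ds-check", msg.rsplit(": ", 1)[1]))
        elif msg.startswith("DS push"):
            events.append((when, "ds-push", msg.rsplit(", ", 1)[1]))
        elif "KSK submission, confirmed" in msg:
            events.append((when, "confirmed", None))
    return events

def check_rollover(events, parent_delay_s):
    """Return findings; an empty list means the rollover ran as announced."""
    last = {kind: (when, detail) for when, kind, detail in events}   # latest of each kind
    findings = []
    if "planned" in last and "submitted" in last:
        tag, due = last["planned"][1]
        if ts(last["submitted"][0]) != ts(due):
            findings.append(f"KSK {tag} submitted at {last['submitted'][0]}, announced for {due}")
    if "submitted" in last and "ds-push" in last:
        gap = (ts(last["ds-push"][0]) - ts(last["submitted"][0])).total_seconds()
        if gap < parent_delay_s:
            findings.append(f"DS push after {gap:.0f}s, parent-delay is {parent_delay_s}s")
    checks = [d for _, k, d in events if k == "ds-check"]
    if "confirmed" in last and (not checks or checks[-1] != "positive"):
        findings.append("confirmed without a preceding positive DS check")
    return findings
```

Run against the quoted log with the configured parent-delay of 10s it returns no findings; feeding it a longer parent-delay, or a log without the positive DS check, produces a finding for the violated step.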