On 24/09/2021 15.43, Günther J. Niederwimmer wrote:
> I heard / read from a user that knot resolver must have its own rights for the
> certificate, but that is not possible, because the key is also intended for
> other computers and this creates a system risk? Is this a design problem or a
> bug?

I would not suggest that the private keys should be world-readable.  Normal installation uses a special user and group for running Knot Resolver, so you might e.g. switch the file to this group.

Running the daemons as root would seem a higher risk to me, but otherwise it shouldn't be a problem either.  Of course, you can't change that in kresd.conf, as that's done on systemd level already.  I think it should suffice to use `systemctl edit kresd@.service` and add

[Service]
User=root
Group=root

and the same with `systemctl edit kres-cache-gc.service`.

--Vladimir
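The group-based approach Vladimir describes, as an added example that is not from the thread or the Knot Resolver project: hand the key to the resolver's service group with mode 0640 and verify that no "other" bits remain, rather than making it world-readable or running kresd as root. The group name "knot-resolver" and the key path are assumptions; GNU/BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the Knot Resolver
# service group is "knot-resolver"; adjust for your packaging.

# key_mode_ok FILE GROUP: succeed only if FILE belongs to GROUP, is readable
# by that group, and carries no permission bits at all for "other".
key_mode_ok() {
    file=$1
    group=$2
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1   # octal mode, e.g. 640
    grp=$(stat -c '%G' "$file") || return 1    # group name
    [ "$grp" = "$group" ] || return 1
    other=$(( mode % 10 ))
    grouppart=$(( (mode / 10) % 10 ))
    [ "$other" -eq 0 ] || return 1             # nothing for "other"
    [ $(( grouppart & 4 )) -ne 0 ]             # group may read
}

# restrict_key FILE GROUP: give the key to GROUP with mode 0640
# (owner read/write, group read, nothing for others) and re-check it.
restrict_key() {
    chgrp "$2" "$1" && chmod 0640 "$1" && key_mode_ok "$1" "$2"
}

# On a real host (assumed path, not run here):
#   restrict_key /etc/ssl/private/resolver.key knot-resolver
```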