Berwn
56f0af3153
knotd runs as the "knot" user, so the shared TSIG key file needs owner/group knot — it was root-only and knot couldn't read it. systemd-resolved's stub listener was holding port 53, so knot's 0.0.0.0@53 / ::@53 TCP bind failed. Disable the stub (resolution still works via nss-resolve) to free the port.