From: Daniel Salzman <daniel.salzman@nic.cz>
Date: Mon, 13 Oct 2025 14:13:06 +0000 (+0200)
Subject: dnssec: fix loading from more keystores if the key not in HSM
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=81cb1fe0880cc50ae836b31c99a72f64c5d8aab8;p=thirdparty%2Fknot-dns.git

dnssec: fix loading from more keystores if the key not in HSM
---

diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index 31435dd7ed..28fd04c04e 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -482,7 +482,7 @@ int kdnssec_load_private(knot_kasp_keystore_t *keystores, const char *id,
                          dnssec_key_t *key, const char **name, unsigned *backend)
 {
 	int ret = DNSSEC_ENOENT;
-	for (size_t i = 0; i < keystores[0].count && ret == DNSSEC_ENOENT; i++) {
+	for (size_t i = 0; i < keystores[0].count && (ret == DNSSEC_ENOENT || ret == DNSSEC_NOT_FOUND); i++) {
 		ret = dnssec_keystore_get_private(keystores[i].keystore, id, key);
 		if (ret == KNOT_EOK) {
 			if (name != NULL) {