From e7239cb3c12e322d4da2670ddc3597900ae2aede Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Va=C5=A1ek?=
Date: Tue, 26 May 2026 17:12:40 +0200
Subject: [PATCH] WIP keep trash bin keys (fixup! WIP doc/operation: describe cleanup of removed legacy DNSSEC keys)
---
 doc/operation.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/doc/operation.rst b/doc/operation.rst
index 7bcc007d5..c03e86d7d 100644
--- a/doc/operation.rst
+++ b/doc/operation.rst
@@ -1451,6 +1451,7 @@ tools, like in the following example sequence of shell commands (for a PEM kesyt
 $ knotc -b zone-freeze
 $ keymgr -l | while read zone; do keymgr "${zone}" list; done | \
 sed 's@ .*$@.pem\$@' > ~/active_keys.pattern
+ $ keymgr -- trash-list | sed 's@ .*$@.pem\$@' >> ~/active_keys.pattern
 $ find $KEYSTORE -maxdepth 1 -type f | grep -v -f ~/active_keys.pattern | xargs rm
 $ knotc -b zone-thaw
 
@@ -1464,6 +1465,7 @@ or for a PKCS #11 keystore (using the ``p11tool`` command from
 $ knotc -b zone-freeze
 $ keymgr -l | while read zone; do keymgr "${zone}" list; done | \
 sed 's@ .*$@@' > ~/active_keys
+ $ keymgr -- trash-list | sed 's@ .*$@@' >> ~/active_keys
 $ sed "s/../%&/g;s/[a-z]/\U&/g;s/^/id=/;s/$/\;/" < ~/active_keys > ~/active_keys.pattern
 $ p11tool --login --set-pin $MYPIN --list-all-privkeys --only-urls $MYTOKEN | \
 grep -v -f ~/active_keys.pattern | \
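Review bot: The added `keymgr -- trash-list | sed … >> ~/active_keys.pattern` line in the PEM example appends to the keep-list without any check that the listing succeeded, and the very next command feeds everything not on that list to `xargs rm`. If the listing fails or returns nothing unexpectedly, the trash-bin keys are missing from the pattern file and their key files are deleted; if the whole file ends up empty, `grep -v -f` passes every file in the keystore through. The same applies to the `>> ~/active_keys` line in the PKCS #11 hunk, whose deletion pipeline continues outside the hunk. I would add a sentence before the deletion step such as `Check that each keymgr command succeeded and that the pattern file is non-empty (test -s ~/active_keys.pattern) before deleting anything`, and suggest running the `find … | grep -v …` part once without `xargs rm` to review the list.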