Secondary groups are not inherited when dropping permissions
The opendnssec signed files and directories have opendnssec as their group and are readable by that group:
drwxr-x--- 7 root opendnssec 4096 Sep 21 2011 /var/lib/opendnssec/
drwxr-xr-x 2 opendnssec opendnssec 4096 Aug 5 08:58 /var/lib/opendnssec/signed
-rw-r--r-- 1 opendnssec opendnssec 24278 Aug 5 04:02 /var/lib/opendnssec/signed/sury.org
The knot user is in the opendnssec group:
root@pagan:~# grep knot /etc/group
opendnssec:x:111:knot
knot:x:116:
But Knot DNS cannot read those files:
Aug 5 09:35:46 pagan knot[18797]: [error] Failed to open zone file '/var/lib/opendnssec/signed/sury.org' (Permission denied).
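
The following is an added example, not Knot DNS's own code and not part of the original report. The report does not show the daemon's privilege-drop code, so the sketch assumes the usual cause of this symptom: a drop done with setgid()/setuid() alone, without initgroups(), which leaves the process without the target user's secondary groups from /etc/group. The function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if gid is present in list[0..n). */
int gid_in_list(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid) return 1;
    return 0;
}

/* Drop from root to `user`; returns 0 on success, -1 on failure.
 * initgroups() and setgid() need root, so setuid() must come last. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    /* initgroups() loads the user's supplementary groups from the group
     * database; without it the process keeps the list it was started with. */
    if (pw == NULL || initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Regaining root must fail now, otherwise the drop did not stick. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Is `group` (by name) among the groups the process currently holds? */
int process_has_group(const char *group)
{
    gid_t list[1024]; /* assumed large enough; getgroups() fails if it is not */
    struct group *gr = getgrnam(group);
    int n = getgroups(1024, list);
    return gr != NULL && n >= 0 &&
           (gr->gr_gid == getegid() || gid_in_list(list, n, gr->gr_gid));
}

int main(int argc, char **argv)
{
    if (argc != 3 || drop_privileges(argv[1]) != 0) {
        fprintf(stderr, "usage (as root): %s user group\n", argv[0]);
        return 1;
    }
    printf("%s held after drop: %d\n", argv[2], process_has_group(argv[2]));
    return 0;
}
```

Run as root with the user and group from the report (`knot opendnssec`), it prints 1 when the secondary group survived the drop.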