diff --git a/net-dns/knot/files/knot-3.5.2-fix_automagic_pkcs11.patch b/net-dns/knot/files/knot-3.5.2-fix_automagic_pkcs11.patch
new file mode 100644
index 000000000000..4cc4bf2aa609
--- /dev/null
+++ b/net-dns/knot/files/knot-3.5.2-fix_automagic_pkcs11.patch
@@ -0,0 +1,40 @@
+PR merged https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1830.patch
+remove automagic for PKCS #11 support
+add a option pkcs11 to handle this
+--- a/configure.ac
++++ b/configure.ac
+@@ -151,9 +151,9 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.6.10], [
+     CFLAGS="$CFLAGS $gnutls_CFLAGS"
+     LIBS="$LIBS $gnutls_LIBS"
+ 
+-    AC_CHECK_FUNC([gnutls_pkcs11_copy_pubkey], [enable_pkcs11=yes], [enable_pkcs11=no])
+-    AS_IF([test "$enable_pkcs11" = yes],
+-        [AC_DEFINE([ENABLE_PKCS11], [1], [PKCS #11 support available])])
++    AC_CHECK_FUNC([gnutls_pkcs11_copy_pubkey],
++        [AC_DEFINE([HAVE_GNUTLS_PKCS11], [1], [gnutls_pkcs11_copy_pubkey available])
++         gnutls_pkcs11=yes], [gnutls_pkcs11=no])
+ 
+     AC_CHECK_DECL([GNUTLS_SIGN_EDDSA_ED448],
+         [AC_DEFINE([HAVE_ED448], [1], [GnuTLS ED448 support available])
+@@ -170,7 +170,21 @@ PKG_CHECK_MODULES([gnutls], [gnutls >= 3.6.10], [
+ ], [
+     AS_IF([test "$enable_redis" != "module"], [AC_MSG_ERROR([GnuTLS library not found])])
+ ])
++# PKCS11 support
++AC_ARG_ENABLE([pkcs11],
++   AS_HELP_STRING([--enable-pkcs11=auto|yes|no], [Support PKCS #11 [default=auto]]),
++   [], [enable_pkcs11=auto])
++
++AS_CASE([$enable_pkcs11],
++   [auto], [AS_IF([test "$gnutls_pkcs11" = "yes"], [enable_pkcs11=yes], [enable_pkcs11=no])],
++   [yes],  [AS_IF([test "$gnutls_pkcs11" = "yes"], [enable_pkcs11=yes], [
++     AC_MSG_ERROR([PKCS11 not available])])],
++   [no], [],
++   [*], [AC_MSG_ERROR([Invalid value of --enable-pkcs11.])]
++)
+ AM_CONDITIONAL([ENABLE_PKCS11], [test "$enable_pkcs11" = "yes"])
++AS_IF([test "$enable_pkcs11" != "no"], [
++  AC_DEFINE([ENABLE_PKCS11], [1], [Define to 1 to enable PKCS #11 support using GnuTLS])])
+ 
+ AC_ARG_ENABLE([recvmmsg],
+    AS_HELP_STRING([--enable-recvmmsg=auto|yes|no], [enable recvmmsg() network API [default=auto]]),
diff --git a/net-dns/knot/knot-3.4.9.ebuild b/net-dns/knot/knot-3.4.9-r1.ebuild
similarity index 97%
rename from net-dns/knot/knot-3.4.9.ebuild
rename to net-dns/knot/knot-3.4.9-r1.ebuild
index 5d652d70eec3..38bdcb1191ca 100644
--- a/net-dns/knot/knot-3.4.9.ebuild
+++ b/net-dns/knot/knot-3.4.9-r1.ebuild
@@ -100,6 +100,11 @@ BDEPEND="
 	verify-sig? ( sec-keys/openpgp-keys-knot )
 "
 
+PATCHES=(
+	# PR 1830 merged
+	"${FILESDIR}"/${PN}-3.5.2-fix_automagic_pkcs11.patch
+)
+
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/${PN}.asc
 
 # Used to check cpuset_t in sched.h with NetBSD.
@@ -146,6 +151,7 @@ src_configure() {
 		$(use_enable fastparser)
 		$(use_enable geoip maxminddb)
 		$(use_with idn libidn)
+		$(use_enable pkcs11)
 		$(use_enable quic)
 		$(use_enable systemd)
 		$(use_enable utils utilities)
diff --git a/net-dns/knot/knot-3.5.2.ebuild b/net-dns/knot/knot-3.5.2-r1.ebuild
similarity index 98%
rename from net-dns/knot/knot-3.5.2.ebuild
rename to net-dns/knot/knot-3.5.2-r1.ebuild
index 4da2752199b5..40d6a8dbd423 100644
--- a/net-dns/knot/knot-3.5.2.ebuild
+++ b/net-dns/knot/knot-3.5.2-r1.ebuild
@@ -108,6 +108,11 @@ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/${PN}.asc
 # False positive because linux have sched.h too but with cpu_set_t
 QA_CONFIG_IMPL_DECL_SKIP=( cpuset_create cpuset_destroy )
 
+PATCHES=(
+	# PR 1830 merged
+	"${FILESDIR}"/${PN}-3.5.2-fix_automagic_pkcs11.patch
+)
+
 python_check_deps() {
 	use doc || return 0
 	python_has_version "dev-python/sphinx[${PYTHON_USEDEP}]" \
@@ -148,6 +153,7 @@ src_configure() {
 		$(use_enable fastparser)
 		$(use_enable geoip maxminddb)
 		$(use_with idn libidn)
+		$(use_enable pkcs11)
 		$(use_enable quic)
 		$(use_enable redis redis $(usex daemon client))
 		$(use_enable systemd)